cleaner syntax for local actions (#536)

* refactored local actions to cleaner syntax

* openssl commands folded

* removed unnecessary local_action's

playbooks/local.yml

@@ -1,16 +1,23 @@
 ---
 
 - name: Generate the SSH private key
-  local_action: shell echo -e  'n' | ssh-keygen -b 2048 -C {{ SSH_keys.comment }} -t rsa -f {{ SSH_keys.private }} -q -N ""
+  shell: >
+    echo -e  'n' |
+    ssh-keygen -b 2048 -C {{ SSH_keys.comment }}
+    -t rsa -f {{ SSH_keys.private }} -q -N ""
   args:
     creates: "{{ SSH_keys.private }}"
 
 - name: Generate the SSH public key
-  local_action: shell echo `ssh-keygen -y -f {{ SSH_keys.private }}` {{ SSH_keys.comment }} > {{ SSH_keys.public }}
+  shell: >
+    echo `ssh-keygen -y -f {{ SSH_keys.private }}` {{ SSH_keys.comment }}
+    > {{ SSH_keys.public }}
   changed_when: false
 
 - name: Change mode for the SSH private key
-  local_action: file path={{ SSH_keys.private }} mode=0600
+  file:
+    path: "{{ SSH_keys.private }}"
+    mode: 0600
 
 - name: Ensure the dynamic inventory exists
   blockinfile:

playbooks/local_ssh.yml

@@ -1,14 +1,12 @@
 ---
 
 - name: Ensure the local ssh directory is exist
-  local_action:
+  file:
-    module: file
+    path: ~/.ssh/
-    path: "~/.ssh/"
     state: directory
 
 - name: Copy the algo ssh key to the local ssh directory
-  local_action:
+  copy:
-    module: copy
     src: "{{ SSH_keys.private }}"
     dest: ~/.ssh/algo.pem
     mode: '0600'

playbooks/post.yml

@@ -1,8 +1,7 @@
 ---
 
 - name: Wait until SSH becomes ready...
-  local_action:
+  wait_for:
-    module: wait_for
     port: 22
     host: "{{ cloud_instance_ip }}"
     search_regex: "OpenSSH"

roles/vpn/tasks/client_configs.yml

@@ -1,8 +1,7 @@
 ---
 
 - name: Register p12 PayloadContent
-  local_action: >
+  shell: cat private/{{ item }}.p12 | base64
-    shell cat private/{{ item }}.p12 | base64
   register:  PayloadContent
   become: no
   args:
@@ -15,8 +14,7 @@
     PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
 
 - name: Build the mobileconfigs
-  local_action:
+  template:
-    module: template
     src: mobileconfig.j2
     dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
     mode: 0600
@@ -27,8 +25,7 @@
   no_log: True
 
 - name: Build the strongswan app android config
-  local_action:
+  template:
-    module: template
     src: sswan.j2
     dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.sswan
     mode: 0600
@@ -39,8 +36,7 @@
   no_log: True
 
 - name: Build the client ipsec config file
-  local_action:
+  template:
-    module: template
     src: client_ipsec.conf.j2
     dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
     mode: 0600
@@ -49,8 +45,7 @@
     - "{{ users }}"
 
 - name: Build the client ipsec secret file
-  local_action:
+  template:
-    module: template
     src: client_ipsec.secrets.j2
     dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
     mode: 0600
@@ -59,8 +54,7 @@
     - "{{ users }}"
 
 - name: Build the windows client powershell script
-  local_action:
+  template:
-    module: template
     src: client_windows.ps1.j2
     dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
     mode: 0600
@@ -69,8 +63,7 @@
   with_items: "{{ users }}"
 
 - name: Restrict permissions for the local private directories
-  local_action:
+  file:
-    module: file
     path: "{{ item }}"
     state: directory
     mode: 0700

roles/vpn/tasks/main.yml

@@ -24,6 +24,7 @@
       tags: update-users
     - include: distribute_keys.yml
     - include: client_configs.yml
+      delegate_to: localhost
       tags: update-users
 
     - meta: flush_handlers

roles/vpn/tasks/openssl.yml

@@ -1,20 +1,17 @@
 ---
 
+- block:
   - name: Ensure the pki directory does not exist
-  local_action:
+    file:
-    module: file
       dest: configs/{{ IP_subject_alt_name }}/pki
       state: absent
-  become: no
     when: easyrsa_reinit_existent == True
 
   - name: Ensure the pki directories exist
-  local_action:
+    file:
-    module: file
       dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
       state: directory
       recurse: yes
-  become: no
     with_items:
       - ecparams
       - certs
@@ -24,11 +21,9 @@
       - reqs
 
   - name: Ensure the files exist
-  local_action:
+    file:
-    module: file
       dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
       state: touch
-  become: no
     with_items:
       - ".rnd"
       - "private/.rnd"
@@ -37,18 +32,21 @@
       - "serial"
 
   - name: Generate the openssl server configs
-  local_action:
+    template:
-    module: template
       src: openssl.cnf.j2
       dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
-  become: no
 
   - name: Build the CA pair
-  local_action: >
+    shell: >
-    shell openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
+      openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
-      openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:"{{ easyrsa_CA_password }}" &&
+      openssl req -utf8 -new
+      -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
+      -config openssl.cnf
+      -keyout private/cakey.pem
+      -out cacert.pem -x509 -days 3650
+      -batch
+      -passout pass:"{{ easyrsa_CA_password }}" &&
       touch {{ IP_subject_alt_name }}_ca_generated
-  become: no
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       creates: "{{ IP_subject_alt_name }}_ca_generated"
@@ -56,28 +54,33 @@
       subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
 
   - name: Copy the CA certificate
-  local_action:
+    copy:
-    module: copy
       src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
       dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
       mode: 0600
-  become: no
 
   - name: Generate the serial number
-  local_action: >
+    shell: echo 01 > serial && touch serial_generated
-    shell echo 01 > serial &&
-      touch serial_generated
-  become: no
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       creates: serial_generated
 
   - name: Build the server pair
-  local_action: >
+    shell: >
-    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch &&
+      openssl req -utf8 -new
-    openssl ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" &&
+      -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
+      -config openssl.cnf
+      -keyout private/{{ IP_subject_alt_name }}.key
+      -out reqs/{{ IP_subject_alt_name }}.req -nodes
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -subj "/CN={{ IP_subject_alt_name }}" -batch &&
+      openssl ca -utf8
+      -in reqs/{{ IP_subject_alt_name }}.req
+      -out certs/{{ IP_subject_alt_name }}.crt
+      -config openssl.cnf -days 3650 -batch
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -subj "/CN={{ IP_subject_alt_name }}" &&
       touch certs/{{ IP_subject_alt_name }}_crt_generated
-  become: no
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       creates: certs/{{ IP_subject_alt_name }}_crt_generated
@@ -85,11 +88,21 @@
       subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
 
   - name: Build the client's pair
-  local_action: >
+    shell: >
-   shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
+      openssl req -utf8 -new
-      openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+      -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
+      -config openssl.cnf
+      -keyout private/{{ item }}.key
+      -out reqs/{{ item }}.req -nodes
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -subj "/CN={{ item }}" -batch &&
+      openssl ca -utf8
+      -in reqs/{{ item }}.req
+      -out certs/{{ item }}.crt
+      -config openssl.cnf -days 3650 -batch
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -subj "/CN={{ item }}" &&
       touch certs/{{ item }}_crt_generated
-  become: no
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       creates: certs/{{ item }}_crt_generated
@@ -98,45 +111,60 @@
     with_items: "{{ users }}"
 
   - name: Build the client's p12
-  local_action: >
+    shell: >
-    shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
+      openssl pkcs12
-  become: no
+      -in certs/{{ item }}.crt
+      -inkey private/{{ item }}.key
+      -export
+      -name {{ item }}
+      -out private/{{ item }}.p12
+      -certfile cacert.pem
+      -passout pass:"{{ easyrsa_p12_export_password }}"
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     with_items: "{{ users }}"
 
   - name: Copy the p12 certificates
-  local_action:
+    copy:
-    module: copy
       src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
       dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
       mode: 0600
-  become: no
     with_items:
       - "{{ users }}"
 
   - name: Get active users
-  local_action: >
+    shell: >
-    shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+      grep ^V index.txt |
-  become: no
+      grep -v "{{ IP_subject_alt_name }}" |
+      awk '{print $5}' |
+      sed 's/\/CN=//g'
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     register: valid_certs
 
   - name: Revoke non-existing users
-  local_action: >
+    shell: >
-    shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
+      openssl ca
-      openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
+      -config openssl.cnf
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -revoke certs/{{ item }}.crt &&
+      openssl ca -gencrl
+      -config openssl.cnf
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -revoke certs/{{ item }}.crt
+      -out crl/{{ item }}.crt
       touch crl/{{ item }}_revoked
-  become: no
     args:
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      chdir: configs/{{ IP_subject_alt_name }}/pki/
       creates: crl/{{ item }}_revoked
     environment:
       subjectAltName: "DNS:{{ item }}"
     when: item not in users
     with_items: "{{ valid_certs.stdout_lines }}"
 
+  delegate_to: localhost
+  become: no
+
 - name: Copy the revoked certificates to the vpn server
   copy:
     src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt