Add openvpn setup

2021-10-26 09:35:39 +02:00 · 2021-10-26 09:35:39 +02:00 · 49ee39baba
commit 49ee39baba
parent f22e5301aa
26 changed files with 1684 additions and 4 deletions
--- a/files/openvpn/ca.crt
+++ b/files/openvpn/ca.crt
@ -0,0 +1,94 @@
+$ANSIBLE_VAULT;1.1;AES256
+62646466373330653562633062333536393164333061386366313666383837393661623062363263
+3939333461613966666365653330613066613638346561660a613766633637626664366465313130
+34613530303630313839306162323565643932393662623262346235653236633134663334326436
+3330306662316330310a326633613738633065666334383338366130326131373864386539396165
+35636661396661353964633366316263323636623434303963373537393431383364616531313761
+63386563343964303931373738663339363265613134343964613330336439366436363265316635
+61323439613733306665316536633665383666626434366332613233643835383661363262313230
+38396361643566326165643662373130356236363434653361656565376134353862363839356465
+35626665333034323831623839323166333032653635663438336238386464313839633964386435
+61366662643831623161363865316439363931313065363635663839666234313062383064336461
+65333465646466323363373563373535656135663538306131323264613233333861326535323138
+32343866326364343365353962663438356137363730343263613961333033303234623862623564
+39656665343837313662353532353831323039636237643935376233333565613731383763646235
+33383236666365326166366638393665303735386334623866393761333832663461306632353338
+35313761653462633065343438623766663036343262313261373231613332613935333066643665
+35666635646339313136393538666237346264363765623037323062313233366631306332303932
+35363261326139663766386636383165363236663233326330336137393764366365643836646638
+65326432616439646237656234336635346334636233663335663138616134313565396335663139
+36643933666232323462613335316137663663613137383966306261303335663432333361666130
+32343637666261653031393435343864353539633263623464666462646432623638376661383833
+37646661633731303438386263396333633362653465306232663765376365376636316132376431
+37313565393261643864333766306130383636663262303539336136656535663436366165316665
+35633136663639386264643639363531376662653735343130633832653162376230666165363735
+64393639613839323530343563356262386136623263353632366232633035623432636236356136
+64613134363835653534323131666338623539623638393065646230313837303238343861633738
+34663835626532653262613066623230636131343237646636343534633461313734346339396138
+65653263333266653162623964316130366130643363613466383966383964323736663438653930
+61343130646262663137373162396464613332303533313366616233373061346637633938333161
+64316332616639626137616461313565356338323534636631396661333431626139313135626233
+38316536306433626431333833646565343636333131663461303738323461333639636264316666
+36303662646331656438653336353463353864653731343231383464646265376463623961373930
+39373064653366363134613537376439613663316333356237653736613433326362353135653664
+32393639323463343864333532383438623966376338376331636431333632346166656462643861
+63626366346530333536373331306166343762656165663662393839376364323831373763393766
+31353130616161336530626132316337376330343861326132646437363661363764316263393663
+36363265616439366138373638633038346266326563613733303233353639393738356331343665
+61373962653138353261363737646465386366303864393066643038343566323530376437316237
+35313431323033656163353538663639393630626361303465616539376231323463363362383462
+61363030393639666263313634646137326436666261653734646635666137383434633235373339
+62383164316364363964613734313533653339636264643138313537356166333561383462653031
+61633766373061653838626565646165393630613937643637386536636166396534393339353164
+35653737663137373037653363343033623632373637316536393033663335646365343731623634
+30326439303833666434623532666432373162303064353031663539616433616264303164326363
+65376232333364326664346132666566643961336630646331363661633865636432366239303664
+33666264636331663438656533396436646536346237313562343032353666336532613437333935
+66623032663165356338383337613165396230646535666465623730636465656534343134613439
+33346164336138393664393764383233386561343631376364626131633564666563363532353337
+33363135336333363332623061326230383539623730333036623835666635303331613131633432
+38653732343963616331633735303739353666613237373665386364396437653037623564313862
+30646336646665383233373233373339313539303062373534376264383439643066383965336632
+62343966386334623831616135373130353765613330333134393461383731396438353966346638
+61383038613065643535613431303933633562386138623832333864633332336363633664323435
+31663636653634363462363561646461616231373965326236633166613061623631363738313130
+62636439356462353633663839663666306336343832616239346430373038323735656534353630
+38643533326262323463643363623439346661383039613333303134616366383730656466346563
+63663563363934353761343964316232616335633639356364613736623835386233383038663063
+61626138313732343866356465653466353939666435306331656463623065353738616433646534
+37663839616530383437626139386433396638313632616233386165666236323061626532313038
+64323962346435396434303262643738323063613433303966316339346432353232613630383936
+64643763343335313230353636343730393236303236383164333832313461326437623662646535
+63646336393163363236646434373530373532303265643934393032356364333966336361363034
+32626638306363303966386365643366613739616133636631303136353536623332613863376438
+35656234653737383639373433336135653564383439626561383261393038306266303263633739
+37363134383439316135393061323466636130313638303163633365356264323939373432636363
+63656664333535666265613733386538383032626464323539343131623934393335663561323831
+61633162373264306632323731353062613231626465373965353738346163336364393332386437
+61386439643235363532386165363030323831306236383633366630313237633033363636663366
+35653930386338623337366665306662306536666162346662343030363231633664333531626637
+64386664643562376363646162633037643730353335333239376465663733383066373138323234
+31323236626632613566643766633765333433663263383236656566356435666466646262356638
+39323866376638366638376536623363326438396633663832666334366662613438396363343963
+32353834336437343962303332333561353134663135336465653766613535306431643661396361
+32636530643263613466393961623836613939623737633836613664303762383665343936363862
+33333762653866333638613638306366343234353832636633633363343762353637646535313838
+36653136333830323030353266613432623139373835653263353634373365623263303539363235
+65626235316636663130373062313966316362366136653630323835363061346161313832343532
+33316564386439373837633334306136643534353365346335623037366331616661633265613466
+31323738373936343461613164363837343336356531336264643835646332643031386430643136
+62303561636331616364656630366532366638623535643264666333366166346330623166346266
+63383337623462376430363462393766366661336464313633373039303838633536636463383930
+35663334663961333065303634643561646665643734323865353865366330653861343239356266
+39326565356631376238316530363861336563303132656166343433363562626331633239616432
+63613831346330346366613065343331393265393332633439316532646135353765663232393065
+34623334336337643666656534333738373131626535666239353830383137646633373930303236
+32336132666362353434636237313763646232343137396332353635636638616666626239663934
+32323533613561643437663062643335306235316662333539363532623262393237383861393633
+64393230306339336531306664386634306336343638616162613334616532313863613135393164
+39643934613939663663353365333365353965653563646435666133393133393939663636626634
+33383562333864383363386161623662333935643862313334393731666634646662356238343833
+31323038626634333531326431316462303166666333613266373336616636303263623332343733
+66306664303835633765623464303838303134353638356230626439613131306337333830326536
+66393864613866306663653631656136633830313934666565303334393263623162323934363733
+31653164383233383631613432643966633063306630393665393538313336626465
--- a/files/openvpn/dh2048.pem
+++ b/files/openvpn/dh2048.pem
@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.1;AES256
+62323034333531386561326634366134653437616338333435306462316132356539316230343632
+3335323562366664343739353835356139343632346631620a363362313263383531313162656165
+37333232386630363134633339323136313532656139393262373736373733356632303530646331
+3436396430623565380a663536343863626265616662363138383438316438646336333064646664
+62663231396566616366646539616535623533313839626433313331666561353232623537653637
+33353161393333326263366533663461373139376561613763636464373964373635373234393631
+32303232353162346564306364646532643238313631643262346437313534653430343930353332
+30633336323061353932376632336262623436373861616561353866356430383765663136643565
+35373230393436643639306665613261346337613931386432346436346165396363373564353432
+31626538373036333765626335326233623030383439626164386565366166356430316261646338
+36653531316339343438383431623962633133653235623438333632386262653964666332393532
+31353537623239353833353235653365303031613039616634353564343265306333313331633065
+39313033663230313536326434346462316238313037336164323530303435326139623131633131
+61646130303062316134613239343539613036393963313464653132383735646633653464653930
+61626562343064396433666137323566616134343462373662623533383230383861393030346337
+66336130393237373637393535653066653533346435643434393230663564343463653033313339
+66393563633930363962323863323930306433386131353063306438643738373064303930326435
+36366131646162633630666138303564376130356233643237373838366264336136613039376562
+61623033316662333761333062343031353162663261313830326466316361383735363766303031
+37646262363964616262366363636166306632653161356362663339663130323866653730346139
+30326538653465316265623632396261393036643137353739366162313131643334393363326239
+64393132313631626262383064313634333937313664313037333264346662373963663631313430
+34353461643562316335343433326266343034313236323763636466353762326336376433663737
+35373164313830313963633237636134373430356233643538656338353737376266323763366533
+38633430393466326564373134373566366265653063393333653833393537336465
--- a/files/openvpn/server.crt
+++ b/files/openvpn/server.crt
@ -0,0 +1,289 @@
+$ANSIBLE_VAULT;1.1;AES256
+64633266656361373061626438643538373034326262333834343431346334376262316637653032
+6261636630373932393733376464386264333966316439610a633834366163333239313539306562
+36366437353434363562326265363165346534616664303065353861633966323632343932313363
+3931393831623737660a303036366166353565643161633138353238656130383961626336366238
+32396137636439353263363961343663333436323333643433663261393766373036383137326566
+61386339366663383536373464346163373436326231653561323062373433663162613466306233
+66636330623362316463613738316630623264383830383466393636353736393161656337313237
+66666462316135623732653633363737353365366330343061333966653561346363376362363362
+35383138333665343433373038373839633661306138336135626636623362653636656439343962
+37653235396363366236323466323431636231626462613063386162663032373632376138626664
+31386562326264353061356164306165653361396534323937653965326162643136663461396537
+30336633383862623964333830643231633263363236346636643764306533346536356164313538
+65393166663965393531616665363835306462326539313133336331353135653566303338363564
+30306263626634643136333239306566326465653566383437653263623634666365343736383133
+30323865346433613163386631353366613935653536356235336333306639633638393736346666
+66326536653836323634393935656331653366633662306664646238616334303362653231663838
+64666535383866326161383933383335383934373237373863323338326636326230383439373863
+65653930316632633930646330633435313563323333663833383936333665383330393962393930
+31633331303138626636613565626639303232323531646166623337313062373439653462623638
+33313461336332653337663938666636646364633562643937663834613038333762333435623065
+64313538303264626433636230316537663035663538313761643563666638643962646134623533
+37363534343166666265343564623539363164633335363236663430663265613234326230343332
+31303238616231623937306538643536326637363766636563383337353462333361333437666531
+65363738633735363164633963366632633138643966653861353831363534313666386133356634
+36353365373662323465303939316636356565383539363439623264303362626663336466626230
+62333834383730653961306331623263643839386662666331653634313462316361393661383230
+64303332636435643966343230623432623931373464346339656630313265613638323535656336
+63653639376534646434366336376661336638643561396632653639623839393164343030393435
+65356534653863396334653362306262626136663533316361346139303136313233343766663238
+63613338316333323564303639396633616366653034303363363238346632613939303362363834
+65386135353636666661633066376362366436353237653966356332663534666661383932626661
+36363634373065623566656235643738383263616163663237646664346137623532376363633461
+37303761346236663464306237323965326366666566353438313766626633646666613364646663
+36366532383535383664313038303339626335656532316332383032616262336634393539633866
+64313935663836393661323832306464623835323836613731386439363535626435613164376561
+66346638363533653239393239623536613663366235393937316265626464303965663030613738
+64633635376235353264386461616538663639353731623631373039376466333166346130323133
+38306563326632306163386238353637633966353830303936363137613037383432343162393561
+65633165643366653061643638626336373039363662633233386362383833393438313562663234
+37303433383464316634313461313430613662353730353161353334303163656332376465323331
+36303333613438633962333635303931623937336532353565363333333830393732653262616638
+37633366623738353262353965373535336335663934393862353233383063396266306462313433
+36383761306236313231353835326265383633653034313133316136353938333739303062666537
+64383963336134303137376331306261623266376130396634313333376262653364323134353064
+37313262383964333139303232373737613039633635373030613538373662666161376363333562
+35366161343030386261303237383266653131383234383761373837653864663939336134623564
+34373133306165323363356533636330313766306230323561366330326233303464656634643763
+30303361373166623437303132613161326661623935313465633262616231366431336639356461
+36343133613134373165353366663930386465366364643534396439656166356237653139323031
+35626165386132376639656232323034373635353064313666396131366335626139663263356338
+35393661323932613630613536656535323637643938383132663536303436633333303961643863
+36336134353437343837386265373165333164633837386637343835306434383031353834393939
+32366462616236316436386263663036646238366663343664643365663334333231623464376531
+34373632633037313765616436633262336137633932303065363837613837383637616566666534
+34313133316531323766363230333539626665623461653130346535386334633166326465386431
+62323666623031303166373066383236633939653332386563303663613833633762303736613634
+66656134633636613630613532626462656238306565616532636237336131306439366363313233
+30303062643737656130303132626637616436356431343866383031383531646666333139363931
+63366236613832653562653663646465626436633764333936393331396138326531623135383765
+38333236373033636336303938303666646431636538326532353339353966326466653631373336
+63366338353333336161303337306364383435323935376639366161653736326165363862343137
+37336262396536663162623266373336393136303138323131303532393165623232373033626264
+62373964636432656263323862353433646461346162326230356336616335353139356565636138
+31323132326665633537373333623130396533663437316431363361666561366464633161383261
+33323730373036656162373834313166343533616335306163633866663763663834383432366433
+63623165323238336464353634316432353237623034303131366435636538643432393934316466
+35336532656439623031656435626365666164303433353332383831313064326533646239323933
+39373430303932656266613561376635383838396137346666613233313335396561353564313461
+66623062623566356235663561663763356537343733363764343266343335646364336237656534
+61666536326364653530643739306562333466643534383430396235666462343134306534356637
+36386434343830613665666437653531393130613665333938346662363561343562633063333734
+30333730653237613037373236663161353735623063616437376231616338326237376332333934
+38353963633837643262343762333933323462323234653733633561663966626362323461623236
+62663534333433643536646262393033306437653238373765323132393638653966313131346366
+65313364666666646232306563373239333431313032326433333832303335386462353764373430
+30663164356534663465623065643761333134363237376164323864383862653832386632326337
+32653762353666393035303538386161306635393833333538383831376437363135656234636232
+63353037346438346432353636313339396335303534336565356631353363316266656339356537
+61356163666266653062393033623038306161393533303930336131376139616130373133643463
+63386339303639623230396338363230323933363639393561666237636436353339356633373239
+38636231393032663234653265623434326234653539616463613538343763383539336535383937
+32353062366230663333303832313565643764326266626235663664663132623935626635633966
+62306461366537386131353832343539653932393231316239613866383839633032336636653339
+63303664393966613337346135336137343030326566336162636466396636363335356238663534
+34646336373935386331363936383762373538646461666438306231383063333539376136633130
+36656132663037323738633461616530653130386634366534663065346261343763653766386430
+33653034313530663932353264326538616634353239363936333533353930653536363134323262
+39643766666438316666633431353138613630376638336166306362396430666136373237373362
+65616534323134613735663339633261316263656265646161643865383034613364653161303161
+32623864653330343865373635666337663132373264323535336335373962323932333738323232
+35623636656666333665353062623234373131313237616439343438663833353037356535356438
+63666366313136636130353263386234336537663630323738623264646164326438393365653539
+61643935383132373236663162333563356237373638306530333462353565363964396131613162
+31323665633234333630343338343263353730313939616530313238343134313834333433613963
+37353037623033373536326434343135366535326165303030623464393835303938303230653435
+64356463623739643761363764666237356436636364393465656563343862386131396439353330
+35633730633733653233333031613939346132363035333534363239343930353464393833373633
+38643839343134393935323463366537636461373362323761336130396464656334323163356665
+66366336653432356539663833656662653664613262386462363536383838653163303162363666
+63623732616562396265343663353565393530313764613334623938323965336139653235393963
+30386337343662323962633064383131623639333961666232333831356563306365343431316265
+34663064316463636431323839633932393435323362656634363864646562323136393562373163
+30313733376638613230323966383038633331663733363466356364363561646439353962613533
+61633633383235623265313962346538623362663138623562333932653038303264323238616435
+31313131666333653231636561616162616633386433336438636632383662393662653938376639
+32343134346263396333613435353165306361313065393361306137663436663737303130363465
+30636437623036633463666466333533383865643032353565643663316430346433393265323134
+61333039323839656239656231663430303164306461366530396565373839336164373263666439
+38636166363339376266663332343134323562333138666336306131663131653039633062363532
+62313666613736633161396464353532386632366161316330346237386237323266323237353235
+35653434623333376230336262363364336631306430663336633431666162356430313036383664
+62636331323232393735343833386531613132323636333836663436386261373863623633396534
+34373563613964343337333465346636336330323139326566663334613966363362326166303135
+39346239353337636630633138663735663039666437633837653065643539653035363631386237
+37353537626231646365303066633062623136656538623836303038373564306562303239346462
+31623139653563393535313030623835323365613431636237396365336463373363643665653234
+39316633386463393330383831313139363463356238666237653732666139663535653232373335
+31396562373738303164656132643532623034396433626566613730313031323935303535316130
+65633137666566646461336462393866323139646161393233306636633539336666656533636534
+62653431353039636530333434353965663534323831653864386263646231633034393835623235
+36383131636234386434633431653833656265353763376430646563636466346232393964623566
+39366430396363663564303963626666613931663138626431613735323130646536343266636331
+32346530653261653035643133653930623039363466643932373037623436656532663261366634
+31613138373232353135303230323334396330363763363263643863373135633861363364363336
+63653033353363383735313162313866653562616231633962643630323761386237633661613831
+61346431636530363430616533613365623562376135376333393166333937353036343365643937
+30656430663833393837613739666663663133333533613339373834336337356562363761636636
+64656334303462613635323866623264613665633535653438653062626137653066643765663232
+66663334343832303832316331383832366336633331363239663833336435353366396464323032
+32656238383335306435333161343638376635383237666165316161653064343239346336313734
+32313734663661336462633665343036373363336335393930643436396561656330366337356339
+37363733653230333766376630393064346636316536623762336266636234643863353034393766
+64643135373335373137353664616132313934643265623630323639336339663766663537303935
+33313136663139343865343763343065353733376565366466373166626637646137613237363564
+39353164313166366631656532326164393765626534323235343738663937643436393535343664
+33663563666163656132373239353736363662626163383762346665623762393536623362363537
+39303139663934643662383162363235373533353336623432316263333666363332656264343461
+31326431363135333534323038313836323063353237636132333434303338353061396163396335
+61663162656630643761306663663739313931623231633737356538373062626136333463306232
+34643539666162366130353263636163663566663933356432336236663931653537306237366332
+64353535363633343536643534363036656534353761356339313337373237353231386266656135
+31323462656164633937666666363135366435346565333432303133373836633035623436336631
+36326365386562386338656133626161623163613861353662393762613565636137366237643634
+33636439373663373234613238333863653536363064623439633839643161363061393733303861
+37393561633934613434653164306363373266643866396538643034383165623239383330303430
+38636236656130326139346239336466633439623961633639646535316132303135613964326331
+35643761633866313333626163346335383765383839306465633463336130633362346633343636
+33633666323763663465386530366134353365386535393366633137326332613839626635333264
+35386635643266346430646433633334303063656333316433303766303234323930396332316365
+63323939343036633434646432303761373433303636316137376134656165353931396631376334
+65663835643563653632333539383835383533633566323464326133633032663730623265623363
+31316332316461303031353665396566373636653236646265386439613536363635626532356164
+66356431663231633765626533366137393437363736353963373637386539616639333334666161
+64303333643564343139363364326339623161366434393035303937393135376436366165333132
+32656564633762323234376535643335306539643661353162336331313236623661663330336532
+33653339323634653036363534653930366635663330666363653931616464333538306136636439
+35633465393161326638363732653332323063653739386161353635376466633932646665313031
+39353962303736316439663061366330366630623366623561383839396536356534623838376235
+62363333656466363733613230343338623763623436666133376561333936626330303933326230
+30373038386439373262373230323131393230663562626532616337343837656437396233613465
+61306437646132383331653165376365376161366332303732366433373539363937633135313838
+33333764313063393637376635343436303934663739633532343265326431316235373830643030
+64386139653535376364633364393764663031616537643639643865313937373230633036653231
+30333834316338663335633631376137373035333966366362633837396262346165313539383234
+37353261323439373934393630343839343539636533663836346434353765363064336663316134
+65393635396365643436633662623533646130343861356366373363633330633232383063396537
+63396433653237613266396632643536656564636634383235623462613438626463653666363761
+32326138316466303135343465376538633563613536393239393965313733666462646463393565
+32343637363035323736333330323736306630316161643163343538613164633037653635653238
+61656366623739623065363836356530303635353461353836646238303064653565623666633337
+31353265393763346233386363373565623038376663303237306466626132663766333634623833
+64653665623939643366333761363030643866653161396534633633633464646566393063363666
+30366434663465336464613532633562613631303735633934336539656339343231306532636465
+65613633623964623332386438646330613939653861616663646638306461383737316439343536
+30386637336136373930333135663432303264323132316665383964333939646138643235353666
+63313632663061623736633661666661363665373366316134366130396638346166643438663837
+35383730373762363138393763303564383831356635336535386231643165653834663266653832
+62306366623133323837643137383635666435653830363664643465643033303537346264353830
+35396635633238633363613861333564333465373966623335333561386638353635303262393366
+61616137386266666332666338666466323138616236313237373535386262626562656233343035
+63663238343238356533366563323234306330626634666531633733363834643163643938643630
+31343230373437303766313161396637663766393064616439373162643538333436643432626230
+38653830336131336133336136633938616163306633616139366262363935383965383032656139
+63626237633831353464613330653536636533363566663561313434393166393362616538626466
+35663062373530333937333630366561336233366563313938386463613931666361666164346433
+34376139633863646666613266333131316230386561393736633233366637333032356261653332
+31356365326264343132633233343864366562363434346563343133363439383033623035376662
+30633136333730326161663731666636323164636430636338303434383063653533613132363138
+64356365373237613134393830633837613265343363633934366339626433353330646530653431
+63333266653033333738303836633531373638383635343131666133313034363365356634373339
+34313831363532623735656638626465393861643934646232386630663731346162383136396436
+30353465383232633062326332373134353366323366636631393561346632643964313434323737
+38616138663232633337393439313763393639323839366436383664616438366166393931333063
+66346336623762613464623865363066663731663535613139643263353664366535313338393933
+37653561616664393130353634666332616434396362393539616162363137306162613435396537
+37366631306430386362376536333331623535333664366363656138306165343136636266323631
+63663533643731623061626334656566306164613338383763316661663937343461393938343234
+31666165396431336338636438343764616663633436656165306136616334643735333837666531
+38663330663030383938316465363830333138363836343037303839353738316633363538306335
+37363136656637353332613566333137653363343633663237643364653535343765636465646632
+63636536386361323636323666373831636637333138616464633661343930336238646136386365
+38333432336263616364623937316462376533323335646431373938643338383163633562383235
+66333664666438343832303030623131366364303635373838356534373939666133363631383364
+64616335323032393238633334363965653132323862353033376238633161363635383130666638
+33376430356539343434383035306237653138323235623436363037633730396134303030663762
+33363664623736343933326461373938373339353538376161623832343033386339633032393263
+35333564386166363233376539313665393932343739393931306263383965616162333833633665
+34313962323362376633383466376563663938666636326563393261653363633339646164666531
+34343931373065326439663435336238623066613438376131646166373566363532613763353162
+64656438336363616465643862376365373436396437373233373931366666633566333665353336
+38643139666135626534333761323938613335383532306565626330313236653534643335333165
+63613363313530363738303963646130333939363634663263656464393063353932333562363239
+61306663353562333064653332306333373561306361323139633835626561396237366435653835
+38636164383762633037323164653534336435613863313731643435643335346635633664303131
+34326364373465396562336538643837633235613132656266653037616639626361633565306536
+31306631613536633862356166336466386366336566333463623362366132356463623563343635
+33646336636664323666343365333530663366376664366366643937663136346462653939393436
+61393735306664653437303232666233623364303563373337636566323034336430313739326431
+30626335323337323862306663333130366166396561393135646239326337656663646535663439
+37363731353239316462653537353961663762613530373330626662656161613438636630616230
+61623734643762323865353961633835353639326533653063633336336262663833636136313761
+32316430363032363937393165613836346335303364366637626362646336643139633034653334
+63313330303933623731376535333436613731393732666239323063646432633166626233646463
+32623764333362333935366564323761656462376162323633633266666535356135626335643963
+34336366346662643331366265316135336561643364656232633230613935623735336464393930
+33636565616130393065623065383064656632393861613733386265316162666234383231656261
+39393830313832653830623936623666326666376562336166326538313664383537643061336134
+33636139623832356263303063643235636138613761666532363165396433666530653332633664
+30666362636232613536663537373635633861303864346436346330613164633039363363336261
+33643538363430303930326132353431323363643963323232633337306339356431363931646232
+36383230386134633339656338366666343139653062373930656531363366653663616465323232
+39323637363465306336653033643066323432366561316563383533663564303766613334653938
+35393765383366353965333062376666396161323664346636353562656266376261666637646136
+34353366333464613764616163336631346133356265303566383861313566333234313536343332
+36396430353563336530313164333831303466356664393465353134343338363666663237313831
+36313738353830366136643331373933393766323161363635333832653136616539336332323163
+62333531356162323362316430393631633265353565646563306536636333643734356661613035
+39333461323031386239326461363931366634303966636365343465376637326562383939636662
+37633061616335316466346139643363396266313066633966363965313034633964626165643864
+66666134353337633136393131666462633736623963393765396334393361663661396365396538
+36353135306565353962353037323433303261326533333962613439656162383264636239616338
+66663039343637636532326463623339386239633735393361373633653632326461643635326235
+65663336316562353239646461643663643431393639346633373232346639663563613738383831
+63386136383339313261313832373133623339616439313865663063396135343839366566356634
+34613637366630306262636365333132376331396231643830396362313039363331643132313431
+62626663636662383666316262653163346239343339326161376162366631663661633062373439
+32356561353733613764383934376337396238373535396661313766313130383335356164653361
+38393432666639366536326232316234393332323433326532313366323933643065373735303339
+64643132633535383034356466393339633630323834343730623332626135366638333232626337
+36626662373137656337376662663165363836313238623462353962383138353134336139643866
+31393966386432646163336166653163663834636538616235303963363039663535313736313533
+37613130663330326131386336303831313163633334646365633262386163343138353239616263
+34396132303661653137353138356135323266313739323164333931356665393531333531396138
+37666164626338663436356164333264646338396435626138633735396435383762663764663835
+30386437386530653361343139636135653065306137313063343237646531333864316366626437
+66356565666662643364316631393731636662636365663034366263346665656137663665393738
+65336437323263383230653162643165303761613134313863383938313935323938376166656230
+30633736363164653662643531643536373465303535373236666535663462613162306466363364
+38383632393862653562633038326135666437393061376534376362313030303365393739326530
+32373165666563373435656334303731613935323238623164623038326535303835363232653061
+61386130353334663735623738373864326261393631383738386139643137383165333533663030
+30356466653438393437633039396134353537653133353532303932623234353364373330336437
+63646465643134393261653663333763346537656337303961643234633833386138663433303665
+37306137363633653265643638656363366563396433363437303736613836666635653561666366
+64306637353037313363653934336330623561353230643036366438666363373962386265386666
+32653466353838393134613931343231376363646134316266626236653933313937656663363832
+39303662306663343532313762613964336661313538393539336163373936383033643635373162
+31643463313061313738323165303566643963373261646330653130633261326532353364383631
+32326531613235616133636638306163646139656432643738623261383866616333633364376532
+65343137643636373538336464616135356362376430633735373130626636316137636336326536
+35376633643562376230613233306466666236393362373566623163653532386230666463383032
+33303135343030303764646436613037303033636331306334316138396166633336613061636539
+64646133383136633337323462306436323061636337376132613262353031353935376632666339
+62643061623439653966386131626166356134646130663537383762346464663534623266363132
+39623437613032616261353231336264393039623539613164343437613462353139333663616533
+32373739646638303366613236343262326533316166353436653837323738373963323635323937
+36306231326365346537636665373438623364326132353062623661393538353136336136643162
+30313266363934623036316336376566303336326661386435356330396333353262346331636566
+39356264323130613666316233356130623233616665653365333161383864666664666433303637
+65616539613061326462333636373762663936393832343335636230356365306464663637643062
+62303664633939333663643135623834613339306235633437353139326537663561666538356637
+62303736636163336565373266646630393839373233326539353036346661616661336434393733
+66336134393532656330633464326232363834653266663636376437366361663537343165373661
+37393563393662633032626333303437313938313237633432643365643030356531656165373266
+64666332653264396136326436353365386631613165633265373132303134313938346438396161
+65643966383536623232613763656665653139613666346566656434653838386466306330303766
+35326136306133346262666534393537306133613936613339313065643734346664626634646531
+31666637663236393261
--- a/files/openvpn/server.csr
+++ b/files/openvpn/server.csr
@ -0,0 +1,59 @@
+$ANSIBLE_VAULT;1.1;AES256
+64636337653939633132376466633439353733363734356633386130326365356431656262613833
+6361326630366131383631313962316335316163383531390a656531643761343464376330336631
+30373939316464366431393030343061303836373536636237316531646365316433323433656239
+6130373233353739640a633839396433353539383234626362643631646330653136393164626466
+39626532626239373737326662653733666663336665363133366633653966633761663364326465
+36306261353361306533313238343838396263343130353732623662356332303365373361393662
+65653337393365633537636464323234326535626133376662373366323534656333666338613365
+37633462373233656264643833363537613638303236643061646637373166326235636635333961
+35343835393864343234303662336264363566626337643365643630316531326136363763613865
+38363166303831393564353134306633643532653232613339663334613230336530616363316335
+34303530313036616632346237313936383265383137333033663036323361363465613961616338
+66323066316136633532616431316563383062396166363261666330363134616465386236316531
+31623437313832303739306330383832346263613664353031653437393636303639313037336431
+39633236383338616435373739386636646236643663393437623036616461343863396235376435
+33333531303061333934346130333864393165366333366161366164616366333939626337366663
+65353233356335376534643665376164626531646362636437653739656235323131613139393431
+35356663313663303133396330336134623539653035326161313935383933653134636139373765
+32663061653832353635666666323064323737306331616636663565363239366166313163306231
+36346662616635323236663234346563616134396362333236643035656436653533356539636439
+64383535636637663836313333396230633965373737633833333262386334343865386335323235
+35323732653835613930613263643561623630386134643934343134383531366431333561653338
+38613139343630333531366665313333366665616662383266303233623364363862643233306537
+62376632333763393732663431303762306431653264333733653130376662363463396365343232
+35323164633064613638313930613534373131373330313432663338376261616337633935633438
+65316430373064646635303437613633316435366136323065363762613764333261366162353761
+34663062393166623963373935363130383061353864326462393161653163386537613435663066
+38343831623631343439326233353164366161326338396134336539616436356338373664636636
+31376434333335306437643662363834303066323433613966613564336538333736366238306334
+30643433396263333463366136623133353735303337623264653261363964396438383462346335
+34383936633637333336643662306536306533393937343964323832313037383566663633373136
+32623336323630316564323030623036623335656562353936343261303163326433656330303836
+31353631646663656533353735376133643935633261343965386334366631373434316163333966
+31383764353438666531326637616235343532326338613361336332306662363336333461323361
+36616139383434623964666639373236356235663165636339313337323035353337343032383566
+37643633333734343562653637313932613665303862306164306262393034366362383230333165
+35626565326231363533626138613234343132303432656530333132326632613061653163623632
+30353661373733343735326131366537306162343433373662353132623333376534336336616538
+39383537333065303436323735376432386331396237393166646561373334396535633335363537
+33653866383665353737383761623966303437313230306565383634366566313138323562326163
+34336332363736623664643435663132386434613565383663623431306339613035366433353132
+64623934643234376332343562376265353730383865363734393661393634663236353365633130
+34393238326561653762623236383634646263646331306639393936313537356561343362383136
+32373030333034336236393836333331343763336538353930653535633739326130323237656430
+30333665323437353462316336383638363439383537343564613365643633626232303034366566
+39636436306238623461316639643230393730656363656463613236623631363466613433396433
+32343630366536353737313964646233373762656430383764616633313665626335336630653966
+31346330356237636135643934303261373434623561303133323165666136623334653965393539
+33613830666532616333633632356636326566343862653564303539353133376636646435636565
+62646563616630323636623036613633323735663631316335323666313962323634356637633463
+39666233363237353836653831373661346637353539343163333162636531373266373530633364
+37373565383236386231356366616233316262383461316535386433666539343537343330623035
+31383631643636626163346333373063626264313733323032633164373030653834666665383335
+31363038653432323339663033303361363266666534303562656335383131383434663564386661
+64383234623437383035343735623763376462633235653437643962353832613432376564303030
+37393834626266623664383633313831623338343633656165633163653239613866383532306161
+32356664363864396262313934373832653334303336633235356164313061663930663337373536
+39386162626233353330623831623366366564393539356261383366643038316666323731353365
+6230363831656134373564393432623130303963646262666137
--- a/files/openvpn/server.key
+++ b/files/openvpn/server.key
@ -0,0 +1,90 @@
+$ANSIBLE_VAULT;1.1;AES256
+63643635616133643963373633343538323237343637326661666138376233666664623235333735
+6336633666303635346562316566356237643962393530310a343630376139666365376635633132
+65386237316162336461613733393964313866323165383864303562393361623338373333376137
+3633393437663938320a313436323737393763616465306230383766306261346562376233616637
+32656563373033663666306162353239303966613731613161633631343064666465353562643330
+38376639303262383032336235366134303932373930633230326538373333336236373630326132
+35653065613136333332643430333464313334363437636565656266306432303262613865383333
+64633131366435613661643239343765363462356166366136653465333365303838623138336432
+32613561346363326436336632363637346665373165303963363963646236326430353034653632
+39663062323461376361383766306335653837633862393830343439626539633064313333346330
+65363032636230323366623461373264666663306636666365356564343631626638333039353835
+37663135333032393936306630643531653930633965393731663530373764626630643364323733
+62306539613461653439343163393233623133653031393937633335613239316532353630353361
+36376264373935323634663832306530623065346264373131353761623738646661383330333861
+32613536623236323263313238353866323132386566346237366263393864353732316232303132
+34353962346537323466323332326266613239313633333130396531376263383062323730383164
+30376536663031393862636563303763353563646234386439656136663563623862313562633166
+39656562366466643533313539393031343032656638326334333765303932353038313430353266
+39313930303234646664383438356364356334623938306566353136356263323432646163363231
+31386364656339666630343039336666313536373763323337653065393330376234376138613564
+66313739336463346232666563303033623536323563626332616532656338363037343434633037
+62646365373833343364346162396136376134353733623337353563363664363363326135323532
+33636538366432363635363066306661643433613034393564306638356139663436336134643132
+34653931316462636262633037366635646531346535393666343035383734386166633634326536
+34366134326664373538616263306534386235336264383836623438303261663130396236386633
+64633137643233393564343130396534396137623637373231363935343964373232333366306333
+61663866633932303163616362333834613061393464356232396465663234313035326632376464
+66363236353031383232313465663232383463306239646538316534343864333433623164383065
+35393661663334303832653732346532663164313332653564613033656633316666323330666539
+39653063643038613031353865306531356230363331643434323866316534383030626637366332
+65366662613032653835303931376364336661313662356130373632343335313164663066626639
+39383237626664636461663634383664383238613138623865346535383564633632343063393838
+64623835633165363663333765663939396332303936386362653539363463393033306632393265
+39323363376331663537393336383466306436613838306465653035633930643061333833313461
+31633937623966306134616534653333333437346532313434346664653762646531306132326463
+30353433376461316131396232303963396461663837626634353038636261643734396361313136
+36636238363130313966626336343464303432343938323663343664303739636564383561616537
+32363531303633366365343637323162373862396437333433353937386430643234313866633366
+61353636623433386166616635396166363433623036333137623437356436336535313066613937
+31363636333165616165326565323431613033376265666665343137353131366265633338303036
+32393934646536353564653934386137353838353838363834393337303761643230336162666639
+66323134646165396134396664313035343464346163636539323562343632353830326637383666
+35353131373530363761663434396461353065653964613565623964313165626530666132663030
+39316666353736396633346332336263666161306663663564396664373234393166656261306164
+38326635333962316162303539353737336466643864306432366230356163316133383830643330
+34363539636534336565613235383662326262623638663762643334323965313532613462643632
+32633035396563393662353136333266326332393264323761353731306561356335376463343236
+34383463336462376162663533333966306438343330313031356133643065363161386665636337
+65306332386432653865313236303433336663616561326131323561316630313664643162653038
+31663539326236626361313162343561373835323330656334653531643564663662393964386233
+66316336333932326137346664376366343261376665396632656361666363633034343634383633
+36363135373037356336326164363930376638636535366565613633346431663336376466636339
+32336239366233336236353765643262653762356632623735313665333632613661636238663064
+36316334633838353634666266633134393131376665363732646636383239383337386538666632
+39646536383763623230303032616566623233313932613430656563626663656132623164326639
+31333366643062666161353336623537393832633131333435306630363234393834653239366138
+35636361346139306134643332383138336132313362313937653736643732323961633035656334
+39313739663864353637396333313761343537376330656339613163363563383530326461396563
+37626466653263386639396631353537626231666134643237363631626566333762303665336664
+33663430316333666330633864353935623239393662323236303137323134626637363663613964
+31643162633636623462383132623338323839393331313566376235646163636238616131383730
+66353536666634333032326462333733303363313135316639633462313165656666306433656439
+64613839303233356137366364626665633730616230323862663661636434386564316139353535
+34396662336665323565623330393662383162623634633430316231363938316631336535343230
+32306366663936366631373637613230323963313861363031386334333365656639656565376639
+61623662313033386364303862363165373739623734666531323738386136643861616439376137
+39303832356536323738353537663866376535643030383261373666313964626461623761653730
+31663663386361383361323437363264303465373938313164666435366535323230636330613631
+37353165643235326537633865323565363462363038366463323732376136326635393738623433
+38303139363566346132633531333838373638643133346333393736363666663539386338386238
+32666532366265313635376130643739653363343264633663346635643163646561303465333965
+30326339653562646335366262636630393632646338613236303537366239393864363231346538
+66383936616563636439383732646264353634393239666463393365663638376463373164346531
+32336265663431666561343333386466616266663438313230376266663231666634323939343961
+33626666336630643034316333306130386462363230623566356532383561383636363031343531
+30663965323762363161666333356163663333373435623433616633383134616537623932313537
+33323464363531653965346463373663616635373066636131633964303533346331313862363637
+39636337666564663265336534393336393862613833396539613261373132343131393338316366
+62323530323065316539306433316263316636376134373131303762323231353531353330666434
+34653435643530643438656238643639323265383337316639663738333263306238623933616266
+38363765386566313463663335363562373938323161346337366432383633633535323439666335
+63343430316535303338656437303433386265626436643039623839326539343739616335366532
+61663532383532373037646236366661613932393637306166356162646663636534326534613030
+39363939666332303663363163303031336264346333336339383263316230333164626166663836
+61366530313565383862336363626566643064333130393231313466306563663936363364643831
+61633038616339316563623232396133343337623330653331336438663135633738613734623839
+34323038353631353334663234376464396164613034623734626635353433653635373733363634
+34636333306431313535343161303564626262393338636133636634643436626438393863663532
+31343262333835613938346330326463633934373832653436393535336331303133
--- a/files/openvpn/ta.key
+++ b/files/openvpn/ta.key
@ -0,0 +1,37 @@
+$ANSIBLE_VAULT;1.1;AES256
+66383463313234303737613830663139653933363264366361653762383532666664366239613763
+3035646138626235636435363862393035336365363436360a656463316433613437613339346232
+63663435613936636234383233623164323162623233626535353537643834386136316265663434
+3939623763366330310a623938613534636166396634313465333835613066343332616164636136
+32646132363234333732663830313738323431303165373239663063323339666366643731363836
+39656266663861333833333866323036396631663235376533643366333734306132333834623463
+61626631303361383263306563356530336236663536383362363931383431306634353463323262
+66323964643835376162356132373330323533393961313339623361646666333566353134306236
+33356431633139373230383439333761303034346635333464396236623830663030643736366665
+33336462636534356634353535323036363465346563356261623964306130623164346266343032
+35316331323966303938663039386532373362363863306364616465653564393439623634356430
+32646462343335353165643535323834356364323930333534643438636363323466316466386537
+39366532353165666261313335653838353834363434336562663161373463623261626231333432
+64656466623031323163343434353663383032376237633963663935393463653833323430313531
+30333831323834353139396233363765353465656137626338396537636332323736633832393131
+36623731336532653365316336613937653735366432663430373162323630363230333131633831
+34356632663365336366636536623763353535373737326232353538346161366432626632343038
+32306562393234366364643964366131333537653436663432633365393861303036616363316334
+31653337616661326361376130613438383830333836623163363531363865393264366438316566
+37393165333636666365353061303738623333646664643061393137326332346430663032663563
+34643962353734383864313432656362366336393164663036333339663138356562376532313864
+30363866326331666666653362623563313631396561653166303265636531316236383737356531
+32333832326639393963326230666337633961633839393636306239353065663464386366363437
+65653830333938363734376465343433336134393933366163303862653566393863363864333033
+33383830373639303433393066313062313634323135666139386334623038343363363164363130
+64313164643132633639653030336131396337653339616331393461663632646235636237393837
+66633466633666343036346330386639613835633964383738313861363934306634356462633461
+31393731326665633935306266353734303137626539343636363931613534643337646666633835
+62376662356364343238643564383761613263313364363763656561333138623464326531643863
+37316562626362383861626161333037363332306463306638356630323631333637316439306233
+35323035656534323761626433343163343063656235653537626463666365363335346539666239
+33663039646430366631313365636537636338623939373334633730343032646132616134363832
+66646533363139306433663037623932353636356530656437373165623632393134383530316366
+38333363363332373131646364633433303933663463623962633931613937643463616332633237
+31363431353032373638663636353135393766353362656130333138353032346665356366393562
+31306438316533326234
--- a/files/radicale/radicale_htpasswd
+++ b/files/radicale/radicale_htpasswd
@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+39333463653766333336373030633535653336383435346539653838363466616637323163353663
+3934363237313063326638636335383936653936303864350a333139306161346638353039353163
+39323935643330323930333039306565653138343832613061373534616361386665383534626464
+3333303431326366360a386330653666393939636630623233626235616532666634383461363137
+31643439336563623965623535643664303232653765383961643332663762336134396331653134
+3736633939323131376561666564333763626532313361626330
--- a/files/radicale/radicale_users
+++ b/files/radicale/radicale_users
@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33316361623866386530336263326364616535383436633832623230313064353163653438383235
+3766616334333262333861393362303137393531356666650a353636303961353434656535623064
+34663534363432393734313761323231323436633861616166653734363934326336613966613562
+3662343063623836310a643335616532306162353063643361316431363966636665643233353735
+33343462613835663463356530633135643565326535373738373536313862626336376565623437
+61343132626466346361643833333963376136326263393765363438333161643633343133626139
+34616330386661363866393737353239303066353466306534613836613064333533616438373030
+39303736646330383733
--- a/playbook.yml
+++ b/playbook.yml
@ -8,11 +8,14 @@
    - common
  tasks:
    # TODO add ssh setup
-    # TODO add nginx setup
    - import_tasks: 'tasks/setup.yml'
-    - import_tasks: 'tasks/wireguard.yml'
+    - import_tasks: 'tasks/openvpn.yml'
    - import_tasks: 'tasks/radicale.yml'
    - import_tasks: 'tasks/syncthing.yml'
    - import_tasks: 'tasks/transmission.yml'
+    - import_tasks: 'tasks/nginx.yml'
  vars_files:
-    - 'vars.yml'
+    - 'vars/main.yml'
+    - 'vars/nginx.yml'
+    - 'vars/network.yml'
+    - 'vars/vpn.yml'
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -0,0 +1,50 @@
+- name: copy nginx configuration files
+  become: true
+  template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: root
+    mode: '0644'
+  loop:
+    - {
+        src: 'templates/nginx/default.j2',
+        dest: '/etc/nginx/sites-available/default',
+      }
+    - {
+        src: 'templates/nginx/gitlab.j2',
+        dest: '/etc/nginx/sites-available/gitlab',
+      }
+    - {
+        src: 'templates/nginx/sentry.j2',
+        dest: '/etc/nginx/sites-available/sentry',
+      }
+    - {
+        src: 'templates/nginx/vpn.j2',
+        dest: '/etc/nginx/sites-available/vpn',
+      }
+
+- name: create configuration links
+  become: true
+  file:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    state: link
+  loop:
+    - {
+        src: '/etc/nginx/sites-available/default',
+        dest: '/etc/nginx/sites-enabled/default',
+      }
+    - {
+        src: '/etc/nginx/sites-available/gitlab',
+        dest: '/etc/nginx/sites-enabled/gitlab',
+      }
+    - {
+        src: '/etc/nginx/sites-available/sentry',
+        dest: '/etc/nginx/sites-enabled/sentry',
+      }
+    - {
+        src: '/etc/nginx/sites-available/vpn',
+        dest: '/etc/nginx/sites-enabled/vpn',
+      }
+  notify: restart nginx
--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
@ -0,0 +1,112 @@
+- name: create openvpn server directory
+  become: true
+  file:
+    path: '{{ item }}'
+    state: directory
+    mode: '{{ item.mode }}'
+    owner: root
+    group: root
+  loop:
+    - {
+        path: '/etc/openvpn/server',
+        mode: '0744',
+      }
+    - {
+        path: '/etc/openvpn/client',
+        mode: '0744'
+      }
+    - {
+        path: '/etc/openvpn/easy-rsa',
+        mode: '0744',
+      }
+    - {
+        path: '/etc/openvpn/easy-rsa/keys',
+        mode: '0700',
+      }
+
+- name: copy openvpn credentials
+  become: true
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    mode: '{{ item.mode }}'
+    owner: root
+    group: root
+  loop:
+    - {
+        src: 'files/openvpn/ca.crt',
+        dest: '/etc/openvpn/easy-rsa/keys/ca.crt',
+        mode: '0644'
+      }
+    - {
+        src: 'files/openvpn/server.crt',
+        dest: '/etc/openvpn/easy-rsa/keys/server.crt',
+        mode: '0644'
+      }
+    - {
+        src: 'files/openvpn/server.csr',
+        dest: '/etc/openvpn/easy-rsa/keys/server.csr',
+        mode: '0644'
+      }
+    - {
+        src: 'files/openvpn/server.key',
+        dest: '/etc/openvpn/easy-rsa/keys/server.key',
+        mode: '0600'
+      }
+    - {
+        src: 'files/openvpn/dh2048.pem',
+        dest: '/etc/openvpn/easy-rsa/keys/dh2048.pem',
+        mode: '0644'
+      }
+    - {
+        src: 'files/openvpn/ta.key',
+        dest: '/etc/openvpn/easy-rsa/keys/ta.key',
+        mode: '0600'
+      }
+
+- name: copy openvpn configuration files
+  become: true
+  template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: root
+  loop:
+    - {
+        src: 'templates/openvpn/server-lan.j2',
+        dest: '/etc/openvpn/server/server-lan.conf',
+      }
+    - {
+        src: 'templates/openvpn/server-mobile.j2',
+        dest: '/etc/openvpn/server/server-mobile.conf',
+      }
+
+- name: link openvpn configuration files
+  become: true
+  file:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    state: link
+  loop:
+    - {
+        src: '/etc/openvpn/server/server-lan.conf',
+        dest: '/etc/openvpn/server-lan.conf',
+      }
+    - {
+        src: '/etc/openvpn/server/server-mobile.conf',
+        dest: '/etc/openvpn/server-mobile.conf',
+      }
+
+- name: restart openvpn lan server
+  become: true
+  systemd:
+    name: openvpn@server-lan
+    state: restarted
+    enabled: true
+
+- name: restart openvpn mobile server
+  become: true
+  systemd:
+    name: openvpn@server-mobile
+    state: restarted
+    enabled: true
--- a/tasks/radicale.yml
+++ b/tasks/radicale.yml
@ -0,0 +1,47 @@
+- name: install radicale
+  pip:
+    name: radicale
+    state: present
+    extra_args: --user
+
+- name: copy radicale password file
+  become: true
+  copy:
+    src: 'files/radicale/radicale_users'
+    dest: '/etc/radicale/users'
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: create radicale nginx directory
+  become: true
+  file:
+    path: '/etc/nginx/radicale'
+    state: directory
+    owner: root
+    group: root
+
+- name: copy radicale nginx password file
+  become: true
+  copy:
+    src: 'files/radicale/radicale_htpasswd'
+    dest: '/etc/nginx/radicale/htpasswd'
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: copy radicale template
+  become: true
+  template:
+    src: 'templates/radicale.j2'
+    dest: '/etc/radicale/config'
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: restart radicale service
+  become: true
+  systemd:
+    name: radicale
+    state: restarted
+    enabled: true
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@ -1,8 +1,9 @@
 - name: copy firewall template
+  become: true
  template:
    src: 'templates/nftables.j2'
    dest: '/etc/nftables.conf'
    owner: root
    group: root
-    mode: '0600'
+    mode: '0644'
  notify: restart nftables
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@ -0,0 +1,35 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+table ip filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+
+    iifname "br0" tcp dport {{ ssh_port }} accept comment "SSH"
+    iifname "br0" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
+
+    iifname "br0" tcp dport {{ vpn_mobile_port }} accept comment "OpenVPN TCP"
+    iifname "br0" udp dport {{ vpn_mobile_port }} accept comment "OpenVPN UDP"
+    iifname "br0" tcp dport {{ vpn_lan_port }} accept comment "OpenVPN LAN TCP"
+    iifname "br0" udp dport {{ vpn_lan_port }} accept comment "OpenVPN LAN UDP"
+
+    iifname { "tun0", "tun1" } tcp dport { {{ http_port }}, {{ https_port }} } ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "HTTP/HTTPS"
+    iifname { "tun0", "tun1" } tcp dport {{ transmission_port }} ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "Transmission"
+    iifname { "tun0", "tun1" } tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "Syncthing"
+    iifname { "tun0", "tun1" } tcp dport {{ mpd_port }} ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "MPD"
+    iifname { "tun0", "tun1" } tcp dport {{ nfs_port }} ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "NFS"
+  }
+}
--- a/templates/nginx/default.j2
+++ b/templates/nginx/default.j2
@ -0,0 +1,53 @@
+##
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	# HTTP configuration
+	listen {{ http_port }} default_server;
+
+	# SSL configuration
+	listen {{ https_port }} ssl;
+	server_name {{ domain_name }} www.{{ domain_name }};
+
+	include snippets/certificates.conf;
+	include snippets/ssl-params.conf;
+
+	root /var/www/html;
+
+	index index.html index.htm index.nginx-debian.html;
+
+	error_log /var/log/nginx/error.log;
+	access_log /var/log/nginx/access.log;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location = /robots.txt {
+		add_header Content-Type text/plain;
+		return 200 "User-agent: *\nDisallow: /\n";
+	}
+
+	if ($scheme != "https") {
+		return 301 https://$host$request_uri;
+	}
+}
--- a/templates/nginx/gitlab.j2
+++ b/templates/nginx/gitlab.j2
@ -0,0 +1,29 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+server {
+	listen {{ https_port }} ssl;
+	server_name {{ gitlab_domain }};
+
+	include snippets/certificates.conf;
+	include snippets/ssl-params.conf;
+
+	access_log /var/log/nginx/gitlab.log;
+	error_log /var/log/nginx/gitlab.log;
+
+	location / {
+		gzip off;
+
+		proxy_read_timeout      90;
+		proxy_connect_timeout   90;
+		proxy_redirect          off;
+
+		proxy_set_header Host 			$host;
+		proxy_set_header X-Real-IP 		$remote_addr;
+		proxy_set_header X-Forwarded-For   	$proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Ssl     	on;
+		proxy_set_header X-Forwarded-Proto 	$scheme;
+		proxy_set_header X-Frame-Options 	SAMEORIGIN;
+
+		proxy_pass 				https://{{ gitlab_ip }};
+	}
+}
--- a/templates/nginx/sentry.j2
+++ b/templates/nginx/sentry.j2
@ -0,0 +1,29 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+server {
+	listen {{ https_port }} ssl;
+	server_name {{ sentry_domain }};
+
+	include snippets/certificates.conf;
+	include snippets/ssl-params.conf;
+
+	access_log /var/log/nginx/sentry.log;
+	error_log /var/log/nginx/sentry.log;
+
+	location / {
+		gzip off;
+
+		proxy_read_timeout      90;
+		proxy_connect_timeout   90;
+		proxy_redirect          off;
+
+		proxy_set_header Host 			$host;
+		proxy_set_header X-Real-IP 		$remote_addr;
+		proxy_set_header X-Forwarded-For   	$proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Ssl     	on;
+		proxy_set_header X-Forwarded-Proto 	$scheme;
+		proxy_set_header X-Frame-Options 	SAMEORIGIN;
+
+		proxy_pass 				https://{{ sentry_ip }};
+	}
+}
--- a/templates/nginx/vpn.j2
+++ b/templates/nginx/vpn.j2
@ -0,0 +1,32 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+server {
+	listen {{ vpn_listen_address }}:{{ https_port }} ssl;
+	ssl_certificate /etc/ssl/localcerts/nginx.pem;
+	ssl_certificate_key /etc/ssl/localcerts/nginx.key;
+	ssl_protocols TLSv1.2;
+	ssl_ciphers HIGH:!aNULL:!MD5;
+
+	access_log /var/log/nginx/vpn.log;
+	error_log /var/log/nginx/vpn_error.log;
+
+	location /radicale/ {
+		proxy_pass https://127.0.0.1:{{ radicale_port }}/;
+
+		proxy_set_header     X-Script-Name /radicale;
+		proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header     X-Remote-User $remote_user;
+		proxy_pass_header    Authorization;
+
+		auth_basic           "Radicale - Password Required";
+		auth_basic_user_file /etc/nginx/radicale/htpasswd;
+
+		proxy_ssl_certificate /etc/ssl/localcerts/radicale/client_cert.pem;
+		proxy_ssl_certificate_key /etc/ssl/localcerts/radicale/client_key.pem;
+		proxy_ssl_trusted_certificate /etc/ssl/localcerts/radicale/server_cert.pem;
+	}
+
+	location /transmission/ {
+		proxy_pass http://127.0.0.1:{{ transmission_port }}/transmission/;
+	}
+}
--- a/templates/openvpn/server-lan.j2
+++ b/templates/openvpn/server-lan.j2
@ -0,0 +1,317 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+local {{ vpn_local_ip }}
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port {{ vpn_lan_port }}
+
+# TCP or UDP server?
+proto {{ vpn_protocol }}
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca /etc/openvpn/easy-rsa/keys/ca.crt
+cert /etc/openvpn/easy-rsa/keys/server.crt
+key /etc/openvpn/easy-rsa/keys/server.key
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh2048.pem 2048
+dh /etc/openvpn/easy-rsa/keys/dh2048.pem
+
+# Network topology
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+;topology subnet
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# try forever to resolve peer name
+resolv-retry infinite
+
+# Don't ping until connected to remote
+ping-timer-rem
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
+auth SHA512
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+cipher AES-256-CBC
+tls-version-min 1.2
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+;comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 1
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-lan-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# Disable the internal fragmentation alghorithm
+# this can be done by the kernel network driver from the OS
+fragment 0
+mssfix 0
+
+# Enable jumbo frames, note that this could lead to problems on bad connections
+# e.g. mobile users or laptop users see https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux#Tweakedsetup
+tun-mtu 24000
--- a/templates/openvpn/server-mobile.j2
+++ b/templates/openvpn/server-mobile.j2
@ -0,0 +1,316 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+local {{ vpn_local_ip }}
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port {{ vpn_mobile_port }}
+
+# TCP or UDP server?
+proto {{ vpn_protocol }}
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca /etc/openvpn/easy-rsa/keys/ca.crt
+cert /etc/openvpn/easy-rsa/keys/server.crt
+key /etc/openvpn/easy-rsa/keys/server.key
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh2048.pem 2048
+dh /etc/openvpn/easy-rsa/keys/dh2048.pem
+
+# Network topology
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+;topology subnet
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.1.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+push "route 10.8.0.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# try forever to resolve peer name
+resolv-retry infinite
+
+# Don't ping until connected to remote
+ping-timer-rem
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
+auth SHA512
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+cipher AES-256-CBC
+tls-version-min 1.2
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+# Disabled as advised on https://openvpn.net/security-advisories/
+#compress lz4
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+max-clients 10
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-mobile-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+mute 5
+
+# Disable the internal fragmentation alghorithm
+# this can be done by the kernel network driver from the OS
+fragment 0
+mssfix 0
+
+txqueuelen 1000
--- a/templates/radicale.j2
+++ b/templates/radicale.j2
@ -0,0 +1,16 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+
+[server]
+ssl = True
+certificate = /etc/ssl/localcerts/radicale/server_cert.pem
+key = /etc/ssl/localcerts/radicale/server_key.pem
+certificate_authority = /etc/ssl/localcerts/radicale/client_cert.pem
+hosts = {{ radicale_listen_addres }}:{{ radicale_port }}
+
+[storage]
+filesystem_folder = /etc/radicale/collections
+
+[auth]
+type = http_x_remote_user
+
--- a/vars/main.yml
+++ b/vars/main.yml
@ -3,3 +3,6 @@ packages:
  - wireguard
  - syncthing
  - transmission
+  - openvpn
+
+ssh_port: 39901
--- a/vars/network.yml
+++ b/vars/network.yml
@ -0,0 +1,16 @@
+http_port: 80
+https_port: 443
+ssh_port: 39901
+
+transmission_port: 9091
+mpd_port: 21000
+nfs_port: 2049
+
+gitlab_ip: '192.168.178.88'
+sentry_ip: '192.168.178.73'
+
+syncthing_gui_port: 8384
+syncthing_protocol_port: 22000
+
+radicale_listen_addres: '127.0.0.1'
+radicale_port: 5232
--- a/vars/nginx.yml
+++ b/vars/nginx.yml
@ -0,0 +1,3 @@
+domain_name: 'fudiggity.nl'
+gitlab_domain: 'git.fudiggity.nl'
+sentry_domain: 'sentry.fudiggity.nl'
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@ -0,0 +1,7 @@
+vpn_listen_address: '10.8.0.1'
+vpn_local_ip: '192.168.178.185'
+
+vpn_mobile_port: '1194'
+vpn_lan_port: '20000'
+
+vpn_protocol: 'udp'