# OpenVPN package; the remaining states in this file all depend on it being installed
vpn-server:
  pkg.installed:
    - name: openvpn

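# generate Diffie-Hellman parameters (dh.pem holds no secret material)
# build only
gen-dh-param:
  cmd.run:
    - name: "openssl dhparam -out /etc/openvpn/server/dh.pem 2048"
    # run once: skipped when the file already exists (replaces the former onlyif test)
    - creates: /etc/openvpn/server/dh.pem
    # /etc/openvpn/server comes from the package, so it must be installed first
    - require:
      - pkg: vpn-server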

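# generate the static HMAC key (--secret); ta.key is a shared secret and must stay private
# build only
gen-hmac-key:
  cmd.run:
    - name: "openvpn --genkey --secret /etc/openvpn/server/ta.key"
    # restrictive umask so the key file is created owner-only, independent of openvpn's default
    - umask: '077'
    # run once: skipped when the key already exists (replaces the former onlyif test)
    - creates: /etc/openvpn/server/ta.key
    # the openvpn binary comes from the package
    - require:
      - pkg: vpn-server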

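# server configuration; watched by vpn-server-service
vpn-server-conf:
  file.managed:
    - name: /etc/openvpn/server/server.conf
    - source: salt://roles/maintain/vpnserver/server.conf
    - user: root
    - group: root
    # quoted so the octal mode stays a string instead of being parsed as an int
    - mode: '0644'
    # target directory is created by the package
    - require:
      - pkg: vpn-server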

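# client configuration template kept on the server (not read by the server process)
vpn-client-conf:
  file.managed:
    - name: /etc/openvpn/client/client.conf
    - source: salt://roles/maintain/vpnserver/client.conf
    - user: root
    - group: root
    # quoted so the octal mode stays a string instead of being parsed as an int
    - mode: '0644'
    # target directory is created by the package
    - require:
      - pkg: vpn-server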

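# CA certificate (public part only; no private key is distributed here)
vpn-ca-cert:
  file.managed:
    - name: /etc/openvpn/server/ca.crt
    - source: salt://secure/ca/ca.crt
    - user: root
    - group: root
    # quoted so the octal mode stays a string instead of being parsed as an int
    - mode: '0644'
    # target directory is created by the package
    - require:
      - pkg: vpn-server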

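# keep the server instance running and enabled at boot
vpn-server-service:
  service.running:
    - name: openvpn-server@server.service
    - enable: true
    - require:
      - pkg: vpn-server
    # restart when any input the server loads at start changes, not only server.conf
    - watch:
      - file: vpn-server-conf
      - file: vpn-ca-cert
      - cmd: gen-dh-param
      - cmd: gen-hmac-key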