feat(contributing): tls_crypt_v2 added to common_opts

openvpn/config.sls

@@ -115,7 +115,17 @@ openvpn_config_{{ type }}_{{ name }}_passwd_file:
       - service: {{ service_id }}
 {% endif %}
 
-{% if config.ta_content is defined and config.tls_crypt is defined %}
+{% if config.ta_content is defined and config.tls_crypt_v2 is defined %}
+# Deploy {{ type }} {{ name }} TLS key file
+openvpn_config_{{ type }}_{{ name }}_tls_crypt_v2:
+  file.managed:
+    - name: {{ config.tls_crypt_v2 }}
+    {{ _permissions(600, 'root') }}
+    - contents_pillar: openvpn:{{ type }}:{{ name }}:ta_content
+    - makedirs: True
+    - watch_in:
+      - service: {{ service_id }}
+{% elif config.ta_content is defined and config.tls_crypt is defined %}
 # Deploy {{ type }} {{ name }} TLS key file
 openvpn_config_{{ type }}_{{ name }}_tls_crypt_file:
   file.managed:

openvpn/files/common_opts.jinja

@@ -182,12 +182,15 @@ dh {{ config.dh }}
 dh dh1024.pem
 {%- endif %}
 
-{%- if config.tls_crypt is defined %}
+{%- if config.tls_crypt_v2 %}
+tls-crypt-v2 {{ config.tls_crypt_v2 }}
+{%- elif config.tls_crypt is defined %}
 tls-crypt {{ config.tls_crypt }}
 {%- elif config.tls_auth is defined %}
 tls-auth {{ multipart_param(config.tls_auth) }}
 {%- endif %}
 
+
 {%- if config.reneg_sec is defined %}
 reneg-sec {{ config.reneg_sec }}
 {%- endif %}

pillar.example

@@ -172,6 +172,18 @@ openvpn:
       username_as_common_name: ~
       plugins:
         - '/usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf'
+    tls-server-v2:
+      server: '10.8.0.0 255.255.255.0'
+      ifconfig_ipv6: 2001:db8::1/64 2001:db8::1
+      ifconfig_ipv6_pool: 2001:db8::2/64
+      ca: /path/to/mycacert.pem
+      cert: /path/to/mycert.pem
+      key: /path/to/mykey.pem
+      tls_crypt_v2: /path/to/tlsv2key.key
+      ta_content: |
+        -----BEGIN OpenVPN tls-crypt-v2 server key-----
+        ...
+        -----END OpenVPN tls-crypt-v2 server key-----
     mysitetosite1:
       dev: tun
       ifconfig: '10.8.0.1 10.8.0.2'