Promote OpenVPN CRL fix to global modules

[akuzminsky]

Summary

Promote the OpenVPN CRL regeneration fix from environment-specific modules to global modules/profile/ after sandbox validation.

Background

The encrypted CA support and CRL auto-regeneration fix has been:

• ✅ Implemented in environments/development/
• ✅ Tested in development
• ✅ Promoted to environments/sandbox/
• ⏳ Awaiting sandbox validation (1 week)

Changes to Promote

From environments/sandbox/modules/profile/ to modules/profile/:

• manifests/openvpn_server/config.pp - CRL fix with encrypted CA, cron job, MAILTO
• templates/openvpn_server/regenerate-crl.sh.erb - CRL regeneration script
• templates/openvpn_server/README.erb - Operational documentation
• templates/openvpn_server/vars.erb - Remove EASYRSA_NO_PASS

Validation Checklist

Before promoting, verify in sandbox:

• CRL regeneration script works: /etc/openvpn/regenerate-crl.sh
• Syslog logging works: journalctl -t openvpn-crl
• VPN connections still work after CRL regeneration
• README deployed to /etc/openvpn/README

Target Date

Promote after ~1 week of sandbox validation (around 2026-01-27).

Related

• PR GTID: Extra transaction on slave before replication setup #240: Fix OpenVPN CRL regeneration with encrypted CA
• Issue Add CRL file age monitoring for OpenVPN server #241: Add CRL file age monitoring (future enhancement)