diff options
author | varac <varacanero@zeromail.org> | 2012-10-30 15:03:55 +0100 |
---|---|---|
committer | varac <varacanero@zeromail.org> | 2012-10-30 15:03:55 +0100 |
commit | f066f7a99a8d15f5b80c5bbf9117606c723ab352 (patch) | |
tree | 961439bb37e8fa8442759987c0dcad0369145ed7 | |
parent | 06a1546a36698dd75fb500ad2a12e9bbf9b43f03 (diff) | |
parent | 9586f6ec95b6bdba7ca3df4135055f2cced9e972 (diff) |
Merge branch 'develop' into feature/couchdb
-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | README.md | 76 | ||||
-rw-r--r-- | puppet/hiera.yaml | 19 | ||||
m--------- | puppet/modules/interfaces | 0 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 52 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 13 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 35 |
8 files changed, 154 insertions, 48 deletions
diff --git a/.gitmodules b/.gitmodules index 10a21c03..e3e8d6db 100644 --- a/.gitmodules +++ b/.gitmodules @@ -34,3 +34,6 @@ [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb url = git://code.leap.se/puppet_couchdb +[submodule "puppet/modules/interfaces"] + path = puppet/modules/interfaces + url = git://github.com/x-way/puppet-interfaces.git @@ -1,3 +1,79 @@ Leap Platform ============= +What is it? +----------- + +The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary packages and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. + +The LEAP Platform is essentially a git repository of puppet recipes, with a few scripts to help with bootstrapping and deployment. A service provider who wants to deploy LEAP services will clone or fork this repository, edit the main configuration file to specify which services should run on which hosts, and run scripts to deploy this configuration. + +Documentation +------------- +Most of the current documentation can be found in Readme files of the different pieces. Eventually this will be consolidated on the website https://leap.se + +Requirements +------------ +This highly depends on your (expected) user base. For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. You could use Vagrant or KVM to simulate a live deployment. + +For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. In it's initial release you can deploy OpenVPN, DNS, CouchDB and a webapp to administer your users (billing, help tickets,...). + +To get started you will need to have git, ruby1.8, rails, rubygems, bundler, ruby1.8-dev, libgpgme-ruby. + +Configuration +------------- +Edit config/ + + +Installation +------------ + +- Edit /etc/leap/hieradata/common.yaml for your needs +- Run the deploy.sh script as root + +git clone git://code.leap.se/leap_platform +git clone git://code.leap.se/leap_cli + + cd leap_cli + + bundle + + cd .. + +git clone git://code.leap.se/leap_testprovider +ln -s /home/me/dev/leap_cli/bin ~/bin # or whatever to have leap_cli/bin/leap in your path. +cd leap_testprovider +ln -s ../leap_platform . +cd leap_testprovider/provider +leap help +leap clean +leap compile +leap add-user --self + +More Information +---------------- +For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. + + +Following needs to be written: + +Copyright/License +----------------- + +Read LICENSE + +Known bugs +---------- + +Troubleshooting +--------------- + +Changelog +--------- + + +Authors and Credits +------------------ + +a file manifest + diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index af448d57..93448e23 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -5,22 +5,11 @@ :logger: console -:hierarchy: - - %{fqdn} - - defaults -#former hierarchy, not used anymore -# - hosts/%{fqdn} -# - ca/%{fqdn} -# - ca/defaults -# - eip/%{fqdn} -# - eip/defaults -# more services following -# - defaults - -# relative from where puppet is run, so we need to run puppet -# from the root dir of the leap_platform repo :yaml: - :datadir: ../config + :datadir: /etc/leap +:hierarchy: + - hiera + :puppet: :datasource: data diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces new file mode 160000 +Subproject 1d7dc7178881c56102c043e96763176f66445c1 diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 95f9dbf4..4280fb67 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,29 +1,57 @@ class site_config::eip { + + # parse hiera config + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' + include site_openvpn + + # deploy ca + server keys include site_openvpn::keys - #$tor=hiera('tor') - #notice("Tor enabled: $tor") - - #$openvpn_configs=hiera('openvpn_server_configs') - #create_resources('site_openvpn::server_config', $openvpn_configs) - + # create 2 openvpn config files, one for tcp, one for udp site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', - local => $::ipaddress_eth0_1, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', + local => $openvpn_gateway_address, + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - local => $::ipaddress_eth0_1, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + local => $openvpn_gateway_address, management => '127.0.0.1 1001' } + # add second IP on given interface + file { '/usr/local/bin/leap_add_second_ip.sh': + content => "#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", + mode => '0755', + } + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + } + + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } + include site_shorewall::eip } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, @@ -92,10 +88,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,8 +10,4 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - shorewall::interface {'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; - } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0902039c..34268125 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,15 +1,26 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + #$shorewall_startup='0' include site_shorewall::defaults + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + # define macro - file { "/etc/shorewall/macro.leap_eip": - content => 'PARAM - - tcp 53,80,443,1194 + file { '/etc/shorewall/macro.leap_eip': + content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 -', } +", } + + + # define interfaces + shorewall::interface { $interface: + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } shorewall::interface {'tun0': zone => 'eip', @@ -18,15 +29,21 @@ PARAM - - udp 53,80,443,1194 zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'eth0': - interface => 'eth0'; } + shorewall::routestopped { $interface: + interface => $interface; } + + + shorewall::masq { "${interface}_tcp": + interface => $interface, + source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } - shorewall::masq {'eth0': - interface => 'eth0', - source => ''; } + shorewall::masq { "${interface}_udp": + interface => $interface, + source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': |