| author | varac <varacanero@zeromail.org> | 2012-10-30 12:37:47 +0100 | 
|---|---|---|
| committer | varac <varacanero@zeromail.org> | 2012-10-30 12:37:47 +0100 | 
| commit | 38bb67fa4238dda60e1a140f38f4450a4f8a8ca9 (patch) | |
| tree | 024ba24cb0ff118eb16c1e79d6c17a9c6b15d6b5 | |
| parent | 76bbc01eae893206a8ed0d8d248ee565e3acdc61 (diff) | |
| parent | 038380e042289a9586141d7154febea2a2a6a56c (diff) | |
Merge branch 'feature/interfaces' into develop
| -rw-r--r-- | .gitmodules | 3 | ||||
| m--------- | puppet/modules/interfaces | 0 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 53 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 4 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 33 | 
6 files changed, 72 insertions, 34 deletions
diff --git a/.gitmodules b/.gitmodules
index 10a21c03..e3e8d6db 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -34,3 +34,6 @@
 [submodule "puppet/modules/couchdb"]
 	path = puppet/modules/couchdb
 	url = git://code.leap.se/puppet_couchdb
+[submodule "puppet/modules/interfaces"]
+	path = puppet/modules/interfaces
+	url = git://github.com/x-way/puppet-interfaces.git
diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces
new file mode 160000
+Subproject 1d7dc7178881c56102c043e96763176f66445c1
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
index df17771a..4280fb67 100644
--- a/puppet/modules/site_config/manifests/eip.pp
+++ b/puppet/modules/site_config/manifests/eip.pp
@@ -1,30 +1,57 @@
 class site_config::eip {
-  include site_openvpn
-  include site_openvpn::keys
-  #$tor=hiera('tor')
-  #notice("Tor enabled: $tor")
+  # parse hiera config
+  $ip_address                 = hiera('ip_address')
+  $interface                  = hiera('interface')
+  #$gateway_address           = hiera('gateway_address')
+  $openvpn_config             = hiera('openvpn')
+  $openvpn_gateway_address    = $openvpn_config['gateway_address']
+  $openvpn_tcp_network_prefix = '10.1.0'
+  $openvpn_tcp_netmask        = '255.255.248.0'
+  $openvpn_tcp_cidr           = '21'
+  $openvpn_udp_network_prefix = '10.2.0'
+  $openvpn_udp_netmask        = '255.255.248.0'
+  $openvpn_udp_cidr           = '21'
-  $openvpn_config     = hiera('openvpn')
-  $interface          = hiera('interface')
-  $gateway_address    = $openvpn_config['gateway_address']
+  include site_openvpn
+  
+  # deploy ca + server keys
+  include site_openvpn::keys
+  # create 2 openvpn config files, one for tcp, one for udp
   site_openvpn::server_config { 'tcp_config':
     port        => '1194',
     proto       => 'tcp',
-    local       => $gateway_address,
-    server      => '10.1.0.0 255.255.248.0',
-    push        => '"dhcp-option DNS 10.1.0.1"',
+    local       => $openvpn_gateway_address,
+    server      => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
+    push        => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
     management  => '127.0.0.1 1000'
   }
   site_openvpn::server_config { 'udp_config':
     port        => '1194',
     proto       => 'udp',
-    local       => $gateway_address,
-    server      => '10.2.0.0 255.255.248.0',
-    push        => '"dhcp-option DNS 10.2.0.1"',
+    server      => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
+    push        => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
+    local       => $openvpn_gateway_address,
     management  => '127.0.0.1 1001'
   }
+  # add second IP on given interface
+  file { '/usr/local/bin/leap_add_second_ip.sh':
+    content => "#!/bin/sh
+ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface",
+    mode    => '0755',
+  }
+
+  exec { '/usr/local/bin/leap_add_second_ip.sh':
+    subscribe   => File['/usr/local/bin/leap_add_second_ip.sh'],
+  }
+
+  cron { 'leap_add_second_ip.sh':
+    command => "/usr/local/bin/leap_add_second_ip.sh",
+    user    => 'root',
+    special => 'reboot',
+  }
+
   include site_shorewall::eip
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 441a21e3..482c6ab7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
   $openvpn_configname = $name
-
-  #notice("Creating OpenVPN $openvpn_configname:
-  #  Port: $port, Protocol: $proto")
-
   concat {
     "/etc/openvpn/$openvpn_configname.conf":
         owner   => root,
@@ -92,10 +88,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
         key    => 'topology',
         value  => 'subnet',
         server => $openvpn_configname;
-    "up $openvpn_configname":
-        key    => 'up',
-        value  => '/etc/openvpn/server-up.sh',
-        server => $openvpn_configname;
+    # no need for server-up.sh right now
+    #"up $openvpn_configname":
+    #    key    => 'up',
+    #    value  => '/etc/openvpn/server-up.sh',
+    #    server => $openvpn_configname;
     "verb $openvpn_configname":
         key    => 'verb',
         value  => '3',
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index c68b8370..88981e5f 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -10,8 +10,4 @@ class site_shorewall::defaults {
   shorewall::rule_section { 'NEW': order => 10; }
-  shorewall::interface {'eth0':
-    zone      => 'net',
-    options   => 'tcpflags,blacklist,nosmurfs';
-  }
 }
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 31ee3e6c..a5af0dde 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,13 +5,22 @@ class site_shorewall::eip {
   include site_shorewall::defaults
-  $interface = hiera('interface')
+  $interface  = hiera('interface')
+  $ssh_config = hiera('ssh')
+  $ssh_port   = $ssh_config['port']
 
   # define macro
-  file { "/etc/shorewall/macro.leap_eip":
-    content => 'PARAM   -       -       tcp     53,80,443,1194
+  file { '/etc/shorewall/macro.leap_eip':
+    content => "PARAM   -       -       tcp     53,80,443,1194,$ssh_port
 PARAM   -       -       udp     53,80,443,1194
-', }
+", }
+
+
+   # define interfaces
+  shorewall::interface { $interface:
+    zone      => 'net',
+    options   => 'tcpflags,blacklist,nosmurfs';
+  }
   shorewall::interface    {'tun0':
     zone    => 'eip',
@@ -20,15 +29,21 @@ PARAM   -       -       udp     53,80,443,1194
     zone    => 'eip',
     options => 'tcpflags,blacklist,nosmurfs'; }
+
   shorewall::zone         {'eip':
     type => 'ipv4'; }
-  shorewall::routestopped {'$interface':
-    interface => '$interface'; }
+  shorewall::routestopped { $interface:
+    interface => $interface; }
+
+
+   shorewall::masq { "${interface}_tcp":
+    interface => $interface,
+    source    => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; }
-  shorewall::masq {'$interface':
-    interface => '$interface',
-    source    => ''; }
+  shorewall::masq { "${interface}_udp":
+    interface => $interface,
+    source    => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }
   shorewall::policy {
     'eip-to-all':
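Review bot: The new submodule entry fetches over `git://`, a transport with no authentication or encryption; the pinned subproject commit is what actually guarantees the checked-out content, so the transport mostly matters when the pin is later moved or someone clones the module by hand. Switching to `url = https://github.com/x-way/puppet-interfaces.git` gives a TLS-authenticated fetch at no cost, and the existing couchdb entry above uses the same unauthenticated transport against code.leap.se, which is worth reviewing alongside it.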
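Review bot: In the generated leap_add_second_ip.sh the test `grep -q ${openvpn_gateway_address}/24` is an unanchored regular-expression match, so each dot matches any character and an existing address that merely contains the gateway as a substring (constructed example: gateway 10.1.0.1 with 110.1.0.1/24 already configured) suppresses the add, while the intended address is never actually verified. Matching a fixed, delimited string instead, `ip -o addr show dev $interface | grep -qF ' ${openvpn_gateway_address}/24 '`, removes the regex semantics. Both `$interface` and `$openvpn_gateway_address` are spliced into the script body unquoted, so the script is only correct for a plain interface name and a bare IPv4 address; a format check in the manifest before the file resource would make that assumption explicit, as would a comment noting that the /24 here is hard-coded independently of the /21 openvpn subnets declared above. The exec `'/usr/local/bin/leap_add_second_ip.sh'` subscribes to the file but has no `refreshonly => true`, so it runs on every Puppet run rather than only when the script changes.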
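Review bot: The `up` fragment is kept as five commented-out lines inside the concat fragment list rather than removed; git history already preserves it, and `# no need for server-up.sh right now` gives no condition for re-enabling it, so the block will rot. Either delete it or collapse it to one line, e.g. `# the 'up /etc/openvpn/server-up.sh' fragment was dropped here; see git history if it is needed again`. The define's body continues outside the hunk.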
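Review bot: Removing the `shorewall::interface {'eth0': zone => 'net' ...}` declaration from site_shorewall::defaults means no interface is assigned to the net zone unless site_shorewall::eip is also included; a node that only includes the defaults class would end up with a net zone that has no interface, which is presumably not intended. If defaults is meant to be usable on its own, keep an interface declaration there (for example `shorewall::interface { hiera('interface'): zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; }`), otherwise a comment in the class stating that the net interface is now declared by the per-service classes would prevent the next reader from re-adding it. The enclosing class body starts outside the hunk.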
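Review bot: `$ssh_port = $ssh_config['port']` is written into the macro content with no check, so if the `ssh` hiera hash has no `port` key the rule becomes `tcp     53,80,443,1194,` with a trailing empty field, and any non-numeric value lands in the firewall macro verbatim. A guard before the file resource, `if $ssh_port !~ /^\d+$/ { fail("ssh port must be numeric, got '${ssh_port}'") }`, turns a silently malformed firewall rule into a catalog failure. The macro now also admits the ssh port from any source wherever leap_eip is applied; if that is intended, a short comment on the `# define macro` line saying so would save a later reviewer from asking.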
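Review bot: The two masq `source` strings read `$site_config::eip::openvpn_tcp_network_prefix` / `_cidr` and their udp counterparts from another class; Puppet only resolves a qualified variable if that class has already been evaluated, otherwise it is undef (with a warning, not an error) and the source collapses to `.0/`, yielding a masq entry for a nonsense network. The ordering holds when site_shorewall::eip is reached through the `include site_shorewall::eip` at the end of site_config::eip, as this commit arranges, but breaks if site_shorewall::eip is included earlier from anywhere else. Passing the prefixes and cidrs in as class parameters would make the dependency explicit; at minimum a comment above the masq resources, `# requires site_config::eip to be evaluated first: it sets the openvpn_*_network_prefix/_cidr variables used below`, should record it. The enclosing class continues outside the hunk.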
