authorvarac <varacanero@zeromail.org>2012-10-30 15:03:55 +0100
committervarac <varacanero@zeromail.org>2012-10-30 15:03:55 +0100
commitf066f7a99a8d15f5b80c5bbf9117606c723ab352 (patch)
tree961439bb37e8fa8442759987c0dcad0369145ed7 /puppet
parent06a1546a36698dd75fb500ad2a12e9bbf9b43f03 (diff)
parent9586f6ec95b6bdba7ca3df4135055f2cced9e972 (diff)
Merge branch 'develop' into feature/couchdb
Diffstat (limited to 'puppet')
-rw-r--r--puppet/hiera.yaml19
m---------puppet/modules/interfaces0
-rw-r--r--puppet/modules/site_config/manifests/eip.pp52
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp13
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp4
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp35
6 files changed, 75 insertions, 48 deletions
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
index af448d57..93448e23 100644
--- a/puppet/hiera.yaml
+++ b/puppet/hiera.yaml
@@ -5,22 +5,11 @@
:logger: console
-:hierarchy:
- - %{fqdn}
- - defaults
-#former hierarchy, not used anymore
-# - hosts/%{fqdn}
-# - ca/%{fqdn}
-# - ca/defaults
-# - eip/%{fqdn}
-# - eip/defaults
-# more services following
-# - defaults
-
-# relative from where puppet is run, so we need to run puppet
-# from the root dir of the leap_platform repo
:yaml:
- :datadir: ../config
+ :datadir: /etc/leap
+:hierarchy:
+ - hiera
+
:puppet:
:datasource: data
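Review bot: The hierarchy collapses to the single source `hiera` with no `defaults` layer behind it, so every key the manifests fetch with `hiera()` (`ip_address`, `interface`, `openvpn`, `ssh` in the eip manifests of this same commit) must be present in `/etc/leap/hiera.yaml`, otherwise the lookup raises at catalog compile time; either keep a defaults layer or state that contract. The deleted comment explained why `:datadir` was relative, but nothing explains the new absolute path, e.g. `# node config is read from /etc/leap/hiera.yaml, provisioned outside this repo (TODO confirm)`. Dropping the `%{fqdn}` level also removes the per-host override point; if that is intentional it is worth saying so in the commit message.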
diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces
new file mode 160000
+Subproject 1d7dc7178881c56102c043e96763176f66445c1
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
index 95f9dbf4..4280fb67 100644
--- a/puppet/modules/site_config/manifests/eip.pp
+++ b/puppet/modules/site_config/manifests/eip.pp
@@ -1,29 +1,57 @@
class site_config::eip {
+
+ # parse hiera config
+ $ip_address = hiera('ip_address')
+ $interface = hiera('interface')
+ #$gateway_address = hiera('gateway_address')
+ $openvpn_config = hiera('openvpn')
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ $openvpn_tcp_network_prefix = '10.1.0'
+ $openvpn_tcp_netmask = '255.255.248.0'
+ $openvpn_tcp_cidr = '21'
+ $openvpn_udp_network_prefix = '10.2.0'
+ $openvpn_udp_netmask = '255.255.248.0'
+ $openvpn_udp_cidr = '21'
+
include site_openvpn
+
+ # deploy ca + server keys
include site_openvpn::keys
- #$tor=hiera('tor')
- #notice("Tor enabled: $tor")
-
- #$openvpn_configs=hiera('openvpn_server_configs')
- #create_resources('site_openvpn::server_config', $openvpn_configs)
-
+ # create 2 openvpn config files, one for tcp, one for udp
site_openvpn::server_config { 'tcp_config':
port => '1194',
proto => 'tcp',
- local => $::ipaddress_eth0_1,
- server => '10.1.0.0 255.255.248.0',
- push => '"dhcp-option DNS 10.1.0.1"',
+ local => $openvpn_gateway_address,
+ server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
+ push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
management => '127.0.0.1 1000'
}
site_openvpn::server_config { 'udp_config':
port => '1194',
proto => 'udp',
- local => $::ipaddress_eth0_1,
- server => '10.2.0.0 255.255.248.0',
- push => '"dhcp-option DNS 10.2.0.1"',
+ server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
+ push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
+ local => $openvpn_gateway_address,
management => '127.0.0.1 1001'
}
+ # add second IP on given interface
+ file { '/usr/local/bin/leap_add_second_ip.sh':
+ content => "#!/bin/sh
+ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface",
+ mode => '0755',
+ }
+
+ exec { '/usr/local/bin/leap_add_second_ip.sh':
+ subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ }
+
+ cron { 'leap_add_second_ip.sh':
+ command => "/usr/local/bin/leap_add_second_ip.sh",
+ user => 'root',
+ special => 'reboot',
+ }
+
include site_shorewall::eip
}
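Review bot: The script written to `/usr/local/bin/leap_add_second_ip.sh` embeds the hiera values `$interface` and `$openvpn_gateway_address` unquoted in `ip` and `grep` commands, and the `grep` pattern is a regex (each `.` in the address matches any character and the match is unanchored), so the presence check can succeed on a different address and skip the `ip addr add`. Use a fixed-string match and quote the expansions, `ip addr show dev \"$interface\" | grep -qF \"${openvpn_gateway_address}/24\" || ip addr add \"${openvpn_gateway_address}/24\" dev \"$interface\"`, and validate both values in the manifest against an anchored pattern (stdlib's `validate_re`, if the repo carries stdlib) before they are baked into a script that root runs from cron. The `/24` prefix length is hard-coded while the rest of the class derives netmask and cidr from named variables, so a variable or a comment would prevent drift between them. The `file` resource sets `mode` but no `owner`/`group`; for a root-executed script `owner => 'root', group => 'root'` should be explicit. `site_shorewall::eip` reads `$site_config::eip::openvpn_*` by qualified name, so a comment such as `# must stay after the variable assignments above: site_shorewall::eip reads them` on the final `include` would protect that ordering.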
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 441a21e3..482c6ab7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
$openvpn_configname = $name
-
- #notice("Creating OpenVPN $openvpn_configname:
- # Port: $port, Protocol: $proto")
-
concat {
"/etc/openvpn/$openvpn_configname.conf":
owner => root,
@@ -92,10 +88,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
key => 'topology',
value => 'subnet',
server => $openvpn_configname;
- "up $openvpn_configname":
- key => 'up',
- value => '/etc/openvpn/server-up.sh',
- server => $openvpn_configname;
+ # no need for server-up.sh right now
+ #"up $openvpn_configname":
+ # key => 'up',
+ # value => '/etc/openvpn/server-up.sh',
+ # server => $openvpn_configname;
"verb $openvpn_configname":
key => 'verb',
value => '3',
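Review bot: The `up` fragment is kept as five commented-out lines inside the resource list rather than removed; dead declarations inside a resource body tend to be re-enabled without review and make the list harder to read. Since the previous version is in history, delete the block, or if it is meant to return keep only a one-line marker such as `# TODO: re-add the 'up /etc/openvpn/server-up.sh' entry once server-up.sh is needed`. The enclosing `define site_openvpn::server_config` starts outside this hunk.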
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index c68b8370..88981e5f 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -10,8 +10,4 @@ class site_shorewall::defaults {
shorewall::rule_section { 'NEW': order => 10; }
- shorewall::interface {'eth0':
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs';
- }
}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 0902039c..34268125 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,15 +1,26 @@
class site_shorewall::eip {
# be safe for development
- $shorewall_startup='0'
+ #$shorewall_startup='0'
include site_shorewall::defaults
+ $interface = hiera('interface')
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+
# define macro
- file { "/etc/shorewall/macro.leap_eip":
- content => 'PARAM - - tcp 53,80,443,1194
+ file { '/etc/shorewall/macro.leap_eip':
+ content => "PARAM - - tcp 53,80,443,1194,$ssh_port
PARAM - - udp 53,80,443,1194
-', }
+", }
+
+
+ # define interfaces
+ shorewall::interface { $interface:
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
shorewall::interface {'tun0':
zone => 'eip',
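Review bot: The comment `# be safe for development` now sits above a commented-out line, so `$shorewall_startup` is no longer forced to `'0'` and the firewall's startup behaviour falls to whatever the defaults class or module decides — the reader cannot tell whether enabling startup was the intent. Either drop both lines or replace them with a comment that states it, e.g. `# shorewall starts normally; set $shorewall_startup='0' to keep a dev box from loading the rules`. `$ssh_port` from hiera is spliced straight into the `leap_eip` macro, so an empty or non-numeric value silently produces a malformed port list; validate it as a number in 1–65535 before use, and extend the `# define macro` comment to say that the macro now admits the SSH port alongside the VPN ports wherever it is applied, since that widens the exposure compared with the previous fixed list.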
@@ -18,15 +29,21 @@ PARAM - - udp 53,80,443,1194
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs'; }
+
shorewall::zone {'eip':
type => 'ipv4'; }
- shorewall::routestopped {'eth0':
- interface => 'eth0'; }
+ shorewall::routestopped { $interface:
+ interface => $interface; }
+
+
+ shorewall::masq { "${interface}_tcp":
+ interface => $interface,
+ source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; }
- shorewall::masq {'eth0':
- interface => 'eth0',
- source => ''; }
+ shorewall::masq { "${interface}_udp":
+ interface => $interface,
+ source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }
shorewall::policy {
'eip-to-all':