summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
authorvarac <varacanero@zeromail.org>2012-10-12 22:07:19 +0200
committervarac <varacanero@zeromail.org>2012-10-12 22:07:19 +0200
commit3e11ce4c43282448b032f9ad8e31667fb4b85ccb (patch)
tree3bc95d3d627d00fbf496b157ec3a3593821b1879 /puppet
parentb8f727635254453503bd1d9b22e20d69cc23630a (diff)
parent0eff2049fa8d846dffee3236824b8bc42e581467 (diff)
Merge branch 'feature/eip' into develop
Diffstat (limited to 'puppet')
-rw-r--r--puppet/hiera.yaml16
-rw-r--r--puppet/manifests/site.pp20
-rw-r--r--puppet/modules/site_config/manifests/eip.pp27
-rw-r--r--puppet/modules/site_config/manifests/init.pp11
-rw-r--r--puppet/modules/site_config/manifests/resolvconf.pp17
-rw-r--r--puppet/modules/site_config/manifests/sshd.pp8
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp59
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp28
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp190
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp17
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp85
m---------puppet/modules/sysctl0
12 files changed, 328 insertions, 150 deletions
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
index a992c057..4194c6c9 100644
--- a/puppet/hiera.yaml
+++ b/puppet/hiera.yaml
@@ -6,18 +6,20 @@
:logger: console
:hierarchy:
- - hosts/%{fqdn}
- - ca/%{fqdn}
- - ca/defaults
- - eip/%{fqdn}
- - eip/defaults
+ - %{fqdn}
+#former hierarchy, not used anymore
+# - hosts/%{fqdn}
+# - ca/%{fqdn}
+# - ca/defaults
+# - eip/%{fqdn}
+# - eip/defaults
# more services following
- - defaults
+# - defaults
# relative from where puppet is run, so we need to run puppet
# from the root dir of the leap_platform repo
:yaml:
- :datadir: config
+ :datadir: ../config
:puppet:
:datasource: data
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3ae9ebea..d451bdf5 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,23 +1,17 @@
node 'default' {
+ # prerequisites
+ import 'common'
+ include concat::setup
# include some basic classes
- # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ?
- include concat::setup
- include apt, lsb, git
- import 'common'
+ #include site_config
+ # parse services for host
$services=hiera_array('services')
notice("Services for $fqdn: $services")
- # configure ssh and inculde ssh-keys
- #include sshd
- $ssh_keys=hiera_hash('ssh_keys')
- include site_sshd
- notice($ssh_keys)
- create_resources('site_sshd::ssh_key', $ssh_keys)
-
-
- if 'eip' in $services {
+ # configure eip
+ if 'openvpn' in $services {
include site_config::eip
}
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
index 56eb1452..95f9dbf4 100644
--- a/puppet/modules/site_config/manifests/eip.pp
+++ b/puppet/modules/site_config/manifests/eip.pp
@@ -1,10 +1,29 @@
class site_config::eip {
include site_openvpn
+ include site_openvpn::keys
- $tor=hiera('tor')
- notice("Tor enabled: $tor")
+ #$tor=hiera('tor')
+ #notice("Tor enabled: $tor")
- $openvpn_configs=hiera('openvpn_server_configs')
- create_resources('site_openvpn::server_config', $openvpn_configs)
+ #$openvpn_configs=hiera('openvpn_server_configs')
+ #create_resources('site_openvpn::server_config', $openvpn_configs)
+
+ site_openvpn::server_config { 'tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $::ipaddress_eth0_1,
+ server => '10.1.0.0 255.255.248.0',
+ push => '"dhcp-option DNS 10.1.0.1"',
+ management => '127.0.0.1 1000'
+ }
+ site_openvpn::server_config { 'udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $::ipaddress_eth0_1,
+ server => '10.2.0.0 255.255.248.0',
+ push => '"dhcp-option DNS 10.2.0.1"',
+ management => '127.0.0.1 1001'
+ }
+ include site_shorewall::eip
}
diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp
new file mode 100644
index 00000000..8aa1b54d
--- /dev/null
+++ b/puppet/modules/site_config/manifests/init.pp
@@ -0,0 +1,11 @@
+class site_config {
+ # default class, use by all hosts
+
+ include apt, lsb, git
+
+ # configure ssh and inculde ssh-keys
+ include site_config::sshd
+
+ # configure /etc/resolv.conf
+ include site_config::resolvconf
+}
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
new file mode 100644
index 00000000..bd0539b9
--- /dev/null
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -0,0 +1,17 @@
+class site_config::resolvconf {
+ package { 'bind9':
+ ensure => installed,
+ }
+
+ $domain_hash = hiera('domain')
+ $domain_public = $domain_hash['public']
+
+ # 127.0.0.1: caching-only local bind
+ # 87.118.100.175: http://server.privacyfoundation.de
+ # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html
+ class { '::resolvconf':
+ domain => $domain_public,
+ search => $domain_public,
+ nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ]
+ }
+}
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp
new file mode 100644
index 00000000..4834bb6f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/sshd.pp
@@ -0,0 +1,8 @@
+class site_config::sshd {
+ # configure ssh and inculde ssh-keys
+ include sshd
+ $ssh_pubkeys=hiera_hash('ssh_pubkeys')
+ include site_sshd
+ notice($ssh_pubkeys)
+ create_resources('site_sshd::ssh_key', $ssh_pubkeys)
+}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index c83b98c7..e95e67d5 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,43 +1,48 @@
class site_openvpn {
package {
- "openvpn":
- ensure => installed;
+ 'openvpn':
+ ensure => installed;
}
service {
- "openvpn":
- ensure => running,
- hasrestart => true,
- hasstatus => true,
- require => Exec["concat_/etc/default/openvpn"];
+ 'openvpn':
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec['concat_/etc/default/openvpn'];
}
+
file {
- "/etc/openvpn":
- ensure => directory,
- require => Package["openvpn"];
+ '/etc/openvpn':
+ ensure => directory,
+ require => Package['openvpn'];
}
- include concat::setup
+ file {
+ '/etc/openvpn/keys':
+ ensure => directory,
+ require => Package['openvpn'];
+ }
concat {
- "/etc/default/openvpn":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- notify => Service["openvpn"];
+ '/etc/default/openvpn':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
}
concat::fragment {
- "openvpn.default.header":
- content => template("openvpn/etc-default-openvpn.erb"),
- target => "/etc/default/openvpn",
- order => 01;
+ 'openvpn.default.header':
+ content => template('openvpn/etc-default-openvpn.erb'),
+ target => '/etc/default/openvpn',
+ order => 01;
}
- concat::fragment {
- "openvpn.default.autostart.${name}":
- content => "AUTOSTART=all",
- target => "/etc/default/openvpn",
- order => 10;
- }
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => 'AUTOSTART=all',
+ target => '/etc/default/openvpn',
+ order => 10;
+ }
}
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
new file mode 100644
index 00000000..d029fbac
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -0,0 +1,28 @@
+class site_openvpn::keys {
+ $openvpn_keys = hiera_hash('openvpn')
+
+ file { '/etc/openvpn/keys/ca.key':
+ content => $openvpn_keys['ca_key'],
+ mode => '0600',
+ }
+
+ file { '/etc/openvpn/keys/ca.crt':
+ content => $openvpn_keys['ca_crt'],
+ mode => '0644',
+ }
+
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $openvpn_keys['dh_key'],
+ mode => '0644',
+ }
+
+ file { '/etc/openvpn/keys/server.key':
+ content => $openvpn_keys['server_key'],
+ mode => '0600',
+ }
+
+ file { '/etc/openvpn/keys/server.crt':
+ content => $openvpn_keys['server_crt'],
+ mode => '0644',
+ }
+}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 4a130d13..441a21e3 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -1,112 +1,104 @@
-define site_openvpn::server_config($port, $proto) {
- $openvpn_configname=$name
- notice("Creating OpenVPN $openvpn_configname:
- Port: $port, Protocol: $proto")
+define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) {
- file {
- "/etc/openvpn/${name}":
- ensure => directory,
- require => Package["openvpn"];
- }
+ $openvpn_configname = $name
- concat {
- "/etc/openvpn/${openvpn_configname}.conf":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- require => File["/etc/openvpn"],
- notify => Service["openvpn"];
- }
+ #notice("Creating OpenVPN $openvpn_configname:
+ # Port: $port, Protocol: $proto")
+ concat {
+ "/etc/openvpn/$openvpn_configname.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ notify => Service['openvpn'];
+ }
openvpn::option {
- "ca ${openvpn_configname}":
- key => "ca",
- value => "/etc/openvpn/ca.crt",
- #require => Exec["initca ${openvpn_configname}"],
- server => "${openvpn_configname}";
- "cert ${openvpn_configname}":
- key => "cert",
- value => "/etc/openvpn/${openvpn_configname}/server.crt",
- #require => Exec["generate server cert ${openvpn_configname}"],
- server => "${openvpn_configname}";
- "key ${openvpn_configname}":
- key => "key",
- value => "/etc/openvpn/${openvpn_configname}/server.key",
- #require => Exec["generate server cert ${openvpn_configname}"],
- server => "${openvpn_configname}";
- "dh ${openvpn_configname}":
- key => "dh",
- value => "/etc/openvpn/dh1024.pem",
- #require => Exec["generate dh param ${openvpn_configname}"],
- server => "${openvpn_configname}";
+ "ca $openvpn_configname":
+ key => 'ca',
+ value => '/etc/openvpn/keys/ca.crt',
+ server => $openvpn_configname;
+ "cert $openvpn_configname":
+ key => 'cert',
+ value => '/etc/openvpn/keys/server.crt',
+ server => $openvpn_configname;
+ "key $openvpn_configname":
+ key => 'key',
+ value => '/etc/openvpn/keys/server.key',
+ server => $openvpn_configname;
+ "dh $openvpn_configname":
+ key => 'dh',
+ value => '/etc/openvpn/keys/dh.pem',
+ server => $openvpn_configname;
+
"dev $openvpn_configname":
- key => "dev",
- value => "tun",
- server => "$openvpn_configname";
- "mode ${openvpn_configname}":
- key => 'mode',
- value => 'server',
- server => $openvpn_configname;
- "script-security $openvpn_configname":
- key => "script-security",
- value => "3",
- server => "$openvpn_configname";
- "daemon $openvpn_configname":
- key => "daemon",
- server => "$openvpn_configname";
+ key => 'dev',
+ value => 'tun',
+ server => $openvpn_configname;
+ "duplicate-cn $openvpn_configname":
+ key => 'duplicate-cn',
+ server => $openvpn_configname;
"keepalive $openvpn_configname":
- key => "keepalive",
- value => "10 60",
- server => "$openvpn_configname";
- "ping-timer-rem $openvpn_configname":
- key => "ping-timer-rem",
- server => "$openvpn_configname";
- "persist-tun $openvpn_configname":
- key => "persist-tun",
- server => "$openvpn_configname";
- "persist-key $openvpn_configname":
- key => "persist-key",
- server => "$openvpn_configname";
- "proto $openvpn_configname":
- key => "proto",
- value => "$proto",
- server => "$openvpn_configname";
- "cipher $openvpn_configname":
- key => "cipher",
- value => "BF-CBC",
- server => "$openvpn_configname";
+ key => 'keepalive',
+ value => '5 20',
+ server => $openvpn_configname;
"local $openvpn_configname":
- key => "local",
- value => $ipaddress,
- server => "$openvpn_configname";
- "tls-server $openvpn_configname":
- key => "tls-server",
- server => "$openvpn_configname";
- #"server $openvpn_configname":
- # key => "server",
- # value => "$server",
- # server => "$openvpn_configname";
- "lport $openvpn_configname":
- key => "lport",
- value => "$port",
- server => "$openvpn_configname";
+ key => 'local',
+ value => $local,
+ server => $openvpn_configname;
+ "mute $openvpn_configname":
+ key => 'mute',
+ value => '5',
+ server => $openvpn_configname;
+ "mute-replay-warnings $openvpn_configname":
+ key => 'mute-replay-warnings',
+ server => $openvpn_configname;
"management $openvpn_configname":
- key => "management",
- value => "/var/run/openvpn-$openvpn_configname.sock unix",
- server => "$openvpn_configname";
- "comp-lzo $openvpn_configname":
- key => "comp-lzo",
- server => "$openvpn_configname";
+ key => 'management',
+ value => $management,
+ server => $openvpn_configname;
+ "proto $openvpn_configname":
+ key => 'proto',
+ value => $proto,
+ server => $openvpn_configname;
+ "push1 $openvpn_configname":
+ key => 'push',
+ value => $push,
+ server => $openvpn_configname;
+ "push2 $openvpn_configname":
+ key => 'push',
+ value => '"redirect-gateway def1"',
+ server => $openvpn_configname;
+ "script-security $openvpn_configname":
+ key => 'script-security',
+ value => '2',
+ server => $openvpn_configname;
+ "server $openvpn_configname":
+ key => 'server',
+ value => "$server",
+ server => $openvpn_configname;
+ "status $openvpn_configname":
+ key => 'status',
+ value => '/var/run/openvpn-status 10',
+ server => $openvpn_configname;
+ "status-version $openvpn_configname":
+ key => 'status-version',
+ value => '3',
+ server => $openvpn_configname;
"topology $openvpn_configname":
- key => "topology",
- value => "subnet",
- server => "$openvpn_configname";
- #"client-to-client $openvpn_configname":
- # key => "client-to-client",
- # server => "$openvpn_configname";
+ key => 'topology',
+ value => 'subnet',
+ server => $openvpn_configname;
+ "up $openvpn_configname":
+ key => 'up',
+ value => '/etc/openvpn/server-up.sh',
+ server => $openvpn_configname;
+ "verb $openvpn_configname":
+ key => 'verb',
+ value => '3',
+ server => $openvpn_configname;
}
-
}
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
new file mode 100644
index 00000000..c68b8370
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -0,0 +1,17 @@
+class site_shorewall::defaults {
+ include shorewall
+
+ # If you want logging:
+ shorewall::params {
+ 'LOG': value => 'debug';
+ }
+
+ shorewall::zone {'net': type => 'ipv4'; }
+
+ shorewall::rule_section { 'NEW': order => 10; }
+
+ shorewall::interface {'eth0':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..0902039c
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -0,0 +1,85 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ # define macro
+ file { "/etc/shorewall/macro.leap_eip":
+ content => 'PARAM - - tcp 53,80,443,1194
+PARAM - - udp 53,80,443,1194
+', }
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::interface {'tun1':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::masq {'eth0':
+ interface => 'eth0',
+ source => ''; }
+
+ shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
+ order => 200;
+
+ # eip gw itself to outside
+ 'fw2all-http':
+ source => '$FW',
+ destination => 'all',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'DNS(ACCEPT)',
+ order => 200;
+ 'fw2all-git':
+ source => '$FW',
+ destination => 'all',
+ action => 'Git(ACCEPT)',
+ order => 200;
+
+ 'eip2fw-https':
+ source => 'eip',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ }
+}
diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl
new file mode 160000
+Subproject 6ad210b3f90f24878cfccd61c758275e2ab022b