-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | config/defaults.yaml | 7 | ||||
-rw-r--r-- | config/eip/cougar.leap.se.yaml | 10 | ||||
-rw-r--r-- | config/eip/defaults.yaml | 4 | ||||
-rw-r--r-- | config/hosts/cougar.leap.se.yaml | 8 | ||||
-rwxr-xr-x | deploy.sh | 21 | ||||
-rw-r--r-- | puppet/hiera.yaml | 16 | ||||
-rw-r--r-- | puppet/manifests/site.pp | 20 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 27 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/init.pp | 11 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/resolvconf.pp | 17 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/sshd.pp | 8 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 59 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/keys.pp | 28 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 190 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 17 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 85 | ||||
m--------- | puppet/modules/sysctl | 0 |
18 files changed, 346 insertions, 185 deletions
diff --git a/.gitmodules b/.gitmodules index c95048d9..c151aaf7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -28,3 +28,6 @@ [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf url = git://git.puppet.immerda.ch/module-resolvconf.git +[submodule "puppet/modules/sysctl"] + path = puppet/modules/sysctl + url = git://github.com/luxflux/puppet-sysctl.git diff --git a/config/defaults.yaml b/config/defaults.yaml deleted file mode 100644 index 44fae3d2..00000000 --- a/config/defaults.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -testpw: secret - -# as hashes will get aggregated, this ssh-key would always be present, in addition to others specified in hosts/{fqdn} -ssh_keys: - default_key: - key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml deleted file mode 100644 index c051d30b..00000000 --- a/config/eip/cougar.leap.se.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -openvpn_server_configs: - port80_tcp: - port: 80 - proto: tcp-server - port1194_udp: - port: 1194 - proto: udp - -tor: 'true' diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml deleted file mode 100644 index 07846fdd..00000000 --- a/config/eip/defaults.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# make shure 'false' is quoted -tor: 'false' - diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml deleted file mode 100644 index 758e96a3..00000000 --- a/config/hosts/cougar.leap.se.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -services: - - eip - - couchdb -ssh_keys: - second_key: - key: ssh-rsa more_random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ - 
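Review bot: The new submodule is fetched over `git://`, an unauthenticated and unencrypted transport, so the checkout relies solely on the gitlink hash (the `Subproject 6ad210b3…` entry at the end of this diff) for integrity and nothing verifies the remote host. The existing resolvconf entry has the same weakness, but the new line could use the authenticated transport the host offers: `url = https://github.com/luxflux/puppet-sysctl.git`. Whether the `git submodule update` in deploy.sh tolerates a transport change on already-cloned checkouts is not visible here.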
@@ -5,19 +5,28 @@ PUPPET_ENV='--confdir=puppet' install_prerequisites () { - apt-get update - apt-get install puppet git + PACKAGES='git puppet ruby-hiera-puppet' + dpkg -l $PACKAGES > /dev/null 2>&1 + if [ ! $? -eq 0 ] + then + apt-get update + apt-get install $PACKAGES + fi # lsb is needed for a first puppet run puppet apply $PUPPET_ENV --execute 'include lsb' - git submodule init - git submodule update } # main # commented for testing purposes -install_prerequisites +# this should be run once on every host on setup +#install_prerequisites -puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ +# keep repository up to date +git pull +git submodule init +git submodule update +# run puppet without irritating deprecation warnings +puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ | grep -v 'warning:.*is deprecated' diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index a992c057..4194c6c9 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -6,18 +6,20 @@ :logger: console :hierarchy: - - hosts/%{fqdn} - - ca/%{fqdn} - - ca/defaults - - eip/%{fqdn} - - eip/defaults + - %{fqdn} +#former hierarchy, not used anymore +# - hosts/%{fqdn} +# - ca/%{fqdn} +# - ca/defaults +# - eip/%{fqdn} +# - eip/defaults # more services following - - defaults +# - defaults # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo :yaml: - :datadir: config + :datadir: ../config :puppet: :datasource: data diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 3ae9ebea..d451bdf5 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
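Review bot: The install check in install_prerequisites tests the exit status of `dpkg -l $PACKAGES`, which also succeeds for packages that dpkg knows about but that are removed or never configured, so the apt-get branch can be skipped on a host that still lacks them; `dpkg -s $PACKAGES > /dev/null 2>&1 || { apt-get update && apt-get install -y $PACKAGES; }` checks installed status and makes the install non-interactive. The final `puppet apply ... | grep -v 'warning:.*is deprecated'` hides puppet's exit code behind grep's, so a failed run reports success to the caller (and grep itself exits 1 when every line is filtered); the status should be preserved, e.g. with `set -o pipefail` if this script runs under bash, or by filtering a captured output file afterwards. `$@` on that line should be `"$@"` so arguments containing spaces survive.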
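Review bot: The new hierarchy entry `- %{fqdn}` starts a plain YAML scalar with `%`, which the YAML spec reserves as a directive indicator; the old entries were safe only because the interpolation did not begin the value. Quoting it, `- "%{fqdn}"`, avoids depending on parser leniency. The `:datadir: ../config` value also contradicts the comment directly above it, which says the path is relative to where puppet is run (deploy.sh runs from the repository root, where `../config` would point outside the repository); if the path is in fact resolved relative to `--confdir=puppet`, the comment should say so.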
@@ -1,23 +1,17 @@ node 'default' { + # prerequisites + import 'common' + include concat::setup # include some basic classes - # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? - include concat::setup - include apt, lsb, git - import 'common' + #include site_config + # parse services for host $services=hiera_array('services') notice("Services for $fqdn: $services") - # configure ssh and inculde ssh-keys - #include sshd - $ssh_keys=hiera_hash('ssh_keys') - include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) - - - if 'eip' in $services { + # configure eip + if 'openvpn' in $services { include site_config::eip } diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 56eb1452..95f9dbf4 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,10 +1,29 @@ class site_config::eip { include site_openvpn + include site_openvpn::keys - $tor=hiera('tor') - notice("Tor enabled: $tor") + #$tor=hiera('tor') + #notice("Tor enabled: $tor") - $openvpn_configs=hiera('openvpn_server_configs') - create_resources('site_openvpn::server_config', $openvpn_configs) + #$openvpn_configs=hiera('openvpn_server_configs') + #create_resources('site_openvpn::server_config', $openvpn_configs) + + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => '127.0.0.1 1001' + } + include site_shorewall::eip } diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp new file mode 100644 index 00000000..8aa1b54d 
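Review bot: With `#include site_config` commented out, nothing in this commit applies the new site_config class (init.pp further down), so the sshd key management that moved into site_config::sshd, the resolvconf setup, and the `include apt, lsb, git` removed from this node definition are no longer applied to any host. If the include is meant to stay disabled while testing, the removed `include site_sshd` and `create_resources('site_sshd::ssh_key', $ssh_keys)` lines should remain here until it is enabled; otherwise `include site_config` should be uncommented. The same applies to the new init.pp, resolvconf.pp and sshd.pp hunks, which are unreachable until some node includes the class. The node body continues past the end of this hunk.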
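Review bot: Both server_config instances set `management => '127.0.0.1 1000'` / `'127.0.0.1 1001'`, replacing the unix socket the previous server_config.pp used, so each OpenVPN management channel now listens on a localhost TCP port that any local account can connect to, with no authentication (the `management` directive only takes a password file as an optional third argument). Either keep the unix-socket form, e.g. `management => '/var/run/openvpn-tcp_config.sock unix'`, or add the pw-file argument pointing at a root-only file. The server subnets, pushed DNS options and `$::ipaddress_eth0_1` are also hard-coded here, while the commented-out hiera lookups made them per-host; a comment explaining why the data moved out of hiera would help the next reader.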
--- /dev/null
+++ b/puppet/modules/site_config/manifests/init.pp
@@ -0,0 +1,11 @@
+class site_config {
+ # default class, use by all hosts
+
+ include apt, lsb, git
+
+ # configure ssh and inculde ssh-keys
+ include site_config::sshd
+
+ # configure /etc/resolv.conf
+ include site_config::resolvconf
+}
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
new file mode 100644
index 00000000..bd0539b9
--- /dev/null
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -0,0 +1,17 @@
+class site_config::resolvconf {
+ package { 'bind9':
+ ensure => installed,
+ }
+
+ $domain_hash = hiera('domain')
+ $domain_public = $domain_hash['public']
+
+ # 127.0.0.1: caching-only local bind
+ # 87.118.100.175: http://server.privacyfoundation.de
+ # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html
+ class { '::resolvconf':
+ domain => $domain_public,
+ search => $domain_public,
+ nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ]
+ }
+}
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp
new file mode 100644
index 00000000..4834bb6f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/sshd.pp
@@ -0,0 +1,8 @@
+class site_config::sshd {
+ # configure ssh and inculde ssh-keys
+ include sshd
+ $ssh_pubkeys=hiera_hash('ssh_pubkeys')
+ include site_sshd
+ notice($ssh_pubkeys)
+ create_resources('site_sshd::ssh_key', $ssh_pubkeys)
+}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index c83b98c7..e95e67d5 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
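Review bot: `package { 'bind9': ensure => installed }` installs bind9 with its distribution defaults and nothing in this class configures it, yet the comment above the nameservers list calls it a caching-only local resolver; whether it listens only on 127.0.0.1 and refuses recursion for outside clients is not established anywhere in this commit, and the site_shorewall::eip hunk later in this diff opens tcp/udp 53 from the net zone to the firewall. A managed named options file that limits listen-on and allow-recursion to localhost and the VPN subnets would make the comment true and keep the host from acting as an open resolver. The two public fallback resolvers also mean that whenever the local bind is down, the gateway's own lookups go to third parties in the clear; if that is intended it deserves a comment saying so.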
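Review bot: `notice($ssh_pubkeys)` dumps the whole key hash into the agent log on every run; the keys are public, but the output is noisy and persists in logs and reports. Dropping the line, or lowering it to `debug($ssh_pubkeys)`, keeps the log readable. The comment typo `inculde` is also copied from init.pp into this file.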
@@ -1,43 +1,48 @@ class site_openvpn { package { - "openvpn": - ensure => installed; + 'openvpn': + ensure => installed; } service { - "openvpn": - ensure => running, - hasrestart => true, - hasstatus => true, - require => Exec["concat_/etc/default/openvpn"]; + 'openvpn': + ensure => running, + hasrestart => true, + hasstatus => true, + require => Exec['concat_/etc/default/openvpn']; } + file { - "/etc/openvpn": - ensure => directory, - require => Package["openvpn"]; + '/etc/openvpn': + ensure => directory, + require => Package['openvpn']; } - include concat::setup + file { + '/etc/openvpn/keys': + ensure => directory, + require => Package['openvpn']; + } concat { - "/etc/default/openvpn": - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service["openvpn"]; + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; } concat::fragment { - "openvpn.default.header": - content => template("openvpn/etc-default-openvpn.erb"), - target => "/etc/default/openvpn", - order => 01; + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; } - concat::fragment { - "openvpn.default.autostart.${name}": - content => "AUTOSTART=all", - target => "/etc/default/openvpn", - order => 10; - } + concat::fragment { + "openvpn.default.autostart.${name}": + content => 'AUTOSTART=all', + target => '/etc/default/openvpn', + order => 10; + } } diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp new file mode 100644 index 00000000..d029fbac --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/keys.pp 
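Review bot: The new `/etc/openvpn/keys` directory is created with default permissions although keys.pp (next hunk) places ca.key and server.key in it; the files get `mode => '0600'`, but the directory itself can be tightened in the same resource: `mode => '0700', owner => root, group => root,`. The `"openvpn.default.autostart.${name}"` fragment title uses `$name` inside a class, where it resolves to the class name rather than a define instance; `'openvpn.default.autostart'` would say what it means. The quoting changes elsewhere in the hunk are fine.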
@@ -0,0 +1,28 @@
+class site_openvpn::keys {
+ $openvpn_keys = hiera_hash('openvpn')
+
+ file { '/etc/openvpn/keys/ca.key':
+ content => $openvpn_keys['ca_key'],
+ mode => '0600',
+ }
+
+ file { '/etc/openvpn/keys/ca.crt':
+ content => $openvpn_keys['ca_crt'],
+ mode => '0644',
+ }
+
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $openvpn_keys['dh_key'],
+ mode => '0644',
+ }
+
+ file { '/etc/openvpn/keys/server.key':
+ content => $openvpn_keys['server_key'],
+ mode => '0600',
+ }
+
+ file { '/etc/openvpn/keys/server.crt':
+ content => $openvpn_keys['server_crt'],
+ mode => '0644',
+ }
+}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 4a130d13..441a21e3 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
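Review bot: `/etc/openvpn/keys/ca.key` deploys the CA's private key onto the VPN gateway, where OpenVPN only needs ca.crt to verify clients; a compromised gateway would then be able to issue certificates trusted by every other host, so the CA key should stay off the server unless something on it really signs certificates (nothing in this commit does). The key material also arrives through `content =>`, so any change is rendered as a diff in reports and logs; if the Puppet version in use supports it, `show_diff => false` on ca.key and server.key avoids that. Explicit `owner => root, group => root` would make the intended ownership independent of the user running puppet.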
@@ -1,112 +1,104 @@ -define site_openvpn::server_config($port, $proto) { - $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $proto") +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package["openvpn"]; - } + $openvpn_configname = $name - concat { - "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File["/etc/openvpn"], - notify => Service["openvpn"]; - } + #notice("Creating OpenVPN $openvpn_configname: + # Port: $port, Protocol: $proto") + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } openvpn::option { - "ca ${openvpn_configname}": - key => "ca", - value => "/etc/openvpn/ca.crt", - #require => Exec["initca ${openvpn_configname}"], - server => "${openvpn_configname}"; - "cert ${openvpn_configname}": - key => "cert", - value => "/etc/openvpn/${openvpn_configname}/server.crt", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "key ${openvpn_configname}": - key => "key", - value => "/etc/openvpn/${openvpn_configname}/server.key", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "dh ${openvpn_configname}": - key => "dh", - value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param ${openvpn_configname}"], - server => "${openvpn_configname}"; + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/keys/ca.crt', + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => '/etc/openvpn/keys/server.crt', + server => $openvpn_configname; + "key $openvpn_configname": + key => 'key', + value => '/etc/openvpn/keys/server.key', + server => 
$openvpn_configname; + "dh $openvpn_configname": + key => 'dh', + value => '/etc/openvpn/keys/dh.pem', + server => $openvpn_configname; + "dev $openvpn_configname": - key => "dev", - value => "tun", - server => "$openvpn_configname"; - "mode ${openvpn_configname}": - key => 'mode', - value => 'server', - server => $openvpn_configname; - "script-security $openvpn_configname": - key => "script-security", - value => "3", - server => "$openvpn_configname"; - "daemon $openvpn_configname": - key => "daemon", - server => "$openvpn_configname"; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive $openvpn_configname": - key => "keepalive", - value => "10 60", - server => "$openvpn_configname"; - "ping-timer-rem $openvpn_configname": - key => "ping-timer-rem", - server => "$openvpn_configname"; - "persist-tun $openvpn_configname": - key => "persist-tun", - server => "$openvpn_configname"; - "persist-key $openvpn_configname": - key => "persist-key", - server => "$openvpn_configname"; - "proto $openvpn_configname": - key => "proto", - value => "$proto", - server => "$openvpn_configname"; - "cipher $openvpn_configname": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_configname"; + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; "local $openvpn_configname": - key => "local", - value => $ipaddress, - server => "$openvpn_configname"; - "tls-server $openvpn_configname": - key => "tls-server", - server => "$openvpn_configname"; - #"server $openvpn_configname": - # key => "server", - # value => "$server", - # server => "$openvpn_configname"; - "lport $openvpn_configname": - key => "lport", - value => "$port", - server => "$openvpn_configname"; + key => 'local', + value => $local, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + 
"mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; "management $openvpn_configname": - key => "management", - value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_configname"; - "comp-lzo $openvpn_configname": - key => "comp-lzo", - server => "$openvpn_configname"; + key => 'management', + value => $management, + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": + key => 'push', + value => '"redirect-gateway def1"', + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => "$server", + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology $openvpn_configname": - key => "topology", - value => "subnet", - server => "$openvpn_configname"; - #"client-to-client $openvpn_configname": - # key => "client-to-client", - # server => "$openvpn_configname"; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + "up $openvpn_configname": + key => 'up', + value => '/etc/openvpn/server-up.sh', + server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; } - } diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp new file mode 100644 index 00000000..c68b8370 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
@@ -0,0 +1,17 @@
+class site_shorewall::defaults {
+ include shorewall
+
+ # If you want logging:
+ shorewall::params {
+ 'LOG': value => 'debug';
+ }
+
+ shorewall::zone {'net': type => 'ipv4'; }
+
+ shorewall::rule_section { 'NEW': order => 10; }
+
+ shorewall::interface {'eth0':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..0902039c
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
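Review bot: The comment `# If you want logging:` reads as if the `shorewall::params { 'LOG': value => 'debug' }` block were optional, but it is active, and at `debug` level every matched rule can be logged to syslog on a gateway that forwards all VPN traffic. Either comment the resource out to match the text, or set the level deliberately, e.g. `value => 'info'`, with a comment explaining why.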
@@ -0,0 +1,85 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ # define macro
+ file { "/etc/shorewall/macro.leap_eip":
+ content => 'PARAM - - tcp 53,80,443,1194
+PARAM - - udp 53,80,443,1194
+', }
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::interface {'tun1':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::masq {'eth0':
+ interface => 'eth0',
+ source => ''; }
+
+ shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
+ order => 200;
+
+ # eip gw itself to outside
+ 'fw2all-http':
+ source => '$FW',
+ destination => 'all',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'DNS(ACCEPT)',
+ order => 200;
+ 'fw2all-git':
+ source => '$FW',
+ destination => 'all',
+ action => 'Git(ACCEPT)',
+ order => 200;
+
+ 'eip2fw-https':
+ source => 'eip',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ }
+}
diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl
new file mode 160000
+Subproject 6ad210b3f90f24878cfccd61c758275e2ab022b |
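Review bot: The `eip-to-all` policy accepts traffic from the eip zone to `all`, which in shorewall includes `$FW` and the eip zone itself, so VPN clients can reach every service on the gateway (ssh, the local resolver, anything bound to the tun addresses) and each other, and the explicit `eip2fw-https` rule below it is redundant. Scoping the policy with `destinationzone => 'net'` and adding explicit eip-to-$FW rules for DNS and HTTPS gives clients only what the gateway intends to serve. The `leap_eip` macro also opens tcp/udp 53 from the net zone to the firewall, which together with the bind9 installed in resolvconf.pp exposes the resolver to the internet unless bind is configured to refuse recursion for outside clients; port 53 belongs in that macro only if OpenVPN itself listens on it. `$shorewall_startup='0'` is assigned but nothing in this hunk reads it; if the shorewall module picks it up through dynamic scope the firewall stays disabled at boot, so the "be safe for development" comment should say when the line is to be removed.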