-rw-r--r--.gitmodules3
m---------puppet/modules/interfaces0
-rw-r--r--puppet/modules/site_config/manifests/eip.pp53
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp13
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp4
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp33
6 files changed, 72 insertions, 34 deletions
diff --git a/.gitmodules b/.gitmodules
index 10a21c03..e3e8d6db 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -34,3 +34,6 @@
[submodule "puppet/modules/couchdb"]
path = puppet/modules/couchdb
url = git://code.leap.se/puppet_couchdb
+[submodule "puppet/modules/interfaces"]
+ path = puppet/modules/interfaces
+ url = git://github.com/x-way/puppet-interfaces.git
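Review bot: The new submodule is fetched over `git://`, an unauthenticated and unencrypted transport, so integrity of the checkout rests only on the commit pinned in the superproject and anyone on the network path can observe or interfere with the fetch. The neighbouring couchdb entry uses the same scheme, but for a third-party GitHub module an authenticated URL is available: `url = https://github.com/x-way/puppet-interfaces.git`. Since this pulls in code that will run under Puppet as root, it is also worth recording in the commit message which upstream tag or commit was reviewed before pinning.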
diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces
new file mode 160000
+Subproject 1d7dc7178881c56102c043e96763176f66445c1
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
index df17771a..4280fb67 100644
--- a/puppet/modules/site_config/manifests/eip.pp
+++ b/puppet/modules/site_config/manifests/eip.pp
@@ -1,30 +1,57 @@
class site_config::eip {
- include site_openvpn
- include site_openvpn::keys
- #$tor=hiera('tor')
- #notice("Tor enabled: $tor")
+ # parse hiera config
+ $ip_address = hiera('ip_address')
+ $interface = hiera('interface')
+ #$gateway_address = hiera('gateway_address')
+ $openvpn_config = hiera('openvpn')
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ $openvpn_tcp_network_prefix = '10.1.0'
+ $openvpn_tcp_netmask = '255.255.248.0'
+ $openvpn_tcp_cidr = '21'
+ $openvpn_udp_network_prefix = '10.2.0'
+ $openvpn_udp_netmask = '255.255.248.0'
+ $openvpn_udp_cidr = '21'
- $openvpn_config = hiera('openvpn')
- $interface = hiera('interface')
- $gateway_address = $openvpn_config['gateway_address']
+ include site_openvpn
+
+ # deploy ca + server keys
+ include site_openvpn::keys
+ # create 2 openvpn config files, one for tcp, one for udp
site_openvpn::server_config { 'tcp_config':
port => '1194',
proto => 'tcp',
- local => $gateway_address,
- server => '10.1.0.0 255.255.248.0',
- push => '"dhcp-option DNS 10.1.0.1"',
+ local => $openvpn_gateway_address,
+ server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
+ push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
management => '127.0.0.1 1000'
}
site_openvpn::server_config { 'udp_config':
port => '1194',
proto => 'udp',
- local => $gateway_address,
- server => '10.2.0.0 255.255.248.0',
- push => '"dhcp-option DNS 10.2.0.1"',
+ server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
+ push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
+ local => $openvpn_gateway_address,
management => '127.0.0.1 1001'
}
+ # add second IP on given interface
+ file { '/usr/local/bin/leap_add_second_ip.sh':
+ content => "#!/bin/sh
+ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface",
+ mode => '0755',
+ }
+
+ exec { '/usr/local/bin/leap_add_second_ip.sh':
+ subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ }
+
+ cron { 'leap_add_second_ip.sh':
+ command => "/usr/local/bin/leap_add_second_ip.sh",
+ user => 'root',
+ special => 'reboot',
+ }
+
include site_shorewall::eip
}
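Review bot: The `exec { '/usr/local/bin/leap_add_second_ip.sh': }` resource subscribes to the file but has no `refreshonly => true`, so it runs on every Puppet run rather than only when the script changes; the script's `grep -q` guard keeps this idempotent, but that guard is an unanchored basic regex in which the dots of `${openvpn_gateway_address}` match any character, so a longer address containing the same digits would suppress the add. Adding `refreshonly => true,` to the exec and switching the guard to a fixed-string match (`grep -qF "${openvpn_gateway_address}/24"`) closes both. The `/24` prefix for the second IP is hard-coded in the script while the netmask and cidr variables above it are used only for the OpenVPN subnets, and `$ip_address = hiera('ip_address')` is read but never used in this class. Because the script is executed by root from cron, the file resource should also pin `owner => 'root', group => 'root',` alongside `mode => '0755'` rather than inheriting whatever the Puppet agent's defaults are.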
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 441a21e3..482c6ab7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
$openvpn_configname = $name
-
- #notice("Creating OpenVPN $openvpn_configname:
- # Port: $port, Protocol: $proto")
-
concat {
"/etc/openvpn/$openvpn_configname.conf":
owner => root,
@@ -92,10 +88,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
key => 'topology',
value => 'subnet',
server => $openvpn_configname;
- "up $openvpn_configname":
- key => 'up',
- value => '/etc/openvpn/server-up.sh',
- server => $openvpn_configname;
+ # no need for server-up.sh right now
+ #"up $openvpn_configname":
+ # key => 'up',
+ # value => '/etc/openvpn/server-up.sh',
+ # server => $openvpn_configname;
"verb $openvpn_configname":
key => 'verb',
value => '3',
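Review bot: The second hunk keeps the `"up $openvpn_configname":` entry as commented-out code instead of deleting it; since the file is under version control, the dead block only adds noise to a concat fragment list and the `# no need for server-up.sh right now` comment gives no hint of when it would be needed again. I would drop the five commented lines and, if the intent matters, leave a one-line `# the 'up' hook (server-up.sh) was removed; see git history if it is needed again` next to the `topology` entry. The enclosing `define site_openvpn::server_config` starts before the first hunk and its concat fragment list continues beyond this one.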
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index c68b8370..88981e5f 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -10,8 +10,4 @@ class site_shorewall::defaults {
shorewall::rule_section { 'NEW': order => 10; }
- shorewall::interface {'eth0':
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs';
- }
}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 31ee3e6c..a5af0dde 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,13 +5,22 @@ class site_shorewall::eip {
include site_shorewall::defaults
- $interface = hiera('interface')
+ $interface = hiera('interface')
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
# define macro
- file { "/etc/shorewall/macro.leap_eip":
- content => 'PARAM - - tcp 53,80,443,1194
+ file { '/etc/shorewall/macro.leap_eip':
+ content => "PARAM - - tcp 53,80,443,1194,$ssh_port
PARAM - - udp 53,80,443,1194
-', }
+", }
+
+
+ # define interfaces
+ shorewall::interface { $interface:
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
shorewall::interface {'tun0':
zone => 'eip',
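Review bot: The macro content now interpolates `$ssh_port` taken from `$ssh_config['port']` with no check that the key exists; if the hiera `ssh` hash lacks `port`, the value interpolates as an empty string and the macro line becomes `PARAM - - tcp 53,80,443,1194,`, which Shorewall will reject at compile time, leaving the firewall unchanged or down depending on how it is restarted. A guard such as `if ! $ssh_port { fail('hiera ssh.port must be set for site_shorewall::eip') }` immediately after the assignment turns that into a clear catalog failure. Note also that this hunk moves the `net`-zone `shorewall::interface` from `site_shorewall::defaults` to this class (see the defaults.pp deletion), so any node that includes defaults without eip no longer gets its external interface declared, which seems intended but is not mentioned in the diff. The class `site_shorewall::eip` continues beyond the end of this chunk.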
@@ -20,15 +29,21 @@ PARAM - - udp 53,80,443,1194
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs'; }
+
shorewall::zone {'eip':
type => 'ipv4'; }
- shorewall::routestopped {'$interface':
- interface => '$interface'; }
+ shorewall::routestopped { $interface:
+ interface => $interface; }
+
+
+ shorewall::masq { "${interface}_tcp":
+ interface => $interface,
+ source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; }
- shorewall::masq {'$interface':
- interface => '$interface',
- source => ''; }
+ shorewall::masq { "${interface}_udp":
+ interface => $interface,
+ source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }
shorewall::policy {
'eip-to-all':