diff options
Diffstat (limited to 'puppet/modules/openvpn/manifests')
m--------- | puppet/modules/openvpn | 8 | ||||
-rw-r--r-- | puppet/modules/openvpn/manifests/client.pp | 142 | ||||
-rw-r--r-- | puppet/modules/openvpn/manifests/init.pp | 45 | ||||
-rw-r--r-- | puppet/modules/openvpn/manifests/option.pp | 24 | ||||
-rw-r--r-- | puppet/modules/openvpn/manifests/server.pp | 153 |
5 files changed, 364 insertions, 8 deletions
diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn deleted file mode 160000 -Subproject 25f1fe8d813f6128068d890a40f5e24be78fb47 diff --git a/puppet/modules/openvpn/manifests/client.pp b/puppet/modules/openvpn/manifests/client.pp new file mode 100644 index 00000000..ed11b3a9 --- /dev/null +++ b/puppet/modules/openvpn/manifests/client.pp @@ -0,0 +1,142 @@ +# client.pp + +define openvpn::client($server, $remote_host = $::fqdn) { + exec { + "generate certificate for ${name} in context of ${server}": + command => ". ./vars && ./pkitool ${name}", + cwd => "/etc/openvpn/${server}/easy-rsa", + creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", + provider => 'shell', + require => Exec["generate server cert ${server}"]; + } + + file { + "/etc/openvpn/${server}/download-configs/${name}": + ensure => directory, + require => File["/etc/openvpn/${server}/download-configs"]; + + "/etc/openvpn/${server}/download-configs/${name}/keys": + ensure => directory, + require => File["/etc/openvpn/${server}/download-configs/${name}"]; + + "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", + require => [ Exec["generate certificate for ${name} in context of ${server}"], + File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + + "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", + require => [ Exec["generate certificate for ${name} in context of ${server}"], + File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + + "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", + require => [ Exec["generate certificate for ${name} in context of ${server}"], + File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + } + + + openvpn::option { + "ca ${server} with ${name}": + key => 'ca', + value => 'keys/ca.crt', + client => $name, + server => $server; + "cert ${server} with ${name}": + key => 'cert', + value => "keys/${name}.crt", + client => $name, + server => $server; + "key ${server} with ${name}": + key => 'key', + value => "keys/${name}.key", + client => $name, + server => $server; + "client ${server} with ${name}": + key => 'client', + client => $name, + server => $server; + "dev ${server} with ${name}": + key => 'dev', + value => 'tun', + client => $name, + server => $server; + "proto ${server} with ${name}": + key => 'proto', + value => 'tcp', + client => $name, + server => $server; + "remote ${server} with ${name}": + key => 'remote', + value => "${remote_host} 1194", + client => $name, + server => $server; + "resolv-retry ${server} with ${name}": + key => 'resolv-retry', + value => 'infinite', + client => $name, + server => $server; + "nobind ${server} with ${name}": + key => 'nobind', + client => $name, + server => $server; + "persist-key ${server} with ${name}": + key => 'persist-key', + client => $name, + server => $server; + "persist-tun ${server} with ${name}": + key => 'persist-tun', + client => $name, + server => $server; + "mute-replay-warnings ${server} with ${name}": + key => 'mute-replay-warnings', + client => $name, + server => $server; + "ns-cert-type ${server} with ${name}": + key => 'ns-cert-type', + value => 'server', + client => $name, + server => $server; + "comp-lzo ${server} with ${name}": + key => 'comp-lzo', + client => $name, + server => $server; + "verb ${server} with ${name}": + key => 'verb', + value => '3', + client => $name, + server => $server; + "mute ${server} with ${name}": + key => 'mute', + value => '20', + client => $name, + server => $server; + } + + exec { + "tar the thing ${server} with ${name}": + cwd => "/etc/openvpn/${server}/download-configs/", + command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}", + refreshonly => true, + require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] ]; + } + + + concat { + [ "/etc/openvpn/${server}/client-configs/${name}", "/etc/openvpn/${server}/download-configs/${name}/${name}.conf" ]: + owner => root, + group => root, + mode => 644, + warn => true, + force => true, + notify => Exec["tar the thing ${server} with ${name}"], + require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ]; + } + +} diff --git a/puppet/modules/openvpn/manifests/init.pp b/puppet/modules/openvpn/manifests/init.pp new file mode 100644 index 00000000..a3dd70c0 --- /dev/null +++ b/puppet/modules/openvpn/manifests/init.pp @@ -0,0 +1,45 @@ +# openvpn.pp + +class openvpn { + package { + 'openvpn': + ensure => installed; + } + service { + 'openvpn': + ensure => running, + enable => true, + hasrestart => true, + hasstatus => true, + require => Exec['concat_/etc/default/openvpn']; + } + file { + '/etc/openvpn': + ensure => directory, + require => Package['openvpn']; + } + file { + '/etc/openvpn/keys': + ensure => directory, + require => File['/etc/openvpn']; + } + + include concat::setup + + concat { + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; + } + + concat::fragment { + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; + } + +} diff --git a/puppet/modules/openvpn/manifests/option.pp b/puppet/modules/openvpn/manifests/option.pp new file mode 100644 index 00000000..eb3d5a72 --- /dev/null +++ b/puppet/modules/openvpn/manifests/option.pp @@ -0,0 +1,24 @@ +# option.pp + +define openvpn::option($key, $server, $value = '', $client = '', $csc = false) { + $content = $value ? { + '' => $key, + default => "${key} ${value}" + } + + if $client == '' { + $path = "/etc/openvpn/${server}.conf" + } else { + if $csc { + $path = "/etc/openvpn/${server}/client-configs/${client}" + } else { + $path = "/etc/openvpn/${server}/download-configs/${client}/${client}.conf" + } + } + + concat::fragment { + "openvpn.${server}.${client}.${name}": + target => $path, + content => "${content}\n"; + } +} diff --git a/puppet/modules/openvpn/manifests/server.pp b/puppet/modules/openvpn/manifests/server.pp new file mode 100644 index 00000000..bfcaad83 --- /dev/null +++ b/puppet/modules/openvpn/manifests/server.pp @@ -0,0 +1,153 @@ +# server.pp + +define openvpn::server($country, $province, $city, $organization, $email) { + include openvpn + + $easyrsa_source = $::osfamily ? { + 'RedHat' => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0', + default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0' + } + + $link_openssl_cnf = $::osfamily ? { + /(Debian|RedHat)/ => true, + default => false + } + + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package['openvpn']; + } + file { + "/etc/openvpn/${name}/client-configs": + ensure => directory, + require => File["/etc/openvpn/${name}"]; + "/etc/openvpn/${name}/download-configs": + ensure => directory, + require => File["/etc/openvpn/${name}"]; + } + + openvpn::option { + "client-config-dir ${name}": + key => 'client-config-dir', + value => "/etc/openvpn/${name}/client-configs", + server => $name, + require => File["/etc/openvpn/${name}"]; + "mode ${name}": + key => 'mode', + value => 'server', + server => $name; + } + + exec { + "copy easy-rsa to openvpn config folder ${name}": + command => "/bin/cp -r ${easyrsa_source} /etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa", + notify => Exec['fix_easyrsa_file_permissions'], + require => File["/etc/openvpn/${name}"]; + } + exec { + 'fix_easyrsa_file_permissions': + refreshonly => true, + command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*"; + } + file { + "/etc/openvpn/${name}/easy-rsa/vars": + ensure => present, + content => template('openvpn/vars.erb'), + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + } + + file { + "/etc/openvpn/${name}/easy-rsa/openssl.cnf": + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + } + if $link_openssl_cnf == true { + File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] { + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf" + } + } + + exec { + "generate dh param ${name}": + command => '. ./vars && ./clean-all && ./build-dh', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/dh1024.pem", + provider => 'shell', + require => File["/etc/openvpn/${name}/easy-rsa/vars"]; + + "initca ${name}": + command => '. ./vars && ./pkitool --initca', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key", + provider => 'shell', + require => [ Exec["generate dh param ${name}"], File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ]; + + "generate server cert ${name}": + command => '. ./vars && ./pkitool --server server', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/server.key", + provider => 'shell', + require => Exec["initca ${name}"]; + } + + file { + "/etc/openvpn/${name}/keys": + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/keys", + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + } + + openvpn::option { + "ca ${name}": + key => 'ca', + value => "/etc/openvpn/${name}/keys/ca.crt", + require => Exec["initca ${name}"], + server => $name; + "cert ${name}": + key => 'cert', + value => "/etc/openvpn/${name}/keys/server.crt", + require => Exec["generate server cert ${name}"], + server => $name; + "key ${name}": + key => 'key', + value => "/etc/openvpn/${name}/keys/server.key", + require => Exec["generate server cert ${name}"], + server => $name; + "dh ${name}": + key => 'dh', + value => "/etc/openvpn/${name}/keys/dh1024.pem", + require => Exec["generate dh param ${name}"], + server => $name; + + "proto ${name}": + key => 'proto', + value => 'tcp', + require => Exec["generate dh param ${name}"], + server => $name; + + "comp-lzo ${name}": + key => 'comp-lzo', + require => Exec["generate dh param ${name}"], + server => $name; + } + + concat::fragment { + "openvpn.default.autostart.${name}": + content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", + target => '/etc/default/openvpn', + order => 10; + } + + concat { + "/etc/openvpn/${name}.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } + +} |