summaryrefslogtreecommitdiff
path: root/puppet/modules/openvpn/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/openvpn/manifests')
m---------puppet/modules/openvpn8
-rw-r--r--puppet/modules/openvpn/manifests/client.pp142
-rw-r--r--puppet/modules/openvpn/manifests/init.pp45
-rw-r--r--puppet/modules/openvpn/manifests/option.pp24
-rw-r--r--puppet/modules/openvpn/manifests/server.pp153
5 files changed, 364 insertions, 8 deletions
diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn
deleted file mode 160000
-Subproject 25f1fe8d813f6128068d890a40f5e24be78fb47
diff --git a/puppet/modules/openvpn/manifests/client.pp b/puppet/modules/openvpn/manifests/client.pp
new file mode 100644
index 00000000..ed11b3a9
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/client.pp
@@ -0,0 +1,142 @@
+# client.pp
+
+define openvpn::client($server, $remote_host = $::fqdn) {
+ exec {
+ "generate certificate for ${name} in context of ${server}":
+ command => ". ./vars && ./pkitool ${name}",
+ cwd => "/etc/openvpn/${server}/easy-rsa",
+ creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+ provider => 'shell',
+ require => Exec["generate server cert ${server}"];
+ }
+
+ file {
+ "/etc/openvpn/${server}/download-configs/${name}":
+ ensure => directory,
+ require => File["/etc/openvpn/${server}/download-configs"];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys":
+ ensure => directory,
+ require => File["/etc/openvpn/${server}/download-configs/${name}"];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt":
+ ensure => link,
+ target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+ require => [ Exec["generate certificate for ${name} in context of ${server}"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key":
+ ensure => link,
+ target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key",
+ require => [ Exec["generate certificate for ${name} in context of ${server}"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt":
+ ensure => link,
+ target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
+ require => [ Exec["generate certificate for ${name} in context of ${server}"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+ }
+
+
+ openvpn::option {
+ "ca ${server} with ${name}":
+ key => 'ca',
+ value => 'keys/ca.crt',
+ client => $name,
+ server => $server;
+ "cert ${server} with ${name}":
+ key => 'cert',
+ value => "keys/${name}.crt",
+ client => $name,
+ server => $server;
+ "key ${server} with ${name}":
+ key => 'key',
+ value => "keys/${name}.key",
+ client => $name,
+ server => $server;
+ "client ${server} with ${name}":
+ key => 'client',
+ client => $name,
+ server => $server;
+ "dev ${server} with ${name}":
+ key => 'dev',
+ value => 'tun',
+ client => $name,
+ server => $server;
+ "proto ${server} with ${name}":
+ key => 'proto',
+ value => 'tcp',
+ client => $name,
+ server => $server;
+ "remote ${server} with ${name}":
+ key => 'remote',
+ value => "${remote_host} 1194",
+ client => $name,
+ server => $server;
+ "resolv-retry ${server} with ${name}":
+ key => 'resolv-retry',
+ value => 'infinite',
+ client => $name,
+ server => $server;
+ "nobind ${server} with ${name}":
+ key => 'nobind',
+ client => $name,
+ server => $server;
+ "persist-key ${server} with ${name}":
+ key => 'persist-key',
+ client => $name,
+ server => $server;
+ "persist-tun ${server} with ${name}":
+ key => 'persist-tun',
+ client => $name,
+ server => $server;
+ "mute-replay-warnings ${server} with ${name}":
+ key => 'mute-replay-warnings',
+ client => $name,
+ server => $server;
+ "ns-cert-type ${server} with ${name}":
+ key => 'ns-cert-type',
+ value => 'server',
+ client => $name,
+ server => $server;
+ "comp-lzo ${server} with ${name}":
+ key => 'comp-lzo',
+ client => $name,
+ server => $server;
+ "verb ${server} with ${name}":
+ key => 'verb',
+ value => '3',
+ client => $name,
+ server => $server;
+ "mute ${server} with ${name}":
+ key => 'mute',
+ value => '20',
+ client => $name,
+ server => $server;
+ }
+
+ exec {
+ "tar the thing ${server} with ${name}":
+ cwd => "/etc/openvpn/${server}/download-configs/",
+ command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}",
+ refreshonly => true,
+ require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] ];
+ }
+
+
+ concat {
+ [ "/etc/openvpn/${server}/client-configs/${name}", "/etc/openvpn/${server}/download-configs/${name}/${name}.conf" ]:
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ force => true,
+ notify => Exec["tar the thing ${server} with ${name}"],
+ require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ];
+ }
+
+}
diff --git a/puppet/modules/openvpn/manifests/init.pp b/puppet/modules/openvpn/manifests/init.pp
new file mode 100644
index 00000000..a3dd70c0
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/init.pp
@@ -0,0 +1,45 @@
+# openvpn.pp
+
+class openvpn {
+ package {
+ 'openvpn':
+ ensure => installed;
+ }
+ service {
+ 'openvpn':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec['concat_/etc/default/openvpn'];
+ }
+ file {
+ '/etc/openvpn':
+ ensure => directory,
+ require => Package['openvpn'];
+ }
+ file {
+ '/etc/openvpn/keys':
+ ensure => directory,
+ require => File['/etc/openvpn'];
+ }
+
+ include concat::setup
+
+ concat {
+ '/etc/default/openvpn':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'openvpn.default.header':
+ content => template('openvpn/etc-default-openvpn.erb'),
+ target => '/etc/default/openvpn',
+ order => 01;
+ }
+
+}
diff --git a/puppet/modules/openvpn/manifests/option.pp b/puppet/modules/openvpn/manifests/option.pp
new file mode 100644
index 00000000..eb3d5a72
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/option.pp
@@ -0,0 +1,24 @@
+# option.pp
+
+define openvpn::option($key, $server, $value = '', $client = '', $csc = false) {
+ $content = $value ? {
+ '' => $key,
+ default => "${key} ${value}"
+ }
+
+ if $client == '' {
+ $path = "/etc/openvpn/${server}.conf"
+ } else {
+ if $csc {
+ $path = "/etc/openvpn/${server}/client-configs/${client}"
+ } else {
+ $path = "/etc/openvpn/${server}/download-configs/${client}/${client}.conf"
+ }
+ }
+
+ concat::fragment {
+ "openvpn.${server}.${client}.${name}":
+ target => $path,
+ content => "${content}\n";
+ }
+}
diff --git a/puppet/modules/openvpn/manifests/server.pp b/puppet/modules/openvpn/manifests/server.pp
new file mode 100644
index 00000000..bfcaad83
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/server.pp
@@ -0,0 +1,153 @@
+# server.pp
+
+define openvpn::server($country, $province, $city, $organization, $email) {
+ include openvpn
+
+ $easyrsa_source = $::osfamily ? {
+ 'RedHat' => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0',
+ default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
+ }
+
+ $link_openssl_cnf = $::osfamily ? {
+ /(Debian|RedHat)/ => true,
+ default => false
+ }
+
+ file {
+ "/etc/openvpn/${name}":
+ ensure => directory,
+ require => Package['openvpn'];
+ }
+ file {
+ "/etc/openvpn/${name}/client-configs":
+ ensure => directory,
+ require => File["/etc/openvpn/${name}"];
+ "/etc/openvpn/${name}/download-configs":
+ ensure => directory,
+ require => File["/etc/openvpn/${name}"];
+ }
+
+ openvpn::option {
+ "client-config-dir ${name}":
+ key => 'client-config-dir',
+ value => "/etc/openvpn/${name}/client-configs",
+ server => $name,
+ require => File["/etc/openvpn/${name}"];
+ "mode ${name}":
+ key => 'mode',
+ value => 'server',
+ server => $name;
+ }
+
+ exec {
+ "copy easy-rsa to openvpn config folder ${name}":
+ command => "/bin/cp -r ${easyrsa_source} /etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa",
+ notify => Exec['fix_easyrsa_file_permissions'],
+ require => File["/etc/openvpn/${name}"];
+ }
+ exec {
+ 'fix_easyrsa_file_permissions':
+ refreshonly => true,
+ command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*";
+ }
+ file {
+ "/etc/openvpn/${name}/easy-rsa/vars":
+ ensure => present,
+ content => template('openvpn/vars.erb'),
+ require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+ }
+
+ file {
+ "/etc/openvpn/${name}/easy-rsa/openssl.cnf":
+ require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+ }
+ if $link_openssl_cnf == true {
+ File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] {
+ ensure => link,
+ target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf"
+ }
+ }
+
+ exec {
+ "generate dh param ${name}":
+ command => '. ./vars && ./clean-all && ./build-dh',
+ cwd => "/etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa/keys/dh1024.pem",
+ provider => 'shell',
+ require => File["/etc/openvpn/${name}/easy-rsa/vars"];
+
+ "initca ${name}":
+ command => '. ./vars && ./pkitool --initca',
+ cwd => "/etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key",
+ provider => 'shell',
+ require => [ Exec["generate dh param ${name}"], File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ];
+
+ "generate server cert ${name}":
+ command => '. ./vars && ./pkitool --server server',
+ cwd => "/etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa/keys/server.key",
+ provider => 'shell',
+ require => Exec["initca ${name}"];
+ }
+
+ file {
+ "/etc/openvpn/${name}/keys":
+ ensure => link,
+ target => "/etc/openvpn/${name}/easy-rsa/keys",
+ require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+ }
+
+ openvpn::option {
+ "ca ${name}":
+ key => 'ca',
+ value => "/etc/openvpn/${name}/keys/ca.crt",
+ require => Exec["initca ${name}"],
+ server => $name;
+ "cert ${name}":
+ key => 'cert',
+ value => "/etc/openvpn/${name}/keys/server.crt",
+ require => Exec["generate server cert ${name}"],
+ server => $name;
+ "key ${name}":
+ key => 'key',
+ value => "/etc/openvpn/${name}/keys/server.key",
+ require => Exec["generate server cert ${name}"],
+ server => $name;
+ "dh ${name}":
+ key => 'dh',
+ value => "/etc/openvpn/${name}/keys/dh1024.pem",
+ require => Exec["generate dh param ${name}"],
+ server => $name;
+
+ "proto ${name}":
+ key => 'proto',
+ value => 'tcp',
+ require => Exec["generate dh param ${name}"],
+ server => $name;
+
+ "comp-lzo ${name}":
+ key => 'comp-lzo',
+ require => Exec["generate dh param ${name}"],
+ server => $name;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n",
+ target => '/etc/default/openvpn',
+ order => 10;
+ }
+
+ concat {
+ "/etc/openvpn/${name}.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ notify => Service['openvpn'];
+ }
+
+}