Diffstat (limited to 'puppet/modules/site_openvpn')
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 59 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/keys.pp | 28 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 190 | 
3 files changed, 151 insertions, 126 deletions
|
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index c83b98c7..e95e67d5 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,43 +1,48 @@
 class site_openvpn {
   package {
-      "openvpn":
-          ensure => installed;
+    'openvpn':
+      ensure => installed;
   }
   service {
-      "openvpn":
-          ensure     => running,
-          hasrestart => true,
-          hasstatus  => true,
-          require    => Exec["concat_/etc/default/openvpn"];
+    'openvpn':
+      ensure     => running,
+      hasrestart => true,
+      hasstatus  => true,
+      require    => Exec['concat_/etc/default/openvpn'];
   }
+
   file {
-      "/etc/openvpn":
-          ensure  => directory,
-          require => Package["openvpn"];
+    '/etc/openvpn':
+      ensure  => directory,
+      require => Package['openvpn'];
   }
-  include concat::setup
+  file {
+    '/etc/openvpn/keys':
+      ensure  => directory,
+      require => Package['openvpn'];
+  }
   concat {
-      "/etc/default/openvpn":
-          owner  => root,
-          group  => root,
-          mode   => 644,
-          warn   => true,
-          notify => Service["openvpn"];
+    '/etc/default/openvpn':
+      owner  => root,
+      group  => root,
+      mode   => 644,
+      warn   => true,
+      notify => Service['openvpn'];
   }
   concat::fragment {
-      "openvpn.default.header":
-          content => template("openvpn/etc-default-openvpn.erb"),
-          target  => "/etc/default/openvpn",
-          order   => 01;
+    'openvpn.default.header':
+      content => template('openvpn/etc-default-openvpn.erb'),
+      target  => '/etc/default/openvpn',
+      order   => 01;
   }
-  concat::fragment {
-    "openvpn.default.autostart.${name}":
-        content => "AUTOSTART=all",
-        target  => "/etc/default/openvpn",
-        order   => 10;
-  }
+  concat::fragment {
+    "openvpn.default.autostart.${name}":
+      content => 'AUTOSTART=all',
+      target  => '/etc/default/openvpn',
+      order   => 10;
+  }
 }
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
new file mode 100644
index 00000000..d029fbac
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -0,0 +1,28 @@
+class site_openvpn::keys {
+  $openvpn_keys = hiera_hash('openvpn')
+
+  file { '/etc/openvpn/keys/ca.key':
+    content => $openvpn_keys['ca_key'],
+    mode    => '0600',
+  }
+
+  file { '/etc/openvpn/keys/ca.crt':
+    content => $openvpn_keys['ca_crt'],
+    mode    => '0644',
+  }
+
+  file { '/etc/openvpn/keys/dh.pem':
+    content => $openvpn_keys['dh_key'],
+    mode    => '0644',
+  }
+
+  file { '/etc/openvpn/keys/server.key':
+    content => $openvpn_keys['server_key'],
+    mode    => '0600',
+  }
+
+  file { '/etc/openvpn/keys/server.crt':
+    content => $openvpn_keys['server_crt'],
+    mode    => '0644',
+  }
+}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 4a130d13..441a21e3 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -1,112 +1,104 @@
-define site_openvpn::server_config($port, $proto) {
-  $openvpn_configname=$name
-  notice("Creating OpenVPN $openvpn_configname:
-    Port: $port, Protocol: $proto")
+define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) {
-  file {
-     "/etc/openvpn/${name}":
-         ensure  => directory,
-         require => Package["openvpn"];
-  }
+  $openvpn_configname = $name
-  concat {
-    "/etc/openvpn/${openvpn_configname}.conf":
-        owner   => root,
-        group   => root,
-        mode    => 644,
-        warn    => true,
-        require => File["/etc/openvpn"],
-        notify  => Service["openvpn"];
-  }
+  #notice("Creating OpenVPN $openvpn_configname:
+  #  Port: $port, Protocol: $proto")
+  concat {
+    "/etc/openvpn/$openvpn_configname.conf":
+        owner   => root,
+        group   => root,
+        mode    => 644,
+        warn    => true,
+        require => File['/etc/openvpn'],
+        notify  => Service['openvpn'];
+  }
   openvpn::option {
-    "ca ${openvpn_configname}":
-        key     => "ca",
-        value   => "/etc/openvpn/ca.crt",
-        #require => Exec["initca ${openvpn_configname}"],
-        server  => "${openvpn_configname}";
-    "cert ${openvpn_configname}":
-        key     => "cert",
-        value   => "/etc/openvpn/${openvpn_configname}/server.crt",
-        #require => Exec["generate server cert ${openvpn_configname}"],
-        server  => "${openvpn_configname}";
-    "key ${openvpn_configname}":
-        key     => "key",
-        value   => "/etc/openvpn/${openvpn_configname}/server.key",
-        #require => Exec["generate server cert ${openvpn_configname}"],
-        server  => "${openvpn_configname}";
-    "dh ${openvpn_configname}":
-        key     => "dh",
-        value   => "/etc/openvpn/dh1024.pem",
-        #require => Exec["generate dh param ${openvpn_configname}"],
-        server  => "${openvpn_configname}";
+    "ca $openvpn_configname":
+        key     => 'ca',
+        value   => '/etc/openvpn/keys/ca.crt',
+        server  => $openvpn_configname;
+    "cert $openvpn_configname":
+        key     => 'cert',
+        value   => '/etc/openvpn/keys/server.crt',
+        server  => $openvpn_configname;
+    "key $openvpn_configname":
+        key     => 'key',
+        value   => '/etc/openvpn/keys/server.key',
+        server  => $openvpn_configname;
+    "dh $openvpn_configname":
+        key     => 'dh',
+        value   => '/etc/openvpn/keys/dh.pem',
+        server  => $openvpn_configname;
+
     "dev $openvpn_configname":
-        key    => "dev",
-        value  => "tun",
-        server => "$openvpn_configname";
-    "mode ${openvpn_configname}":
-       key    => 'mode',
-       value  => 'server',
-       server => $openvpn_configname;
-    "script-security $openvpn_configname":
-        key    => "script-security",
-        value  => "3",
-        server => "$openvpn_configname";
-    "daemon $openvpn_configname":
-        key    => "daemon",
-        server => "$openvpn_configname";
+        key    => 'dev',
+        value  => 'tun',
+        server => $openvpn_configname;
+    "duplicate-cn $openvpn_configname":
+        key    => 'duplicate-cn',
+        server => $openvpn_configname;
     "keepalive $openvpn_configname":
-        key    => "keepalive",
-        value  => "10 60",
-        server => "$openvpn_configname";
-    "ping-timer-rem $openvpn_configname":
-        key    => "ping-timer-rem",
-        server => "$openvpn_configname";
-    "persist-tun $openvpn_configname":
-        key    => "persist-tun",
-        server => "$openvpn_configname";
-    "persist-key $openvpn_configname":
-        key    => "persist-key",
-        server => "$openvpn_configname";
-    "proto $openvpn_configname":
-        key    => "proto",
-        value  => "$proto",
-        server => "$openvpn_configname";
-    "cipher $openvpn_configname":
-        key    => "cipher",
-        value  => "BF-CBC",
-        server => "$openvpn_configname";
+        key    => 'keepalive',
+        value  => '5 20',
+        server => $openvpn_configname;
     "local $openvpn_configname":
-        key    => "local",
-        value  => $ipaddress,
-        server => "$openvpn_configname";
-    "tls-server $openvpn_configname":
-        key    => "tls-server",
-        server => "$openvpn_configname";
-    #"server $openvpn_configname":
-    #    key    => "server",
-    #    value  => "$server",
-    #    server => "$openvpn_configname";
-    "lport $openvpn_configname":
-        key    => "lport",
-        value  => "$port",
-        server => "$openvpn_configname";
+        key    => 'local',
+        value  => $local,
+        server => $openvpn_configname;
+    "mute $openvpn_configname":
+        key    => 'mute',
+        value  => '5',
+        server => $openvpn_configname;
+    "mute-replay-warnings $openvpn_configname":
+        key    => 'mute-replay-warnings',
+        server => $openvpn_configname;
     "management $openvpn_configname":
-        key    => "management",
-        value  => "/var/run/openvpn-$openvpn_configname.sock unix",
-        server => "$openvpn_configname";
-    "comp-lzo $openvpn_configname":
-        key    => "comp-lzo",
-        server => "$openvpn_configname";
+        key    => 'management',
+        value  => $management,
+        server => $openvpn_configname;
+    "proto $openvpn_configname":
+        key    => 'proto',
+        value  => $proto,
+        server => $openvpn_configname;
+    "push1 $openvpn_configname":
+        key    => 'push',
+        value  => $push,
+        server => $openvpn_configname;
+    "push2 $openvpn_configname":
+        key    => 'push',
+        value  => '"redirect-gateway def1"',
+        server => $openvpn_configname;
+    "script-security $openvpn_configname":
+        key    => 'script-security',
+        value  => '2',
+        server => $openvpn_configname;
+    "server $openvpn_configname":
+        key    => 'server',
+        value  => "$server",
+        server => $openvpn_configname;
+    "status $openvpn_configname":
+        key    => 'status',
+        value  => '/var/run/openvpn-status 10',
+        server => $openvpn_configname;
+    "status-version $openvpn_configname":
+        key    => 'status-version',
+        value  => '3',
+        server => $openvpn_configname;
     "topology $openvpn_configname":
-        key    => "topology",
-        value  => "subnet",
-        server => "$openvpn_configname";
-    #"client-to-client $openvpn_configname":
-    #    key    => "client-to-client",
-    #    server => "$openvpn_configname";
+        key    => 'topology',
+        value  => 'subnet',
+        server => $openvpn_configname;
+    "up $openvpn_configname":
+        key    => 'up',
+        value  => '/etc/openvpn/server-up.sh',
+        server => $openvpn_configname;
+    "verb $openvpn_configname":
+        key    => 'verb',
+        value  => '3',
+        server => $openvpn_configname;
   }
-  }
|
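Review bot: The new `file { '/etc/openvpn/keys': ensure => directory }` in init.pp sets no `owner`, `group` or `mode`, so the directory that is about to hold `ca.key` and `server.key` gets whatever the default umask yields, and the protection of the private material rests on each file's own mode alone; I would pin it with `owner => 'root', group => 'root', mode => '0700',` next to `ensure => directory`. Nothing visible in this hunk includes `site_openvpn::keys` or orders it before `Service['openvpn']`; if that wiring lives elsewhere, fine, otherwise the service can start before the keys exist. As a style point, the unquoted `mode => 644` on the concat resource is inconsistent with the quoted `'0600'`/`'0644'` modes in keys.pp, and the quoted form is the one Puppet documents.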
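Review bot: The `ca.key` and `server.key` resources in keys.pp set `mode => '0600'` but no `owner`/`group`, so the 0600 bits protect whichever user created the file rather than a known principal; add `owner => 'root', group => 'root',` to both. Because `content` carries key material, every content change is reported as a diff in agent logs and reports unless `show_diff => false` is set (available on the file type in recent Puppet versions; confirm for the version in use). server_config.pp references only `ca.crt`, `server.crt`, `server.key` and `dh.pem`, so installing the CA private key on the VPN host appears unnecessary unless certificate signing happens there; if it does not, dropping the `ca.key` resource removes a high-value secret from this machine. Minor: the hiera key `dh_key` feeds `dh.pem`, which holds DH parameters rather than a key, so `dh_params` would describe it more accurately.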
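Review bot: As rendered, the last removed line `-  }` was the closing brace of the `define` and no added line replaces it — the new side ends with the context `  }` that closes `openvpn::option` — so server_config.pp would no longer parse unless a line was lost in rendering; please confirm. The new `status` option hard-codes `value => '/var/run/openvpn-status 10'` while every other per-instance path uses `$openvpn_configname`, so two instances of this define would write the same status file; `value => "/var/run/openvpn-status-${openvpn_configname} 10"` keeps them apart. `up /etc/openvpn/server-up.sh` together with `script-security 2` runs a script that nothing in this hunk manages, and the service will refuse to start if it is missing, so a root-owned, non-group/world-writable `file` resource for it, required by the service, belongs with this change. The `management` value now comes straight from the `$management` parameter, so the define should document that it is passed verbatim to OpenVPN's `management` directive and that a TCP listener needs an authentication setting, which a unix socket path does not. Style: `"$server"` is a bare variable that does not need quoting, and `"/etc/openvpn/$openvpn_configname.conf"` reads more safely as `"/etc/openvpn/${openvpn_configname}.conf"`.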
