diff options
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/manifests/site.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 57 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 55 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 6 |
5 files changed, 61 insertions, 63 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 6abf9b48..0ae86f8e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -12,7 +12,7 @@ node 'default' { # configure eip if 'openvpn' in $services { - include site_config::eip + include site_openvpn } if 'couchdb' in $services { diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp deleted file mode 100644 index 4280fb67..00000000 --- a/puppet/modules/site_config/manifests/eip.pp +++ /dev/null @@ -1,57 +0,0 @@ -class site_config::eip { - - # parse hiera config - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - - include site_openvpn - - # deploy ca + server keys - include site_openvpn::keys - - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", - push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", - management => '127.0.0.1 1000' - } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", - push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", - local => $openvpn_gateway_address, - management => '127.0.0.1 1001' - } - - # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", - mode => '0755', - } - - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], - } - - cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", - user => 'root', - special => 'reboot', - } - - include site_shorewall::eip -} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e95e67d5..7268fe76 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,4 +1,59 @@ class site_openvpn { + # parse hiera config + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' + + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + local => $openvpn_gateway_address, + management => '127.0.0.1 1001' + } + + # add second IP on given interface + file { '/usr/local/bin/leap_add_second_ip.sh': + content => "#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", + mode => '0755', + } + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + } + + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } + + include site_shorewall::eip + package { 'openvpn': ensure => installed; diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 4fc62f85..68f480d8 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -6,7 +6,7 @@ define site_shorewall::dnat_rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -16,7 +16,7 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 086bf75a..57dc17e9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,7 +10,7 @@ class site_shorewall::eip { $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address + $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': @@ -42,11 +42,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } + source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': |