-rw-r--r--puppet/hiera.yaml23
-rw-r--r--puppet/manifests/site.pp31
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp43
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp112
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp1
-rw-r--r--puppet/modules/site_sshd/manifests/ssh_key.pp3
6 files changed, 211 insertions, 2 deletions
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
new file mode 100644
index 00000000..a992c057
--- /dev/null
+++ b/puppet/hiera.yaml
@@ -0,0 +1,23 @@
+---
+:backends:
+ - yaml
+ - puppet
+
+:logger: console
+
+:hierarchy:
+ - hosts/%{fqdn}
+ - ca/%{fqdn}
+ - ca/defaults
+ - eip/%{fqdn}
+ - eip/defaults
+# more services following
+ - defaults
+
+# relative from where puppet is run, so we need to run puppet
+# from the root dir of the leap_platform repo
+:yaml:
+ :datadir: config
+
+:puppet:
+ :datasource: data
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3a136015..f70c0673 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,3 +1,30 @@
-node "default" {
- notify {'Hello World':}
+node 'default' {
+
+ # include some basic classes
+ # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ?
+ include concat::setup
+ include apt,git,lsb
+
+
+ $services=hiera_array('services')
+ notice("Services for $fqdn: $services")
+
+ # configure ssh and inculde ssh-keys
+ #include sshd
+ $ssh_keys=hiera_hash('ssh_keys')
+ include site_sshd
+ notice($ssh_keys)
+ create_resources('site_sshd::ssh_key', $ssh_keys)
+
+
+ if 'eip' in $services {
+ include site_openvpn
+
+ $tor=hiera('tor')
+ notice("Tor enabled: $tor")
+
+ $openvpn_configs=hiera('openvpn_server_configs')
+ create_resources('site_openvpn::server_config', $openvpn_configs)
+ }
+
}
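Review bot: `notice($ssh_keys)` dumps the whole `ssh_keys` hash from hiera into the agent log and report on every run, which is wider than the per-host debugging the surrounding `notice` calls do; unless that hash holds nothing but public keys (its contents are not visible here), drop the line or log only the key names. Both `hiera_hash('ssh_keys')` and `hiera_array('services')` are called without a default, so a node whose hiera data lacks either key fails catalog compilation rather than getting an empty set — fine if intended, but worth a comment such as `# every node must declare services and ssh_keys in hiera`. The comment on the `# configure ssh and inculde ssh-keys` line should read `include`.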
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
new file mode 100644
index 00000000..c83b98c7
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -0,0 +1,43 @@
+class site_openvpn {
+ package {
+ "openvpn":
+ ensure => installed;
+ }
+ service {
+ "openvpn":
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec["concat_/etc/default/openvpn"];
+ }
+ file {
+ "/etc/openvpn":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ include concat::setup
+
+ concat {
+ "/etc/default/openvpn":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service["openvpn"];
+ }
+
+ concat::fragment {
+ "openvpn.default.header":
+ content => template("openvpn/etc-default-openvpn.erb"),
+ target => "/etc/default/openvpn",
+ order => 01;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=all",
+ target => "/etc/default/openvpn",
+ order => 10;
+ }
+}
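Review bot: The fragment title `"openvpn.default.autostart.${name}"` uses `$name` inside a class, where it resolves to the class name rather than to any server instance, so the suffix is misleading and suggests a per-config fragment that does not exist; `"openvpn.default.autostart"` says what it is. `template("openvpn/etc-default-openvpn.erb")` looks up the template in a module named `openvpn`, not in `site_openvpn`, so this class only compiles if that module ships the file — presumably it does, but a comment naming the dependency would help. `mode => 644` is an unquoted integer; Puppet expects the mode as a string, `mode => '0644'`, and the same applies to the concat in server_config.pp.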
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..4a130d13
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -0,0 +1,112 @@
+define site_openvpn::server_config($port, $proto) {
+ $openvpn_configname=$name
+ notice("Creating OpenVPN $openvpn_configname:
+ Port: $port, Protocol: $proto")
+
+ file {
+ "/etc/openvpn/${name}":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ concat {
+ "/etc/openvpn/${openvpn_configname}.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File["/etc/openvpn"],
+ notify => Service["openvpn"];
+ }
+
+
+
+ openvpn::option {
+ "ca ${openvpn_configname}":
+ key => "ca",
+ value => "/etc/openvpn/ca.crt",
+ #require => Exec["initca ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "cert ${openvpn_configname}":
+ key => "cert",
+ value => "/etc/openvpn/${openvpn_configname}/server.crt",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "key ${openvpn_configname}":
+ key => "key",
+ value => "/etc/openvpn/${openvpn_configname}/server.key",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dh ${openvpn_configname}":
+ key => "dh",
+ value => "/etc/openvpn/dh1024.pem",
+ #require => Exec["generate dh param ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dev $openvpn_configname":
+ key => "dev",
+ value => "tun",
+ server => "$openvpn_configname";
+ "mode ${openvpn_configname}":
+ key => 'mode',
+ value => 'server',
+ server => $openvpn_configname;
+ "script-security $openvpn_configname":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_configname";
+ "daemon $openvpn_configname":
+ key => "daemon",
+ server => "$openvpn_configname";
+ "keepalive $openvpn_configname":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_configname";
+ "ping-timer-rem $openvpn_configname":
+ key => "ping-timer-rem",
+ server => "$openvpn_configname";
+ "persist-tun $openvpn_configname":
+ key => "persist-tun",
+ server => "$openvpn_configname";
+ "persist-key $openvpn_configname":
+ key => "persist-key",
+ server => "$openvpn_configname";
+ "proto $openvpn_configname":
+ key => "proto",
+ value => "$proto",
+ server => "$openvpn_configname";
+ "cipher $openvpn_configname":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_configname";
+ "local $openvpn_configname":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_configname";
+ "tls-server $openvpn_configname":
+ key => "tls-server",
+ server => "$openvpn_configname";
+ #"server $openvpn_configname":
+ # key => "server",
+ # value => "$server",
+ # server => "$openvpn_configname";
+ "lport $openvpn_configname":
+ key => "lport",
+ value => "$port",
+ server => "$openvpn_configname";
+ "management $openvpn_configname":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_configname.sock unix",
+ server => "$openvpn_configname";
+ "comp-lzo $openvpn_configname":
+ key => "comp-lzo",
+ server => "$openvpn_configname";
+ "topology $openvpn_configname":
+ key => "topology",
+ value => "subnet",
+ server => "$openvpn_configname";
+ #"client-to-client $openvpn_configname":
+ # key => "client-to-client",
+ # server => "$openvpn_configname";
+ }
+
+}
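Review bot: The `cipher` option hard-codes `BF-CBC`, a 64-bit-block cipher, and `dh` points at `/etc/openvpn/dh1024.pem`, a 1024-bit parameter file; both are below current guidance for a TLS server, so `value => "AES-256-CBC"` and a 2048-bit or larger DH parameter file (the path is project-specific) would be the safer defaults, or better, make `cipher` a parameter of the define. `script-security` is set to `3` although no `up`, `down` or auth scripts are declared in this define; level 3 additionally passes passwords to scripts through the environment, so `value => "2"`, or omitting the option until a script is added, is the tighter choice. The `management` unix socket at `/var/run/openvpn-$openvpn_configname.sock` is declared without a `management-client-user`/`management-client-group` restriction, so who may connect to it depends on the default socket permissions — worth pinning explicitly. Style-wise, `server => "$openvpn_configname"` and `value => "$port"` quote bare variables where `$openvpn_configname` and `$port` suffice, as the `mode` entry already does.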
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
new file mode 100644
index 00000000..630e9bdf
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -0,0 +1 @@
+class site_sshd {}
diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp
new file mode 100644
index 00000000..b47b2ebd
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/ssh_key.pp
@@ -0,0 +1,3 @@
+define site_sshd::ssh_key($key) {
+ # ... todo: deploy ssh_key
+}