Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/hiera.yaml | 19 | ||||
| m--------- | puppet/modules/interfaces | 0 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 52 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 4 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 35 | 
6 files changed, 75 insertions, 48 deletions
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index af448d57..93448e23 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -5,22 +5,11 @@  :logger: console -:hierarchy: -  - %{fqdn} -  - defaults -#former hierarchy, not used anymore -#  - hosts/%{fqdn} -#  - ca/%{fqdn} -#  - ca/defaults -#  - eip/%{fqdn} -#  - eip/defaults -# more services following -#  - defaults - -# relative from where puppet is run, so we need to run puppet  -# from the root dir of the leap_platform repo  :yaml: -   :datadir: ../config +   :datadir: /etc/leap  +:hierarchy: +  - hiera +   :puppet:     :datasource: data diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces new file mode 160000 +Subproject 1d7dc7178881c56102c043e96763176f66445c1 diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 95f9dbf4..4280fb67 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -1,29 +1,57 @@  class site_config::eip { + +  # parse hiera config +  $ip_address                 = hiera('ip_address') +  $interface                  = hiera('interface') +  #$gateway_address           = hiera('gateway_address') +  $openvpn_config             = hiera('openvpn') +  $openvpn_gateway_address    = $openvpn_config['gateway_address'] +  $openvpn_tcp_network_prefix = '10.1.0' +  $openvpn_tcp_netmask        = '255.255.248.0' +  $openvpn_tcp_cidr           = '21' +  $openvpn_udp_network_prefix = '10.2.0' +  $openvpn_udp_netmask        = '255.255.248.0' +  $openvpn_udp_cidr           = '21' +    include site_openvpn +   +  # deploy ca + server keys    include site_openvpn::keys -  #$tor=hiera('tor') -  #notice("Tor enabled: $tor") - -  #$openvpn_configs=hiera('openvpn_server_configs') -  #create_resources('site_openvpn::server_config', $openvpn_configs) -  +  # create 2 openvpn config files, one for tcp, one for udp    site_openvpn::server_config { 'tcp_config':      port        => '1194',      proto       => 'tcp', -    local       => $::ipaddress_eth0_1, -    server      => '10.1.0.0 255.255.248.0', -    push        => '"dhcp-option DNS 10.1.0.1"', +    local       => $openvpn_gateway_address, +    server      => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", +    push        => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",      management  => '127.0.0.1 1000'    }    site_openvpn::server_config { 'udp_config':      port        => '1194',      proto       => 'udp', -    local       => $::ipaddress_eth0_1, -    server      => '10.2.0.0 255.255.248.0', -    push        => '"dhcp-option DNS 10.2.0.1"', +    server      => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", +    push        => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", +    local       => $openvpn_gateway_address,      management  => '127.0.0.1 1001'    } +  # add second IP on given interface +  file { '/usr/local/bin/leap_add_second_ip.sh': +    content => 
"#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", +    mode    => '0755', +  } + +  exec { '/usr/local/bin/leap_add_second_ip.sh': +    subscribe   => File['/usr/local/bin/leap_add_second_ip.sh'], +  } + +  cron { 'leap_add_second_ip.sh': +    command => "/usr/local/bin/leap_add_second_ip.sh", +    user    => 'root', +    special => 'reboot', +  } +    include site_shorewall::eip  } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana    $openvpn_configname = $name - -  #notice("Creating OpenVPN $openvpn_configname: -  #  Port: $port, Protocol: $proto") -    concat {      "/etc/openvpn/$openvpn_configname.conf":          owner   => root, @@ -92,10 +88,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana          key    => 'topology',          value  => 'subnet',          server => $openvpn_configname; -    "up $openvpn_configname": -        key    => 'up', -        value  => '/etc/openvpn/server-up.sh', -        server => $openvpn_configname; +    # no need for server-up.sh right now +    #"up $openvpn_configname": +    #    key    => 'up', +    #    value  => '/etc/openvpn/server-up.sh', +    #    server => $openvpn_configname;      "verb $openvpn_configname":          key    => 'verb',          value  => '3', diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
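Review bot: In the site_config::eip hunk, `$interface` and `$openvpn_gateway_address` come straight from hiera and are interpolated, unvalidated, into `/usr/local/bin/leap_add_second_ip.sh`, which runs as root from both the `exec` and the `@reboot` cron; a value that is not a plain interface name or an IPv4 address would become shell syntax rather than a failed catalog. Constrain them where they are read, e.g. a regex check such as stdlib's `validate_re($interface, '^[A-Za-z0-9_.:-]+$')` and the same for the address, so a bad hiera value aborts the run instead of reaching the script. The `exec` has `subscribe` but no `refreshonly => true`, so the script runs on every agent run rather than only when the file changes; add `refreshonly => true,` if that was the intent. Inside the script, `grep -q ${openvpn_gateway_address}/24` treats the address as a regex with unescaped dots and no anchors; `grep -qF -- "${openvpn_gateway_address}/24"` matches the literal string. The hardcoded `/24` also differs from the `255.255.248.0` netmasks declared a few lines above; if that is deliberate, a one-line comment on the `file` resource saying which network the second IP belongs to would prevent the next reader from "fixing" it.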
@@ -10,8 +10,4 @@ class site_shorewall::defaults {    shorewall::rule_section { 'NEW': order => 10; } -  shorewall::interface {'eth0': -    zone      => 'net', -    options   => 'tcpflags,blacklist,nosmurfs'; -  }  } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0902039c..34268125 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,15 +1,26 @@  class site_shorewall::eip {    # be safe for development -  $shorewall_startup='0' +  #$shorewall_startup='0'    include site_shorewall::defaults +  $interface  = hiera('interface') +  $ssh_config = hiera('ssh') +  $ssh_port   = $ssh_config['port']   +    # define macro -  file { "/etc/shorewall/macro.leap_eip": -    content => 'PARAM   -       -       tcp     53,80,443,1194 +  file { '/etc/shorewall/macro.leap_eip': +    content => "PARAM   -       -       tcp     53,80,443,1194,$ssh_port  PARAM   -       -       udp     53,80,443,1194 -', } +", } + + +  # define interfaces +  shorewall::interface { $interface: +    zone      => 'net', +    options   => 'tcpflags,blacklist,nosmurfs'; +  }    shorewall::interface    {'tun0':      zone    => 'eip', 
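Review bot: In the site_shorewall::eip hunk the comment `# be safe for development` now sits above a commented-out `#$shorewall_startup='0'`, so it describes the opposite of what the code does (startup is no longer held off); either drop the comment together with the line or replace it with something like `# startup is enabled; set $shorewall_startup='0' here to keep the firewall off during development`. `$ssh_port` is read from hiera and interpolated into the `leap_eip` macro without any check that it is a port number; a non-numeric value is only caught when shorewall compiles the rules, which leaves the firewall in whatever state it was before the run, so validating it in the manifest (e.g. `validate_re($ssh_port, '^[0-9]+$')`) fails earlier and more visibly. The same applies to `$interface`, which now names the `net` zone interface that carries `tcpflags,blacklist,nosmurfs`; the enclosing class continues into the next hunk.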
@@ -18,15 +29,21 @@ PARAM   -       -       udp     53,80,443,1194      zone    => 'eip',      options => 'tcpflags,blacklist,nosmurfs'; } +    shorewall::zone         {'eip':      type => 'ipv4'; } -  shorewall::routestopped {'eth0': -    interface => 'eth0'; } +  shorewall::routestopped { $interface: +    interface => $interface; } + + +  shorewall::masq { "${interface}_tcp": +    interface => $interface, +    source    => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } -  shorewall::masq {'eth0': -    interface => 'eth0', -    source    => ''; } +  shorewall::masq { "${interface}_udp": +    interface => $interface, +    source    => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }    shorewall::policy {      'eip-to-all':  | 
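Review bot: The new `shorewall::masq` sources read `$site_config::eip::openvpn_tcp_network_prefix` and `$site_config::eip::openvpn_tcp_cidr` (and the udp pair) from another class, which only resolves if `site_config::eip` has already been evaluated; that holds on the include path shown in the earlier hunk, where `site_config::eip` includes `site_shorewall::eip` last, but any other path that includes `site_shorewall::eip` first yields undef and a source of `.0/`. Passing the prefixes and cidrs as class parameters, or reading them from hiera here as the other values in this class are, removes the ordering dependency. Independently, the unbraced `$site_config::eip::openvpn_tcp_network_prefix.0/...` relies on the parser stopping the variable name at the dot; writing `"${site_config::eip::openvpn_tcp_network_prefix}.0/${site_config::eip::openvpn_tcp_cidr}"` makes the boundary explicit, and the same applies to the `server`/`push` strings in the site_config::eip hunk. The enclosing class starts in the previous hunk.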
