Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/manifests/site.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/eip.pp | 57 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 58 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/keys.pp | 14 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 67 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 6 |
8 files changed, 135 insertions, 74 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 70c97030..9da2174c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -12,7 +12,7 @@ node 'default' {
 # configure eip
 if 'openvpn' in $services {
- include site_config::eip
+ include site_openvpn
 }
 if 'couchdb' in $services {
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
deleted file mode 100644
index 4280fb67..00000000
--- a/puppet/modules/site_config/manifests/eip.pp
+++ /dev/null
@@ -1,57 +0,0 @@
-class site_config::eip {
-
- # parse hiera config
- $ip_address = hiera('ip_address')
- $interface = hiera('interface')
- #$gateway_address = hiera('gateway_address')
- $openvpn_config = hiera('openvpn')
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- $openvpn_tcp_network_prefix = '10.1.0'
- $openvpn_tcp_netmask = '255.255.248.0'
- $openvpn_tcp_cidr = '21'
- $openvpn_udp_network_prefix = '10.2.0'
- $openvpn_udp_netmask = '255.255.248.0'
- $openvpn_udp_cidr = '21'
-
- include site_openvpn
-
- # deploy ca + server keys
- include site_openvpn::keys
-
- # create 2 openvpn config files, one for tcp, one for udp
- site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $openvpn_gateway_address,
- server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
- push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
- management => '127.0.0.1 1000'
- }
- site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
- push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
- local => $openvpn_gateway_address,
- management => '127.0.0.1 1001'
- }
-
- # add second IP on given interface
- file { '/usr/local/bin/leap_add_second_ip.sh':
- content => "#!/bin/sh
-ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface",
- mode => '0755',
- }
-
- exec { '/usr/local/bin/leap_add_second_ip.sh':
- subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
- }
-
- cron { 'leap_add_second_ip.sh':
- command => "/usr/local/bin/leap_add_second_ip.sh",
- user => 'root',
- special => 'reboot',
- }
-
- include site_shorewall::eip
-}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 30ce7f54..10408094 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -16,6 +16,7 @@ class site_couchdb {
 $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
 Class['site_couchdb::package']
+ -> Exec['refresh_apt']
 -> Package ['couchdb']
 -> File['/etc/init.d/couchdb']
 -> File['/etc/couchdb/local.ini']
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e95e67d5..548d1df2 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
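Review bot: `-> Exec['refresh_apt']` is inserted into the ordering chain, but nothing in this hunk declares that exec, and Puppet fails catalog compilation with a "Could not find resource" error when a relationship names a resource that is not in the catalog. If `refresh_apt` is declared in another class or module, make sure that class is always included wherever `site_couchdb` is, or add a one-line comment next to the chain naming where it is declared, e.g. `# Exec['refresh_apt'] is declared in <module name> — TODO confirm`. The `site_couchdb` class body continues outside the hunk.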
@@ -1,4 +1,62 @@
 class site_openvpn {
+ # parse hiera config
+ $ip_address = hiera('ip_address')
+ $interface = hiera('interface')
+ #$gateway_address = hiera('gateway_address')
+ $openvpn_config = hiera('openvpn')
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ $openvpn_tcp_network_prefix = '10.1.0'
+ $openvpn_tcp_netmask = '255.255.248.0'
+ $openvpn_tcp_cidr = '21'
+ $openvpn_udp_network_prefix = '10.2.0'
+ $openvpn_udp_netmask = '255.255.248.0'
+ $openvpn_udp_cidr = '21'
+ $x509_config = hiera('x509')
+
+ include site_openvpn
+
+ # deploy ca + server keys
+ include site_openvpn::keys
+
+ # create 2 openvpn config files, one for tcp, one for udp
+ site_openvpn::server_config { 'tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $openvpn_gateway_address,
+ server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask",
+ push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"",
+ management => '127.0.0.1 1000'
+ }
+ site_openvpn::server_config { 'udp_config':
+ port => '1194',
+ proto => 'udp',
+ server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask",
+ push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"",
+ local => $openvpn_gateway_address,
+ management => '127.0.0.1 1001'
+ }
+
+ # add second IP on given interface
+ file { '/usr/local/bin/leap_add_second_ip.sh':
+ content => "#!/bin/sh
+ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface
+/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
+",
+ mode => '0755',
+ }
+
+ exec { '/usr/local/bin/leap_add_second_ip.sh':
+ subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ }
+
+ cron { 'leap_add_second_ip.sh':
+ command => "/usr/local/bin/leap_add_second_ip.sh",
+ user => 'root',
+ special => 'reboot',
+ }
+
+ include site_shorewall::eip
+
 package { 'openvpn':
 ensure => installed;
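Review bot: `include site_openvpn` inside `class site_openvpn` is a self-include carried over from the deleted `site_config::eip` class; it does nothing here and should be dropped. The `exec { '/usr/local/bin/leap_add_second_ip.sh': ... }` has a `subscribe` but no `refreshonly => true`, so it runs on every Puppet run, and the script now also writes `1` to `/proc/sys/net/ipv4/ip_forward` imperatively, which enables forwarding outside the declared catalog and does not persist it in sysctl configuration. Adding `refreshonly => true,` to the exec keeps the first-run and on-change behaviour (the cron still covers reboots), and managing `net.ipv4.ip_forward` declaratively (for example a managed file under `/etc/sysctl.d`) would make the forwarding state explicit and auditable next to the `site_shorewall::eip` rules included below. `$ip_address` is read from hiera but not used anywhere in this hunk. The class body continues past the hunk, which ends inside the `package { 'openvpn': ... }` resource.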
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index d029fbac..12c1bd8f 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -1,28 +1,22 @@
 class site_openvpn::keys {
- $openvpn_keys = hiera_hash('openvpn')
-
- file { '/etc/openvpn/keys/ca.key':
- content => $openvpn_keys['ca_key'],
- mode => '0600',
- }
 file { '/etc/openvpn/keys/ca.crt':
- content => $openvpn_keys['ca_crt'],
+ content => $site_openvpn::x509_config['ca_cert'],
 mode => '0644',
 }
 file { '/etc/openvpn/keys/dh.pem':
- content => $openvpn_keys['dh_key'],
+ content => $site_openvpn::x509_config['dh'],
 mode => '0644',
 }
 file { '/etc/openvpn/keys/server.key':
- content => $openvpn_keys['server_key'],
+ content => $site_openvpn::x509_config['key'],
 mode => '0600',
 }
 file { '/etc/openvpn/keys/server.crt':
- content => $openvpn_keys['server_crt'],
+ content => $site_openvpn::x509_config['cert'],
 mode => '0644',
 }
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 482c6ab7..6fc3a3c2 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
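Review bot: `file { '/etc/openvpn/keys/server.key': content => $site_openvpn::x509_config['key'], ... }` now writes the server's private key from hiera, and a file resource managed by `content` reports a diff whenever that content changes, so the key material can land in agent logs and reports. If the Puppet version in use supports the file type's `show_diff` parameter, add `show_diff => false,` to the `server.key` resource; `ca.crt`, `dh.pem` and `server.crt` hold public material and do not need it. The resources also leave `owner`/`group` unmanaged, so they stay at whatever the agent creates them as; stating `owner => 'root',` explicitly on `server.key` next to `mode => '0600'` would make the intended access visible, if that matches the deployment. Note that `$site_openvpn::x509_config` is only defined once `site_openvpn` has been evaluated, so this class must keep being reached via `include site_openvpn::keys` from that class rather than on its own.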
@@ -1,3 +1,57 @@
+#
+# Cipher discussion
+# ================================
+#
+# We want to specify explicit values for the crypto options to prevent a MiTM from forcing
+# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher'
+# MUST be the same on both ends or no data will get transmitted).
+#
+# tls-cipher DHE-RSA-AES128-SHA
+#
+# dkg: For the TLS control channel, we want to make sure we choose a
+# key exchange mechanism that has PFS (meaning probably some form of ephemeral
+# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher
+# (I recommend AES, and 128 bits is probably fine, since there are some known
+# weaknesses in the 192- and 256-bit key schedules). That leaves us with the
+# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE |
+# grep AES128 | grep GCM.
+#
+# elijah:
+# I could not get any of these working:
+# * openvpn --show-tls | grep GCM
+# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256
+# so, i went with this:
+# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM
+# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how
+# our cert generation interacts with the tls-cipher algorithms.
+#
+# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set.
+#
+# auth SHA1
+#
+# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists
+# a number of “digest” with names like “RSA-SHA256”, but this are legacy and
+# should be avoided.
+#
+# elijah: i am not so sure that the digest algo matters for 'auth' option, because
+# i think an attacker would have to forge the digest in real time, which is still far from
+# a possibility for SHA1. So, i am leaving the default for now (SHA1).
+#
+# cipher AES-128-CBC
+#
+# dkg: For the choice of cipher, we need to select an algorithm and a
+# cipher mode. 
OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; "dev $openvpn_configname": key => 'dev', value => 'tun', diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 4fc62f85..68f480d8 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -6,7 +6,7 @@ define site_shorewall::dnat_rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; 
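Review bot: `"auth $openvpn_configname": ... value => 'SHA1'` pins the packet HMAC to SHA1 even though the new header comment records SHA256 as the recommendation and notes that 'auth' must match on both ends; since this hunk already pins `tls-cipher` and `cipher` explicitly, consider `value => 'SHA256',` here together with the matching client-side change, or, if SHA1 is kept deliberately, a short comment on the resource such as `# SHA1 kept on purpose for now — see the 'auth' discussion in the header`. This is not an immediate weakness, because HMAC-SHA1 does not depend on SHA1's collision resistance, but it is a cheap change that avoids revisiting the question later. The define's body continues outside the hunk, which ends inside the option list at `"dev $openvpn_configname"`.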
@@ -16,7 +16,7 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 086bf75a..57dc17e9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,7 +10,7 @@ class site_shorewall::eip { $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address + $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': @@ -42,11 +42,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } + source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': |