From 6146c50f4ae9ef7b0887ee4abff66b5b62a6da9d Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:06:35 +0200 Subject: added submoule interfaces, from git://github.com/x-way/puppet-interfaces.git --- .gitmodules | 3 +++ puppet/modules/interfaces | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/interfaces diff --git a/.gitmodules b/.gitmodules index 10a21c03..e3e8d6db 100644 --- a/.gitmodules +++ b/.gitmodules @@ -34,3 +34,6 @@ [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb url = git://code.leap.se/puppet_couchdb +[submodule "puppet/modules/interfaces"] + path = puppet/modules/interfaces + url = git://github.com/x-way/puppet-interfaces.git diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces new file mode 160000 index 00000000..1d7dc717 --- /dev/null +++ b/puppet/modules/interfaces @@ -0,0 +1 @@ +Subproject commit 1d7dc7178881c56102c043e96763176f66445c1e -- cgit v1.2.3 From 8128fd27d9d3637654ebf924c860a701a4a08911 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:14:37 +0200 Subject: beginning config of main interface --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index df17771a..0077137b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
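Review bot: The new `.gitmodules` entry fetches a third-party Puppet module, which will run as root on every node, over the unauthenticated `git://` transport, so the content can be substituted in transit on the clone or `submodule update` that populates it. The commit pin in the second hunk (`1d7dc717…`) protects later checkouts only once a trusted copy exists; the pin itself was taken over the same unauthenticated transport, so the pinned tree should be reviewed before it is relied on. Use the TLS endpoint instead, `url = https://github.com/x-way/puppet-interfaces.git` (GitHub has since discontinued `git://` altogether). The existing couchdb entry above it has the same transport weakness but is not part of this change.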
@@ -5,9 +5,25 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - $openvpn_config = hiera('openvpn') - $interface = hiera('interface') - $gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + $gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + + include interfaces + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", + 'netmask 255.255.255.0', + "gateway $gateway", + "up ip addr add $openvpn_gateway_address/24 dev eth0 label", + "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + ], + auto => 1, + allow_hotplug => 1 } + site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 92368db363406ebf47419814e1ac1bfc9f17c44a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:08:15 +0200 Subject: linted, variable updated --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 0077137b..57b6d831 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -12,16 +12,16 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", 'netmask 255.255.255.0', - "gateway $gateway", + "gateway $gateway_address", "up ip addr add $openvpn_gateway_address/24 dev eth0 label", "down ip addr del $openvpn_gateway_address/24 dev eth0 label", - ], - auto => 1, + ], + auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 
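Review bot: `"gateway $gateway"` in the options array references a variable that is never assigned in this class — the hiera value is bound to `$gateway_address` a few lines up — so the generated interface stanza carries an empty gateway; Puppet only warns about an undefined variable inside a string. The up/down hooks also hard-code `dev eth0` although the resource title is `$interface`, and the `/24` prefix is hard-coded to match the equally hard-coded `netmask 255.255.255.0`. Change the two lines to `"gateway $gateway_address"` and `"up ip addr add $openvpn_gateway_address/24 dev $interface"` (same for `down`), and consider sourcing the netmask from hiera next to `ip_address` if hosts with other prefixes are expected. The class body continues beyond the hunk.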
From 8253e3ebeb88ba33131365a1b584878a12bbd225 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:14:23 +0200 Subject: removed label for ip addr --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 57b6d831..1beea9ce 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -18,8 +18,8 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0 label", - "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + "up ip addr add $openvpn_gateway_address/24 dev eth0", + "down ip addr del $openvpn_gateway_address/24 dev eth0", ], auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 From c40a1bce442aab4ba8baf062ffcb65e006ad13e0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 14:53:06 +0100 Subject: use script to add second ip --- puppet/modules/site_config/manifests/eip.pp | 47 +++++++++++++++++++---------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 1beea9ce..c81ad33a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -18,29 +18,44 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0", - "down ip addr del $openvpn_gateway_address/24 dev eth0", + "up ip addr add $openvpn_gateway_address/24 dev $interface", + "down ip addr del $openvpn_gateway_address/24 dev $interface", ], auto => 1, allow_hotplug => 1 } - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', - management => '127.0.0.1 1000' + #site_openvpn::server_config { 'tcp_config': + # port => '1194', + # proto => 'tcp', + # local => $gateway_address, + # server => '10.1.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.1.0.1"', + # management => '127.0.0.1 1000' + #} + #site_openvpn::server_config { 'udp_config': + # port => '1194', + # proto => 'udp', + # local => $gateway_address, + # server => '10.2.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.2.0.1"', + # management => '127.0.0.1 1001' + #} + + file { '/usr/local/bin/leap_add_second_ip.sh': + content => '#!/bin/sh + ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + mode => '0755', } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', - management => '127.0.0.1 1001' + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } + #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": + # path => '/usr/bin:/sbin', + # unless => "ip addr show dev $interface | grep -q '$interface/24'" + #} + include site_shorewall::eip } -- cgit v1.2.3 From 189e8957c23fb09ef8c130f64e53f58c9da7d3ec Mon Sep 17 00:00:00 2001 
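Review bot: The script body is a single-quoted Puppet string, so `$openvpn_gateway_address` is not interpolated and reaches the shell as an (empty) shell variable, making the installed script run `ip addr add "/24" dev eth0` on every invocation. The `exec` that runs it has neither `refreshonly => true` nor an `unless`/`onlyif`, so despite the `subscribe` it executes on every agent run and is reported as a change each time, and it has no `path`, so `ip` and `grep` inside the script resolve only if the agent's inherited environment happens to include `/sbin`. Since the file is executed as root and installed with `mode => '0755'`, also pin ownership explicitly rather than relying on the agent's defaults: `owner => 'root', group => 'root',` on the `file` resource, and give the exec `path => '/usr/bin:/bin:/sbin',` plus an `unless` mirroring the script's own `grep -q` check so Puppet reports the true state. The class continues past the hunk with `include site_shorewall::eip`.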
From: varac Date: Mon, 29 Oct 2012 14:58:55 +0100 Subject: pass variable to leap_add_second_ip.sh --- puppet/modules/site_config/manifests/eip.pp | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c81ad33a..ed1d395b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -11,19 +11,18 @@ class site_config::eip { $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", - 'netmask 255.255.255.0', - "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev $interface", - "down ip addr del $openvpn_gateway_address/24 dev $interface", - ], - auto => 1, - allow_hotplug => 1 } - + #include interfaces + #interfaces::iface { $interface: + # family => 'inet', + # method => 'static', + # options => [ "address $ip_address", + # 'netmask 255.255.255.0', + # "gateway $gateway_address", + # "up ip addr add $openvpn_gateway_address/24 dev $interface", + # "down ip addr del $openvpn_gateway_address/24 dev $interface", + # ], + # auto => 1, + # allow_hotplug => 1 } #site_openvpn::server_config { 'tcp_config': # port => '1194', @@ -43,8 +42,8 @@ class site_config::eip { #} file { '/usr/local/bin/leap_add_second_ip.sh': - content => '#!/bin/sh - ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + content => "#!/bin/sh +ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", mode => '0755', } -- cgit v1.2.3 From 7c7c3f6ff9806febe903a9cfdef97c36e3743587 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 29 Oct 2012 18:34:51 +0100 Subject: double double quoting solved --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ed1d395b..59889a92 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -43,7 +43,7 @@ class site_config::eip { file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", mode => '0755', } -- cgit v1.2.3 From 8d2b6978e809004f4bca38d4fef27149497ad309 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:01:48 +0100 Subject: linted --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 31ee3e6c..54f3ea6e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -8,7 +8,7 @@ class site_shorewall::eip { $interface = hiera('interface') # define macro - file { "/etc/shorewall/macro.leap_eip": + file { '/etc/shorewall/macro.leap_eip': content => 'PARAM - - tcp 53,80,443,1194 PARAM - - udp 53,80,443,1194 ', } -- cgit v1.2.3 From 7f82917633ad444e1a303df5bd02ebe29aa05921 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:02:05 +0100 Subject: no need for server-up.sh right now --- puppet/modules/site_openvpn/manifests/server_config.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
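Review bot: The idempotence test `grep -q ${openvpn_gateway_address}/24` is an unanchored regex in which every `.` of the address matches any character, so a longer address that merely contains the configured one (e.g. `110.1.0.1/24` when `10.1.0.1` is expected) counts as present and the add is skipped. Match the full token literally instead: `ip addr show dev $interface | grep -qF 'inet ${openvpn_gateway_address}/24 ' || ip addr add ${openvpn_gateway_address}/24 dev $interface` — single quotes at the shell level avoid the Puppet double-quote collision the previous commit hit, because Puppet has already interpolated the value by then. The `/24` is still hard-coded in both halves and must match the prefix of the primary address on `$interface`; a short comment saying so would help the next editor.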
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..f4c5237e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -92,10 +92,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', -- cgit v1.2.3 From 372797b1f0b2a65698e8f4cd52fdf5d93a274965 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:04:23 +0100 Subject: reenabled site_openvpn::server_config, leap_add_second_ip.sh @reboot --- puppet/modules/site_config/manifests/eip.pp | 57 +++++++++++------------------ 1 file changed, 21 insertions(+), 36 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 59889a92..498d7eed 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
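Review bot: The `up` entry is left in place as four commented-out lines inside the resource hash rather than removed; git history already records it, and dead entries interleaved with live ones make the hash harder to read and to lint. Either delete them or keep a single marker such as `# TODO: re-add the 'up' hook (/etc/openvpn/server-up.sh) once it is needed again`. Whatever `server-up.sh` did is now silently no longer applied to new servers; if it carried routing or firewall setup, that should be stated in the commit or comment. The `define site_openvpn::server_config` header and the rest of the hash lie outside the hunk.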
@@ -2,44 +2,28 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - #$tor=hiera('tor') - #notice("Tor enabled: $tor") - $ip_address = hiera('ip_address') $interface = hiera('interface') $gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - #include interfaces - #interfaces::iface { $interface: - # family => 'inet', - # method => 'static', - # options => [ "address $ip_address", - # 'netmask 255.255.255.0', - # "gateway $gateway_address", - # "up ip addr add $openvpn_gateway_address/24 dev $interface", - # "down ip addr del $openvpn_gateway_address/24 dev $interface", - # ], - # auto => 1, - # allow_hotplug => 1 } - - #site_openvpn::server_config { 'tcp_config': - # port => '1194', - # proto => 'tcp', - # local => $gateway_address, - # server => '10.1.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.1.0.1"', - # management => '127.0.0.1 1000' - #} - #site_openvpn::server_config { 'udp_config': - # port => '1194', - # proto => 'udp', - # local => $gateway_address, - # server => '10.2.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.2.0.1"', - # management => '127.0.0.1 1001' - #} + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_gateway_address, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => '127.0.0.1 1001' + } file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh 
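Review bot: `local => $openvpn_gateway_address` makes both OpenVPN instances bind to the secondary address, but nothing orders the two `site_openvpn::server_config` resources after the `exec` that adds that address (declared further down in this class, outside this hunk). Puppet does not apply resources in manifest order, so on a fresh node the OpenVPN configs can be written and the service (re)started before the address exists and, depending on how `site_openvpn` manages the service, fail to bind until a later run. Add an explicit dependency on both resources, e.g. `require => Exec['/usr/local/bin/leap_add_second_ip.sh'],`, rather than relying on evaluation order.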
@@ -51,10 +35,11 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } - #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": - # path => '/usr/bin:/sbin', - # unless => "ip addr show dev $interface | grep -q '$interface/24'" - #} + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } include site_shorewall::eip } -- cgit v1.2.3 From 7361c79e1e864c16450455a3ae374393a04f9eb7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:27:52 +0100 Subject: no need for gateway_address --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 498d7eed..15bf8be2 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -4,7 +4,7 @@ class site_config::eip { $ip_address = hiera('ip_address') $interface = hiera('interface') - $gateway_address = hiera('gateway_address') + #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] -- cgit v1.2.3 From c72160f993345c184ce01d7e4c14c9923fc194e9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:48:02 +0100 Subject: move interface definition for eth0 to eip.pp, use variable --- puppet/modules/site_shorewall/manifests/defaults.pp | 4 ---- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
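Review bot: The `@reboot` cron job has no ordering relation to network configuration, so if cron starts before `$interface` is up the `ip addr add` fails (or the address is dropped again when the interface is configured afterwards), and the OpenVPN instances bound to `local => $openvpn_gateway_address` are not listening until the next agent run. A hook tied to the interface lifecycle — a `post-up` line in the interface stanza, which is what the `interfaces::iface` up/down options removed earlier in this series provided — is the robust place for this. If the cron entry stays, use a non-interpolating string for the constant command, `command => '/usr/local/bin/leap_add_second_ip.sh',`, and document the ordering assumption above the resource.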
@@ -10,8 +10,4 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - shorewall::interface {'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; - } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 54f3ea6e..0c9bfa9c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,6 +13,13 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } + + # define interfaces + shorewall::interface {"$interface": + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -20,6 +27,7 @@ PARAM - - udp 53,80,443,1194 zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } -- cgit v1.2.3 From fa31e200b5cbf4ac9b01a864410d535cbf84420d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:07:07 +0100 Subject: put in double quotes --- puppet/modules/site_shorewall/manifests/eip.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0c9bfa9c..87e1e16f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,9 +13,9 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } - + # define interfaces - shorewall::interface {"$interface": + shorewall::interface { $interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } 
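Review bot: Removing the `eth0` interface from `site_shorewall::defaults` means a node that includes the defaults but not `site_shorewall::eip` no longer declares any interface for the `net` zone; if the zone is still referenced by the zones or policy files (not visible here), shorewall refuses to compile, and a non-EIP node otherwise loses the `tcpflags,blacklist,nosmurfs` protections on its uplink. Whether such nodes exist cannot be told from this diff; if they do, keep a `$interface`-based `shorewall::interface` declaration in the defaults (or a shared class) rather than moving it into the EIP-specific class. The `site_shorewall::defaults` class header is outside the hunk.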
@@ -31,11 +31,12 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'$interface': - interface => '$interface'; } + shorewall::routestopped { $interface: + interface => $interface; } + - shorewall::masq {'$interface': - interface => '$interface', + shorewall::masq {"$interface": + interface => $interface, source => ''; } shorewall::policy { -- cgit v1.2.3 From d235cd5292783722653ff34b35ce28ff31d30935 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:57:34 +0100 Subject: pass ssh_port to shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 87e1e16f..230752dc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,13 +5,15 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] # define macro file { '/etc/shorewall/macro.leap_eip': - content => 'PARAM - - tcp 53,80,443,1194 + content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 -', } +", } # define interfaces -- cgit v1.2.3 From c26c2c18d0abb7dec76a748bf0c2c2f9000298da Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:17:26 +0100 Subject: openvpn_tcp/udp_network_prefix and openvpn_tcp/udp_netmask variables --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 15bf8be2..ecac446b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
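Review bot: `$ssh_port` comes from hiera and is interpolated unvalidated into the shorewall macro; an empty, non-numeric or missing `port` key yields a line such as `PARAM - - tcp 53,80,443,1194,` that makes shorewall fail to compile, leaving the previous ruleset in place unnoticed. Fail early in the manifest instead: `if $ssh_port !~ /^\d+$/ { fail("ssh port must be numeric, got '${ssh_port}'") }` before the `file` resource. Note also that adding SSH to the `leap_eip` macro opens the port in every zone the macro is applied to — if the macro is also used for the `eip` zone, VPN clients would reach the gateway's SSH port; a separate rule for management access keeps that decision explicit.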
@@ -2,26 +2,30 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", local => $openvpn_gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } -- cgit v1.2.3 From 1e3e9658a2309569e73d6bef72d441a6851d2653 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:22:37 +0100 Subject: also provide openvpn_tcp/udp_cidr variable --- puppet/modules/site_config/manifests/eip.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ecac446b..d7a59157 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
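Review bot: The new interpolations `"$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask"` and `"\"dhcp-option DNS $openvpn_tcp_network_prefix.1\""` rely on the reader knowing that Puppet stops the variable name at the `.`; brace them as `"${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}"` and `"\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\""` (and the udp pair likewise), which puppet-lint also expects. The netmask `255.255.248.0` is a /21 while the prefix variable names only three octets, so a comment such as `# 10.1.0.0/21: .0 is the network address, .1 the server/DNS address pushed to clients` would make the relation between prefix, netmask and the `.0`/`.1` suffixes explicit. The udp block also moves `local` below `push` for no visible reason; keeping the attribute order identical to the tcp block makes the two easier to compare.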
@@ -9,8 +9,10 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 1f7dbac75c5c2a610ca4e6763109fd3e06c9072a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:25:11 +0100 Subject: configure tcp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 230752dc..0849d711 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,9 +37,9 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq {"$interface": + shorewall::masq { $interface: interface => $interface, - source => ''; } + source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 0d89ea18da5dd520bf71df42e15b813b706e2189 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:46:04 +0100 Subject: configure tcp+udp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0849d711..5105b85a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
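Review bot: `$openvpn_tcp_cidr = '21'` and `$openvpn_tcp_netmask = '255.255.248.0'` (and the udp pair) are two hand-maintained encodings of the same prefix length, with nothing tying them together; a later edit to one of them silently desynchronises the OpenVPN `server` line from the masquerading source derived from the cidr. At minimum annotate the coupling, e.g. `$openvpn_tcp_cidr = '21' # must agree with $openvpn_tcp_netmask`, and if a netmask-to-cidr helper is available in the module set, derive one value from the other instead. The class body continues outside the hunk.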
@@ -39,7 +39,11 @@ PARAM - - udp 53,80,443,1194 shorewall::masq { $interface: interface => $interface, - source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + + shorewall::masq { $interface: + interface => $interface, + source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 04d324a61cb33ff282e2dc3228e25723b564ea1f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:49:14 +0100 Subject: differentiate masq definition names --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 5105b85a..a5af0dde 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,11 +37,11 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_tcp": interface => $interface, source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_udp": interface => $interface, source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } -- cgit v1.2.3 From 2f747b961a1fd5f7197e63dde58b64ab465ac39d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:16:49 +0100 Subject: commenting --- puppet/modules/site_config/manifests/eip.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index d7a59157..4280fb67 100644 --- a/puppet/modules/site_config/manifests/eip.pp 
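Review bot: The masq `source` values are built from `$site_config::eip::openvpn_tcp_network_prefix` and friends, which only have a value if `site_config::eip` has already been evaluated when this class is parsed; Puppet does not order class evaluation by variable reference, and a qualified variable that is not yet set interpolates to an empty string (with a warning), giving a `source` of `.0/` that shorewall rejects. The order currently holds only because `site_config::eip` includes `site_shorewall::eip` at its end, which is fragile; pass the networks in as class parameters, or read them from hiera in both places, rather than reaching across classes. Separately, the two `shorewall::masq` resources in this hunk share the title `$interface`, which is a duplicate declaration error at catalog compile time. The rest of the class is outside the hunk.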
+++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,7 +1,6 @@ class site_config::eip { - include site_openvpn - include site_openvpn::keys + # parse hiera config $ip_address = hiera('ip_address') $interface = hiera('interface') #$gateway_address = hiera('gateway_address') @@ -14,6 +13,12 @@ class site_config::eip { $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', @@ -31,6 +36,7 @@ class site_config::eip { management => '127.0.0.1 1001' } + # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", -- cgit v1.2.3 From 038380e042289a9586141d7154febea2a2a6a56c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:18:06 +0100 Subject: prettyfying --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index f4c5237e..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, -- cgit v1.2.3
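Review bot: The new comment `# add second IP on given interface` says what the script does but not why, and this is the only place the coupling is documented; make it `# OpenVPN binds to $openvpn_gateway_address, a secondary address on $interface that is not set via the interface stanza; this script adds it idempotently and the @reboot cron below re-applies it` and mention that the `/24` hard-coded in the script must match the interface's netmask. `# parse hiera config` would be more useful as `# node-specific values from hiera; the openvpn_* network values below are fixed in this class, not in hiera`, which records the split this file now has. Moving `include site_openvpn` below the variable block is fine provided that class does not read the variables declared above it; worth a one-line note if it does.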