From 14305e553c4f71fbeec997d585383c4c6211c1a5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:29:26 +0200 Subject: don't pull openvpn config from hiera --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 56eb1452..c8677696 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -4,7 +4,15 @@ class site_config::eip { $tor=hiera('tor') notice("Tor enabled: $tor") - $openvpn_configs=hiera('openvpn_server_configs') - create_resources('site_openvpn::server_config', $openvpn_configs) - + #$openvpn_configs=hiera('openvpn_server_configs') + #create_resources('site_openvpn::server_config', $openvpn_configs) + + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp' + } } -- cgit v1.2.3 From 05fcb0db28279ae7c08b8c76c887f633f78a2947 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:38:01 +0200 Subject: cosmetics for server_config.pp --- .../site_openvpn/manifests/server_config.pp | 66 +++++++++++----------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 4a130d13..1af08b4a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
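Review bot: The hiera lookup this commit replaces is kept as two commented-out lines directly above the new resources; since the commit message says the config is no longer pulled from hiera, delete `#$openvpn_configs=hiera('openvpn_server_configs')` and `#create_resources('site_openvpn::server_config', $openvpn_configs)` rather than leaving dead code that implies the hiera path still works. Both new instances bind `port => '1194'`, which only avoids a conflict because the protocols differ; a one-line comment stating that would save the next reader a check.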
@@ -1,52 +1,52 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package["openvpn"]; - } + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package['openvpn']; + } - concat { - "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File["/etc/openvpn"], - notify => Service["openvpn"]; - } + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } openvpn::option { - "ca ${openvpn_configname}": - key => "ca", - value => "/etc/openvpn/ca.crt", - #require => Exec["initca ${openvpn_configname}"], - server => "${openvpn_configname}"; - "cert ${openvpn_configname}": - key => "cert", - value => "/etc/openvpn/${openvpn_configname}/server.crt", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "key ${openvpn_configname}": + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/ca.crt', + #require => Exec["initca $openvpn_configname"], + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => "/etc/openvpn/$openvpn_configname/server.crt", + #require => Exec["generate server cert $openvpn_configname"], + server => $openvpn_configname; + "key $openvpn_configname": key => "key", - value => "/etc/openvpn/${openvpn_configname}/server.key", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "dh ${openvpn_configname}": + value => "/etc/openvpn/$openvpn_configname/server.key", + #require => Exec["generate server cert $openvpn_configname"], + server => "$openvpn_configname"; + "dh 
$openvpn_configname": key => "dh", value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param ${openvpn_configname}"], - server => "${openvpn_configname}"; + #require => Exec["generate dh param $openvpn_configname"], + server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", value => "tun", server => "$openvpn_configname"; - "mode ${openvpn_configname}": + "mode $openvpn_configname": key => 'mode', value => 'server', server => $openvpn_configname; -- cgit v1.2.3 From df5fa56faa60d743acc1d8351b738a279263b62d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:48:44 +0200 Subject: deploy.sh testing --- deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy.sh b/deploy.sh index 6a582637..7754f91c 100755 --- a/deploy.sh +++ b/deploy.sh @@ -17,7 +17,7 @@ install_prerequisites () { # main # commented for testing purposes -install_prerequisites +#install_prerequisites puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ -- cgit v1.2.3 From ad018cb7c6b85252783e0f8ae5ce26afcc37d9e8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:58:04 +0200 Subject: seperate config from leap_platform --- config/defaults.yaml | 7 ------- config/eip/cougar.leap.se.yaml | 10 ---------- config/eip/defaults.yaml | 4 ---- config/hosts/cougar.leap.se.yaml | 8 -------- puppet/hiera.yaml | 2 +- 5 files changed, 1 insertion(+), 30 deletions(-) delete mode 100644 config/defaults.yaml delete mode 100644 config/eip/cougar.leap.se.yaml delete mode 100644 config/eip/defaults.yaml delete mode 100644 config/hosts/cougar.leap.se.yaml diff --git a/config/defaults.yaml b/config/defaults.yaml deleted file mode 100644 index 44fae3d2..00000000 --- a/config/defaults.yaml +++ /dev/null 
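Review bot: The quoting sweep leaves `mode => 644` on the concat resource as a bare number; Puppet has treated unquoted modes inconsistently across versions and puppet-lint flags it, so write `mode => '0644',` while these lines are being touched. The same bare `mode => 644` is re-indented on the new side of the init.pp "cosmetics" hunk further down. The define's closing brace is outside this hunk.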
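Review bot: Commenting out `install_prerequisites` ships a deploy script that skips prerequisite installation for every user, not just for the author's test run, and the existing comment "commented for testing purposes" shows it is not meant to stay. Gate it on an environment variable so the default path still installs, e.g. `[ -n "$SKIP_PREREQUISITES" ] || install_prerequisites`. On the following context line `$@` is unquoted, so arguments containing spaces are re-split before they reach `puppet apply`; `"$@"` preserves them.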
@@ -1,7 +0,0 @@ ---- -testpw: secret - -# as hashes will get aggregated, this ssh-key would always be present, in addition to others specified in hosts/{fqdn} -ssh_keys: - default_key: - key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml deleted file mode 100644 index c051d30b..00000000 --- a/config/eip/cougar.leap.se.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -openvpn_server_configs: - port80_tcp: - port: 80 - proto: tcp-server - port1194_udp: - port: 1194 - proto: udp - -tor: 'true' diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml deleted file mode 100644 index 07846fdd..00000000 --- a/config/eip/defaults.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# make shure 'false' is quoted -tor: 'false' - diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml deleted file mode 100644 index 758e96a3..00000000 --- a/config/hosts/cougar.leap.se.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -services: - - eip - - couchdb -ssh_keys: - second_key: - key: ssh-rsa more_random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ - diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index a992c057..95283394 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -17,7 +17,7 @@ # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo :yaml: - :datadir: config + :datadir: ../config :puppet: :datasource: data -- cgit v1.2.3 From b7277a8c666248a2a134f1d5b84c994df9904b7c Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 4 Oct 2012 22:34:20 +0200 Subject: moved most includes to site_config --- puppet/manifests/site.pp | 18 ++++++------------ puppet/modules/site_config/manifests/init.pp | 7 +++++++ 2 files changed, 13 insertions(+), 12 deletions(-) create mode 100644 puppet/modules/site_config/manifests/init.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 3ae9ebea..89c97888 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,22 +1,16 @@ node 'default' { + # prerequisites + import 'common' + include concat::setup # include some basic classes - # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? - include concat::setup - include apt, lsb, git - import 'common' + #include site_config + # parse services for host $services=hiera_array('services') notice("Services for $fqdn: $services") - # configure ssh and inculde ssh-keys - #include sshd - $ssh_keys=hiera_hash('ssh_keys') - include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) - - + # configure eip if 'eip' in $services { include site_config::eip } diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp new file mode 100644 index 00000000..64eb06f4 --- /dev/null +++ b/puppet/modules/site_config/manifests/init.pp @@ -0,0 +1,7 @@ +class site_config { + include apt, lsb, git + + # configure ssh and inculde ssh-keys + include site_config::sshd + +} -- cgit v1.2.3 From fc72260f601fb77b90d9f2f2afd2a43c4d5916f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:35:16 +0200 Subject: + site_openvpn::keys --- puppet/modules/site_config/manifests/eip.pp | 5 +++-- puppet/modules/site_openvpn/manifests/keys.pp | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/keys.pp 
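Review bot: The ssh-key handling removed from site.pp only survives through the new `site_config` class, but the include for it is added commented out (`+  #include site_config`), and `site_config::sshd`, which the new init.pp includes, does not exist at this commit, so after this change no host gets its ssh keys deployed until both are fixed. Either add `include site_config` uncommented, or keep the `site_sshd` block in site.pp until the new class is in place. The same gap applies to the init.pp hunk that follows.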
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c8677696..6e866b1c 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,8 +1,9 @@ class site_config::eip { include site_openvpn + include site_openvpn::keys - $tor=hiera('tor') - notice("Tor enabled: $tor") + #$tor=hiera('tor') + #notice("Tor enabled: $tor") #$openvpn_configs=hiera('openvpn_server_configs') #create_resources('site_openvpn::server_config', $openvpn_configs) diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp new file mode 100644 index 00000000..b31369c9 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -0,0 +1,23 @@ +class site_openvpn::keys { + $openvpn_keys = hiera_hash('openvpn_keys') + + file { '/etc/openvpn/keys/ca.crt': + content => $openvpn_keys['ca'], + mode => '0644', + } + + file { '/etc/openvpn/keys/dh.pem': + content => $openvpn_keys['dh'], + mode => '0644', + } + + file { '/etc/openvpn/keys/server.key': + content => $openvpn_keys['server_key'], + mode => '0600', + } + + file { '/etc/openvpn/keys/server.crt': + content => $openvpn_keys['server_cert'], + mode => '0644', + } +} -- cgit v1.2.3 From e89082114be280c7fd3c7b62863e19ff5c89df26 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:12 +0200 Subject: cosmetics --- puppet/modules/site_openvpn/manifests/init.pp | 59 +++++++++++++++------------ 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index c83b98c7..e95e67d5 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
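Review bot: `/etc/openvpn/keys/server.key` is written from `content =>` with mode 0600, which is right, but a Puppet file resource shows a content diff in the agent log and report whenever the content changes, so private key material would end up in logs; add `show_diff => false,` to that resource if the Puppet version in use supports the parameter. Owner and group are left to the defaults on all four files; making `owner => 'root', group => 'root',` explicit avoids depending on who runs the agent. Nothing here states an ordering after the `/etc/openvpn/keys` directory created in site_openvpn, so this relies on Puppet's parent-directory autorequire rather than an explicit dependency.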
@@ -1,43 +1,48 @@ class site_openvpn { package { - "openvpn": - ensure => installed; + 'openvpn': + ensure => installed; } service { - "openvpn": - ensure => running, - hasrestart => true, - hasstatus => true, - require => Exec["concat_/etc/default/openvpn"]; + 'openvpn': + ensure => running, + hasrestart => true, + hasstatus => true, + require => Exec['concat_/etc/default/openvpn']; } + file { - "/etc/openvpn": - ensure => directory, - require => Package["openvpn"]; + '/etc/openvpn': + ensure => directory, + require => Package['openvpn']; } - include concat::setup + file { + '/etc/openvpn/keys': + ensure => directory, + require => Package['openvpn']; + } concat { - "/etc/default/openvpn": - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service["openvpn"]; + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; } concat::fragment { - "openvpn.default.header": - content => template("openvpn/etc-default-openvpn.erb"), - target => "/etc/default/openvpn", - order => 01; + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; } - concat::fragment { - "openvpn.default.autostart.${name}": - content => "AUTOSTART=all", - target => "/etc/default/openvpn", - order => 10; - } + concat::fragment { + "openvpn.default.autostart.${name}": + content => 'AUTOSTART=all', + target => '/etc/default/openvpn', + order => 10; + } } -- cgit v1.2.3 From c067421f34d375c2b39e88a5994353c71ac4c9af Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:48 +0200 Subject: include openvpn keys --- .../site_openvpn/manifests/server_config.pp | 23 ++++++---------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1af08b4a..5a47954a 100644 
--- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,14 +1,9 @@ define site_openvpn::server_config($port, $proto) { - $openvpn_configname=$name + $openvpn_configname = $name + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package['openvpn']; - } - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, @@ -19,28 +14,22 @@ define site_openvpn::server_config($port, $proto) { notify => Service['openvpn']; } - - openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/ca.crt', - #require => Exec["initca $openvpn_configname"], + value => '/etc/openvpn/keys/ca.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/$openvpn_configname/server.crt", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.crt", server => $openvpn_configname; "key $openvpn_configname": key => "key", - value => "/etc/openvpn/$openvpn_configname/server.key", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.key", server => "$openvpn_configname"; "dh $openvpn_configname": key => "dh", - value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param $openvpn_configname"], + value => "/etc/openvpn/keys/dh1024.pem", server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", -- cgit v1.2.3 From 9fb0bcc2901bf5cf79d3ac0a46c610d302e0df7b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:38:15 +0200 Subject: + site_config::sshd --- puppet/modules/site_config/manifests/sshd.pp | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 puppet/modules/site_config/manifests/sshd.pp 
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp new file mode 100644 index 00000000..8e33ca7f --- /dev/null +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -0,0 +1,8 @@ +class site_config::sshd { + # configure ssh and inculde ssh-keys + include sshd + $ssh_keys=hiera_hash('ssh_keys') + include site_sshd + notice($ssh_keys) + create_resources('site_sshd::ssh_key', $ssh_keys) +} -- cgit v1.2.3 From b59ce36a29a770847368773db543b38c62ea55cf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:05:32 +0200 Subject: adopted most static parameters --- .../site_openvpn/manifests/server_config.pp | 137 ++++++++++----------- 1 file changed, 67 insertions(+), 70 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5a47954a..320a4add 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,8 +1,8 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname = $name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $proto") + #notice("Creating OpenVPN $openvpn_configname: + # Port: $port, Protocol: $proto") concat { "/etc/openvpn/$openvpn_configname.conf": 
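Review bot: `notice($ssh_keys)` dumps the whole hiera hash into the agent log on every run; it reads like leftover debugging and should be dropped, since the `create_resources` call on the next line is what does the work. The class includes both `sshd` and `site_sshd`, which is hard to follow without a comment saying which one provides what. Minor: the copied comment still reads "inculde".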
@@ -21,81 +21,78 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/keys/server.crt", + value => '/etc/openvpn/keys/server.crt', server => $openvpn_configname; "key $openvpn_configname": - key => "key", - value => "/etc/openvpn/keys/server.key", - server => "$openvpn_configname"; + key => 'key', + value => '/etc/openvpn/keys/server.key', + server => $openvpn_configname; "dh $openvpn_configname": - key => "dh", - value => "/etc/openvpn/keys/dh1024.pem", - server => "$openvpn_configname"; + key => 'dh', + value => '/etc/openvpn/keys/dh1024.pem', + server => $openvpn_configname; + "dev $openvpn_configname": - key => "dev", - value => "tun", - server => "$openvpn_configname"; - "mode $openvpn_configname": - key => 'mode', - value => 'server', - server => $openvpn_configname; - "script-security $openvpn_configname": - key => "script-security", - value => "3", - server => "$openvpn_configname"; - "daemon $openvpn_configname": - key => "daemon", - server => "$openvpn_configname"; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive $openvpn_configname": - key => "keepalive", - value => "10 60", - server => "$openvpn_configname"; - "ping-timer-rem $openvpn_configname": - key => "ping-timer-rem", - server => "$openvpn_configname"; - "persist-tun $openvpn_configname": - key => "persist-tun", - server => "$openvpn_configname"; - "persist-key $openvpn_configname": - key => "persist-key", - server => "$openvpn_configname"; - "proto $openvpn_configname": - key => "proto", - value => "$proto", - server => "$openvpn_configname"; - "cipher $openvpn_configname": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_configname"; + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; "local $openvpn_configname": - key => "local", - value 
=> $ipaddress, - server => "$openvpn_configname"; - "tls-server $openvpn_configname": - key => "tls-server", - server => "$openvpn_configname"; - #"server $openvpn_configname": - # key => "server", - # value => "$server", - # server => "$openvpn_configname"; - "lport $openvpn_configname": - key => "lport", - value => "$port", - server => "$openvpn_configname"; + key => 'local', + value => $::ipaddress, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + "mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; "management $openvpn_configname": - key => "management", - value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_configname"; - "comp-lzo $openvpn_configname": - key => "comp-lzo", - server => "$openvpn_configname"; + key => 'management', + value => '127.0.0.1 1000', + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push $openvpn_configname": + key => 'push', + value => "\"redirect-gateway def1\"", + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => "10.42.0.0 255.255.248.0", + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology $openvpn_configname": - key => "topology", - value => "subnet", - server => "$openvpn_configname"; - #"client-to-client $openvpn_configname": - # key => "client-to-client", - # server => "$openvpn_configname"; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + "up $openvpn_configname": 
+ key => 'up', + value => '/etc/openvpn/server-up.sh', + server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; } - } -- cgit v1.2.3 From 1ec1b9b56bc821b81f3797ea158846b41cc03853 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:38:57 +0200 Subject: finished site_openvpn::server_config --- puppet/modules/site_config/manifests/eip.pp | 16 +++++++++++----- puppet/modules/site_openvpn/manifests/server_config.pp | 16 +++++++++++----- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 6e866b1c..e6f80d25 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -7,13 +7,19 @@ class site_config::eip { #$openvpn_configs=hiera('openvpn_server_configs') #create_resources('site_openvpn::server_config', $openvpn_configs) - + site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp' + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.42.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.42.0.1"', } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp' + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.43.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.43.0.1"', } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 320a4add..784152b7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,6 +1,8 @@ -define site_openvpn::server_config($port, $proto) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { + $openvpn_configname = $name + #notice("Creating OpenVPN $openvpn_configname: # Port: $port, Protocol: $proto") 
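Review bot: `status` is hard-coded to `/var/run/openvpn-status 10` for every instance of this define, so the tcp and udp instances created in site_config::eip overwrite each other's status file; make it per-instance, e.g. `value => "/var/run/openvpn-status-$openvpn_configname 10",`. The same hunk moves `management` from the previous unix socket to `127.0.0.1 1000` with no password-file argument, which lets any local user connect to the management channel and control the daemon; either keep the unix socket form or append a `pw-file` path to the value. `script-security` is set to 2 together with `up /etc/openvpn/server-up.sh`, and nothing in this series manages that script, so the daemon would execute an unmanaged file or fail at startup unless it is delivered elsewhere; a `file` resource or at least a comment naming its source is needed. `duplicate-cn` lets several clients share one certificate, which removes per-client accountability in the status output; if that is intended, say so in a comment.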
@@ -45,7 +47,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "local $openvpn_configname": key => 'local', - value => $::ipaddress, + value => $local, server => $openvpn_configname; "mute $openvpn_configname": key => 'mute', @@ -62,9 +64,13 @@ define site_openvpn::server_config($port, $proto) { key => 'proto', value => $proto, server => $openvpn_configname; - "push $openvpn_configname": + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": key => 'push', - value => "\"redirect-gateway def1\"", + value => '"redirect-gateway def1"', server => $openvpn_configname; "script-security $openvpn_configname": key => 'script-security', @@ -72,7 +78,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "10.42.0.0 255.255.248.0", + value => "$server", server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From c9b2c36a5e9327c011af1345bdf54a9c4b84d857 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:47:40 +0200 Subject: dh1204.pem -> dh.pen --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 784152b7..d8a8bc0b 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -31,7 +31,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', - value => '/etc/openvpn/keys/dh1024.pem', + value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; "dev $openvpn_configname": -- cgit v1.2.3 From 97e5a3270df10b8fe699a13966ee6b34b864735e Mon Sep 17 00:00:00 2001 
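Review bot: `value => "$server"` in the `server` option quotes a bare variable, which puppet-lint flags and which turns an undefined value into an empty string; the sibling options already use the bare form, so `value => $server,` is the consistent spelling. The new `$local`, `$server` and `$push` parameters are presumably written verbatim into the OpenVPN config by openvpn::option, so a value containing a newline would become an extra directive; now that they are define parameters, a format check such as `if $server !~ /\A[0-9.]+ [0-9.]+\z/ { fail("server_config ${name}: unexpected server value") }` would document the expected shape. The define continues outside this hunk.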
From: varac Date: Thu, 4 Oct 2012 23:54:37 +0200 Subject: different parameter for each config --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index d8a8bc0b..441a21e3 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,4 +1,4 @@ -define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -58,7 +58,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "management $openvpn_configname": key => 'management', - value => '127.0.0.1 1000', + value => $management, server => $openvpn_configname; "proto $openvpn_configname": key => 'proto', -- cgit v1.2.3 From b49ab6a1a06bcc31984e09a5371510643eef3c87 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:55:03 +0200 Subject: use different parameter for each config --- puppet/modules/site_config/manifests/eip.pp | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index e6f80d25..9f1c205c 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -9,17 +9,19 @@ class site_config::eip { #create_resources('site_openvpn::server_config', $openvpn_configs) site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $::ipaddress_eth0_1, - server => '10.42.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.42.0.1"', + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => 'management 127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $::ipaddress_eth0_1, - server => '10.43.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.43.0.1"', + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => 'management 127.0.0.1 1001' } } -- cgit v1.2.3 From 76f15950d637a79604f6472ba19f662069e59dc8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:56:36 +0200 Subject: typo in eip.pp --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 9f1c205c..2c696d21 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -14,7 +14,7 @@ class site_config::eip { local => $::ipaddress_eth0_1, server => '10.1.0.0 255.255.248.0', push => '"dhcp-option DNS 10.1.0.1"', - management => 'management 127.0.0.1 1000' + management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', @@ -22,6 +22,6 @@ class site_config::eip { local => $::ipaddress_eth0_1, server => '10.2.0.0 255.255.248.0', push => '"dhcp-option DNS 10.2.0.1"', - management => 'management 127.0.0.1 1001' + management => '127.0.0.1 1001' } } -- cgit v1.2.3 From c5196bcd0f1e93a1f56cd9b5387577c0e438eda6 Mon Sep 17 00:00:00 2001 
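Review bot: `local => $::ipaddress_eth0_1` ties both instances to a fact for an alias interface; on a host where that fact is absent the `local` line is rendered without an address, and OpenVPN rejects a `local` directive with a missing parameter, so the instance does not start. Guard it in the define rather than discovering it at service start, e.g. `if "$local" == '' { fail("server_config ${name}: local address is undefined") }`. The DNS server pushed to clients (`10.1.0.1`, `10.2.0.1`) is hard-coded separately from the `server` subnet it is derived from; a comment tying the two together would prevent them drifting apart.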
From: varac Date: Fri, 5 Oct 2012 23:14:15 +0200 Subject: flatten hiera hierarchy --- puppet/hiera.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 95283394..4194c6c9 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -6,13 +6,15 @@ :logger: console :hierarchy: - - hosts/%{fqdn} - - ca/%{fqdn} - - ca/defaults - - eip/%{fqdn} - - eip/defaults + - %{fqdn} +#former hierarchy, not used anymore +# - hosts/%{fqdn} +# - ca/%{fqdn} +# - ca/defaults +# - eip/%{fqdn} +# - eip/defaults # more services following - - defaults +# - defaults # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo -- cgit v1.2.3 From a2fdea96778a01acabf9f1e40cc8cc295520cd61 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 6 Oct 2012 09:06:20 +0200 Subject: added submodule sysctl --- .gitmodules | 3 +++ puppet/modules/sysctl | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/sysctl diff --git a/.gitmodules b/.gitmodules index c95048d9..c151aaf7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -28,3 +28,6 @@ [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf url = git://git.puppet.immerda.ch/module-resolvconf.git +[submodule "puppet/modules/sysctl"] + path = puppet/modules/sysctl + url = git://github.com/luxflux/puppet-sysctl.git diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl new file mode 160000 index 00000000..6ad210b3 --- /dev/null +++ b/puppet/modules/sysctl @@ -0,0 +1 @@ +Subproject commit 6ad210b3f90f24878cfccd61c758275e2ab022bd -- cgit v1.2.3 From e373def213a4e55c37c7940195ea9cd33e604f2d Mon Sep 17 00:00:00 2001 
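Review bot: The new submodule URL uses `git://`, a cleartext and unauthenticated transport; the pinned commit in the subproject entry protects the checked-out tree from silent substitution, but the clone itself can be intercepted or served stale, and GitHub has since stopped serving the git protocol. Prefer `url = https://github.com/luxflux/puppet-sysctl.git`. The existing entries use `git://` for immerda.ch too, so this is a repo-wide convention rather than specific to this hunk.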
From: varac Date: Mon, 8 Oct 2012 21:54:34 +0200 Subject: + site_shorewall::eip --- puppet/modules/site_config/manifests/eip.pp | 2 ++ .../modules/site_shorewall/manifests/defaults.pp | 26 ++++++++++++++ puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/defaults.pp create mode 100644 puppet/modules/site_shorewall/manifests/eip.pp diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 2c696d21..95f9dbf4 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -24,4 +24,6 @@ class site_config::eip { push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } + + include site_shorewall::eip } diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp new file mode 100644 index 00000000..cfe7bae2 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -0,0 +1,26 @@ +class site_shorewall::defaults { + include shorewall + + # If you want logging: + shorewall::params { + 'LOG': value => 'debug'; + } + + shorewall::zone {'net': type => 'ipv4'; } + + shorewall::rule_section { 'NEW': order => 10; } + + case $shorewall_rfc1918_maineth { + '': {$shorewall_rfc1918_maineth = true } + } + + case $shorewall_main_interface { + '': { $shorewall_main_interface = 'eth0' } + } + + shorewall::interface {$shorewall_main_interface: + zone => 'net', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; + } +} diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp new file mode 100644 index 00000000..bfa77206 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
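Review bot: `case $shorewall_rfc1918_maineth { '': {...} }` and the matching `case $shorewall_main_interface` rely on an unset top-scope variable stringifying to '' and on the assignment inside the case block being visible to the `shorewall::interface` resource below; that works within this class, but site_shorewall::eip in the next hunk also reads `$shorewall_rfc1918_maineth`, which under Puppet 3 scoping it will not see. Turn both into class parameters with defaults, `class site_shorewall::defaults ($main_interface = 'eth0', $rfc1918_maineth = true) {`, and reference them as `$site_shorewall::defaults::rfc1918_maineth` from other classes. `options => 'tcpflags,blacklist,nosmurfs'` is repeated verbatim in eip.pp; a single variable here would keep the two in step.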
@@ -0,0 +1,42 @@ +class site_shorewall::eip { + + # be safe for development + $shorewall_startup='0' + + include site_shorewall::defaults + + shorewall::interface {'tun0': + zone => 'eip', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': + type => 'ipv4'; } + shorewall::routestopped {'eth0': + interface => 'eth0'; } + + shorewall::policy { + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + 'all2all-ssh': + source => 'all', + destination => 'all', + action => 'SSH(ACCEPT)', + order => 200; + 'all2all-openvpn': + source => 'all', + destination => 'all', + action => 'OpenVPN(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 208ba98de3ab459d49303497587927fddcc30f12 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 22:00:01 +0200 Subject: second if for site_shorewall::eip --- puppet/modules/site_shorewall/manifests/eip.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index bfa77206..1ef0c48f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,8 +9,14 @@ class site_shorewall::eip { zone => 'eip', rfc1918 => $shorewall_rfc1918_maineth, options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface {'tun1': + zone => 'eip', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } + shorewall::routestopped {'eth0': interface => 'eth0'; } -- cgit v1.2.3 From 949ab1afa57771f44371da6da5e510056ada6d3b Mon Sep 17 00:00:00 2001 
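Review bot: `$shorewall_startup='0'` with the comment "be safe for development" leaves shorewall disabled at boot — assuming the shorewall module maps this variable to `startup=` in /etc/default/shorewall — so the DROP policy and the rules defined below in this class are not enforced after a reboot, and a host that forwards VPN traffic runs with no firewall at all. None of the later commits on this page flip it back. Suggest driving it from hiera with a safe default, e.g. `$shorewall_startup = hiera('shorewall_startup', '1')`, and replacing the comment with `# '0' disables the firewall at boot; only ever set this on a throw-away dev host`, so production nodes cannot inherit the development value silently.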
From: varac Date: Mon, 8 Oct 2012 22:03:06 +0200 Subject: shorewall: + dns,http --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1ef0c48f..1e458b1a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -44,5 +44,15 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 492280a9d097fde4c1a9e43d7b0a079d1fe4e10f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:12:51 +0200 Subject: shorewall: + https, masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1e458b1a..9a4454f9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -20,6 +20,9 @@ class site_shorewall::eip { shorewall::routestopped {'eth0': interface => 'eth0'; } + shorewall::masq {'eth0': + interface => 'eth0'; } + shorewall::policy { 'all-to-all': sourcezone => 'all', @@ -49,10 +52,15 @@ class site_shorewall::eip { destination => 'all', action => 'HTTP(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-DNS': source => '$FW', destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'eip2fw-https': + source => 'eip', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 9398b62b4de978a782fd6ba8c8c1bb2237b4fa04 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 8 Oct 2012 23:18:22 +0200 Subject: shorewall: add empty source for masq --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9a4454f9..98a39837 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -21,7 +21,8 @@ class site_shorewall::eip { interface => 'eth0'; } shorewall::masq {'eth0': - interface => 'eth0'; } + interface => 'eth0', + source => ''; } shorewall::policy { 'all-to-all': -- cgit v1.2.3 From dd59c82520aba539e15351cc69395ec48fff7999 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:26:29 +0200 Subject: shorewall: policy: accept eip2all --- puppet/modules/site_shorewall/manifests/eip.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 98a39837..9cd332e1 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -25,6 +25,11 @@ class site_shorewall::eip { source => ''; } shorewall::policy { + 'eip-to-all': + sourcezone => 'eip', + destinationzone => 'all', + policy => 'ACCEPT', + order => 200; 'all-to-all': sourcezone => 'all', destinationzone => 'all', -- cgit v1.2.3 From 0bf3dc82f81c8147b2e4e5e32b3515d6ba373aee Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:29:35 +0200 Subject: shorewall: allow git access for --- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9cd332e1..3edd1bcc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
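Review bot: `source => ''` makes the masq entry match every source, so anything forwarded out eth0 is NATed, not just traffic from the VPN tunnels; assuming the module writes this column straight into /etc/shorewall/masq, it should be restricted to the tunnel range — e.g. `source => '10.2.0.0/24'` if that is the OpenVPN server subnet (the `dhcp-option DNS 10.2.0.1` push earlier in this series suggests so, but confirm against site_openvpn::server_config). Without the restriction, any host that can route through this box gets a NAT path into the net zone. A one-line comment such as `# NAT VPN clients out of the public interface` would also make the purpose of the resource visible, since the title alone does not say.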
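Review bot: The new `eip-to-all` ACCEPT policy also covers `eip` → `$FW`, so VPN clients get unrestricted access to every service the gateway itself listens on (SSH, the bind9 resolver installed elsewhere in this series, anything else bound to the tun address), not just forwarding towards the net zone. A narrower policy keeps the forwarding path while leaving the firewall host under the all-to-all DROP default: `sourcezone => 'eip', destinationzone => 'net'` for the ACCEPT, with explicit `eip` → `$FW` rules (like the existing `eip2fw-https`, plus a `DNS(ACCEPT)` for the pushed resolver) granting clients only the services they need. This is the least-privilege split a VPN gateway usually wants; if clients really are meant to reach the host freely, a comment saying so would help the next reader.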
@@ -53,6 +53,8 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + + # eip gw itself to outside 'fw2all-http': source => '$FW', destination => 'all', @@ -63,6 +65,12 @@ class site_shorewall::eip { destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; + 'eip2fw-https': source => 'eip', destination => '$FW', -- cgit v1.2.3 From a11a41c94a8ebfa217f27141268e472858a91feb Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:30:17 +0200 Subject: shorewall: allow git access for --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 3edd1bcc..0806a862 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -65,7 +65,7 @@ class site_shorewall::eip { destination => 'all', action => 'DNS(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-git': source => '$FW', destination => 'all', action => 'Git(ACCEPT)', -- cgit v1.2.3 From 7f40d1b15e84416bd56e8b6ffbc8e09cda859c87 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:39:49 +0200 Subject: shorewall: reorder policy --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0806a862..a4d1231d 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -29,7 +29,7 @@ class site_shorewall::eip { sourcezone => 'eip', destinationzone => 'all', policy => 'ACCEPT', - order => 200; + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', -- cgit v1.2.3 
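Review bot: The new `Git(ACCEPT)` rule from `$FW` to `all` opens outbound tcp/9418, the unauthenticated git:// protocol, presumably so deploy.sh's `git pull` and `git submodule update` can reach the `git://` URLs in .gitmodules. That transport gives no server authentication, so the firewall is enabling an update path that a network attacker can tamper with; if the repositories are switched to https:// (GitHub and most hosts support it), this rule becomes unnecessary and the existing `HTTP(ACCEPT)` rule plus an `HTTPS(ACCEPT)` one cover the fetch. If git:// must stay, a comment like `# git:// for deploy.sh submodule fetch — unauthenticated transport, see .gitmodules` records the trade-off. The class body continues outside this hunk.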
From cf2f7703b615dd4568beeebea59f514a20cf169a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:52:50 +0200 Subject: cleaned defaults.pp --- puppet/modules/site_shorewall/manifests/defaults.pp | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index cfe7bae2..c68b8370 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,17 +10,8 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {$shorewall_main_interface: + shorewall::interface {'eth0': zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, options => 'tcpflags,blacklist,nosmurfs'; } } -- cgit v1.2.3 From 912d7103855ba674255d2dbeda87ab358388ecc0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:53:18 +0200 Subject: cleaned eip.pp, added second main if --- puppet/modules/site_shorewall/manifests/eip.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a4d1231d..80119ee8 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,13 +5,16 @@ class site_shorewall::eip { include site_shorewall::defaults + shorewall::interface {'eth0:1': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', - rfc1918 => $shorewall_rfc1918_maineth, + rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun1': zone => 'eip', - rfc1918 => $shorewall_rfc1918_maineth, + rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::zone {'eip': -- cgit v1.2.3 From acc806b363b5bc5f1b6a994e525d20b65bc06fa8 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:55:31 +0200 Subject: Support for the norfc1918 interface option has been removed from Shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 80119ee8..6ccfff69 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,11 +10,9 @@ class site_shorewall::eip { options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', - rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun1': zone => 'eip', - rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::zone {'eip': -- cgit v1.2.3 From 81c20fd7d39300c27a2d8196871a832767c5623a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:57:59 +0200 Subject: no virtual IFs in shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 3 --- 1 file changed, 3 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 6ccfff69..590a01ba 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,9 +5,6 @@ class site_shorewall::eip { include site_shorewall::defaults - shorewall::interface {'eth0:1': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } -- cgit v1.2.3 From c716f40cf2011c3141e2e7150fd3f928ffac626a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:46:06 +0200 Subject: shorewall: made rules more precise, use own macro --- puppet/modules/site_shorewall/manifests/eip.pp | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 590a01ba..8624af87 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,10 @@ class site_shorewall::eip { include site_shorewall::defaults + # define macro + file { "/etc/shorewall/macro.leap_eip": + content => 'PARAM - - - 53,80,443,1194', } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -41,15 +45,16 @@ class site_shorewall::eip { destination => 'all', action => 'Ping(ACCEPT)', order => 200; - 'all2all-ssh': - source => 'all', - destination => 'all', + + 'net2fw-ssh': + source => 'net', + destination => '$FW', action => 'SSH(ACCEPT)', order => 200; - 'all2all-openvpn': - source => 'all', - destination => 'all', - action => 'OpenVPN(ACCEPT)', + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', order => 200; # eip gw itself to outside -- cgit v1.2.3 From a3cd8ac7a637111281f32d6ed5c8e856fe5be973 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:48:21 +0200 Subject: shorewall: need to sprecify protocol --- puppet/modules/site_shorewall/manifests/eip.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
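Review bot: `leap_eip(ACCEPT)` from `net` to `$FW` opens 53, 80 and 443 from the internet to the gateway host itself in addition to 1194, but nothing here says which of those ports OpenVPN actually listens on; if the extra ports are meant for OpenVPN port-hopping, a comment such as `# ports the OpenVPN instances listen on (53/80/443 to pass restrictive client networks) — keep in sync with site_openvpn::server_config` makes that explicit, and if they are not, inbound 53 reaches the bind9 that site_config::resolvconf installs and 80/443 reach whatever web service runs, which belong in separate, deliberate rules. The macro `file` resource also has no `owner`/`mode` and no relationship to the shorewall service, so assuming the module exposes `Service['shorewall']`, a later edit of the macro is not picked up until something else restarts it — `require => Package['shorewall'], notify => Service['shorewall']` (or the module's reload resource) fixes that. The enclosing class continues outside this hunk.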
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8624af87..0902039c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,7 +7,9 @@ class site_shorewall::eip { # define macro file { "/etc/shorewall/macro.leap_eip": - content => 'PARAM - - - 53,80,443,1194', } + content => 'PARAM - - tcp 53,80,443,1194 +PARAM - - udp 53,80,443,1194 +', } shorewall::interface {'tun0': zone => 'eip', -- cgit v1.2.3 From 9fc9b19057fcf322e8d3fcaead0032859f873f53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Oct 2012 19:49:48 +0200 Subject: renamed hiera keys to work with leap_cli --- puppet/manifests/site.pp | 2 +- puppet/modules/site_openvpn/manifests/keys.pp | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 89c97888..d451bdf5 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,7 @@ node 'default' { notice("Services for $fqdn: $services") # configure eip - if 'eip' in $services { + if 'openvpn' in $services { include site_config::eip } diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index b31369c9..d029fbac 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,13 +1,18 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn_keys') + $openvpn_keys = hiera_hash('openvpn') + + file { '/etc/openvpn/keys/ca.key': + content => $openvpn_keys['ca_key'], + mode => '0600', + } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca'], + content => $openvpn_keys['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $openvpn_keys['dh_key'], mode => '0644', } 
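Review bot: The new `/etc/openvpn/keys/ca.key` resource deploys the CA private key to the VPN gateway, which only needs ca.crt, server.crt/key and dh.pem to run; with the CA key on an internet-facing host, a gateway compromise lets the attacker mint valid client and server certificates for the whole provider. Unless this node is also meant to act as the CA (nothing visible here signs anything), drop the resource and keep `ca_key` out of the hiera data shipped to openvpn nodes — the `hiera_hash('openvpn')` lookup pulls the whole hash onto the box even if the file is never written. If it must stay, also pin `owner => 'root', group => 'root'` so the `0600` mode is meaningful regardless of the user puppet runs as.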
@@ -17,7 +22,7 @@ class site_openvpn::keys { } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_cert'], + content => $openvpn_keys['server_crt'], mode => '0644', } } -- cgit v1.2.3 From df1cb1b7445adcabbe355290d1e720040b916f6b Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 14:01:11 +0200 Subject: + site_config::resolvconf --- puppet/modules/site_config/manifests/init.pp | 4 ++++ puppet/modules/site_config/manifests/resolvconf.pp | 13 +++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_config/manifests/resolvconf.pp diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 64eb06f4..8aa1b54d 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -1,7 +1,11 @@ class site_config { + # default class, use by all hosts + include apt, lsb, git # configure ssh and inculde ssh-keys include site_config::sshd + # configure /etc/resolv.conf + include site_config::resolvconf } diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp new file mode 100644 index 00000000..ec3ce9e9 --- /dev/null +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -0,0 +1,13 @@ +class site_config::resolvconf { + package { 'bind9': + ensure => installed, + } + + $domain_hash = hiera('domain') + $domain = $domain_hash['public'] + + $resolvconf_search = $domain + $resolvconf_domain = $domain + $resolvconf_nameservers = '127.0.0.1 # caching-only local bind:87.118.100.175 # http://server.privacyfoundation.de' + include resolvconf +} -- cgit v1.2.3 From 082efdddf4b5a4c741a655e6833b8d86bb717303 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 14:44:05 +0200 Subject: ssh_keys -> ssh_pubkeys for clarity --- puppet/modules/site_config/manifests/sshd.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
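Review bot: `package { 'bind9': ensure => installed }` brings up a resolver with the distribution's default named.conf, and nothing in this class manages which interfaces it listens on or who may recurse through it, so on a gateway whose firewall opens port 53 from the net zone (site_shorewall::eip's macro) this can become an open resolver unless the packaged defaults happen to be restrictive — worth confirming on a deployed host. Managing /etc/bind/named.conf.options from this class with `listen-on` limited to 127.0.0.1 and the tunnel address and `allow-recursion` limited to localhost and the VPN subnet would pin that down. The comment `# caching-only local bind` at the top of the class should also state that expectation rather than leaving it implicit in the nameserver string.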
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 8e33ca7f..4834bb6f 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -1,8 +1,8 @@ class site_config::sshd { # configure ssh and inculde ssh-keys include sshd - $ssh_keys=hiera_hash('ssh_keys') + $ssh_pubkeys=hiera_hash('ssh_pubkeys') include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) + notice($ssh_pubkeys) + create_resources('site_sshd::ssh_key', $ssh_pubkeys) } -- cgit v1.2.3 From 18482bf1a47474771f72bb92e766bff2781ad3fd Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:01:34 +0200 Subject: new resolvconf module uses parameterized class --- puppet/modules/site_config/manifests/resolvconf.pp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index ec3ce9e9..6536969a 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -4,10 +4,13 @@ class site_config::resolvconf { } $domain_hash = hiera('domain') - $domain = $domain_hash['public'] + $domain_public = $domain_hash['public'] - $resolvconf_search = $domain - $resolvconf_domain = $domain - $resolvconf_nameservers = '127.0.0.1 # caching-only local bind:87.118.100.175 # http://server.privacyfoundation.de' - include resolvconf + # 127.0.0.1: caching-only local bind + # 87.118.100.175: http://server.privacyfoundation.de + class { 'resolvconf': + $domain = $domain_public, + $search = $domain_public, + $nameservers = [ '127.0.0.1', '87.118.100.175' ] + } } -- cgit v1.2.3 From dfe67e888d5ab6b74c0dd9cc7e3d738c07b0ae5d Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 12 Oct 2012 15:06:59 +0200 Subject: fixes resolvconf call --- puppet/modules/site_config/manifests/resolvconf.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 6536969a..dca48b21 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,9 +8,9 @@ class site_config::resolvconf { # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de - class { 'resolvconf': - $domain = $domain_public, - $search = $domain_public, - $nameservers = [ '127.0.0.1', '87.118.100.175' ] + class { '::resolvconf': + domain => $domain_public, + search => $domain_public, + nameservers => [ '127.0.0.1', '87.118.100.175' ] } } -- cgit v1.2.3 From b297dd3c47a9d23eaba6070555ecec47f3acbcc6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:09:40 +0200 Subject: add third dns server (swiss privacy found.) --- puppet/modules/site_config/manifests/resolvconf.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index dca48b21..bd0539b9 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -6,11 +6,12 @@ class site_config::resolvconf { $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] - # 127.0.0.1: caching-only local bind + # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de + # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html class { '::resolvconf': domain => $domain_public, search => $domain_public, - nameservers => [ '127.0.0.1', '87.118.100.175' ] + nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ] } } -- cgit v1.2.3 
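Review bot: The hard-coded third-party resolvers `87.118.100.175` and `62.141.58.13` mean that whenever the local bind on 127.0.0.1 is down or slow, the gateway's own lookups fall over to external servers over plain UDP — glibc walks the list in order and only moves on after a timeout — which is a silent privacy and integrity change for a host whose purpose is to protect traffic, and the comments only carry URLs that will rot. Suggest sourcing the list from hiera with this as the default, e.g. `nameservers => hiera('nameservers', [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ])`, and a comment stating that the external entries are a fallback only and that the provider chose them deliberately. The pushed client resolver (10.2.0.1) is configured elsewhere and is not affected by this hunk.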
From 0eff2049fa8d846dffee3236824b8bc42e581467 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:32:15 +0200 Subject: added ruby-hiera-puppet as dependency --- deploy.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/deploy.sh b/deploy.sh index 7754f91c..d5bca7d0 100755 --- a/deploy.sh +++ b/deploy.sh @@ -5,19 +5,28 @@ PUPPET_ENV='--confdir=puppet' install_prerequisites () { - apt-get update - apt-get install puppet git + PACKAGES='git puppet ruby-hiera-puppet' + dpkg -l $PACKAGES > /dev/null 2>&1 + if [ ! $? -eq 0 ] + then + apt-get update + apt-get install $PACKAGES + fi # lsb is needed for a first puppet run puppet apply $PUPPET_ENV --execute 'include lsb' - git submodule init - git submodule update } # main # commented for testing purposes +# this should be run once on every host on setup #install_prerequisites -puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ +# keep repository up to date +git pull +git submodule init +git submodule update +# run puppet without irritating deprecation warnings +puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ | grep -v 'warning:.*is deprecated' -- cgit v1.2.3