From 69c456f5a16fa4484754a809ded93ddd554b1d16 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Oct 2012 18:25:49 +0200 Subject: hiera config now in /etc/leap/hiera.yaml --- puppet/hiera.yaml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index af448d57..93448e23 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -5,22 +5,11 @@ :logger: console -:hierarchy: - - %{fqdn} - - defaults -#former hierarchy, not used anymore -# - hosts/%{fqdn} -# - ca/%{fqdn} -# - ca/defaults -# - eip/%{fqdn} -# - eip/defaults -# more services following -# - defaults - -# relative from where puppet is run, so we need to run puppet -# from the root dir of the leap_platform repo :yaml: - :datadir: ../config + :datadir: /etc/leap +:hierarchy: + - hiera + :puppet: :datasource: data -- cgit v1.2.3 From 2b9c04a66cdc591be22800fcbcf3010517d95e94 Mon Sep 17 00:00:00 2001 From: Kwadronaut Date: Wed, 24 Oct 2012 15:13:42 +0200 Subject: Adding getting started content, needs more cleanup --- README.md | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/README.md b/README.md index 6be733cb..9dc3470e 100644 --- a/README.md +++ b/README.md 
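Review bot: The new `:hierarchy:` has the single level `hiera`, so the `%{fqdn}` layer this hunk removes has no replacement and every node now reads the same data file under `/etc/leap`. If that is intended, a comment above `:hierarchy:` such as `# single-level hierarchy: all node data lives in /etc/leap/hiera.yaml` would stop the next reader from re-adding a per-host level; if it is not, `- %{fqdn}` can stay ahead of `- hiera`. The removed note about running puppet from the repo root is obsolete now that `:datadir:` is absolute, so dropping it is correct.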
@@ -1,3 +1,79 @@ Leap Platform ============= +What is it? +----------- + +The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary packages and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. + +The LEAP Platform is essentially a git repository of puppet recipes, with a few scripts to help with bootstrapping and deployment. A service provider who wants to deploy LEAP services will clone or fork this repository, edit the main configuration file to specify which services should run on which hosts, and run scripts to deploy this configuration. + +Documentation +------------- +Most of the current documentation can be found in Readme files of the different pieces. Eventually this will be consolidated on the website https://leap.se + +Requirements +------------ +This highly depends on your (expected) user base. For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. You could use Vagrant or KVM to simulate a live deployment. + +For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. In it's initial release you can deploy OpenVPN, DNS, CouchDB and a webapp to administer your users (billing, help tickets,...). + +To get started you will need to have git, ruby1.8, rails, rubygems, bundler, ruby1.8-dev, libgpgme-ruby. + +Configuration +------------- +Edit config/ + + +Installation +------------ + +- Edit /etc/leap/hieradata/common.yaml for your needs +- Run the deploy.sh script as root + +git clone ssh://gitolite@leap.se/leap_platform +git clone ssh://gitolite@leap.se/leap_cli + + cd leap_cli + + bundle + + cd .. 
+ +git clone ssh://gitolite@leap.se/leap_testprovider +ln -s /home/me/dev/leap_cli/bin ~/bin # or whatever to have leap_cli/bin/leap in your path. +cd leap_testprovider +ln -s ../leap_platform . +cd leap_testprovider/provider +leap help +leap clean +leap compile +leap add-user --self + +More Information +---------------- +For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. + + +Following needs to be written: + +Copyright/License +----------------- + +Read LICENSE + +Known bugs +---------- + +Troubleshooting +--------------- + +Changelog +--------- + + +Authors and Credits +------------------ + +a file manifest + -- cgit v1.2.3 From 78bed6218cc6a52d812d0df23c537654bc6b5fed Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 09:43:58 +0200 Subject: README: git clone should use git: instead of ssh: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9dc3470e..641538bb 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,8 @@ Installation - Edit /etc/leap/hieradata/common.yaml for your needs - Run the deploy.sh script as root -git clone ssh://gitolite@leap.se/leap_platform -git clone ssh://gitolite@leap.se/leap_cli +git clone git://code.leap.se/leap_platform +git clone git://code.leap.se/leap_cli cd leap_cli @@ -40,7 +40,7 @@ git clone ssh://gitolite@leap.se/leap_cli cd .. -git clone ssh://gitolite@leap.se/leap_testprovider +git clone git://code.leap.se/leap_testprovider ln -s /home/me/dev/leap_cli/bin ~/bin # or whatever to have leap_cli/bin/leap in your path. cd leap_testprovider ln -s ../leap_platform . -- cgit v1.2.3 From b5a5bfb69f62f5f31f8e81bdcb0dcabb7b4082f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 15:34:27 +0200 Subject: replace hardcoded interface eth0 with hiera variable --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0902039c..31ee3e6c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,8 @@ class site_shorewall::eip { include site_shorewall::defaults + $interface = hiera('interface') + # define macro file { "/etc/shorewall/macro.leap_eip": content => 'PARAM - - tcp 53,80,443,1194 @@ -21,11 +23,11 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'eth0': - interface => 'eth0'; } + shorewall::routestopped {'$interface': + interface => '$interface'; } - shorewall::masq {'eth0': - interface => 'eth0', + shorewall::masq {'$interface': + interface => '$interface', source => ''; } shorewall::policy { -- cgit v1.2.3 From 76bbc01eae893206a8ed0d8d248ee565e3acdc61 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 15:35:24 +0200 Subject: use hiera gateway_address and interface variables --- puppet/modules/site_config/manifests/eip.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 95f9dbf4..df17771a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -5,13 +5,14 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - #$openvpn_configs=hiera('openvpn_server_configs') - #create_resources('site_openvpn::server_config', $openvpn_configs) - + $openvpn_config = hiera('openvpn') + $interface = hiera('interface') + $gateway_address = $openvpn_config['gateway_address'] + site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', - local => $::ipaddress_eth0_1, + local => $gateway_address, server => '10.1.0.0 255.255.248.0', push => '"dhcp-option DNS 10.1.0.1"', management => '127.0.0.1 1000' 
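Review bot: In the second hunk the resource titles and `interface` values are single-quoted, and Puppet does not interpolate inside single quotes, so `shorewall::routestopped {'$interface':` and `shorewall::masq {'$interface':` declare resources for an interface literally named `$interface` instead of the hiera value fetched in the first hunk. The quotes have to go: `shorewall::routestopped { $interface: interface => $interface; }` and likewise `shorewall::masq { $interface: interface => $interface, ...`; commit fa31e200 further down this page makes that change. The class body continues outside both hunks.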
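Review bot: `$gateway_address = $openvpn_config['gateway_address']` holds the address OpenVPN listens on, but the name reads like the host's default gateway, and `$interface = hiera('interface')` is looked up without being used anywhere in the hunk. Naming it `$openvpn_gateway_address = $openvpn_config['gateway_address']` and using that in `local =>` here and in the udp_config hunk on the next line (which has the same `local => $gateway_address`) avoids a clash with any host-level `gateway_address` key, and the unused `$interface` lookup can wait until something reads it. The class body continues outside the hunk.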
@@ -19,7 +20,7 @@ class site_config::eip { site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - local => $::ipaddress_eth0_1, + local => $gateway_address, server => '10.2.0.0 255.255.248.0', push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' -- cgit v1.2.3 From 6146c50f4ae9ef7b0887ee4abff66b5b62a6da9d Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:06:35 +0200 Subject: added submoule interfaces, from git://github.com/x-way/puppet-interfaces.git --- .gitmodules | 3 +++ puppet/modules/interfaces | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/interfaces diff --git a/.gitmodules b/.gitmodules index 10a21c03..e3e8d6db 100644 --- a/.gitmodules +++ b/.gitmodules @@ -34,3 +34,6 @@ [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb url = git://code.leap.se/puppet_couchdb +[submodule "puppet/modules/interfaces"] + path = puppet/modules/interfaces + url = git://github.com/x-way/puppet-interfaces.git diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces new file mode 160000 index 00000000..1d7dc717 --- /dev/null +++ b/puppet/modules/interfaces @@ -0,0 +1 @@ +Subproject commit 1d7dc7178881c56102c043e96763176f66445c1e -- cgit v1.2.3 From 8128fd27d9d3637654ebf924c860a701a4a08911 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:14:37 +0200 Subject: beginning config of main interface --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index df17771a..0077137b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
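Review bot: The submodule URL `git://github.com/x-way/puppet-interfaces.git` uses the plain git protocol, which has no transport authentication, and the module content ends up as puppet code applied to the deployed hosts. The gitlink in the next hunk pins commit 1d7dc7178881c56102c043e96763176f66445c1e, so a checkout verifies that hash, but fetching over `https://github.com/x-way/puppet-interfaces.git` would also protect the initial clone and every later update of the pin. The existing entries in `.gitmodules` (the `couchdb` context line shows `git://code.leap.se/...`) have the same property but are outside this change.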
@@ -5,9 +5,25 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - $openvpn_config = hiera('openvpn') - $interface = hiera('interface') - $gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + $gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + + include interfaces + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", + 'netmask 255.255.255.0', + "gateway $gateway", + "up ip addr add $openvpn_gateway_address/24 dev eth0 label", + "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + ], + auto => 1, + allow_hotplug => 1 } + site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 92368db363406ebf47419814e1ac1bfc9f17c44a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:08:15 +0200 Subject: linted, variable updated --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 0077137b..57b6d831 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -12,16 +12,16 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", 'netmask 255.255.255.0', - "gateway $gateway", + "gateway $gateway_address", "up ip addr add $openvpn_gateway_address/24 dev eth0 label", "down ip addr del $openvpn_gateway_address/24 dev eth0 label", - ], - auto => 1, + ], + auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 
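Review bot: `"gateway $gateway"` in the `options` array references `$gateway`, which is never assigned; the hunk defines `$gateway_address = hiera('gateway_address')`, so the generated interface stanza gets an empty gateway (Puppet interpolates an unknown variable as an empty string unless strict variables are on). The line should read `"gateway $gateway_address",`, which commit 92368db3 on this same line does. The `up`/`down` entries also hard-code `dev eth0` while the resource is keyed on `$interface`, so on a host whose hiera `interface` is not eth0 the secondary address lands on the wrong device; `dev $interface` fixes it (commit c40a1bce below), and the same `eth0` survives the re-indent in 92368db3 and the label removal in 8253e3eb. `'netmask 255.255.255.0'` is likewise fixed while the address comes from hiera, which deserves at least a comment.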
From 8253e3ebeb88ba33131365a1b584878a12bbd225 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:14:23 +0200 Subject: removed label for ip addr --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 57b6d831..1beea9ce 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -18,8 +18,8 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0 label", - "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + "up ip addr add $openvpn_gateway_address/24 dev eth0", + "down ip addr del $openvpn_gateway_address/24 dev eth0", ], auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 From c40a1bce442aab4ba8baf062ffcb65e006ad13e0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 14:53:06 +0100 Subject: use script to add second ip --- puppet/modules/site_config/manifests/eip.pp | 47 +++++++++++++++++++---------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 1beea9ce..c81ad33a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -18,29 +18,44 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0", - "down ip addr del $openvpn_gateway_address/24 dev eth0", + "up ip addr add $openvpn_gateway_address/24 dev $interface", + "down ip addr del $openvpn_gateway_address/24 dev $interface", ], auto => 1, allow_hotplug => 1 } - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', - management => '127.0.0.1 1000' + #site_openvpn::server_config { 'tcp_config': + # port => '1194', + # proto => 'tcp', + # local => $gateway_address, + # server => '10.1.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.1.0.1"', + # management => '127.0.0.1 1000' + #} + #site_openvpn::server_config { 'udp_config': + # port => '1194', + # proto => 'udp', + # local => $gateway_address, + # server => '10.2.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.2.0.1"', + # management => '127.0.0.1 1001' + #} + + file { '/usr/local/bin/leap_add_second_ip.sh': + content => '#!/bin/sh + ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + mode => '0755', } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', - management => '127.0.0.1 1001' + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } + #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": + # path => '/usr/bin:/sbin', + # unless => "ip addr show dev $interface | grep -q '$interface/24'" + #} + include site_shorewall::eip } -- cgit v1.2.3 From 189e8957c23fb09ef8c130f64e53f58c9da7d3ec Mon Sep 17 00:00:00 2001 
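Review bot: The `content` of `/usr/local/bin/leap_add_second_ip.sh` is a single-quoted Puppet string, so `$openvpn_gateway_address` is not interpolated and the deployed script asks the shell for an unset variable, reducing the check to `grep -q "/24"` and the add to `ip addr add "/24" dev eth0`. Commit 189e8957 on the next line switches to double quotes; independently, the `exec` has `subscribe =>` but no `refreshonly => true`, so the script runs on every agent run rather than only when the file changes, which is harmless only because of the `grep -q` guard and is worth a comment such as `# script is idempotent (grep guard), so running every agent run is fine`. The `dev eth0` here has the same hard-coded-interface problem as the iface block above. The commented-out `server_config` and `exec` blocks are better deleted than kept; git history preserves them.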
From: varac Date: Mon, 29 Oct 2012 14:58:55 +0100 Subject: pass variable to leap_add_second_ip.sh --- puppet/modules/site_config/manifests/eip.pp | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c81ad33a..ed1d395b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -11,19 +11,18 @@ class site_config::eip { $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", - 'netmask 255.255.255.0', - "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev $interface", - "down ip addr del $openvpn_gateway_address/24 dev $interface", - ], - auto => 1, - allow_hotplug => 1 } - + #include interfaces + #interfaces::iface { $interface: + # family => 'inet', + # method => 'static', + # options => [ "address $ip_address", + # 'netmask 255.255.255.0', + # "gateway $gateway_address", + # "up ip addr add $openvpn_gateway_address/24 dev $interface", + # "down ip addr del $openvpn_gateway_address/24 dev $interface", + # ], + # auto => 1, + # allow_hotplug => 1 } #site_openvpn::server_config { 'tcp_config': # port => '1194', @@ -43,8 +42,8 @@ class site_config::eip { #} file { '/usr/local/bin/leap_add_second_ip.sh': - content => '#!/bin/sh - ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + content => "#!/bin/sh +ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", mode => '0755', } -- cgit v1.2.3 From 7c7c3f6ff9806febe903a9cfdef97c36e3743587 Mon Sep 17 00:00:00 2001 
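Review bot: The new `content => "#!/bin/sh ... grep -q "$openvpn_gateway_address/24" ..."` nests unescaped double quotes inside a double-quoted Puppet string, which terminates the string at the first inner `"` and does not parse; commit 7c7c3f6f on the next line removes the inner quotes. While here, `$interface` and `$openvpn_gateway_address` come from hiera and are written verbatim into a script that runs as root, so a value containing shell metacharacters would execute as a command; checking each against an anchored pattern before the `file` resource, e.g. `if $openvpn_gateway_address !~ /^\d+\.\d+\.\d+\.\d+$/ { fail("openvpn gateway_address is not an IPv4 literal") }`, turns a bad hiera entry into a compile failure instead of root code execution. That is defensive rather than urgent, since hiera data is operator-controlled. The `#include interfaces` block in the first hunk is dead code that could simply be removed, and the class body starts and ends outside both hunks.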
From: varac Date: Mon, 29 Oct 2012 18:34:51 +0100 Subject: double double quoting solved --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ed1d395b..59889a92 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -43,7 +43,7 @@ class site_config::eip { file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", mode => '0755', } -- cgit v1.2.3 From 8d2b6978e809004f4bca38d4fef27149497ad309 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:01:48 +0100 Subject: linted --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 31ee3e6c..54f3ea6e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -8,7 +8,7 @@ class site_shorewall::eip { $interface = hiera('interface') # define macro - file { "/etc/shorewall/macro.leap_eip": + file { '/etc/shorewall/macro.leap_eip': content => 'PARAM - - tcp 53,80,443,1194 PARAM - - udp 53,80,443,1194 ', } -- cgit v1.2.3 From 7f82917633ad444e1a303df5bd02ebe29aa05921 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:02:05 +0100 Subject: no need for server-up.sh right now --- puppet/modules/site_openvpn/manifests/server_config.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
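Review bot: `grep -q ${openvpn_gateway_address}/24` treats the address as a regular expression, so each dot matches any character and nothing anchors the match; `grep -qF "${openvpn_gateway_address}/24"` makes the presence check a fixed-string comparison, and a leading space inside the pattern (`ip addr show` prints `inet A.B.C.D/P`) would keep a longer address from matching as a substring. The `/24` is hard-coded twice while the address comes from the hiera `openvpn` hash; if the prefix length can differ per provider it belongs next to `gateway_address` in that hash. The class body continues outside the hunk.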
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..f4c5237e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -92,10 +92,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', -- cgit v1.2.3 From 372797b1f0b2a65698e8f4cd52fdf5d93a274965 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:04:23 +0100 Subject: reenabled site_openvpn::server_config, leap_add_second_ip.sh @reboot --- puppet/modules/site_config/manifests/eip.pp | 57 +++++++++++------------------ 1 file changed, 21 insertions(+), 36 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 59889a92..498d7eed 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -2,44 +2,28 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - #$tor=hiera('tor') - #notice("Tor enabled: $tor") - $ip_address = hiera('ip_address') $interface = hiera('interface') $gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - #include interfaces - #interfaces::iface { $interface: - # family => 'inet', - # method => 'static', - # options => [ "address $ip_address", - # 'netmask 255.255.255.0', - # "gateway $gateway_address", - # "up ip addr add $openvpn_gateway_address/24 dev $interface", - # "down ip addr del $openvpn_gateway_address/24 dev $interface", - # ], - # auto => 1, - # allow_hotplug => 1 } - - #site_openvpn::server_config { 'tcp_config': - # port => '1194', - # proto => 'tcp', - # local => $gateway_address, - # server => '10.1.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.1.0.1"', - # management => '127.0.0.1 1000' - #} - #site_openvpn::server_config { 'udp_config': - # port => '1194', - # proto => 'udp', - # local => $gateway_address, - # server => '10.2.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.2.0.1"', - # management => '127.0.0.1 1001' - #} + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_gateway_address, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => '127.0.0.1 1001' + } file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh 
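Review bot: `$ip_address = hiera('ip_address')` survives on the new side, but nothing in the class reads it now that the `interfaces::iface` block is gone, so the lookup is dead and still makes catalog compilation depend on the key being present in hiera. Either drop the line or add `# ip_address is currently unused; kept for the interface configuration` so the next reader knows it is intentional. Both `server_config` instances bind `local => $openvpn_gateway_address`, the address that `leap_add_second_ip.sh` adds at runtime, so the listener depends on that script having run first. The class header is outside the hunk.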
@@ -51,10 +35,11 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } - #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": - # path => '/usr/bin:/sbin', - # unless => "ip addr show dev $interface | grep -q '$interface/24'" - #} + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } include site_shorewall::eip } -- cgit v1.2.3 From 7361c79e1e864c16450455a3ae374393a04f9eb7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:27:52 +0100 Subject: no need for gateway_address --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 498d7eed..15bf8be2 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -4,7 +4,7 @@ class site_config::eip { $ip_address = hiera('ip_address') $interface = hiera('interface') - $gateway_address = hiera('gateway_address') + #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] -- cgit v1.2.3 From c72160f993345c184ce01d7e4c14c9923fc194e9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:48:02 +0100 Subject: move interface definition for eth0 to eip.pp, use variable --- puppet/modules/site_shorewall/manifests/defaults.pp | 4 ---- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
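Review bot: `special => 'reboot'` runs `leap_add_second_ip.sh` from cron at boot, but cron gives no ordering against the openvpn init script, and the two `server_config` resources above bind `local` to the very address this script adds, so on a reboot where openvpn starts first the bind fails until something restarts it. Hooking the address into the interface configuration (an `up` line, as the earlier `interfaces::iface` attempt on this page did) or ordering the openvpn service after the exec would remove the race; at minimum a comment `# NOTE: cron @reboot has no ordering guarantee against openvpn start` should record it. `command => "/usr/local/bin/leap_add_second_ip.sh"` has no interpolation and can use single quotes like the neighbouring attributes.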
@@ -10,8 +10,4 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - shorewall::interface {'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; - } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 54f3ea6e..0c9bfa9c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,6 +13,13 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } + + # define interfaces + shorewall::interface {"$interface": + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -20,6 +27,7 @@ PARAM - - udp 53,80,443,1194 zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } -- cgit v1.2.3 From fa31e200b5cbf4ac9b01a864410d535cbf84420d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:07:07 +0100 Subject: put in double quotes --- puppet/modules/site_shorewall/manifests/eip.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0c9bfa9c..87e1e16f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,9 +13,9 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } - + # define interfaces - shorewall::interface {"$interface": + shorewall::interface { $interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } 
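Review bot: Moving the `net` zone `shorewall::interface` out of `site_shorewall::defaults` into `site_shorewall::eip` means a host that includes only the defaults class no longer declares any interface in zone `net`; whether such hosts exist is not visible here, but if they do their shorewall configuration loses its external interface. If the interface really belongs to every host, `$interface = hiera('interface')` and the resource can move into `defaults.pp` instead; otherwise a comment there, `# interfaces are declared by the service classes (site_shorewall::eip)`, makes the split deliberate. `shorewall::interface {"$interface":` quotes a lone variable, which puppet-lint flags; commit fa31e200 on this line changes it to `{ $interface:`.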
@@ -31,11 +31,12 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'$interface': - interface => '$interface'; } + shorewall::routestopped { $interface: + interface => $interface; } + - shorewall::masq {'$interface': - interface => '$interface', + shorewall::masq {"$interface": + interface => $interface, source => ''; } shorewall::policy { -- cgit v1.2.3 From d235cd5292783722653ff34b35ce28ff31d30935 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:57:34 +0100 Subject: pass ssh_port to shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 87e1e16f..230752dc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,13 +5,15 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] # define macro file { '/etc/shorewall/macro.leap_eip': - content => 'PARAM - - tcp 53,80,443,1194 + content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 -', } +", } # define interfaces -- cgit v1.2.3 From c26c2c18d0abb7dec76a748bf0c2c2f9000298da Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:17:26 +0100 Subject: openvpn_tcp/udp_network_prefix and openvpn_tcp/udp_netmask variables --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 15bf8be2..ecac446b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
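Review bot: `shorewall::masq {"$interface":` keeps the quoted lone variable that the `routestopped` resource two lines above just dropped, so the hunk is inconsistent with itself; `shorewall::masq { $interface:` matches (commit 1f7dbac7 below does this). More important is the unchanged `source => ''`, which masquerades every packet leaving `$interface` rather than only the OpenVPN client subnets; restricting it to the VPN networks, as commits c26c2c18 and 0d89ea18 further down begin to do, limits what traffic the gateway will NAT on behalf of.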
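Review bot: `$ssh_port = $ssh_config['port']` goes straight into the `leap_eip` macro as `53,80,443,1194,$ssh_port`, so a missing or empty `port` key yields a trailing comma and a malformed macro, while a non-numeric value becomes firewall rule text unchecked. A guard before the `file` resource, e.g. `if $ssh_port !~ /^\d+$/ { fail("ssh.port must be numeric, got '${ssh_port}'") }`, fails the catalog instead of shipping a broken or unexpectedly open rule set. The macro now also bundles ssh with the VPN service ports, so wherever `leap_eip` is applied (not visible here) ssh is opened to that zone as well, which is worth a comment on the macro.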
@@ -2,26 +2,30 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", local => $openvpn_gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } -- cgit v1.2.3 From 1e3e9658a2309569e73d6bef72d441a6851d2653 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:22:37 +0100 Subject: also provide openvpn_tcp/udp_cidr variable --- puppet/modules/site_config/manifests/eip.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ecac446b..d7a59157 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
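Review bot: `"$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask"` relies on Puppet ending the variable name at the `.`, which works but reads as if `.0` were part of the name; `"${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}"` (and the same for the `push` and udp lines) makes the boundary explicit. The udp block now lists `server`/`push` before `local` while the tcp block lists `local` first, so the two resources no longer read in parallel. Prefix `10.1.0` with netmask `255.255.248.0` describes the /21 `10.1.0.0`, so the values agree, but nothing checks that a future edit keeps them consistent, which a one-line comment could at least state.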
@@ -9,8 +9,10 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 1f7dbac75c5c2a610ca4e6763109fd3e06c9072a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:25:11 +0100 Subject: configure tcp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 230752dc..0849d711 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,9 +37,9 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq {"$interface": + shorewall::masq { $interface: interface => $interface, - source => ''; } + source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 0d89ea18da5dd520bf71df42e15b813b706e2189 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:46:04 +0100 Subject: configure tcp+udp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0849d711..5105b85a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
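Review bot: `$openvpn_tcp_cidr = '21'` and `$openvpn_udp_cidr = '21'` restate the `255.255.248.0` netmasks declared two lines above each, so the two representations of the same network can drift with nothing catching it. A comment on each, e.g. `# must agree with $openvpn_tcp_netmask (255.255.248.0 == /21)`, or deriving one form from the other, keeps the firewall source ranges and the OpenVPN `server` line describing the same subnet. The class body continues outside the hunk.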
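Review bot: `source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"` uses the netmask where the network prefix was meant, producing `255.255.248.0.0/21` as the masquerade source; it should be `openvpn_tcp_network_prefix`, which commit 0d89ea18 on the next line corrects. Reaching into `$site_config::eip::...` also makes this class depend on `site_config::eip` being evaluated first (that class ends with `include site_shorewall::eip`, so the order holds today), and a comment recording that, or passing the networks in as class parameters, would make the coupling visible to whoever next reorders the includes.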
@@ -39,7 +39,11 @@ PARAM - - udp 53,80,443,1194 shorewall::masq { $interface: interface => $interface, - source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + + shorewall::masq { $interface: + interface => $interface, + source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 04d324a61cb33ff282e2dc3228e25723b564ea1f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:49:14 +0100 Subject: differentiate masq definition names --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 5105b85a..a5af0dde 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,11 +37,11 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_tcp": interface => $interface, source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_udp": interface => $interface, source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } -- cgit v1.2.3 From 2f747b961a1fd5f7197e63dde58b64ab465ac39d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:16:49 +0100 Subject: commenting --- puppet/modules/site_config/manifests/eip.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index d7a59157..4280fb67 100644 --- a/puppet/modules/site_config/manifests/eip.pp 
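Review bot: The second `shorewall::masq { $interface:` declares a resource with the same title as the one directly above it, which is a duplicate declaration error at catalog compile time; distinct titles such as `"${interface}_tcp"` and `"${interface}_udp"` are needed, which commit 04d324a6 on this line adds. A short comment, `# one masq entry per OpenVPN client subnet (tcp and udp instances)`, would explain why two entries share one interface.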
+++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,7 +1,6 @@ class site_config::eip { - include site_openvpn - include site_openvpn::keys + # parse hiera config $ip_address = hiera('ip_address') $interface = hiera('interface') #$gateway_address = hiera('gateway_address') @@ -14,6 +13,12 @@ class site_config::eip { $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', @@ -31,6 +36,7 @@ class site_config::eip { management => '127.0.0.1 1001' } + # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", -- cgit v1.2.3 From 038380e042289a9586141d7154febea2a2a6a56c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:18:06 +0100 Subject: prettyfying --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index f4c5237e..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, -- cgit v1.2.3 From 9586f6ec95b6bdba7ca3df4135055f2cced9e972 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 30 Oct 2012 12:41:17 +0100 Subject: start shorewall by default --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a5af0dde..34268125 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + #$shorewall_startup='0' include site_shorewall::defaults -- cgit v1.2.3
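Review bot: Commenting out `$shorewall_startup='0'` leaves the behaviour to whatever default the shorewall module applies (not visible here) instead of stating the intent; an explicit assignment of the enabling value (presumably `$shorewall_startup = '1'`, to be confirmed against the module) with the comment `# start shorewall at boot; the leap_eip macro must admit the hiera ssh port or remote access is lost` makes both the behaviour and the lockout risk visible. Since this turns the firewall on for every host including the class, it is worth confirming that the rule derived from `hiera('ssh')` is applied to the zone admins connect from before rolling it out. The `# be safe for development` comment now describes a disabled line and should go with it.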