From 7ce3190986cf8e5fe037a7ccd4c1076505b117f4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:41:59 -0400 Subject: remove submodules in preparation for move to subrepos Change-Id: Ia7655153b556337f676e3d909559c4a7306bedd6 --- puppet/modules/openvpn | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/openvpn (limited to 'puppet/modules/openvpn/manifests') diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn deleted file mode 160000 index 25f1fe8d..00000000 --- a/puppet/modules/openvpn +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c -- cgit v1.2.3 From da37dd95c39f3f100020164473eed53a317fb53f Mon Sep 17 00:00:00 2001 
From: Micah Date: Tue, 12 Jul 2016 16:45:26 -0400 Subject: git subrepo clone https://leap.se/git/puppet_openvpn puppet/modules/openvpn subrepo: subdir: "puppet/modules/openvpn" merged: "26d4edc" upstream: origin: "https://leap.se/git/puppet_openvpn" branch: "master" commit: "26d4edc" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "1e79595" Change-Id: I596766ccfb806b3ca2d1c755c4e24c5ad3d997f9 --- puppet/modules/openvpn/manifests/client.pp | 187 +++++++++++++++++ .../openvpn/manifests/client_specific_config.pp | 79 +++++++ puppet/modules/openvpn/manifests/config.pp | 52 +++++ puppet/modules/openvpn/manifests/init.pp | 43 ++++ puppet/modules/openvpn/manifests/install.pp | 46 ++++ puppet/modules/openvpn/manifests/params.pp | 37 ++++ puppet/modules/openvpn/manifests/server.pp | 233 +++++++++++++++++++++ puppet/modules/openvpn/manifests/service.pp | 36 ++++ 8 files changed, 713 insertions(+) create mode 100644 puppet/modules/openvpn/manifests/client.pp create mode 100644 puppet/modules/openvpn/manifests/client_specific_config.pp create mode 100644 puppet/modules/openvpn/manifests/config.pp create mode 100644 puppet/modules/openvpn/manifests/init.pp create mode 100644 puppet/modules/openvpn/manifests/install.pp create mode 100644 puppet/modules/openvpn/manifests/params.pp create mode 100644 puppet/modules/openvpn/manifests/server.pp create mode 100644 puppet/modules/openvpn/manifests/service.pp (limited to 'puppet/modules/openvpn/manifests') diff --git a/puppet/modules/openvpn/manifests/client.pp b/puppet/modules/openvpn/manifests/client.pp new file mode 100644 index 00000000..92c6aa4e --- /dev/null +++ b/puppet/modules/openvpn/manifests/client.pp 
@@ -0,0 +1,187 @@ +# == Define: openvpn::client +# +# This define creates the client certs for a specified openvpn server as well +# as creating a tarball that can be directly imported into openvpn clients +# +# +# === Parameters +# +# [*server*] +# String. Name of the corresponding openvpn endpoint +# Required +# +# [*compression*] +# String. Which compression algorithim to use +# Default: comp-lzo +# Options: comp-lzo or '' (disable compression) +# +# [*dev*] +# String. Device method +# Default: tun +# Options: tun (routed connections), tap (bridged connections) +# +# [*mute*] +# Integer. Set log mute level +# Default: 20 +# +# [*mute_replay_warnings*] +# Boolean. Silence duplicate packet warnings (common on wireless networks) +# Default: true +# +# [*nobind*] +# Boolean. Whether or not to bind to a specific port number +# Default: true +# +# [*persist_key*] +# Boolean. Try to retain access to resources that may be unavailable +# because of privilege downgrades +# Default: true +# +# [*persist_tun*] +# Boolean. Try to retain access to resources that may be unavailable +# because of privilege downgrades +# Default: true +# +# [*port*] +# Integer. The port the openvpn server service is running on +# Default: 1194 +# +# [*proto*] +# String. What IP protocol is being used. +# Default: tcp +# Options: tcp or udp +# +# [*remote_host*] +# String. The IP or hostname of the openvpn server service +# Default: FQDN +# +# [*resolv_retry*] +# Integer/String. How many seconds should the openvpn client try to resolve +# the server's hostname +# Default: infinite +# Options: Integer or infinite +# +# [*verb*] +# Integer. 
Level of logging verbosity +# Default: 3 +# +# +# === Examples +# +# openvpn::client { +# 'my_user': +# server => 'contractors', +# remote_host => 'vpn.mycompany.com' +# } +# +# * Removal: +# Manual process right now, todo for the future +# +# +# === Authors +# +# * Raffael Schmid +# * John Kinsella +# * Justin Lambert +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +define openvpn::client( + $server, + $compression = 'comp-lzo', + $dev = 'tun', + $mute = '20', + $mute_replay_warnings = true, + $nobind = true, + $persist_key = true, + $persist_tun = true, + $port = '1194', + $proto = 'tcp', + $remote_host = $::fqdn, + $resolv_retry = 'infinite', + $verb = '3', +) { + + Openvpn::Server[$server] -> + Openvpn::Client[$name] + + exec { + "generate certificate for ${name} in context of ${server}": + command => ". 
./vars && ./pkitool ${name}", + cwd => "/etc/openvpn/${server}/easy-rsa", + creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", + provider => 'shell'; + } + + file { + [ "/etc/openvpn/${server}/download-configs/${name}", + "/etc/openvpn/${server}/download-configs/${name}/keys"]: + ensure => directory; + + "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", + require => Exec["generate certificate for ${name} in context of ${server}"]; + + "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", + require => Exec["generate certificate for ${name} in context of ${server}"]; + + "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", + require => Exec["generate certificate for ${name} in context of ${server}"]; + + "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": + owner => root, + group => root, + mode => '0444', + content => template('openvpn/client.erb'), + notify => Exec["tar the thing ${server} with ${name}"]; + } + + exec { + "tar the thing ${server} with ${name}": + cwd => "/etc/openvpn/${server}/download-configs/", + command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}", + refreshonly => true, + require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] + ], + notify => Exec["generate ${name}.ovpn in ${server}"]; + } + + exec { + "generate ${name}.ovpn in ${server}": + cwd => "/etc/openvpn/${server}/download-configs/", + command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf|perl 
-lne 'if(m|^ca keys/ca.crt|){ chomp(\$ca=`cat ${name}/keys/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", + refreshonly => true, + require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"], + ], + } + + file { "/etc/openvpn/${server}/download-configs/${name}.ovpn": + mode => '0400', + require => Exec["generate ${name}.ovpn in ${server}"], + } +} diff --git a/puppet/modules/openvpn/manifests/client_specific_config.pp b/puppet/modules/openvpn/manifests/client_specific_config.pp new file mode 100644 index 00000000..4287421a --- /dev/null +++ b/puppet/modules/openvpn/manifests/client_specific_config.pp 
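Review bot: The `tar the thing ${server} with ${name}` exec packs the client's private key into `${name}.tar.gz` (the `h` in `-chzvf` dereferences the `keys/${name}.key` symlink), but no File resource manages that archive, so its mode is whatever the umask of the Puppet run yields, while the sibling `${name}.ovpn` is pinned to `0400`. The `.ovpn` resource also sets a mode but no owner/group, so ownership follows the agent's process identity rather than being declared. I would manage the tarball exactly like the `.ovpn`, and declare owner/group on both, as below. Separately, `${name}` is spliced unquoted into three shell commands; define titles are author-controlled, but a title containing whitespace or shell metacharacters would silently break the command, so a `validate_re` on `$name` would be worth considering. The enclosing define `openvpn::client` starts at the top of this hunk, so the whole body is visible.
```puppet
  # … unchanged: exec resources …

  file { "/etc/openvpn/${server}/download-configs/${name}.tar.gz":
    owner   => root,
    group   => root,
    mode    => '0400',
    require => Exec["tar the thing ${server} with ${name}"],
  }

  file { "/etc/openvpn/${server}/download-configs/${name}.ovpn":
    owner   => root,
    group   => root,
    mode    => '0400',
    require => Exec["generate ${name}.ovpn in ${server}"],
  }
```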
@@ -0,0 +1,79 @@ +# == Define: openvpn::client_specific_config +# +# This define configures options which will be pushed by the server to a +# specific client only. This feature is explained here: +# http://openvpn.net/index.php/open-source/documentation/howto.html#policy +# +# === Parameters +# +# All the parameters are explained in the openvpn documentation: +# http://openvpn.net/index.php/open-source/documentation/howto.html#policy +# +# [*server*] +# String. Name of the corresponding openvpn endpoint +# Required +# +# [*iroute*] +# Array. Array of iroute combinations. +# Default: [] +# +# [*ifconfig*] +# String. IP configuration to push to the client. +# Default: false +# +# [*dhcp_options] +# Array. DHCP options to push to the client. +# Default: [] +# +# +# === Examples +# +# openvpn::client_specific_config { +# 'vpn_client': +# server => 'contractors', +# iroute => ['10.0.1.0 255.255.255.0'], +# ifconfig => '10.10.10.1 10.10.10.2', +# dhcp_options => ['DNS 8.8.8.8'] +# } +# +# * Removal: +# Manual process right now, todo for the future +# +# +# === Authors +# +# * Raffael Schmid +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+# +define openvpn::client_specific_config( + $server, + $iroute = [], + $ifconfig = false, + $dhcp_options = [] +) { + + Openvpn::Server[$server] -> + Openvpn::Client[$name] -> + Openvpn::Client_specific_config[$name] + + file { "/etc/openvpn/${server}/client-configs/${name}": + ensure => present, + content => template('openvpn/client_specific_config.erb') + } + +} diff --git a/puppet/modules/openvpn/manifests/config.pp b/puppet/modules/openvpn/manifests/config.pp new file mode 100644 index 00000000..32b32094 --- /dev/null +++ b/puppet/modules/openvpn/manifests/config.pp @@ -0,0 +1,52 @@ +# == Class: openvpn::config +# +# This class sets up the openvpn enviornment as well as the default config file +# +# +# === Examples +# +# This class should not be directly invoked +# +# === Authors +# +# * Raffael Schmid +# * John Kinsella +# * Justin Lambert +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class openvpn::config { + + if $::osfamily == 'Debian' { + include concat::setup + + concat { + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true; + } + + concat::fragment { + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; + } + } +} diff --git a/puppet/modules/openvpn/manifests/init.pp b/puppet/modules/openvpn/manifests/init.pp new file mode 100644 index 00000000..7e07f025 --- /dev/null 
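Review bot: The parameter heading `[*dhcp_options]` is missing its closing `*` and renders differently from the other headings; it should read `# [*dhcp_options*]`. The File resource for `/etc/openvpn/${server}/client-configs/${name}` sets `ensure` and `content` but no `owner`, `group` or `mode`, unlike `client.pp` in this same commit which pins `mode` on every generated file; since the daemon presumably reads the client-config directory after dropping to `$user`/`$group` (not visible here — confirm), the mode this file needs depends on those, and leaving it to the umask makes that an accident. I would add `owner => root, group => root, mode => '0444',` to the resource so the intent is explicit. The define `openvpn::client_specific_config` is fully contained in this hunk.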
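Review bot: In `openvpn::config` the concat resource uses `mode => 644` and the fragment uses `order => 01` as bare numerics, whereas every other file mode in this commit is a quoted octal string (`'0444'`, `'0400'`); Puppet 4 treats a bare `644` as an Integer, which is not a valid mode, and puppet-lint flags it. Change them to `mode => '0644',` and `order => '01',`. `include concat::setup` is, as far as I recall, an internal class that newer puppetlabs-concat releases dropped — confirm against the pinned concat version before relying on it. The class is fully contained in this hunk.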
+++ b/puppet/modules/openvpn/manifests/init.pp @@ -0,0 +1,43 @@ +# == Class: openvpn +# +# This module installs the openvpn service, configures vpn endpoints, generates +# client certificates, and generates client config files +# +# +# === Examples +# +# * Installation: +# class { 'openvpn': } +# +# +# === Authors +# +# * Raffael Schmid +# * John Kinsella +# * Justin Lambert +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class openvpn { + + class {'openvpn::params': } -> + class {'openvpn::install': } -> + class {'openvpn::config': } ~> + class {'openvpn::service': } -> + Class['openvpn'] + +} diff --git a/puppet/modules/openvpn/manifests/install.pp b/puppet/modules/openvpn/manifests/install.pp new file mode 100644 index 00000000..a230373a --- /dev/null +++ b/puppet/modules/openvpn/manifests/install.pp 
@@ -0,0 +1,46 @@ +# == Class: openvpn +# +# This module installs the openvpn service, configures vpn endpoints, generates +# client certificates, and generates client config files +# +# +# === Examples +# +# This class should not be directly invoked +# +# +# === Authors +# +# * Raffael Schmid +# * John Kinsella +# * Justin Lambert +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class openvpn::install { + + package { + 'openvpn': + ensure => installed; + } + + file { + [ '/etc/openvpn', '/etc/openvpn/keys' ]: + ensure => directory, + require => Package['openvpn']; + } +} diff --git a/puppet/modules/openvpn/manifests/params.pp b/puppet/modules/openvpn/manifests/params.pp new file mode 100644 index 00000000..33495270 --- /dev/null +++ b/puppet/modules/openvpn/manifests/params.pp 
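Review bot: The header comment of `install.pp` is a copy of the one in `init.pp`: it is titled `== Class: openvpn` and describes the whole module, while the class declared is `openvpn::install`, which only installs the package and creates two directories. Replace the first lines with `# == Class: openvpn::install` and `# Installs the openvpn package and creates /etc/openvpn and /etc/openvpn/keys.` so that `puppet doc` output is not misleading. The `/etc/openvpn/keys` directory is created with no `owner`, `group` or `mode`; given what it is named for, I would declare `mode => '0700'` explicitly rather than inherit the umask, unless another resource elsewhere manages it (not visible here). The class is fully contained in this hunk.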
@@ -0,0 +1,37 @@ +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class openvpn::params { + + $group = $::osfamily ? { + 'RedHat' => 'nobody', + default => 'nogroup' + } + + $easyrsa_source = $::osfamily ? { + 'RedHat' => $::operatingsystemmajrelease ? { + 6 => '/usr/share/openvpn/easy-rsa/2.0', + default => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0' + }, + default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0' + } + + $link_openssl_cnf = $::osfamily ? { + /(Debian|RedHat)/ => true, + default => false + } + +} diff --git a/puppet/modules/openvpn/manifests/server.pp b/puppet/modules/openvpn/manifests/server.pp new file mode 100644 index 00000000..649048c4 --- /dev/null +++ b/puppet/modules/openvpn/manifests/server.pp 
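Review bot: The inner selector in `$easyrsa_source` compares the fact `$::operatingsystemmajrelease` against the bare integer `6`; facts arrive as strings, and under Puppet 4 a String never matches an Integer, so on EL6 the selector would fall through to the `default` branch, which hard-codes a package-version path (`/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0`) that breaks on any other openvpn build. I would write the key as `'6' => '/usr/share/openvpn/easy-rsa/2.0',` and consider whether the version-pinned default is still valid for the targeted RedHat releases. The file carries only the license block and no `== Class: openvpn::params` header describing what the three variables are for; a one-line description of each would help the `server.pp` reader who consumes them. The class is fully contained in this hunk.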
@@ -0,0 +1,233 @@ +# == Define: openvpn::server +# +# This define creates the openvpn server instance and ssl certificates +# +# +# === Parameters +# +# [*country*] +# String. Country to be used for the SSL certificate +# +# [*province*] +# String. Province to be used for the SSL certificate +# +# [*city*] +# String. City to be used for the SSL certificate +# +# [*organization*] +# String. Organization to be used for the SSL certificate +# +# [*email*] +# String. Email address to be used for the SSL certificate +# +# [*compression*] +# String. Which compression algorithim to use +# Default: comp-lzo +# Options: comp-lzo or '' (disable compression) +# +# [*dev*] +# String. Device method +# Default: tun +# Options: tun (routed connections), tap (bridged connections) +# +# [*user*] +# String. Group to drop privileges to after startup +# Default: nobody +# +# [*group*] +# String. User to drop privileges to after startup +# Default: depends on your $::osfamily +# +# [*ipp*] +# Boolean. Persist ifconfig information to a file to retain client IP +# addresses between sessions +# Default: false +# +# [*local*] +# String. Interface for openvpn to bind to. +# Default: $::ipaddress_eth0 +# Options: An IP address or '' to bind to all ip addresses +# +# [*logfile*] +# String. Logfile for this openvpn server +# Default: false +# Options: false (syslog) or log file name +# +# [*port*] +# Integer. The port the openvpn server service is running on +# Default: 1194 +# +# [*proto*] +# String. What IP protocol is being used. +# Default: tcp +# Options: tcp or udp +# +# [*status_log*] +# String. Logfile for periodic dumps of the vpn service status +# Default: "${name}/openvpn-status.log" +# +# [*server*] +# String. Network to assign client addresses out of +# Default: None. Required in tun mode, not in tap mode +# +# [*push*] +# Array. Options to push out to the client. This can include routes, DNS +# servers, DNS search domains, and many other options. 
+# Default: [] +# +# +# === Examples +# +# openvpn::client { +# 'my_user': +# server => 'contractors', +# remote_host => 'vpn.mycompany.com' +# } +# +# * Removal: +# Manual process right now, todo for the future +# +# +# === Authors +# +# * Raffael Schmid +# * John Kinsella +# * Justin Lambert +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +define openvpn::server( + $country, + $province, + $city, + $organization, + $email, + $compression = 'comp-lzo', + $dev = 'tun0', + $user = 'nobody', + $group = false, + $ipp = false, + $ip_pool = [], + $local = $::ipaddress_eth0, + $logfile = false, + $port = '1194', + $proto = 'tcp', + $status_log = "${name}/openvpn-status.log", + $server = '', + $push = [] +) { + + include openvpn + Class['openvpn::install'] -> + Openvpn::Server[$name] ~> + Class['openvpn::service'] + + $tls_server = $proto ? { + /tcp/ => true, + default => false + } + + $group_to_set = $group ? 
{ + false => $openvpn::params::group, + default => $group + } + + file { + ["/etc/openvpn/${name}", "/etc/openvpn/${name}/client-configs", "/etc/openvpn/${name}/download-configs" ]: + ensure => directory; + } + + exec { + "copy easy-rsa to openvpn config folder ${name}": + command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa", + notify => Exec["fix_easyrsa_file_permissions_${name}"], + require => File["/etc/openvpn/${name}"]; + } + + exec { + "fix_easyrsa_file_permissions_${name}": + refreshonly => true, + command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*"; + } + + file { + "/etc/openvpn/${name}/easy-rsa/vars": + ensure => present, + content => template('openvpn/vars.erb'), + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + } + + file { + "/etc/openvpn/${name}/easy-rsa/openssl.cnf": + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + } + + if $openvpn::params::link_openssl_cnf == true { + File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] { + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf" + } + } + + exec { + "generate dh param ${name}": + command => '. ./vars && ./clean-all && ./build-dh', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/dh1024.pem", + provider => 'shell', + require => File["/etc/openvpn/${name}/easy-rsa/vars"]; + + "initca ${name}": + command => '. ./vars && ./pkitool --initca', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key", + provider => 'shell', + require => [ Exec["generate dh param ${name}"], File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ]; + + "generate server cert ${name}": + command => '. 
./vars && ./pkitool --server server', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/server.key", + provider => 'shell', + require => Exec["initca ${name}"]; + } + + file { + "/etc/openvpn/${name}/keys": + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/keys", + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + } + + if $::osfamily == 'Debian' { + concat::fragment { + "openvpn.default.autostart.${name}": + content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", + target => '/etc/default/openvpn', + order => 10; + } + } + + file { + "/etc/openvpn/${name}.conf": + owner => root, + group => root, + mode => '0444', + content => template('openvpn/server.erb'); + } +} diff --git a/puppet/modules/openvpn/manifests/service.pp b/puppet/modules/openvpn/manifests/service.pp new file mode 100644 index 00000000..54e8db7d --- /dev/null +++ b/puppet/modules/openvpn/manifests/service.pp @@ -0,0 +1,36 @@ +# == Class: openvpn::config +# +# This class maintains the openvpn service +# +# +# === Examples +# +# This class should not be directly invoked +# +# === Authors +# +# * Raffael Schmid +# * John Kinsella +# * Justin Lambert +# +# === License +# +# Copyright 2013 Raffael Schmid, +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# lied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class openvpn::service { + service { + 'openvpn': + ensure => running, + enable => true, + hasrestart => true, + hasstatus => true; + } +} -- cgit v1.2.3 From d6719731dce8ee7e048a16a447a426abcaa44f24 Mon Sep 17 00:00:00 2001 
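Review bot: The `generate dh param ${name}` exec keys on `keys/dh1024.pem`, i.e. the easy-rsa 2.0 default `KEY_SIZE` of 1024 bits, which is below what current guidance considers adequate for Diffie-Hellman parameters; `vars.erb` is not part of this diff, but if it does not override `KEY_SIZE`, set it to at least 2048 there and change the guard to `creates => "/etc/openvpn/${name}/easy-rsa/keys/dh2048.pem",` so the two stay in step. The documentation block disagrees with the code in several places: the `[*user*]` and `[*group*]` descriptions are swapped, `$dev` defaults to `'tun0'` while the doc says `tun`, `$ip_pool` is not documented at all, and the Examples section shows an `openvpn::client` declaration instead of `openvpn::server`. The define `openvpn::server` begins three lines into this hunk and ends here, so the whole body is visible.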
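Review bot: `service.pp` declares `class openvpn::service` but its header reads `# == Class: openvpn::config`, a copy-paste from `config.pp`; change it to `# == Class: openvpn::service`. The license block in this file is also truncated (it jumps from the "obtain a copy" sentence to `# lied.`); if that is in the committed file rather than an artifact of this rendering, restore the missing Apache 2.0 lines so the notice matches the other manifests. The class is fully contained in this hunk.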
From: elijah Date: Thu, 21 Jul 2016 12:13:24 -0700 Subject: remove openvpn submodule --- puppet/modules/openvpn/manifests/client.pp | 187 ----------------- .../openvpn/manifests/client_specific_config.pp | 79 ------- puppet/modules/openvpn/manifests/config.pp | 52 ----- puppet/modules/openvpn/manifests/init.pp | 43 ---- puppet/modules/openvpn/manifests/install.pp | 46 ---- puppet/modules/openvpn/manifests/params.pp | 37 ---- puppet/modules/openvpn/manifests/server.pp | 233 --------------------- puppet/modules/openvpn/manifests/service.pp | 36 ---- 8 files changed, 713 deletions(-) delete mode 100644 puppet/modules/openvpn/manifests/client.pp delete mode 100644 puppet/modules/openvpn/manifests/client_specific_config.pp delete mode 100644 puppet/modules/openvpn/manifests/config.pp delete mode 100644 puppet/modules/openvpn/manifests/init.pp delete mode 100644 puppet/modules/openvpn/manifests/install.pp delete mode 100644 puppet/modules/openvpn/manifests/params.pp delete mode 100644 puppet/modules/openvpn/manifests/server.pp delete mode 100644 puppet/modules/openvpn/manifests/service.pp (limited to 'puppet/modules/openvpn/manifests') diff --git a/puppet/modules/openvpn/manifests/client.pp b/puppet/modules/openvpn/manifests/client.pp deleted file mode 100644 index 92c6aa4e..00000000 --- a/puppet/modules/openvpn/manifests/client.pp +++ /dev/null 
@@ -1,187 +0,0 @@ -# == Define: openvpn::client -# -# This define creates the client certs for a specified openvpn server as well -# as creating a tarball that can be directly imported into openvpn clients -# -# -# === Parameters -# -# [*server*] -# String. Name of the corresponding openvpn endpoint -# Required -# -# [*compression*] -# String. Which compression algorithim to use -# Default: comp-lzo -# Options: comp-lzo or '' (disable compression) -# -# [*dev*] -# String. Device method -# Default: tun -# Options: tun (routed connections), tap (bridged connections) -# -# [*mute*] -# Integer. Set log mute level -# Default: 20 -# -# [*mute_replay_warnings*] -# Boolean. Silence duplicate packet warnings (common on wireless networks) -# Default: true -# -# [*nobind*] -# Boolean. Whether or not to bind to a specific port number -# Default: true -# -# [*persist_key*] -# Boolean. Try to retain access to resources that may be unavailable -# because of privilege downgrades -# Default: true -# -# [*persist_tun*] -# Boolean. Try to retain access to resources that may be unavailable -# because of privilege downgrades -# Default: true -# -# [*port*] -# Integer. The port the openvpn server service is running on -# Default: 1194 -# -# [*proto*] -# String. What IP protocol is being used. -# Default: tcp -# Options: tcp or udp -# -# [*remote_host*] -# String. The IP or hostname of the openvpn server service -# Default: FQDN -# -# [*resolv_retry*] -# Integer/String. How many seconds should the openvpn client try to resolve -# the server's hostname -# Default: infinite -# Options: Integer or infinite -# -# [*verb*] -# Integer. 
Level of logging verbosity -# Default: 3 -# -# -# === Examples -# -# openvpn::client { -# 'my_user': -# server => 'contractors', -# remote_host => 'vpn.mycompany.com' -# } -# -# * Removal: -# Manual process right now, todo for the future -# -# -# === Authors -# -# * Raffael Schmid -# * John Kinsella -# * Justin Lambert -# -# === License -# -# Copyright 2013 Raffael Schmid, -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -define openvpn::client( - $server, - $compression = 'comp-lzo', - $dev = 'tun', - $mute = '20', - $mute_replay_warnings = true, - $nobind = true, - $persist_key = true, - $persist_tun = true, - $port = '1194', - $proto = 'tcp', - $remote_host = $::fqdn, - $resolv_retry = 'infinite', - $verb = '3', -) { - - Openvpn::Server[$server] -> - Openvpn::Client[$name] - - exec { - "generate certificate for ${name} in context of ${server}": - command => ". 
./vars && ./pkitool ${name}", - cwd => "/etc/openvpn/${server}/easy-rsa", - creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - provider => 'shell'; - } - - file { - [ "/etc/openvpn/${server}/download-configs/${name}", - "/etc/openvpn/${server}/download-configs/${name}/keys"]: - ensure => directory; - - "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": - ensure => link, - target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - require => Exec["generate certificate for ${name} in context of ${server}"]; - - "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": - ensure => link, - target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", - require => Exec["generate certificate for ${name} in context of ${server}"]; - - "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": - ensure => link, - target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", - require => Exec["generate certificate for ${name} in context of ${server}"]; - - "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": - owner => root, - group => root, - mode => '0444', - content => template('openvpn/client.erb'), - notify => Exec["tar the thing ${server} with ${name}"]; - } - - exec { - "tar the thing ${server} with ${name}": - cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}", - refreshonly => true, - require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] - ], - notify => Exec["generate ${name}.ovpn in ${server}"]; - } - - exec { - "generate ${name}.ovpn in ${server}": - cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf|perl 
-lne 'if(m|^ca keys/ca.crt|){ chomp(\$ca=`cat ${name}/keys/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", - refreshonly => true, - require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"], - ], - } - - file { "/etc/openvpn/${server}/download-configs/${name}.ovpn": - mode => '0400', - require => Exec["generate ${name}.ovpn in ${server}"], - } -} diff --git a/puppet/modules/openvpn/manifests/client_specific_config.pp b/puppet/modules/openvpn/manifests/client_specific_config.pp deleted file mode 100644 index 4287421a..00000000 --- a/puppet/modules/openvpn/manifests/client_specific_config.pp +++ /dev/null 
@@ -1,79 +0,0 @@
-# == Define: openvpn::client_specific_config
-#
-# This define configures options which will be pushed by the server to a
-# specific client only. This feature is explained here:
-# http://openvpn.net/index.php/open-source/documentation/howto.html#policy
-#
-# === Parameters
-#
-# All the parameters are explained in the openvpn documentation:
-# http://openvpn.net/index.php/open-source/documentation/howto.html#policy
-#
-# [*server*]
-# String. Name of the corresponding openvpn endpoint
-# Required
-#
-# [*iroute*]
-# Array. Array of iroute combinations.
-# Default: []
-#
-# [*ifconfig*]
-# String. IP configuration to push to the client.
-# Default: false
-#
-# [*dhcp_options]
-# Array. DHCP options to push to the client.
-# Default: []
-#
-#
-# === Examples
-#
-# openvpn::client_specific_config {
-# 'vpn_client':
-# server => 'contractors',
-# iroute => ['10.0.1.0 255.255.255.0'],
-# ifconfig => '10.10.10.1 10.10.10.2',
-# dhcp_options => ['DNS 8.8.8.8']
-# }
-#
-# * Removal:
-# Manual process right now, todo for the future
-#
-#
-# === Authors
-#
-# * Raffael Schmid
-#
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-define openvpn::client_specific_config(
- $server,
- $iroute = [],
- $ifconfig = false,
- $dhcp_options = []
-) {
-
- Openvpn::Server[$server] ->
- Openvpn::Client[$name] ->
- Openvpn::Client_specific_config[$name]
-
- file { "/etc/openvpn/${server}/client-configs/${name}":
- ensure => present,
- content => template('openvpn/client_specific_config.erb')
- }
-
-}
diff --git a/puppet/modules/openvpn/manifests/config.pp b/puppet/modules/openvpn/manifests/config.pp
deleted file mode 100644
index 32b32094..00000000
--- a/puppet/modules/openvpn/manifests/config.pp
+++ /dev/null
@@ -1,52 +0,0 @@
-# == Class: openvpn::config
-#
-# This class sets up the openvpn enviornment as well as the default config file
-#
-#
-# === Examples
-#
-# This class should not be directly invoked
-#
-# === Authors
-#
-# * Raffael Schmid
-# * John Kinsella
-# * Justin Lambert
-#
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class openvpn::config {
-
- if $::osfamily == 'Debian' {
- include concat::setup
-
- concat {
- '/etc/default/openvpn':
- owner => root,
- group => root,
- mode => 644,
- warn => true;
- }
-
- concat::fragment {
- 'openvpn.default.header':
- content => template('openvpn/etc-default-openvpn.erb'),
- target => '/etc/default/openvpn',
- order => 01;
- }
- }
-}
diff --git a/puppet/modules/openvpn/manifests/init.pp b/puppet/modules/openvpn/manifests/init.pp
deleted file mode 100644
index 7e07f025..00000000
--- a/puppet/modules/openvpn/manifests/init.pp
+++ /dev/null
@@ -1,43 +0,0 @@
-# == Class: openvpn
-#
-# This module installs the openvpn service, configures vpn endpoints, generates
-# client certificates, and generates client config files
-#
-#
-# === Examples
-#
-# * Installation:
-# class { 'openvpn': }
-#
-#
-# === Authors
-#
-# * Raffael Schmid
-# * John Kinsella
-# * Justin Lambert
-#
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class openvpn {
-
- class {'openvpn::params': } ->
- class {'openvpn::install': } ->
- class {'openvpn::config': } ~>
- class {'openvpn::service': } ->
- Class['openvpn']
-
-}
diff --git a/puppet/modules/openvpn/manifests/install.pp b/puppet/modules/openvpn/manifests/install.pp
deleted file mode 100644
index a230373a..00000000
--- a/puppet/modules/openvpn/manifests/install.pp
+++ /dev/null
@@ -1,46 +0,0 @@
-# == Class: openvpn
-#
-# This module installs the openvpn service, configures vpn endpoints, generates
-# client certificates, and generates client config files
-#
-#
-# === Examples
-#
-# This class should not be directly invoked
-#
-#
-# === Authors
-#
-# * Raffael Schmid
-# * John Kinsella
-# * Justin Lambert
-#
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class openvpn::install {
-
- package {
- 'openvpn':
- ensure => installed;
- }
-
- file {
- [ '/etc/openvpn', '/etc/openvpn/keys' ]:
- ensure => directory,
- require => Package['openvpn'];
- }
-}
diff --git a/puppet/modules/openvpn/manifests/params.pp b/puppet/modules/openvpn/manifests/params.pp
deleted file mode 100644
index 33495270..00000000
--- a/puppet/modules/openvpn/manifests/params.pp
+++ /dev/null
@@ -1,37 +0,0 @@
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class openvpn::params {
-
- $group = $::osfamily ? {
- 'RedHat' => 'nobody',
- default => 'nogroup'
- }
-
- $easyrsa_source = $::osfamily ? {
- 'RedHat' => $::operatingsystemmajrelease ? {
- 6 => '/usr/share/openvpn/easy-rsa/2.0',
- default => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0'
- },
- default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
- }
-
- $link_openssl_cnf = $::osfamily ? {
- /(Debian|RedHat)/ => true,
- default => false
- }
-
-}
diff --git a/puppet/modules/openvpn/manifests/server.pp b/puppet/modules/openvpn/manifests/server.pp
deleted file mode 100644
index 649048c4..00000000
--- a/puppet/modules/openvpn/manifests/server.pp
+++ /dev/null
@@ -1,233 +0,0 @@
-# == Define: openvpn::server
-#
-# This define creates the openvpn server instance and ssl certificates
-#
-#
-# === Parameters
-#
-# [*country*]
-# String. Country to be used for the SSL certificate
-#
-# [*province*]
-# String. Province to be used for the SSL certificate
-#
-# [*city*]
-# String. City to be used for the SSL certificate
-#
-# [*organization*]
-# String. Organization to be used for the SSL certificate
-#
-# [*email*]
-# String. Email address to be used for the SSL certificate
-#
-# [*compression*]
-# String. Which compression algorithim to use
-# Default: comp-lzo
-# Options: comp-lzo or '' (disable compression)
-#
-# [*dev*]
-# String. Device method
-# Default: tun
-# Options: tun (routed connections), tap (bridged connections)
-#
-# [*user*]
-# String. Group to drop privileges to after startup
-# Default: nobody
-#
-# [*group*]
-# String. User to drop privileges to after startup
-# Default: depends on your $::osfamily
-#
-# [*ipp*]
-# Boolean. Persist ifconfig information to a file to retain client IP
-# addresses between sessions
-# Default: false
-#
-# [*local*]
-# String. Interface for openvpn to bind to.
-# Default: $::ipaddress_eth0
-# Options: An IP address or '' to bind to all ip addresses
-#
-# [*logfile*]
-# String. Logfile for this openvpn server
-# Default: false
-# Options: false (syslog) or log file name
-#
-# [*port*]
-# Integer. The port the openvpn server service is running on
-# Default: 1194
-#
-# [*proto*]
-# String. What IP protocol is being used.
-# Default: tcp
-# Options: tcp or udp
-#
-# [*status_log*]
-# String. Logfile for periodic dumps of the vpn service status
-# Default: "${name}/openvpn-status.log"
-#
-# [*server*]
-# String. Network to assign client addresses out of
-# Default: None. Required in tun mode, not in tap mode
-#
-# [*push*]
-# Array. Options to push out to the client. This can include routes, DNS
-# servers, DNS search domains, and many other options.
-# Default: []
-#
-#
-# === Examples
-#
-# openvpn::client {
-# 'my_user':
-# server => 'contractors',
-# remote_host => 'vpn.mycompany.com'
-# }
-#
-# * Removal:
-# Manual process right now, todo for the future
-#
-#
-# === Authors
-#
-# * Raffael Schmid
-# * John Kinsella
-# * Justin Lambert
-#
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-define openvpn::server(
- $country,
- $province,
- $city,
- $organization,
- $email,
- $compression = 'comp-lzo',
- $dev = 'tun0',
- $user = 'nobody',
- $group = false,
- $ipp = false,
- $ip_pool = [],
- $local = $::ipaddress_eth0,
- $logfile = false,
- $port = '1194',
- $proto = 'tcp',
- $status_log = "${name}/openvpn-status.log",
- $server = '',
- $push = []
-) {
-
- include openvpn
- Class['openvpn::install'] ->
- Openvpn::Server[$name] ~>
- Class['openvpn::service']
-
- $tls_server = $proto ? {
- /tcp/ => true,
- default => false
- }
-
- $group_to_set = $group ? {
- false => $openvpn::params::group,
- default => $group
- }
-
- file {
- ["/etc/openvpn/${name}", "/etc/openvpn/${name}/client-configs", "/etc/openvpn/${name}/download-configs" ]:
- ensure => directory;
- }
-
- exec {
- "copy easy-rsa to openvpn config folder ${name}":
- command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa",
- creates => "/etc/openvpn/${name}/easy-rsa",
- notify => Exec["fix_easyrsa_file_permissions_${name}"],
- require => File["/etc/openvpn/${name}"];
- }
-
- exec {
- "fix_easyrsa_file_permissions_${name}":
- refreshonly => true,
- command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*";
- }
-
- file {
- "/etc/openvpn/${name}/easy-rsa/vars":
- ensure => present,
- content => template('openvpn/vars.erb'),
- require => Exec["copy easy-rsa to openvpn config folder ${name}"];
- }
-
- file {
- "/etc/openvpn/${name}/easy-rsa/openssl.cnf":
- require => Exec["copy easy-rsa to openvpn config folder ${name}"];
- }
-
- if $openvpn::params::link_openssl_cnf == true {
- File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] {
- ensure => link,
- target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf"
- }
- }
-
- exec {
- "generate dh param ${name}":
- command => '. ./vars && ./clean-all && ./build-dh',
- cwd => "/etc/openvpn/${name}/easy-rsa",
- creates => "/etc/openvpn/${name}/easy-rsa/keys/dh1024.pem",
- provider => 'shell',
- require => File["/etc/openvpn/${name}/easy-rsa/vars"];
-
- "initca ${name}":
- command => '. ./vars && ./pkitool --initca',
- cwd => "/etc/openvpn/${name}/easy-rsa",
- creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key",
- provider => 'shell',
- require => [ Exec["generate dh param ${name}"], File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ];
-
- "generate server cert ${name}":
- command => '. ./vars && ./pkitool --server server',
- cwd => "/etc/openvpn/${name}/easy-rsa",
- creates => "/etc/openvpn/${name}/easy-rsa/keys/server.key",
- provider => 'shell',
- require => Exec["initca ${name}"];
- }
-
- file {
- "/etc/openvpn/${name}/keys":
- ensure => link,
- target => "/etc/openvpn/${name}/easy-rsa/keys",
- require => Exec["copy easy-rsa to openvpn config folder ${name}"];
- }
-
- if $::osfamily == 'Debian' {
- concat::fragment {
- "openvpn.default.autostart.${name}":
- content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n",
- target => '/etc/default/openvpn',
- order => 10;
- }
- }
-
- file {
- "/etc/openvpn/${name}.conf":
- owner => root,
- group => root,
- mode => '0444',
- content => template('openvpn/server.erb');
- }
-}
diff --git a/puppet/modules/openvpn/manifests/service.pp b/puppet/modules/openvpn/manifests/service.pp
deleted file mode 100644
index 54e8db7d..00000000
--- a/puppet/modules/openvpn/manifests/service.pp
+++ /dev/null
@@ -1,36 +0,0 @@
-# == Class: openvpn::config
-#
-# This class maintains the openvpn service
-#
-#
-# === Examples
-#
-# This class should not be directly invoked
-#
-# === Authors
-#
-# * Raffael Schmid
-# * John Kinsella
-# * Justin Lambert
-#
-# === License
-#
-# Copyright 2013 Raffael Schmid,
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# lied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class openvpn::service {
- service {
- 'openvpn':
- ensure => running,
- enable => true,
- hasrestart => true,
- hasstatus => true;
- }
-}
-- cgit v1.2.3
From 2df23a682b9a1a99502c79d7112dcefeecf63619 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 21 Jul 2016 12:13:33 -0700
Subject: git subrepo clone https://leap.se/git/puppet_openvpn puppet/modules/openvpn subrepo: subdir: "puppet/modules/openvpn" merged: "ba7ec7a" upstream: origin: "https://leap.se/git/puppet_openvpn" branch: "master" commit: "ba7ec7a" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "cb2995b"
---
puppet/modules/openvpn/manifests/client.pp | 142 ++++++++++++++++++++++++++
puppet/modules/openvpn/manifests/init.pp | 45 +++++++++
puppet/modules/openvpn/manifests/option.pp | 24 +++++
puppet/modules/openvpn/manifests/server.pp | 153 +++++++++++++++++++++++++++++
4 files changed, 364 insertions(+)
create mode 100644 puppet/modules/openvpn/manifests/client.pp
create mode 100644 puppet/modules/openvpn/manifests/init.pp
create mode 100644 puppet/modules/openvpn/manifests/option.pp
create mode 100644 puppet/modules/openvpn/manifests/server.pp
(limited to 'puppet/modules/openvpn/manifests')
diff --git a/puppet/modules/openvpn/manifests/client.pp b/puppet/modules/openvpn/manifests/client.pp
new file mode 100644
index 00000000..ed11b3a9
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/client.pp
@@ -0,0 +1,142 @@
+# client.pp
+
+define openvpn::client($server, $remote_host = $::fqdn) {
+ exec {
+ "generate certificate for ${name} in context of ${server}":
+ command => ". ./vars && ./pkitool ${name}",
+ cwd => "/etc/openvpn/${server}/easy-rsa",
+ creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+ provider => 'shell',
+ require => Exec["generate server cert ${server}"];
+ }
+
+ file {
+ "/etc/openvpn/${server}/download-configs/${name}":
+ ensure => directory,
+ require => File["/etc/openvpn/${server}/download-configs"];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys":
+ ensure => directory,
+ require => File["/etc/openvpn/${server}/download-configs/${name}"];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt":
+ ensure => link,
+ target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+ require => [ Exec["generate certificate for ${name} in context of ${server}"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key":
+ ensure => link,
+ target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key",
+ require => [ Exec["generate certificate for ${name} in context of ${server}"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+
+ "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt":
+ ensure => link,
+ target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
+ require => [ Exec["generate certificate for ${name} in context of ${server}"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+ }
+
+
+ openvpn::option {
+ "ca ${server} with ${name}":
+ key => 'ca',
+ value => 'keys/ca.crt',
+ client => $name,
+ server => $server;
+ "cert ${server} with ${name}":
+ key => 'cert',
+ value => "keys/${name}.crt",
+ client => $name,
+ server => $server;
+ "key ${server} with ${name}":
+ key => 'key',
+ value => "keys/${name}.key",
+ client => $name,
+ server => $server;
+ "client ${server} with ${name}":
+ key => 'client',
+ client => $name,
+ server => $server;
+ "dev ${server} with ${name}":
+ key => 'dev',
+ value => 'tun',
+ client => $name,
+ server => $server;
+ "proto ${server} with ${name}":
+ key => 'proto',
+ value => 'tcp',
+ client => $name,
+ server => $server;
+ "remote ${server} with ${name}":
+ key => 'remote',
+ value => "${remote_host} 1194",
+ client => $name,
+ server => $server;
+ "resolv-retry ${server} with ${name}":
+ key => 'resolv-retry',
+ value => 'infinite',
+ client => $name,
+ server => $server;
+ "nobind ${server} with ${name}":
+ key => 'nobind',
+ client => $name,
+ server => $server;
+ "persist-key ${server} with ${name}":
+ key => 'persist-key',
+ client => $name,
+ server => $server;
+ "persist-tun ${server} with ${name}":
+ key => 'persist-tun',
+ client => $name,
+ server => $server;
+ "mute-replay-warnings ${server} with ${name}":
+ key => 'mute-replay-warnings',
+ client => $name,
+ server => $server;
+ "ns-cert-type ${server} with ${name}":
+ key => 'ns-cert-type',
+ value => 'server',
+ client => $name,
+ server => $server;
+ "comp-lzo ${server} with ${name}":
+ key => 'comp-lzo',
+ client => $name,
+ server => $server;
+ "verb ${server} with ${name}":
+ key => 'verb',
+ value => '3',
+ client => $name,
+ server => $server;
+ "mute ${server} with ${name}":
+ key => 'mute',
+ value => '20',
+ client => $name,
+ server => $server;
+ }
+
+ exec {
+ "tar the thing ${server} with ${name}":
+ cwd => "/etc/openvpn/${server}/download-configs/",
+ command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}",
+ refreshonly => true,
+ require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"],
+ File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] ];
+ }
+
+
+ concat {
+ [ "/etc/openvpn/${server}/client-configs/${name}", "/etc/openvpn/${server}/download-configs/${name}/${name}.conf" ]:
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ force => true,
+ notify => Exec["tar the thing ${server} with ${name}"],
+ require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ];
+ }
+
+}
diff --git a/puppet/modules/openvpn/manifests/init.pp b/puppet/modules/openvpn/manifests/init.pp
new file mode 100644
index 00000000..a3dd70c0
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/init.pp
@@ -0,0 +1,45 @@
+# openvpn.pp
+
+class openvpn {
+ package {
+ 'openvpn':
+ ensure => installed;
+ }
+ service {
+ 'openvpn':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec['concat_/etc/default/openvpn'];
+ }
+ file {
+ '/etc/openvpn':
+ ensure => directory,
+ require => Package['openvpn'];
+ }
+ file {
+ '/etc/openvpn/keys':
+ ensure => directory,
+ require => File['/etc/openvpn'];
+ }
+
+ include concat::setup
+
+ concat {
+ '/etc/default/openvpn':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'openvpn.default.header':
+ content => template('openvpn/etc-default-openvpn.erb'),
+ target => '/etc/default/openvpn',
+ order => 01;
+ }
+
+}
diff --git a/puppet/modules/openvpn/manifests/option.pp b/puppet/modules/openvpn/manifests/option.pp
new file mode 100644
index 00000000..eb3d5a72
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/option.pp
@@ -0,0 +1,24 @@
+# option.pp
+
+define openvpn::option($key, $server, $value = '', $client = '', $csc = false) {
+ $content = $value ? {
+ '' => $key,
+ default => "${key} ${value}"
+ }
+
+ if $client == '' {
+ $path = "/etc/openvpn/${server}.conf"
+ } else {
+ if $csc {
+ $path = "/etc/openvpn/${server}/client-configs/${client}"
+ } else {
+ $path = "/etc/openvpn/${server}/download-configs/${client}/${client}.conf"
+ }
+ }
+
+ concat::fragment {
+ "openvpn.${server}.${client}.${name}":
+ target => $path,
+ content => "${content}\n";
+ }
+}
diff --git a/puppet/modules/openvpn/manifests/server.pp b/puppet/modules/openvpn/manifests/server.pp
new file mode 100644
index 00000000..bfcaad83
--- /dev/null
+++ b/puppet/modules/openvpn/manifests/server.pp
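Review bot: The define carries no documentation beyond `# option.pp`, and its target selection is not obvious from the code: an empty `$client` appends to the server config `/etc/openvpn/${server}.conf`, `$csc => true` appends to the server-side client-config-dir entry under `client-configs/${client}`, and otherwise the line goes into the downloadable client config. Suggest a header comment such as `# openvpn::option: append "<key> <value>" (or just "<key>") to the server config, to the client's downloadable config, or with csc => true to the server-side client-config-dir file for that client`. `$key` and `$value` are interpolated verbatim into `"${content}\n"`, so a value containing a newline would add further directives to the generated file; if these are ever sourced from data rather than from manifest literals, the define should reject values containing newlines. No `order` is set on the fragment, so option order in the file follows concat's default ordering, which is worth stating in the comment.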
@@ -0,0 +1,153 @@
+# server.pp
+
+define openvpn::server($country, $province, $city, $organization, $email) {
+ include openvpn
+
+ $easyrsa_source = $::osfamily ? {
+ 'RedHat' => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0',
+ default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
+ }
+
+ $link_openssl_cnf = $::osfamily ? {
+ /(Debian|RedHat)/ => true,
+ default => false
+ }
+
+ file {
+ "/etc/openvpn/${name}":
+ ensure => directory,
+ require => Package['openvpn'];
+ }
+ file {
+ "/etc/openvpn/${name}/client-configs":
+ ensure => directory,
+ require => File["/etc/openvpn/${name}"];
+ "/etc/openvpn/${name}/download-configs":
+ ensure => directory,
+ require => File["/etc/openvpn/${name}"];
+ }
+
+ openvpn::option {
+ "client-config-dir ${name}":
+ key => 'client-config-dir',
+ value => "/etc/openvpn/${name}/client-configs",
+ server => $name,
+ require => File["/etc/openvpn/${name}"];
+ "mode ${name}":
+ key => 'mode',
+ value => 'server',
+ server => $name;
+ }
+
+ exec {
+ "copy easy-rsa to openvpn config folder ${name}":
+ command => "/bin/cp -r ${easyrsa_source} /etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa",
+ notify => Exec['fix_easyrsa_file_permissions'],
+ require => File["/etc/openvpn/${name}"];
+ }
+ exec {
+ 'fix_easyrsa_file_permissions':
+ refreshonly => true,
+ command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*";
+ }
+ file {
+ "/etc/openvpn/${name}/easy-rsa/vars":
+ ensure => present,
+ content => template('openvpn/vars.erb'),
+ require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+ }
+
+ file {
+ "/etc/openvpn/${name}/easy-rsa/openssl.cnf":
+ require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+ }
+ if $link_openssl_cnf == true {
+ File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] {
+ ensure => link,
+ target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf"
+ }
+ }
+
+ exec {
+ "generate dh param ${name}":
+ command => '. ./vars && ./clean-all && ./build-dh',
+ cwd => "/etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa/keys/dh1024.pem",
+ provider => 'shell',
+ require => File["/etc/openvpn/${name}/easy-rsa/vars"];
+
+ "initca ${name}":
+ command => '. ./vars && ./pkitool --initca',
+ cwd => "/etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key",
+ provider => 'shell',
+ require => [ Exec["generate dh param ${name}"], File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ];
+
+ "generate server cert ${name}":
+ command => '. ./vars && ./pkitool --server server',
+ cwd => "/etc/openvpn/${name}/easy-rsa",
+ creates => "/etc/openvpn/${name}/easy-rsa/keys/server.key",
+ provider => 'shell',
+ require => Exec["initca ${name}"];
+ }
+
+ file {
+ "/etc/openvpn/${name}/keys":
+ ensure => link,
+ target => "/etc/openvpn/${name}/easy-rsa/keys",
+ require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+ }
+
+ openvpn::option {
+ "ca ${name}":
+ key => 'ca',
+ value => "/etc/openvpn/${name}/keys/ca.crt",
+ require => Exec["initca ${name}"],
+ server => $name;
+ "cert ${name}":
+ key => 'cert',
+ value => "/etc/openvpn/${name}/keys/server.crt",
+ require => Exec["generate server cert ${name}"],
+ server => $name;
+ "key ${name}":
+ key => 'key',
+ value => "/etc/openvpn/${name}/keys/server.key",
+ require => Exec["generate server cert ${name}"],
+ server => $name;
+ "dh ${name}":
+ key => 'dh',
+ value => "/etc/openvpn/${name}/keys/dh1024.pem",
+ require => Exec["generate dh param ${name}"],
+ server => $name;
+
+ "proto ${name}":
+ key => 'proto',
+ value => 'tcp',
+ require => Exec["generate dh param ${name}"],
+ server => $name;
+
+ "comp-lzo ${name}":
+ key => 'comp-lzo',
+ require => Exec["generate dh param ${name}"],
+ server => $name;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n",
+ target => '/etc/default/openvpn',
+ order => 10;
+ }
+
+ concat { "/etc/openvpn/${name}.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ notify => Service['openvpn'];
+ }
+
+}
-- cgit v1.2.3