From 1ce6cb5a30c5ee73d6474ac9c1bbd4c7819d9a73 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:19:00 +0200 Subject: only deploy x509 stuff for nodes if it existes in hiera (Feature #3875) --- puppet/modules/site_openvpn/manifests/init.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index fe5ef87f..41f4c6d4 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,8 +20,12 @@ class site_openvpn { tag 'leap_service' + include site_config::x509::cert_key + include site_config::x509::ca_bundle + + Class['site_config::default'] -> Class['site_openvpn'] - + $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] -- cgit v1.2.3 From c68399c019d09a4c8ba44f47936b4b3842802177 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:29:15 +0200 Subject: tidy openvpn x509 definitions (#3831) --- puppet/modules/site_openvpn/manifests/dh_key.pp | 10 ++++++ puppet/modules/site_openvpn/manifests/init.pp | 5 ++- puppet/modules/site_openvpn/manifests/keys.pp | 45 ------------------------- 3 files changed, 12 insertions(+), 48 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/dh_key.pp delete mode 100644 puppet/modules/site_openvpn/manifests/keys.pp (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp new file mode 100644 index 00000000..13cc0f5b --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/dh_key.pp @@ -0,0 +1,10 @@ +class site_openvpn::dh_key { + + $x509_config = hiera('x509') + + file { '/etc/openvpn/keys/dh.pem': + content => $x509_config['dh'], + mode => '0644', + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 41f4c6d4..29b3f13f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -27,7 +27,6 @@ class site_openvpn { Class['site_config::default'] -> Class['site_openvpn'] $openvpn_config = hiera('openvpn') - $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] if $::ec2_instance_id { @@ -62,8 +61,8 @@ class site_openvpn { $openvpn_limited_udp_cidr = '21' } - # deploy ca + server keys - include site_openvpn::keys + # deploy dh keys + include site_openvpn::dh_key if $openvpn_allow_unlimited and $openvpn_allow_limited { $unlimited_gateway_address = $openvpn_gateway_address diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp deleted file mode 100644 index 864bbd9b..00000000 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ /dev/null @@ -1,45 +0,0 @@ -class site_openvpn::keys { - - x509::key { - 'leap_openvpn': - content => $site_openvpn::x509_config['key'], - notify => Service[openvpn]; - } - - x509::cert { - 'leap_openvpn': - content => $site_openvpn::x509_config['cert'], - notify => Service[openvpn]; - } - - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', - } - - # - # CA bundle -- we want to have the possibility of allowing multiple CAs. - # For now, the reason is to transition to using client CA. In the future, - # we will want to be able to smoothly phase out one CA and phase in another. - # I tried "--capath" for this, but it did not work. - # - - concat { - '/etc/openvpn/ca_bundle.pem': - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service['openvpn']; - } - - concat::fragment { - 'client_ca_cert': - content => $site_openvpn::x509_config['client_ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - 'ca_cert': - content => $site_openvpn::x509_config['ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - } - -} -- cgit v1.2.3 From d7aca479f254ce4cbe58ee2a2197ea5c6d02de53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:44:30 +0200 Subject: Depend services on deployment of default key, cert and ca (Feature #3838) --- puppet/modules/site_openvpn/manifests/init.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_openvpn/manifests') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 29b3f13f..6ab0d430 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -137,7 +137,11 @@ class site_openvpn { command => '/etc/init.d/openvpn restart', refreshonly => true, subscribe => File['/etc/openvpn'], - require => [ Package['openvpn'], File['/etc/openvpn'] ]; + require => [ + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': -- cgit v1.2.3