authorJustin Lambert <jlambert@eml.cc>2013-01-10 20:34:48 -0700
committerJustin Lambert <jlambert@eml.cc>2013-01-10 20:34:48 -0700
commit5df60aad95fcff99ef5837577b0a70435e99d1aa (patch)
tree94f191531c4342052c43e96b59e299f63f069e5a
parentc0b642e0e81b3c12c52a5f4b2d8f5ae4317e8c36 (diff)
documentation, refactoring to make the dependency chain easier to follow
-rw-r--r--manifests/client.pp135
-rw-r--r--manifests/config.pp33
-rw-r--r--manifests/init.pp62
-rw-r--r--manifests/install.pp30
-rw-r--r--manifests/server.pp127
-rw-r--r--manifests/service.pp24
-rw-r--r--templates/client.erb20
-rw-r--r--templates/server.erb12
8 files changed, 347 insertions, 96 deletions
diff --git a/manifests/client.pp b/manifests/client.pp
index 6abef5e..581eece 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,5 +1,89 @@
-# client.pp
-
+# == Define: openvpn::client
+#
+# This define creates the client certs for a specified openvpn server as well
+# as creating a tarball that can be directly imported into openvpn clients
+#
+#
+# === Parameters
+#
+# [*server*]
+# String. Name of the corresponding openvpn endpoint
+# Required
+#
+# [*compression*]
+# String. Which compression algorithim to use
+# Default: comp-lzo
+# Options: comp-lzo or '' (disable compression)
+#
+# [*dev*]
+# String. Device method
+# Default: tun
+# Options: tun (routed connections), tap (bridged connections)
+#
+# [*mute*]
+# Integer. Set log mute level
+# Default: 20
+#
+# [*mute_replay_warnings*]
+# Boolean. Silence duplicate packet warnings (common on wireless networks)
+# Default: true
+#
+# [*nobind*]
+# Boolean. Whether or not to bind to a specific port number
+# Default: true
+#
+# [*persist_key*]
+# Boolean. Try to retain access to resources that may be unavailable
+# because of privilege downgrades
+# Default: true
+#
+# [*persist_tun*]
+# Boolean. Try to retain access to resources that may be unavailable
+# because of privilege downgrades
+# Default: true
+#
+# [*port*]
+# Integer. The port the openvpn server service is running on
+# Default: 1194
+#
+# [*proto*]
+# String. What IP protocol is being used.
+# Default: tcp
+# Options: tcp or udp
+#
+# [*remote_host*]
+# String. The IP or hostname of the openvpn server service
+# Default: FQDN
+#
+# [*resolv_retry*]
+# Integer/String. How many seconds should the openvpn client try to resolve
+# the server's hostname
+# Default: infinite
+# Options: Integer or infinite
+#
+# [*verb*]
+# Integer. Level of logging verbosity
+# Default: 3
+#
+#
+# === Examples
+#
+# openvpn::client {
+# 'my_user':
+# server => 'contractors',
+# remote_host => 'vpn.mycompany.com'
+# }
+#
+# * Removal:
+# Manual process right now, todo for the future
+#
+#
+# === Authors
+#
+# * Raffael Schmid <mailto:raffael@yux.ch>
+# * John Kinsella <mailto:jlkinsel@gmail.com>
+# * Justin Lambert <mailto:jlambert@letsevenup.com>
+#
define openvpn::client(
$server,
$compression = 'comp-lzo',
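Review bot: The `[*persist_key*]` and `[*persist_tun*]` entries carry identical text, so the header never says what distinguishes them; I would make the first read `Boolean. Do not re-read key files across SIGUSR1 or ping-restart restarts` and the second `Boolean. Do not close and reopen the TUN/TAP device across SIGUSR1 or ping-restart restarts`, which is what the two OpenVPN directives actually do. The entries for `mute`, `port` and `verb` are typed as Integer while the defaults set in the following hunks are the quoted strings `'20'`, `'1194'` and `'3'`; either unquote the defaults or document them as strings. The parameter list continues past the end of this hunk.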
@@ -7,7 +91,6 @@ define openvpn::client(
$mute = '20',
$mute_replay_warnings = true,
$nobind = true,
- $ns_cert_type = 'server',
$persist_key = true,
$persist_tun = true,
$port = '1194',
@@ -16,41 +99,37 @@ define openvpn::client(
$resolv_retry = 'infinite',
$verb = '3',
) {
+
+ Openvpn::Server[$server] ->
+ Openvpn::Client[$name]
+
exec {
"generate certificate for ${name} in context of ${server}":
command => ". ./vars && ./pkitool ${name}",
cwd => "/etc/openvpn/${server}/easy-rsa",
creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
- provider => 'shell',
- require => Exec["generate server cert ${server}"];
+ provider => 'shell';
}
file {
- "/etc/openvpn/${server}/download-configs/${name}":
- ensure => directory,
- require => File["/etc/openvpn/${server}/download-configs"];
-
- "/etc/openvpn/${server}/download-configs/${name}/keys":
- ensure => directory,
- require => File["/etc/openvpn/${server}/download-configs/${name}"];
+ [ "/etc/openvpn/${server}/download-configs/${name}",
+ "/etc/openvpn/${server}/download-configs/${name}/keys"]:
+ ensure => directory;
"/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt":
ensure => link,
target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
- require => [ Exec["generate certificate for ${name} in context of ${server}"],
- File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+ require => Exec["generate certificate for ${name} in context of ${server}"];
"/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key":
ensure => link,
target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key",
- require => [ Exec["generate certificate for ${name} in context of ${server}"],
- File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+ require => Exec["generate certificate for ${name} in context of ${server}"];
"/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt":
ensure => link,
target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
- require => [ Exec["generate certificate for ${name} in context of ${server}"],
- File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+ require => Exec["generate certificate for ${name} in context of ${server}"];
"/etc/openvpn/${server}/download-configs/${name}/${name}.conf":
owner => root,
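Review bot: The new ordering statement at the top of the body is the natural place for a guard on `$name`, which is interpolated unescaped into the shell command `. ./vars && ./pkitool ${name}` a few lines below (the exec uses `provider => 'shell'`, so shell metacharacters are interpreted) and into every path under `/etc/openvpn/${server}`. A one-line check such as `if $name !~ /^[A-Za-z0-9_.-]+$/ { fail("openvpn::client: invalid name '${name}'") }`, with the same test on `$server`, restricts the exec to plain identifiers. The define's body continues past the end of this hunk.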
@@ -60,16 +139,16 @@ define openvpn::client(
notify => Exec["tar the thing ${server} with ${name}"];
}
- concat {
- "/etc/openvpn/${server}/client-configs/${name}":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- force => true,
- notify => Exec["tar the thing ${server} with ${name}"],
- require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ];
- }
+# concat {
+# "/etc/openvpn/${server}/client-configs/${name}":
+# owner => root,
+# group => root,
+# mode => 644,
+# warn => true,
+# force => true,
+# notify => Exec["tar the thing ${server} with ${name}"],
+# require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ];
+# }
exec {
"tar the thing ${server} with ${name}":
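Review bot: The `concat` resource for `/etc/openvpn/${server}/client-configs/${name}` is commented out rather than removed, leaving ten lines of dead manifest with no explanation; the old version lives in git history, so delete the block or, if it is coming back, replace it with a single `# TODO: client-configs concat disabled until <reason>` line. If nothing writes into `client-configs` any more, the directory created for it in server.pp looks orphaned as well, though that is inferred from what is visible here. The `tar the thing` exec continues past the end of this hunk.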
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000..9e7753d
--- /dev/null
+++ b/manifests/config.pp
@@ -0,0 +1,33 @@
+# == Class: openvpn::config
+#
+# This class sets up the openvpn enviornment as well as the default config file
+#
+#
+# === Examples
+#
+# This class should not be directly invoked
+#
+# === Authors
+#
+# * Raffael Schmid <mailto:raffael@yux.ch>
+# * John Kinsella <mailto:jlkinsel@gmail.com>
+# * Justin Lambert <mailto:jlambert@letsevenup.com>
+#
+class openvpn::config {
+ include concat::setup
+
+ concat {
+ '/etc/default/openvpn':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true;
+ }
+
+ concat::fragment {
+ 'openvpn.default.header':
+ content => template('openvpn/etc-default-openvpn.erb'),
+ target => '/etc/default/openvpn',
+ order => 01;
+ }
+} \ No newline at end of file
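Review bot: `mode => 644` is an unquoted number while server.pp writes modes as strings (`'0444'`); newer Puppet parsers treat a bare number as an Integer, which the file type rejects, and puppet-lint flags the unquoted form, so use `mode => '0644'` here. The header comment spells "enviornment" (environment), and the file has no trailing newline, as the marker shows.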
diff --git a/manifests/init.pp b/manifests/init.pp
index a3dd70c..173b9bd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,45 +1,27 @@
-# openvpn.pp
-
+# == Class: openvpn
+#
+# This module installs the openvpn service, configures vpn endpoints, generates
+# client certificates, and generates client config files
+#
+#
+# === Examples
+#
+# * Installation:
+# class { 'openvpn': }
+#
+#
+# === Authors
+#
+# * Raffael Schmid <mailto:raffael@yux.ch>
+# * John Kinsella <mailto:jlkinsel@gmail.com>
+# * Justin Lambert <mailto:jlambert@letsevenup.com>
+#
class openvpn {
- package {
- 'openvpn':
- ensure => installed;
- }
- service {
- 'openvpn':
- ensure => running,
- enable => true,
- hasrestart => true,
- hasstatus => true,
- require => Exec['concat_/etc/default/openvpn'];
- }
- file {
- '/etc/openvpn':
- ensure => directory,
- require => Package['openvpn'];
- }
- file {
- '/etc/openvpn/keys':
- ensure => directory,
- require => File['/etc/openvpn'];
- }
-
- include concat::setup
- concat {
- '/etc/default/openvpn':
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- notify => Service['openvpn'];
- }
+ class {'openvpn::install': } ->
+ class {'openvpn::config': } ~>
+ class {'openvpn::service': } ->
+ Class['openvpn']
- concat::fragment {
- 'openvpn.default.header':
- content => template('openvpn/etc-default-openvpn.erb'),
- target => '/etc/default/openvpn',
- order => 01;
- }
}
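Review bot: The chain `... ~> class {'openvpn::service': } -> Class['openvpn']` only orders the three subclasses before the end of `openvpn`; nothing orders them after its start, so a relationship such as `Something -> Class['openvpn']` declared elsewhere would not wait for install, config or service to run. The usual fix for this Puppet generation is the anchor pattern from puppetlabs-stdlib: `anchor { 'openvpn::begin': } -> class {'openvpn::install': } -> class {'openvpn::config': } ~> class {'openvpn::service': } -> anchor { 'openvpn::end': }` (on Puppet 3.4 and later `contain` replaces the anchors). Note also that only a change in `openvpn::config` refreshes the service; a package change in `openvpn::install` does not, which may be intended but is worth a comment.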
diff --git a/manifests/install.pp b/manifests/install.pp
new file mode 100644
index 0000000..c22775d
--- /dev/null
+++ b/manifests/install.pp
@@ -0,0 +1,30 @@
+# == Class: openvpn
+#
+# This module installs the openvpn service, configures vpn endpoints, generates
+# client certificates, and generates client config files
+#
+#
+# === Examples
+#
+# This class should not be directly invoked
+#
+#
+# === Authors
+#
+# * Raffael Schmid <mailto:raffael@yux.ch>
+# * John Kinsella <mailto:jlkinsel@gmail.com>
+# * Justin Lambert <mailto:jlambert@letsevenup.com>
+#
+class openvpn::install {
+
+ package {
+ 'openvpn':
+ ensure => installed;
+ }
+
+ file {
+ [ '/etc/openvpn', '/etc/openvpn/keys' ]:
+ ensure => directory,
+ require => Package['openvpn'];
+ }
+} \ No newline at end of file
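Review bot: The header says `== Class: openvpn` and repeats the module-level description from init.pp; it should read `== Class: openvpn::install` with a summary such as `This class installs the openvpn package and creates the base directories`. `/etc/openvpn/keys` is created with default ownership and mode; if it is meant to hold private key material (the name suggests so, but nothing in this diff writes to it), give it `owner => root, group => root, mode => '0700'`. The file also lacks a trailing newline.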
diff --git a/manifests/server.pp b/manifests/server.pp
index ad9351a..20dceed 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,5 +1,98 @@
-# server.pp
-
+# == Define: openvpn::server
+#
+# This define creates the openvpn server instance and ssl certificates
+#
+#
+# === Parameters
+#
+# [*country*]
+# String. Country to be used for the SSL certificate
+#
+# [*province*]
+# String. Province to be used for the SSL certificate
+#
+# [*city*]
+# String. City to be used for the SSL certificate
+#
+# [*organization*]
+# String. Organization to be used for the SSL certificate
+#
+# [*email*]
+# String. Email address to be used for the SSL certificate
+#
+# [*compression*]
+# String. Which compression algorithim to use
+# Default: comp-lzo
+# Options: comp-lzo or '' (disable compression)
+#
+# [*dev*]
+# String. Device method
+# Default: tun
+# Options: tun (routed connections), tap (bridged connections)
+#
+# [*group*]
+# String. User to drop privileges to after startup
+# Default: nobody
+#
+# [*ipp*]
+# Boolean. Persist ifconfig information to a file to retain client IP
+# addresses between sessions
+# Default: true
+#
+# [*local*]
+# String. Interface for openvpn to bind to.
+# Default: $::ipaddress_eth0
+# Options: An IP address or '' to bind to all ip addresses
+#
+# [*logfile*]
+# String. Logfile for this openvpn server
+# Default: "${name}/openvpn.log"
+#
+# [*port*]
+# Integer. The port the openvpn server service is running on
+# Default: 1194
+#
+# [*proto*]
+# String. What IP protocol is being used.
+# Default: tcp
+# Options: tcp or udp
+#
+# [*status_log*]
+# String. Logfile for periodic dumps of the vpn service status
+# Default: "${name}/openvpn-status.log"
+#
+# [*user*]
+# String. Group to drop privileges to after startup
+# Default: nobody
+#
+# [*server*]
+# String. Network to assign client addresses out of
+# Default: $::network_eth0 $::netmask_eth0
+#
+# [*push*]
+# Array. Options to push out to the client. This can include routes, DNS
+# servers, DNS search domains, and many other options.
+# Default: []
+#
+#
+# === Examples
+#
+# openvpn::client {
+# 'my_user':
+# server => 'contractors',
+# remote_host => 'vpn.mycompany.com'
+# }
+#
+# * Removal:
+# Manual process right now, todo for the future
+#
+#
+# === Authors
+#
+# * Raffael Schmid <mailto:raffael@yux.ch>
+# * John Kinsella <mailto:jlkinsel@gmail.com>
+# * Justin Lambert <mailto:jlambert@letsevenup.com>
+#
define openvpn::server(
$country,
$province,
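Review bot: The `[*group*]` and `[*user*]` descriptions are swapped: `group` is documented as "User to drop privileges to" and `user` as "Group to drop privileges to". The `=== Examples` block shows an `openvpn::client` declaration instead of an `openvpn::server` one, so a reader copying it declares the wrong define; replace it with `openvpn::server { 'contractors': country => 'US', ... }` listing the required parameters above. The `[*dev*]` entry states `Default: tun` while the parameter default set in the next hunk is `'tun0'`.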
@@ -7,19 +100,23 @@ define openvpn::server(
$organization,
$email,
$compression = 'comp-lzo',
- $port = '1194',
- $proto = 'tcp',
+ $dev = 'tun0',
$group = 'nobody',
- $user = 'nobody',
+ $ipp = true,
+ $local = $::ipaddress_eth0,
$logfile = "${name}/openvpn.log",
+ $port = '1194',
+ $proto = 'tcp',
$status_log = "${name}/openvpn-status.log",
- $dev = 'tun0',
- $local = $::ipaddress_eth0,
- $ipp = false,
+ $user = 'nobody',
$server = "${::network_eth0} ${::netmask_eth0}",
$push = []
) {
- include openvpn
+
+ include openvpn
+ Class['openvpn::install'] ->
+ Openvpn::Server[$name] ~>
+ Class['openvpn::service']
$easyrsa_source = $::osfamily ? {
'RedHat' => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0',
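Review bot: The `$ipp` default flips from `false` to `true` in a commit described as documentation and refactoring, which changes what every existing `openvpn::server` instance renders (`ifconfig-pool-persist` is now emitted); either keep `false` here or call the behaviour change out in the commit message. The default `$local = $::ipaddress_eth0` depends on a fact that is absent on hosts without an `eth0` interface, and what the template renders then depends on how `lookupvar` reports an undefined value, so the `''` value documented above as "bind to all" may be the safer default. The selector and the rest of the define continue past the end of this hunk.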
@@ -33,22 +130,23 @@ define openvpn::server(
file {
["/etc/openvpn/${name}", "/etc/openvpn/${name}/client-configs", "/etc/openvpn/${name}/download-configs" ]:
- ensure => directory,
- require => Package['openvpn'];
+ ensure => directory;
}
exec {
"copy easy-rsa to openvpn config folder ${name}":
command => "/bin/cp -r ${easyrsa_source} /etc/openvpn/${name}/easy-rsa",
creates => "/etc/openvpn/${name}/easy-rsa",
- notify => Exec['fix_easyrsa_file_permissions'],
+ notify => Exec["fix_easyrsa_file_permissions_${name}"],
require => File["/etc/openvpn/${name}"];
}
+
exec {
- 'fix_easyrsa_file_permissions':
+ "fix_easyrsa_file_permissions_${name}":
refreshonly => true,
command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*";
}
+
file {
"/etc/openvpn/${name}/easy-rsa/vars":
ensure => present,
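Review bot: The renamed exec `fix_easyrsa_file_permissions_${name}` removes the duplicate-resource clash when more than one `openvpn::server` is declared, but its command `/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*` relies on glob expansion; unless a `provider => 'shell'` is set on lines outside this hunk, Puppet's default posix provider passes the `*` literally and the chmod fails on refresh. Adding `provider => 'shell'` next to `refreshonly => true`, or listing the files explicitly, makes it work either way. As in client.pp, `${name}` ends up inside a command line, so it should be validated as a plain identifier at the top of the define.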
@@ -109,7 +207,6 @@ define openvpn::server(
owner => root,
group => root,
mode => '0444',
- content => template('openvpn/server.erb'),
- notify => Service['openvpn'];
+ content => template('openvpn/server.erb');
}
}
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 0000000..57d764d
--- /dev/null
+++ b/manifests/service.pp
@@ -0,0 +1,24 @@
+# == Class: openvpn::config
+#
+# This class maintains the openvpn service
+#
+#
+# === Examples
+#
+# This class should not be directly invoked
+#
+# === Authors
+#
+# * Raffael Schmid <mailto:raffael@yux.ch>
+# * John Kinsella <mailto:jlkinsel@gmail.com>
+# * Justin Lambert <mailto:jlambert@letsevenup.com>
+#
+class openvpn::service {
+ service {
+ 'openvpn':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true;
+ }
+} \ No newline at end of file
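Review bot: The header says `== Class: openvpn::config` although the file declares `openvpn::service`; change it to `== Class: openvpn::service`. The file also has no trailing newline, as the marker shows.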
diff --git a/templates/client.erb b/templates/client.erb
index c343cd7..021ed61 100644
--- a/templates/client.erb
+++ b/templates/client.erb
@@ -5,20 +5,22 @@ key keys/<%= scope.lookupvar('name') %>.key
dev <%= scope.lookupvar('dev') %>
proto <%= scope.lookupvar('proto') %>
remote <%= scope.lookupvar('remote_host') %> <%= scope.lookupvar('port') %>
+<% if scope.lookupvar('compression') != '' -%>
<%= scope.lookupvar('compression') %>
+<% end -%>
resolv-retry <%= scope.lookupvar('resolv_retry') %>
-<% if scope.lookupvar('nobind') %>
+<% if scope.lookupvar('nobind') -%>
nobind
-<% end %>
-<% if scope.lookupvar('persist_key') %>
+<% end -%>
+<% if scope.lookupvar('persist_key') -%>
persist-key
-<% end %>
-<% if scope.lookupvar('persist_tun') %>
+<% end -%>
+<% if scope.lookupvar('persist_tun') -%>
persist-tun
-<% end %>
-<% if scope.lookupvar('mute_replay_warnings') %>
+<% end -%>
+<% if scope.lookupvar('mute_replay_warnings') -%>
mute-replay-warnings
-<% end %>
-ns-cert-type <%= scope.lookupvar('ns_cert_type') %>
+<% end -%>
+ns-cert-type server
verb <%= scope.lookupvar('verb') %>
mute <%= scope.lookupvar('mute') %>
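Review bot: `ns-cert-type server` is now hard-coded, which keeps server-certificate verification on for every client and is a good outcome of dropping the parameter, but the directive is deprecated in OpenVPN 2.4 and removed in 2.5 in favour of `remote-cert-tls server`, which checks the `serverAuth` extended key usage instead of the Netscape extension. Whether the certificate produced by the `generate server cert` exec carries that EKU depends on the easy-rsa `openssl.cnf` in use, which is not in this diff, so confirm that before switching the directive. The new `compression` guard emits the value only when it is non-empty, matching the `''` option documented in the define.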
diff --git a/templates/server.erb b/templates/server.erb
index 540a786..b010cbd 100644
--- a/templates/server.erb
+++ b/templates/server.erb
@@ -6,17 +6,21 @@ key /etc/openvpn/<%= scope.lookupvar('name') %>/keys/server.key
dh /etc/openvpn/<%= scope.lookupvar('name') %>/keys/dh1024.pem
proto <%= scope.lookupvar('proto') %>
port <%= scope.lookupvar('port') %>
+<% if scope.lookupvar('compression') != '' -%>
<%= scope.lookupvar('compression') %>
+<% end -%>
group <%= scope.lookupvar('group') %>
user <%= scope.lookupvar('user') %>
log-append <%= scope.lookupvar('logfile') %>
status <%= scope.lookupvar('status_log') %>
dev <%= scope.lookupvar('dev') %>
+<% if scope.lookupvar('local') != '' -%>
local <%= scope.lookupvar('local') %>
-<% if scope.lookupvar('ipp') %>
+<% end -%>
+<% if scope.lookupvar('ipp') -%>
ifconfig-pool-persist <%= scope.lookupvar('name') %>/vpn-ipp.txt
-<% end %>
+<% end -%>
server <%= scope.lookupvar('server') %>
-<% scope.lookupvar('push').each do |item| %>
+<% scope.lookupvar('push').each do |item| -%>
push <%= item %>
-<% end %>
+<% end -%>
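Review bot: The new `local` guard compares `scope.lookupvar('local')` with `''`, but the define's default for `$local` is the fact `$::ipaddress_eth0`; on a host with no `eth0` that value is undefined rather than empty, and `lookupvar` then returns a sentinel (`:undefined` or `:undef`, depending on the Puppet version) that passes the `!= ''` test and is rendered literally into the config. A guard such as `<% l = scope.lookupvar('local'); if l.is_a?(String) && !l.empty? -%>` covers both cases. The same pattern is worth applying to the `compression` check here and in client.erb.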