author | Raffael Schmid <raffael@yux.ch> | 2013-01-24 23:10:21 -0800 |
committer | Raffael Schmid <raffael@yux.ch> | 2013-01-24 23:10:21 -0800 |
commit | f7b67655a95175a8d7aa6e1778c92f2c1910720d (patch) | |
tree | 990c39d3f7bb9b5cc13c04e8d9edfb58ccb903d9 | |
parent | ba7ec7abd25cd4c5031e11cd3ae17872ef31b24b (diff) | |
parent | dfb1d97f7e85b67a20887faa494bf863a6077067 (diff) |
Merge pull request #8 from luxflux/options_changes
Rewrite of the module, thanks @jlambert121
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | .rvmrc | 38 | ||||
-rw-r--r-- | Gemfile | 5 | ||||
-rw-r--r-- | Gemfile.lock | 36 | ||||
-rw-r--r-- | Vagrantfile | 42 | ||||
-rw-r--r-- | manifests/client.pp | 235 | ||||
-rw-r--r-- | manifests/client_specific_config.pp | 60 | ||||
-rw-r--r-- | manifests/config.pp | 36 | ||||
-rw-r--r-- | manifests/init.pp | 63 | ||||
-rw-r--r-- | manifests/install.pp | 30 | ||||
-rw-r--r-- | manifests/option.pp | 24 | ||||
-rw-r--r-- | manifests/params.pp | 18 | ||||
-rw-r--r-- | manifests/server.pp | 229 | ||||
-rw-r--r-- | manifests/service.pp | 24 | ||||
-rw-r--r-- | spec/classes/openvpn_config_spec.rb | 15 | ||||
-rw-r--r-- | spec/classes/openvpn_init_spec.rb | 11 | ||||
-rw-r--r-- | spec/classes/openvpn_install_spec.rb | 11 | ||||
-rw-r--r-- | spec/classes/openvpn_service_spec.rb | 13 | ||||
-rw-r--r-- | spec/defines/openvpn_client_spec.rb | 152 | ||||
-rw-r--r-- | spec/defines/openvpn_client_specific_config_spec.rb | 40 | ||||
-rw-r--r-- | spec/defines/openvpn_option_spec.rb | 42 | ||||
-rw-r--r-- | spec/defines/openvpn_server_spec.rb | 222 | ||||
-rw-r--r-- | templates/client.erb | 26 | ||||
-rw-r--r-- | templates/client_specific_config.erb | 10 | ||||
-rw-r--r-- | templates/server.erb | 33 | ||||
-rw-r--r-- | vagrant/client.pp | 5 | ||||
-rw-r--r-- | vagrant/server.pp | 23 |
27 files changed, 964 insertions, 480 deletions
@@ -1,2 +1,3 @@ pkg spec/fixtures +.vagrant @@ -0,0 +1,38 @@ +#!/usr/bin/env bash + +# This is an RVM Project .rvmrc file, used to automatically load the ruby +# development environment upon cd'ing into the directory + +# First we specify our desired <ruby>[@<gemset>], the @gemset name is optional, +# Only full ruby name is supported here, for short names use: +# echo "rvm use 1.9.3" > .rvmrc +environment_id="ruby-1.9.3-p194@puppet" + +# Uncomment the following lines if you want to verify rvm version per project +# rvmrc_rvm_version="1.15.8 (stable)" # 1.10.1 seams as a safe start +# eval "$(echo ${rvm_version}.${rvmrc_rvm_version} | awk -F. '{print "[[ "$1*65536+$2*256+$3" -ge "$4*65536+$5*256+$6" ]]"}' )" || { +# echo "This .rvmrc file requires at least RVM ${rvmrc_rvm_version}, aborting loading." +# return 1 +# } + +# First we attempt to load the desired environment directly from the environment +# file. This is very fast and efficient compared to running through the entire +# CLI and selector. If you want feedback on which environment was used then +# insert the word 'use' after --create as this triggers verbose mode. +if [[ -d "${rvm_path:-$HOME/.rvm}/environments" + && -s "${rvm_path:-$HOME/.rvm}/environments/$environment_id" ]] +then + \. "${rvm_path:-$HOME/.rvm}/environments/$environment_id" + [[ -s "${rvm_path:-$HOME/.rvm}/hooks/after_use" ]] && + \. "${rvm_path:-$HOME/.rvm}/hooks/after_use" || true + if [[ $- == *i* ]] # check for interactive shells + then echo "Using: $(tput setaf 2)$GEM_HOME$(tput sgr0)" # show the user the ruby and gemset they are using in green + else echo "Using: $GEM_HOME" # don't use colors in non-interactive shells + fi +else + # If the environment file has not yet been created, use the RVM CLI to select. + rvm --create use "$environment_id" || { + echo "Failed to create RVM environment '${environment_id}'." + return 1 + } +fi @@ -0,0 +1,5 @@ +source :rubygems + +gem 'puppet' +gem 'rspec-puppet' +gem 'puppetlabs_spec_helper' 
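Review bot: `source :rubygems` resolves to the plain-HTTP remote that the accompanying Gemfile.lock records (`remote: http://rubygems.org/`), so the test toolchain's gems are fetched without transport integrity; an explicit `source 'https://rubygems.org'` pins the source and fixes the scheme. The three `gem` lines carry no version constraints, so the lockfile is the only thing holding `puppet 3.0.2`; a `~>` constraint on at least `puppet` would make the intended major version visible here.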
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..9fce3f9
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,36 @@
+GEM
+ remote: http://rubygems.org/
+ specs:
+ diff-lcs (1.1.3)
+ facter (1.6.17)
+ hiera (1.0.0)
+ metaclass (0.0.1)
+ mocha (0.13.1)
+ metaclass (~> 0.0.1)
+ puppet (3.0.2)
+ facter (~> 1.6.11)
+ hiera (~> 1.0.0)
+ puppetlabs_spec_helper (0.4.0)
+ mocha (>= 0.10.5)
+ rake
+ rspec (>= 2.9.0)
+ rspec-puppet (>= 0.1.1)
+ rake (10.0.3)
+ rspec (2.12.0)
+ rspec-core (~> 2.12.0)
+ rspec-expectations (~> 2.12.0)
+ rspec-mocks (~> 2.12.0)
+ rspec-core (2.12.2)
+ rspec-expectations (2.12.1)
+ diff-lcs (~> 1.1.3)
+ rspec-mocks (2.12.1)
+ rspec-puppet (0.1.5)
+ rspec
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ puppet
+ puppetlabs_spec_helper
+ rspec-puppet
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..88875ff
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,42 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+def server_config(config)
+ config.vm.provision :puppet, :module_path => '..' do |puppet|
+ puppet.manifests_path = "vagrant"
+ puppet.manifest_file = "server.pp"
+ end
+end
+
+def client_config(config)
+ config.vm.provision :puppet, :module_path => '..' do |puppet|
+ puppet.manifests_path = "vagrant"
+ puppet.manifest_file = "client.pp"
+ end
+end
+
+Vagrant::Config.run do |config|
+
+ config.vm.define :server_ubuntu do |c|
+ c.vm.box = 'precise64'
+ server_config c
+ c.vm.network :hostonly, '10.255.255.10'
+ end
+
+ config.vm.define :server_centos do |c|
+ c.vm.box = 'centos63'
+
+ c.vm.provision :shell, :inline => 'if [ ! -f rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm ]; then wget -q http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm; fi'
+ c.vm.provision :shell, :inline => 'yum install -y rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm || exit 0'
+
+ server_config c
+ c.vm.network :hostonly, '10.255.255.11'
+ end
+
+ config.vm.define :client_ubuntu do |c|
+ c.vm.box = 'precise64'
+ client_config c
+ c.vm.network :hostonly, '10.255.255.20'
+ end
+
+end
diff --git a/manifests/client.pp b/manifests/client.pp
index ed11b3a..581eece 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
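Review bot: The `server_centos` provisioner fetches `rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm` over plain HTTP with `wget -q` and installs it with `yum install -y … || exit 0`, so the package is neither checksum- nor signature-verified before install and an install failure is turned into success. Even for a throwaway test VM it is worth fetching over https where the mirror allows it, checking the file against a known digest before `yum install`, and dropping `|| exit 0` so a broken download fails `vagrant up` instead of leaving a half-provisioned box. A one-line comment above the two `:inline` strings saying why rpmforge is needed (presumably openvpn is not in the base CentOS 6 repositories) would also help the next reader.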
@@ -1,121 +1,155 @@ -# client.pp +# == Define: openvpn::client +# +# This define creates the client certs for a specified openvpn server as well +# as creating a tarball that can be directly imported into openvpn clients +# +# +# === Parameters +# +# [*server*] +# String. Name of the corresponding openvpn endpoint +# Required +# +# [*compression*] +# String. Which compression algorithim to use +# Default: comp-lzo +# Options: comp-lzo or '' (disable compression) +# +# [*dev*] +# String. Device method +# Default: tun +# Options: tun (routed connections), tap (bridged connections) +# +# [*mute*] +# Integer. Set log mute level +# Default: 20 +# +# [*mute_replay_warnings*] +# Boolean. Silence duplicate packet warnings (common on wireless networks) +# Default: true +# +# [*nobind*] +# Boolean. Whether or not to bind to a specific port number +# Default: true +# +# [*persist_key*] +# Boolean. Try to retain access to resources that may be unavailable +# because of privilege downgrades +# Default: true +# +# [*persist_tun*] +# Boolean. Try to retain access to resources that may be unavailable +# because of privilege downgrades +# Default: true +# +# [*port*] +# Integer. The port the openvpn server service is running on +# Default: 1194 +# +# [*proto*] +# String. What IP protocol is being used. +# Default: tcp +# Options: tcp or udp +# +# [*remote_host*] +# String. The IP or hostname of the openvpn server service +# Default: FQDN +# +# [*resolv_retry*] +# Integer/String. How many seconds should the openvpn client try to resolve +# the server's hostname +# Default: infinite +# Options: Integer or infinite +# +# [*verb*] +# Integer. 
Level of logging verbosity +# Default: 3 +# +# +# === Examples +# +# openvpn::client { +# 'my_user': +# server => 'contractors', +# remote_host => 'vpn.mycompany.com' +# } +# +# * Removal: +# Manual process right now, todo for the future +# +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# * John Kinsella <mailto:jlkinsel@gmail.com> +# * Justin Lambert <mailto:jlambert@letsevenup.com> +# +define openvpn::client( + $server, + $compression = 'comp-lzo', + $dev = 'tun', + $mute = '20', + $mute_replay_warnings = true, + $nobind = true, + $persist_key = true, + $persist_tun = true, + $port = '1194', + $proto = 'tcp', + $remote_host = $::fqdn, + $resolv_retry = 'infinite', + $verb = '3', +) { -define openvpn::client($server, $remote_host = $::fqdn) { + Openvpn::Server[$server] -> + Openvpn::Client[$name] + exec { "generate certificate for ${name} in context of ${server}": command => ". ./vars && ./pkitool ${name}", cwd => "/etc/openvpn/${server}/easy-rsa", creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - provider => 'shell', - require => Exec["generate server cert ${server}"]; + provider => 'shell'; } file { - "/etc/openvpn/${server}/download-configs/${name}": - ensure => directory, - require => File["/etc/openvpn/${server}/download-configs"]; - - "/etc/openvpn/${server}/download-configs/${name}/keys": - ensure => directory, - require => File["/etc/openvpn/${server}/download-configs/${name}"]; + [ "/etc/openvpn/${server}/download-configs/${name}", + "/etc/openvpn/${server}/download-configs/${name}/keys"]: + ensure => directory; "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - require => [ Exec["generate certificate for ${name} in context of ${server}"], - File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + require => Exec["generate certificate for ${name} in context of ${server}"]; 
"/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", - require => [ Exec["generate certificate for ${name} in context of ${server}"], - File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + require => Exec["generate certificate for ${name} in context of ${server}"]; "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", - require => [ Exec["generate certificate for ${name} in context of ${server}"], - File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; - } - + require => Exec["generate certificate for ${name} in context of ${server}"]; - openvpn::option { - "ca ${server} with ${name}": - key => 'ca', - value => 'keys/ca.crt', - client => $name, - server => $server; - "cert ${server} with ${name}": - key => 'cert', - value => "keys/${name}.crt", - client => $name, - server => $server; - "key ${server} with ${name}": - key => 'key', - value => "keys/${name}.key", - client => $name, - server => $server; - "client ${server} with ${name}": - key => 'client', - client => $name, - server => $server; - "dev ${server} with ${name}": - key => 'dev', - value => 'tun', - client => $name, - server => $server; - "proto ${server} with ${name}": - key => 'proto', - value => 'tcp', - client => $name, - server => $server; - "remote ${server} with ${name}": - key => 'remote', - value => "${remote_host} 1194", - client => $name, - server => $server; - "resolv-retry ${server} with ${name}": - key => 'resolv-retry', - value => 'infinite', - client => $name, - server => $server; - "nobind ${server} with ${name}": - key => 'nobind', - client => $name, - server => $server; - "persist-key ${server} with ${name}": - key => 'persist-key', - client => $name, - server => $server; - "persist-tun ${server} with ${name}": - key => 'persist-tun', - client => $name, - server => $server; - 
"mute-replay-warnings ${server} with ${name}": - key => 'mute-replay-warnings', - client => $name, - server => $server; - "ns-cert-type ${server} with ${name}": - key => 'ns-cert-type', - value => 'server', - client => $name, - server => $server; - "comp-lzo ${server} with ${name}": - key => 'comp-lzo', - client => $name, - server => $server; - "verb ${server} with ${name}": - key => 'verb', - value => '3', - client => $name, - server => $server; - "mute ${server} with ${name}": - key => 'mute', - value => '20', - client => $name, - server => $server; + "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": + owner => root, + group => root, + mode => '0444', + content => template('openvpn/client.erb'), + notify => Exec["tar the thing ${server} with ${name}"]; } +# concat { +# "/etc/openvpn/${server}/client-configs/${name}": +# owner => root, +# group => root, +# mode => 644, +# warn => true, +# force => true, +# notify => Exec["tar the thing ${server} with ${name}"], +# require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ]; +# } + exec { "tar the thing ${server} with ${name}": cwd => "/etc/openvpn/${server}/download-configs/", @@ -126,17 +160,4 @@ define openvpn::client($server, $remote_host = $::fqdn) { File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] ]; } - - - concat { - [ "/etc/openvpn/${server}/client-configs/${name}", "/etc/openvpn/${server}/download-configs/${name}/${name}.conf" ]: - owner => root, - group => root, - mode => 644, - warn => true, - force => true, - notify => Exec["tar the thing ${server} with ${name}"], - require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ]; - } - } diff --git a/manifests/client_specific_config.pp b/manifests/client_specific_config.pp new file mode 100644 index 0000000..231d55d --- /dev/null +++ b/manifests/client_specific_config.pp 
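Review bot: The removed `openvpn::option` block pushed `ns-cert-type server` into the client config, which is what stops another client's certificate from being accepted as the server's; the replacement `content => template('openvpn/client.erb')` is not in view, so please confirm the template still emits `ns-cert-type server` (or `remote-cert-tls server`) rather than silently dropping it. In the `exec`, the define title is interpolated into `". ./vars && ./pkitool ${name}"` under `provider => 'shell'`, so a title containing shell metacharacters reaches the shell unquoted; a regex check on `$name` at the top of the define (stdlib's `validate_re`, if the module can depend on it) would bound that. The commented-out `concat { … }` block between the `file` and `exec` resources is dead code now that the `.conf` is a plain `file` resource and can go. The `tar the thing` exec's command continues outside this hunk.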
@@ -0,0 +1,60 @@ +# == Define: openvpn::client_specific_config +# +# This define configures options which will be pushed by the server to a +# specific client only. +# http://openvpn.net/index.php/open-source/documentation/howto.html#policy +# +# === Parameters +# +# [*server*] +# String. Name of the corresponding openvpn endpoint +# Required +# +# [*iroute*] +# Array. Array of iroute combinations. +# Default: [] +# +# [*ifconfig*] +# String. IP configuration to push to the client. +# Default: false +# +# [*dhcp_options] +# Array. DHCP options to push to the client. +# Default: [] +# +# +# === Examples +# +# openvpn::client_specific_config { +# 'vpn_client': +# server => 'contractors', +# iroute => ['10.0.1.0 255.255.255.0'], +# ifconfig => '10.10.10.2 255.255.255.0', +# dhcp_options => ['DNS 8.8.8.8'] +# } +# +# * Removal: +# Manual process right now, todo for the future +# +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# +define openvpn::client_specific_config( + $server, + $iroute = [], + $ifconfig = false, + $dhcp_options = [] +) { + + Openvpn::Server[$server] -> + Openvpn::Client[$name] -> + Openvpn::Client_specific_config[$name] + + file { "/etc/openvpn/${server}/client-configs/${name}": + ensure => present, + content => template('openvpn/client_specific_config.erb') + } + +} diff --git a/manifests/config.pp b/manifests/config.pp new file mode 100644 index 0000000..5767d8f --- /dev/null +++ b/manifests/config.pp 
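Review bot: The `file { "/etc/openvpn/${server}/client-configs/${name}": … }` resource sets no `owner`, `group` or `mode`, unlike the `${name}.conf` resources added elsewhere in this commit, which use `owner => root, group => root, mode => '0444'`; a client-config-dir entry is read by the daemon after it has dropped privileges, so stating the same `root`/`root`/`'0444'` here makes that readable-by-the-service intent explicit instead of depending on the agent's umask. The header has a doc typo, `[*dhcp_options]` should be `[*dhcp_options*]`, and it should say that the define's title must equal the matching `openvpn::client` title, since the `Openvpn::Client[$name]` chain requires that resource to exist in the catalog.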
@@ -0,0 +1,36 @@ +# == Class: openvpn::config +# +# This class sets up the openvpn enviornment as well as the default config file +# +# +# === Examples +# +# This class should not be directly invoked +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# * John Kinsella <mailto:jlkinsel@gmail.com> +# * Justin Lambert <mailto:jlambert@letsevenup.com> +# +class openvpn::config { + + if $::osfamily == 'Debian' { + include concat::setup + + concat { + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true; + } + + concat::fragment { + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; + } + } +}
\ No newline at end of file diff --git a/manifests/init.pp b/manifests/init.pp index a3dd70c..a757873 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,45 +1,28 @@ -# openvpn.pp - +# == Class: openvpn +# +# This module installs the openvpn service, configures vpn endpoints, generates +# client certificates, and generates client config files +# +# +# === Examples +# +# * Installation: +# class { 'openvpn': } +# +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# * John Kinsella <mailto:jlkinsel@gmail.com> +# * Justin Lambert <mailto:jlambert@letsevenup.com> +# class openvpn { - package { - 'openvpn': - ensure => installed; - } - service { - 'openvpn': - ensure => running, - enable => true, - hasrestart => true, - hasstatus => true, - require => Exec['concat_/etc/default/openvpn']; - } - file { - '/etc/openvpn': - ensure => directory, - require => Package['openvpn']; - } - file { - '/etc/openvpn/keys': - ensure => directory, - require => File['/etc/openvpn']; - } - - include concat::setup - concat { - '/etc/default/openvpn': - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service['openvpn']; - } + class {'openvpn::params': } -> + class {'openvpn::install': } -> + class {'openvpn::config': } ~> + class {'openvpn::service': } -> + Class['openvpn'] - concat::fragment { - 'openvpn.default.header': - content => template('openvpn/etc-default-openvpn.erb'), - target => '/etc/default/openvpn', - order => 01; - } } diff --git a/manifests/install.pp b/manifests/install.pp new file mode 100644 index 0000000..c22775d --- /dev/null +++ b/manifests/install.pp 
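Review bot: The `concat { '/etc/default/openvpn': … }` resource uses a bare `mode => 644` while the file resources added in the same commit use quoted, zero-padded modes (`'0444'`); a bare integer is ambiguous between decimal and octal and newer Puppet releases expect the mode as a string, so `mode => '0644'` keeps it consistent and future-proof. For the same reason `order => 01` reads better as `order => '01'`. The header comment has a typo, `enviornment` → `environment`, and the file is missing its trailing newline.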
@@ -0,0 +1,30 @@ +# == Class: openvpn +# +# This module installs the openvpn service, configures vpn endpoints, generates +# client certificates, and generates client config files +# +# +# === Examples +# +# This class should not be directly invoked +# +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# * John Kinsella <mailto:jlkinsel@gmail.com> +# * Justin Lambert <mailto:jlambert@letsevenup.com> +# +class openvpn::install { + + package { + 'openvpn': + ensure => installed; + } + + file { + [ '/etc/openvpn', '/etc/openvpn/keys' ]: + ensure => directory, + require => Package['openvpn']; + } +}
\ No newline at end of file diff --git a/manifests/option.pp b/manifests/option.pp deleted file mode 100644 index eb3d5a7..0000000 --- a/manifests/option.pp +++ /dev/null @@ -1,24 +0,0 @@ -# option.pp - -define openvpn::option($key, $server, $value = '', $client = '', $csc = false) { - $content = $value ? { - '' => $key, - default => "${key} ${value}" - } - - if $client == '' { - $path = "/etc/openvpn/${server}.conf" - } else { - if $csc { - $path = "/etc/openvpn/${server}/client-configs/${client}" - } else { - $path = "/etc/openvpn/${server}/download-configs/${client}/${client}.conf" - } - } - - concat::fragment { - "openvpn.${server}.${client}.${name}": - target => $path, - content => "${content}\n"; - } -} diff --git a/manifests/params.pp b/manifests/params.pp new file mode 100644 index 0000000..838ca1f --- /dev/null +++ b/manifests/params.pp @@ -0,0 +1,18 @@ +class openvpn::params { + + $group = $::osfamily ? { + 'RedHat' => 'nobody', + default => 'nogroup' + } + + $easyrsa_source = $::osfamily ? { + 'RedHat' => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0', + default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0' + } + + $link_openssl_cnf = $::osfamily ? { + /(Debian|RedHat)/ => true, + default => false + } + +} diff --git a/manifests/server.pp b/manifests/server.pp index bfcaad8..d4024a5 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
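Review bot: The header says `== Class: openvpn` and repeats the top-level module description, but the class defined is `openvpn::install`; the first line should read `# == Class: openvpn::install` and the description should say it only installs the package and creates the base directories. The `/etc/openvpn/keys` directory is created with no `owner` or `mode`, so it gets the agent's defaults; if anything placed there is private key material, a restrictive mode such as `'0750'` is worth setting here. The file is also missing its trailing newline.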
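Review bot: `$easyrsa_source` hard-codes `/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0` for the RedHat family, so the `copy easy-rsa to openvpn config folder` exec in `openvpn::server` fails as soon as the packaged openvpn version changes; making the version part a parameter or deriving it from a fact would avoid that. A header comment in the style of the other manifests (`# == Class: openvpn::params`) would make the file consistent, and `$link_openssl_cnf` deserves a line saying why Debian and RedHat need the `openssl-1.0.0.cnf` symlink.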
@@ -1,56 +1,154 @@ -# server.pp +# == Define: openvpn::server +# +# This define creates the openvpn server instance and ssl certificates +# +# +# === Parameters +# +# [*country*] +# String. Country to be used for the SSL certificate +# +# [*province*] +# String. Province to be used for the SSL certificate +# +# [*city*] +# String. City to be used for the SSL certificate +# +# [*organization*] +# String. Organization to be used for the SSL certificate +# +# [*email*] +# String. Email address to be used for the SSL certificate +# +# [*compression*] +# String. Which compression algorithim to use +# Default: comp-lzo +# Options: comp-lzo or '' (disable compression) +# +# [*dev*] +# String. Device method +# Default: tun +# Options: tun (routed connections), tap (bridged connections) +# +# [*user*] +# String. Group to drop privileges to after startup +# Default: nobody +# +# [*group*] +# String. User to drop privileges to after startup +# Default: depends on your $::osfamily +# +# [*ipp*] +# Boolean. Persist ifconfig information to a file to retain client IP +# addresses between sessions +# Default: false +# +# [*local*] +# String. Interface for openvpn to bind to. +# Default: $::ipaddress_eth0 +# Options: An IP address or '' to bind to all ip addresses +# +# [*logfile*] +# String. Logfile for this openvpn server +# Default: false +# Options: false (syslog) or log file name +# +# [*port*] +# Integer. The port the openvpn server service is running on +# Default: 1194 +# +# [*proto*] +# String. What IP protocol is being used. +# Default: tcp +# Options: tcp or udp +# +# [*status_log*] +# String. Logfile for periodic dumps of the vpn service status +# Default: "${name}/openvpn-status.log" +# +# [*server*] +# String. Network to assign client addresses out of +# Default: None. Required in tun mode, not in tap mode +# +# [*push*] +# Array. Options to push out to the client. This can include routes, DNS +# servers, DNS search domains, and many other options. 
+# Default: [] +# +# +# === Examples +# +# openvpn::client { +# 'my_user': +# server => 'contractors', +# remote_host => 'vpn.mycompany.com' +# } +# +# * Removal: +# Manual process right now, todo for the future +# +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# * John Kinsella <mailto:jlkinsel@gmail.com> +# * Justin Lambert <mailto:jlambert@letsevenup.com> +# +define openvpn::server( + $country, + $province, + $city, + $organization, + $email, + $compression = 'comp-lzo', + $dev = 'tun0', + $user = 'nobody', + $group = false, + $ipp = false, + $ip_pool = [], + $local = $::ipaddress_eth0, + $logfile = false, + $port = '1194', + $proto = 'tcp', + $status_log = "${name}/openvpn-status.log", + $server = '', + $push = [] +) { -define openvpn::server($country, $province, $city, $organization, $email) { - include openvpn + include openvpn + Class['openvpn::install'] -> + Openvpn::Server[$name] ~> + Class['openvpn::service'] - $easyrsa_source = $::osfamily ? { - 'RedHat' => '/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0', - default => '/usr/share/doc/openvpn/examples/easy-rsa/2.0' + $tls_server = $proto ? { + /tcp/ => true, + default => false } - $link_openssl_cnf = $::osfamily ? { - /(Debian|RedHat)/ => true, - default => false + $group_to_set = $group ? 
{ + false => $openvpn::params::group, + default => $group } file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package['openvpn']; - } - file { - "/etc/openvpn/${name}/client-configs": - ensure => directory, - require => File["/etc/openvpn/${name}"]; - "/etc/openvpn/${name}/download-configs": - ensure => directory, - require => File["/etc/openvpn/${name}"]; - } - - openvpn::option { - "client-config-dir ${name}": - key => 'client-config-dir', - value => "/etc/openvpn/${name}/client-configs", - server => $name, - require => File["/etc/openvpn/${name}"]; - "mode ${name}": - key => 'mode', - value => 'server', - server => $name; + ["/etc/openvpn/${name}", "/etc/openvpn/${name}/client-configs", "/etc/openvpn/${name}/download-configs" ]: + ensure => directory; } exec { "copy easy-rsa to openvpn config folder ${name}": - command => "/bin/cp -r ${easyrsa_source} /etc/openvpn/${name}/easy-rsa", + command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa", creates => "/etc/openvpn/${name}/easy-rsa", - notify => Exec['fix_easyrsa_file_permissions'], + notify => Exec["fix_easyrsa_file_permissions_${name}"], require => File["/etc/openvpn/${name}"]; } + exec { - 'fix_easyrsa_file_permissions': + "fix_easyrsa_file_permissions_${name}": refreshonly => true, command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*"; } + file { "/etc/openvpn/${name}/easy-rsa/vars": ensure => present, @@ -62,7 +160,7 @@ define openvpn::server($country, $province, $city, $organization, $email) { "/etc/openvpn/${name}/easy-rsa/openssl.cnf": require => Exec["copy easy-rsa to openvpn config folder ${name}"]; } - if $link_openssl_cnf == true { + if $openvpn::params::link_openssl_cnf == true { File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] { ensure => link, target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf" 
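Review bot: In the header the `[*user*]` and `[*group*]` descriptions are swapped (`user` is described as "Group to drop privileges to" and `group` as "User …"), the `=== Examples` block shows an `openvpn::client` declaration instead of an `openvpn::server` one, `[*dev*]` documents a default of `tun` while the signature sets `$dev = 'tun0'`, and the new `$ip_pool = []` parameter is not documented at all. In the second hunk, `if $openvpn::params::link_openssl_cnf == true` can simply be `if $openvpn::params::link_openssl_cnf`. The body of the define continues outside both hunks.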
@@ -99,55 +197,20 @@ define openvpn::server($country, $province, $city, $organization, $email) { require => Exec["copy easy-rsa to openvpn config folder ${name}"]; } - openvpn::option { - "ca ${name}": - key => 'ca', - value => "/etc/openvpn/${name}/keys/ca.crt", - require => Exec["initca ${name}"], - server => $name; - "cert ${name}": - key => 'cert', - value => "/etc/openvpn/${name}/keys/server.crt", - require => Exec["generate server cert ${name}"], - server => $name; - "key ${name}": - key => 'key', - value => "/etc/openvpn/${name}/keys/server.key", - require => Exec["generate server cert ${name}"], - server => $name; - "dh ${name}": - key => 'dh', - value => "/etc/openvpn/${name}/keys/dh1024.pem", - require => Exec["generate dh param ${name}"], - server => $name; - - "proto ${name}": - key => 'proto', - value => 'tcp', - require => Exec["generate dh param ${name}"], - server => $name; - - "comp-lzo ${name}": - key => 'comp-lzo', - require => Exec["generate dh param ${name}"], - server => $name; - } - - concat::fragment { + if $::osfamily == 'Debian' { + concat::fragment { "openvpn.default.autostart.${name}": - content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", - target => '/etc/default/openvpn', - order => 10; + content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", + target => '/etc/default/openvpn', + order => 10; + } } - concat { - "/etc/openvpn/${name}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File['/etc/openvpn'], - notify => Service['openvpn']; + file { + "/etc/openvpn/${name}.conf": + owner => root, + group => root, + mode => '0444', + content => template('openvpn/server.erb'); } - } diff --git a/manifests/service.pp b/manifests/service.pp new file mode 100644 index 0000000..57d764d --- /dev/null +++ b/manifests/service.pp 
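Review bot: The new `file { "/etc/openvpn/${name}.conf": … }` drops the `require`s on `Exec["initca ${name}"]`, `Exec["generate server cert ${name}"]` and `Exec["generate dh param ${name}"]` that the removed `openvpn::option` resources carried, so the config can now be written before the CA, server certificate and DH parameters exist; the define-level `~> Class['openvpn::service']` chain still orders the service after all of them, but an explicit `require => Exec["generate dh param ${name}"]` would keep the intra-define ordering visible. The removed lines also show the config pointed at `dh1024.pem`; `template('openvpn/server.erb')` is not in view, so it is worth confirming which DH file and size it references, since 1024-bit parameters are weak by current guidance. `mode => '0444'` is fine as long as the template, like the removed options, only references key paths and never inlines key material.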
@@ -0,0 +1,24 @@ +# == Class: openvpn::config +# +# This class maintains the openvpn service +# +# +# === Examples +# +# This class should not be directly invoked +# +# === Authors +# +# * Raffael Schmid <mailto:raffael@yux.ch> +# * John Kinsella <mailto:jlkinsel@gmail.com> +# * Justin Lambert <mailto:jlambert@letsevenup.com> +# +class openvpn::service { + service { + 'openvpn': + ensure => running, + enable => true, + hasrestart => true, + hasstatus => true; + } +}
\ No newline at end of file diff --git a/spec/classes/openvpn_config_spec.rb b/spec/classes/openvpn_config_spec.rb new file mode 100644 index 0000000..bbb63a7 --- /dev/null +++ b/spec/classes/openvpn_config_spec.rb @@ -0,0 +1,15 @@ +require 'spec_helper' + +describe 'openvpn::config', :type => :class do + + it { should create_class('openvpn::config') } + + context "on Debian based machines" do + let (:facts) { { :osfamily => 'Debian', :concat_basedir => '/var/lib/puppet/concat' } } + + it { should contain_class('concat::setup') } + it { should contain_concat('/etc/default/openvpn') } + it { should contain_concat__fragment('openvpn.default.header') } + end + +end diff --git a/spec/classes/openvpn_init_spec.rb b/spec/classes/openvpn_init_spec.rb index cdfdea1..45dcc9b 100644 --- a/spec/classes/openvpn_init_spec.rb +++ b/spec/classes/openvpn_init_spec.rb @@ -5,16 +5,5 @@ describe 'openvpn', :type => :class do let (:facts) { { :concat_basedir => '/var/lib/puppet/concat' } } it { should create_class('openvpn') } - it { should contain_class('concat::setup') } - it { should contain_package('openvpn') } - it { should contain_service('openvpn').with( - 'ensure' => 'running', - 'enable' => true - ) } - - it { should contain_file('/etc/openvpn').with('ensure' => 'directory') } - it { should contain_file('/etc/openvpn/keys').with('ensure' => 'directory') } - - it { should contain_concat__fragment('openvpn.default.header') } end diff --git a/spec/classes/openvpn_install_spec.rb b/spec/classes/openvpn_install_spec.rb new file mode 100644 index 0000000..cdb3135 --- /dev/null +++ b/spec/classes/openvpn_install_spec.rb @@ -0,0 +1,11 @@ +require 'spec_helper' + +describe 'openvpn::install', :type => :class do + + it { should create_class('openvpn::install') } + it { should contain_package('openvpn') } + + it { should contain_file('/etc/openvpn').with('ensure' => 'directory') } + it { should contain_file('/etc/openvpn/keys').with('ensure' => 'directory') } + +end 
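Review bot: The header says `== Class: openvpn::config` but the class defined is `openvpn::service`; the first line should read `# == Class: openvpn::service`. A sentence noting that the service is reached only through the `~>` chain from the top-level `openvpn` class and is refreshed by `openvpn::config` and by each `openvpn::server` instance would also help, since nothing in this file shows where restarts come from. The file is missing its trailing newline.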
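Review bot: `openvpn_config_spec.rb` only exercises `osfamily => 'Debian'`; since `openvpn::config` manages nothing on other families, a second context with a non-Debian `osfamily` asserting `it { should_not contain_concat('/etc/default/openvpn') }` would pin that branch and catch a later change that loses the `if $::osfamily == 'Debian'` guard. The top-level `it { should create_class('openvpn::config') }` runs without `osfamily` set and so passes through the non-Debian path implicitly, but an explicit context documents the intent.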
diff --git a/spec/classes/openvpn_service_spec.rb b/spec/classes/openvpn_service_spec.rb new file mode 100644 index 0000000..f427e7f --- /dev/null +++ b/spec/classes/openvpn_service_spec.rb @@ -0,0 +1,13 @@ +require 'spec_helper' + +describe 'openvpn::service', :type => :class do + + let (:facts) { { :concat_basedir => '/var/lib/puppet/concat' } } + + it { should create_class('openvpn::service') } + it { should contain_service('openvpn').with( + 'ensure' => 'running', + 'enable' => true + ) } + +end diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index da71d63..a4b580e 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb @@ -4,6 +4,15 @@ describe 'openvpn::client', :type => :define do let(:title) { 'test_client' } let(:params) { { 'server' => 'test_server' } } let(:facts) { { :fqdn => 'somehost', :concat_basedir => '/var/lib/puppet/concat' } } + let(:pre_condition) do + 'openvpn::server { "test_server": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" + }' + end it { should contain_exec('generate certificate for test_client in context of test_server') } 
@@ -23,94 +32,57 @@ describe 'openvpn::client', :type => :define do
 'command' => '/bin/rm test_client.tar.gz; tar --exclude=\*.conf.d -chzvf test_client.tar.gz test_client'
 ) }
- it { should contain_openvpn__option('ca test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'ca',
- 'value' => 'keys/ca.crt'
- )}
- it { should contain_openvpn__option('cert test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'cert',
- 'value' => 'keys/test_client.crt'
- )}
- it { should contain_openvpn__option('key test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'key',
- 'value' => 'keys/test_client.key'
- )}
- it { should contain_openvpn__option('client test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'client'
- )}
- it { should contain_openvpn__option('dev test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'dev',
- 'value' => 'tun'
- )}
- it { should contain_openvpn__option('proto test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'proto',
- 'value' => 'tcp'
- )}
- it { should contain_openvpn__option('remote test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'remote',
- 'value' => 'somehost 1194'
- )}
- it { should contain_openvpn__option('resolv-retry test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'resolv-retry',
- 'value' => 'infinite'
- )}
- it { should contain_openvpn__option('nobind test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'nobind'
- )}
- it { should contain_openvpn__option('persist-key test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'persist-key'
- )}
- it { should contain_openvpn__option('persist-tun test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'persist-tun'
- )}
- it { should contain_openvpn__option('mute-replay-warnings test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'mute-replay-warnings'
- )}
- it { should contain_openvpn__option('ns-cert-type test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'ns-cert-type',
- 'value' => 'server'
- )}
- it { should contain_openvpn__option('comp-lzo test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'comp-lzo'
- )}
- it { should contain_openvpn__option('verb test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'verb',
- 'value' => '3'
- )}
- it { should contain_openvpn__option('mute test_server with test_client').with(
- 'server' => 'test_server',
- 'client' => 'test_client',
- 'key' => 'mute',
- 'value' => '20'
- )}
+ context "setting the minimum parameters" do
+ let(:params) { { 'server' => 'test_server' } }
+ let(:facts) { { :fqdn => 'somehost', :concat_basedir => '/var/lib/puppet/concat' } }
+
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^client$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/ca\.crt$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cert\s+keys\/test_client.crt$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^key\s+keys\/test_client\.key$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^dev\s+tun$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^proto\s+tcp$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^remote\s+somehost\s+1194$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^comp-lzo$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^resolv-retry\s+infinite$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^nobind$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^persist-key$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^persist-tun$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute-replay-warnings$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ns\-cert\-type\s+server$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+3$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+20$/)}
+ end
+
+ context "setting all of the parameters" do
+ let(:params) { {
+ 'server' => 'test_server',
+ 'compression' => 'comp-something',
+ 'dev' => 'tap',
+ 'mute' => 10,
+ 'mute_replay_warnings' => false,
+ 'nobind' => false,
+ 'persist_key' => false,
+ 'persist_tun' => false,
+ 'port' => '123',
+ 'proto' => 'udp',
+ 'remote_host' => 'somewhere',
+ 'resolv_retry' => '2m',
+ 'verb' => '1'
+ } }
+ let(:facts) { { :fqdn => 'somehost', :concat_basedir => '/var/lib/puppet/concat' } }
+
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^client$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/ca\.crt$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cert\s+keys\/test_client.crt$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^key\s+keys\/test_client\.key$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^dev\s+tap$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^proto\s+udp$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^remote\s+somewhere\s+123$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^comp-something$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^resolv-retry\s+2m$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+1$/)}
+ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+10$/)}
+ end
+
+ end
diff --git a/spec/defines/openvpn_client_specific_config_spec.rb b/spec/defines/openvpn_client_specific_config_spec.rb
new file mode 100644
index 0000000..cfdab38
--- /dev/null
+++ b/spec/defines/openvpn_client_specific_config_spec.rb
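Review bot: The "setting all of the parameters" context passes `nobind`, `persist_key`, `persist_tun` and `mute_replay_warnings` as `false` but never asserts that the matching directives are absent from the rendered client config, so the false branches of templates/client.erb stay untested; add `it { should_not contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^nobind$/) }` and the same negative check for `persist-key`, `persist-tun` and `mute-replay-warnings`. In that same params hash `'mute' => 10` is the only integer among otherwise string-valued entries (`'port' => '123'`, `'verb' => '1'`); using one convention makes the spec document what type the define expects. The config path repeated in every example could be a `let(:conf)` at the `describe` level, which starts and ends outside this hunk.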
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'openvpn::client_specific_config', :type => :define do
+ let(:title) { 'test_client' }
+ let(:params) { { 'server' => 'test_server' } }
+ let(:facts) { { :fqdn => 'somehost', :concat_basedir => '/var/lib/puppet/concat' } }
+ let(:pre_condition) do
+ [
+ 'openvpn::server { "test_server":
+ country => "CO",
+ province => "ST",
+ city => "Some City",
+ organization => "example.org",
+ email => "testemail@example.org"
+ }',
+ 'openvpn::client { "test_client":
+ server => "test_server"
+ }'
+ ].join
+ end
+
+ it { should contain_file('/etc/openvpn/test_server/client-configs/test_client') }
+
+ describe "setting no paramter at all" do
+ it { should contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(/\A\n\z/) }
+ end
+
+ describe "setting all parameters" do
+ let(:params) do
+ {:server => 'test_server',
+ :iroute => ['10.0.1.0 255.255.255.0'],
+ :ifconfig => '10.10.10.2 255.255.255.0',
+ :dhcp_options => ['DNS 8.8.8.8']}
+ end
+
+ it { should contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(/^iroute 10.0.1.0 255.255.255.0$/) }
+ it { should contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(/^ifconfig-push 10.10.10.2 255.255.255.0$/) }
+ it { should contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(/^push dhcp-option DNS 8.8.8.8$/) }
+ end
+end
diff --git a/spec/defines/openvpn_option_spec.rb b/spec/defines/openvpn_option_spec.rb
deleted file mode 100644
index a2d1661..0000000
--- a/spec/defines/openvpn_option_spec.rb
+++ /dev/null
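Review bot: The three `with_content` regexes under "setting all parameters" leave the dots in `10.0.1.0`, `255.255.255.0`, `10.10.10.2` and `8.8.8.8` unescaped, so `.` matches any character and the assertions would also pass on a mangled address; write them as `/^iroute 10\.0\.1\.0 255\.255\.255\.0$/` and likewise for the `ifconfig-push` and `push dhcp-option` lines, as openvpn_server_spec in this commit already does for `local` and `server`. The description string `"setting no paramter at all"` misspells "parameter". The empty-params example pins `/\A\n\z/`, which ties this spec to the trailing blank line in templates/client_specific_config.erb; a short comment on that `it` saying the single newline is expected from the template would save the next person from "fixing" either side.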
@@ -1,42 +0,0 @@
-require 'spec_helper'
-
-describe 'openvpn::option', :type => :define do
-
- let(:title) { 'test_param' }
-
- context "when key => 'test_key', server => 'test_server'" do
- let(:params) { { 'key' => 'test_key', 'server' => 'test_server' } }
-
- it { should contain_concat__fragment('openvpn.test_server..test_param').with(
- 'target' => '/etc/openvpn/test_server.conf',
- 'content' => "test_key\n"
- ) }
- end
-
- context "when key => 'test_key', value => 'test_value', server => 'test_server'" do
- let(:params) { { 'key' => 'test_key', 'value' => 'test_value', 'server' => 'test_server' } }
-
- it { should contain_concat__fragment('openvpn.test_server..test_param').with(
- 'target' => '/etc/openvpn/test_server.conf',
- 'content' => "test_key test_value\n"
- ) }
- end
-
- context "when key => 'test_key', server => 'test_server', client => 'test_client'" do
- let(:params) { { 'key' => 'test_key', 'server' => 'test_server', 'client' => 'test_client' } }
-
- it { should contain_concat__fragment('openvpn.test_server.test_client.test_param').with(
- 'target' => '/etc/openvpn/test_server/download-configs/test_client/test_client.conf',
- 'content' => "test_key\n"
- ) }
- end
-
- context "when key => 'test_key', server => 'test_server', client => 'test_client', csc => true" do
- let(:params) { { 'key' => 'test_key', 'server' => 'test_server', 'client' => 'test_client', 'csc' => 'true' } }
-
- it { should contain_concat__fragment('openvpn.test_server.test_client.test_param').with(
- 'target' => '/etc/openvpn/test_server/client-configs/test_client',
- 'content' => "test_key\n"
- ) }
- end
-end
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index 1032302..3a17bc2 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
@@ -1,109 +1,165 @@
 require 'spec_helper'
-
+
 describe 'openvpn::server', :type => :define do
-
+
 let(:title) { 'test_server' }
- let(:params) { {
- 'country' => 'CO',
- 'province' => 'ST',
- 'city' => 'Some City',
- 'organization' => 'example.org',
- 'email' => 'testemail@example.org'
- } }
-
- let (:facts) { { :concat_basedir => '/var/lib/puppet/concat' } }
-
- # Files associated with a server config
- it { should contain_file('/etc/openvpn/test_server').with('ensure' => 'directory')}
- it { should contain_file('/etc/openvpn/test_server/client-configs').with('ensure' => 'directory')}
- it { should contain_file('/etc/openvpn/test_server/download-configs').with('ensure' => 'directory')}
- it { should contain_file('/etc/openvpn/test_server/easy-rsa/vars')}
- it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf')}
- it { should contain_file('/etc/openvpn/test_server/keys').with(
- 'ensure' => 'link',
- 'target' => '/etc/openvpn/test_server/easy-rsa/keys'
- )}
-
- it { should contain_concat__fragment('openvpn.default.autostart.test_server').with(
- 'content' => "AUTOSTART=\"$AUTOSTART test_server\"\n",
- 'target' => '/etc/default/openvpn'
- )}
-
- # Execs to working with certificates
- it { should contain_exec('copy easy-rsa to openvpn config folder test_server').with(
- 'command' => '/bin/cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/test_server/easy-rsa'
- )}
- it { should contain_exec('generate dh param test_server') }
- it { should contain_exec('initca test_server') }
- it { should contain_exec('generate server cert test_server') }
-
- # Options that should be set
- it { should contain_openvpn__option('client-config-dir test_server').with(
- 'server' => 'test_server',
- 'key' => 'client-config-dir',
- 'value' => '/etc/openvpn/test_server/client-configs'
- )}
- it { should contain_openvpn__option('mode test_server').with(
- 'server' => 'test_server',
- 'key' => 'mode',
- 'value' => 'server'
- )}
- it { should contain_openvpn__option('ca test_server').with(
- 'server' => 'test_server',
- 'key' => 'ca',
- 'value' => '/etc/openvpn/test_server/keys/ca.crt'
- )}
- it { should contain_openvpn__option('cert test_server').with(
- 'server' => 'test_server',
- 'key' => 'cert',
- 'value' => '/etc/openvpn/test_server/keys/server.crt'
- )}
- it { should contain_openvpn__option('key test_server').with(
- 'server' => 'test_server',
- 'key' => 'key',
- 'value' => '/etc/openvpn/test_server/keys/server.key'
- )}
- it { should contain_openvpn__option('dh test_server').with(
- 'server' => 'test_server',
- 'key' => 'dh',
- 'value' => '/etc/openvpn/test_server/keys/dh1024.pem'
- )}
- it { should contain_openvpn__option('proto test_server').with(
- 'server' => 'test_server',
- 'key' => 'proto',
- 'value' => 'tcp'
- )}
- it { should contain_openvpn__option('comp-lzo test_server').with(
- 'server' => 'test_server',
- 'key' => 'comp-lzo'
- )}
+
+ context "creating a server with the minimum parameters" do
+ let(:params) { {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org'
+ } }
+
+ let (:facts) { {
+ :ipaddress_eth0 => '1.2.3.4',
+ :network_eth0 => '1.2.3.0',
+ :netmask_eth0 => '255.255.255.0',
+ :concat_basedir => '/var/lib/puppet/concat',
+ :osfamily => 'anything_else'
+ } }
+
+ # Files associated with a server config
+ it { should contain_file('/etc/openvpn/test_server').with('ensure' => 'directory')}
+ it { should contain_file('/etc/openvpn/test_server/client-configs').with('ensure' => 'directory')}
+ it { should contain_file('/etc/openvpn/test_server/download-configs').with('ensure' => 'directory')}
+ it { should contain_file('/etc/openvpn/test_server/easy-rsa/vars')}
+ it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf')}
+ it { should contain_file('/etc/openvpn/test_server/keys').with(
+ 'ensure' => 'link',
+ 'target' => '/etc/openvpn/test_server/easy-rsa/keys'
+ )}
+
+ # Execs to working with certificates
+ it { should contain_exec('copy easy-rsa to openvpn config folder test_server').with(
+ 'command' => '/bin/cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/test_server/easy-rsa'
+ )}
+ it { should contain_exec('generate dh param test_server') }
+ it { should contain_exec('initca test_server') }
+ it { should contain_exec('generate server cert test_server') }
+
+ # VPN server config file itself
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^mode\s+server$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^dh\s+\/etc\/openvpn\/test_server\/keys\/dh1024.pem$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^proto\s+tcp-server$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^tls-server$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^port\s+1194$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^comp-lzo$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+nogroup$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^user\s+nobody$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^log\-append\s+test_server\/openvpn\.log$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^status\s+test_server\/openvpn\-status\.log$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^dev\s+tun0$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^local\s+1\.2\.3\.4$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^ifconfig-pool-persist/) }
+ end
+
+ context "creating a server setting all parameters" do
+ let(:params) { {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'compression' => 'fake_compression',
+ 'port' => '123',
+ 'proto' => 'udp',
+ 'group' => 'someone',
+ 'user' => 'someone',
+ 'logfile' => '/var/log/openvpn/test_server.log',
+ 'status_log' => '/var/log/openvpn/test_server_status.log',
+ 'dev' => 'tun1',
+ 'local' => '2.3.4.5',
+ 'ipp' => true,
+ 'server' => '2.3.4.0 255.255.0.0',
+ 'push' => [ 'dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0' ]
+ } }
+
+ let (:facts) { {
+ :ipaddress_eth0 => '1.2.3.4',
+ :network_eth0 => '1.2.3.0',
+ :netmask_eth0 => '255.255.255.0',
+ :concat_basedir => '/var/lib/puppet/concat'
+ } }
+
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^mode\s+server$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^dh\s+\/etc\/openvpn\/test_server\/keys\/dh1024.pem$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^proto\s+udp-server$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^proto\s+tls-server$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^port\s+123$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^fake_compression$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+someone$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^user\s+someone$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^log\-append\s+\/var\/log\/openvpn\/test_server\.log$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^status\s+\/var\/log\/openvpn\/test_server_status\.log$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^dev\s+tun1$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^local\s+2\.3\.4\.5$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^server\s+2\.3\.4\.0\s+255\.255\.0\.0$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^push\s+dhcp-option\s+DNS\s+172\.31\.0\.30$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^push\s+route\s+172\.31\.0\.0\s+255\.255\.0\.0$/) }
+ end
 context "when RedHat based machine" do
+ let(:params) { {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org'
+ } }
+
 let(:facts) { { :osfamily => 'RedHat', :concat_basedir => '/var/lib/puppet/concat' } }
-
+
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').with(
 'ensure' => 'link',
 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf'
 )}
-
+
 it { should contain_exec('copy easy-rsa to openvpn config folder test_server').with(
 'command' => '/bin/cp -r /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 /etc/openvpn/test_server/easy-rsa'
 )}
-
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+nobody$/) }
+ end
-
- context "when Debian based machine" do
+
+ context "when Debian based machine" do
+ let(:params) { {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org'
+ } }
+
 let(:facts) { { :osfamily => 'Debian', :concat_basedir => '/var/lib/puppet/concat' } }
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').with(
 'ensure' => 'link',
 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf'
 )}
-
+
 it { should contain_exec('copy easy-rsa to openvpn config folder test_server').with(
 'command' => '/bin/cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/test_server/easy-rsa'
 )}
+ # Configure to start vpn session
+ it { should contain_concat__fragment('openvpn.default.autostart.test_server').with(
+ 'content' => "AUTOSTART=\"$AUTOSTART test_server\"\n",
+ 'target' => '/etc/default/openvpn'
+ )}
+
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+nogroup$/) }
+ end
-
+
 end
diff --git a/templates/client.erb b/templates/client.erb
new file mode 100644
index 0000000..021ed61
--- /dev/null
+++ b/templates/client.erb
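Review bot: `it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^proto\s+tls-server$/) }` in the "creating a server setting all parameters" context can never match anything templates/server.erb emits — `tls-server` is rendered on a line of its own, not as a `proto` value — so the negative assertion passes vacuously and does not check what it presumably intends, that `tls-server` is omitted when `proto => 'udp'`; it should be `/^tls-server$/`, mirroring the positive check in the minimum-parameters context. That same context also omits `:osfamily` from its facts while the minimum-parameters context sets `'anything_else'`; if server.pp branches on osfamily, the two contexts exercise different paths than their names suggest, so the fact sets should agree. The five required server parameters are now repeated in four contexts of this file — a single `let(:params)` at the `describe` level, overridden only where a context needs more, would remove the copies.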
@@ -0,0 +1,26 @@
+client
+ca keys/ca.crt
+cert keys/<%= scope.lookupvar('name') %>.crt
+key keys/<%= scope.lookupvar('name') %>.key
+dev <%= scope.lookupvar('dev') %>
+proto <%= scope.lookupvar('proto') %>
+remote <%= scope.lookupvar('remote_host') %> <%= scope.lookupvar('port') %>
+<% if scope.lookupvar('compression') != '' -%>
+<%= scope.lookupvar('compression') %>
+<% end -%>
+resolv-retry <%= scope.lookupvar('resolv_retry') %>
+<% if scope.lookupvar('nobind') -%>
+nobind
+<% end -%>
+<% if scope.lookupvar('persist_key') -%>
+persist-key
+<% end -%>
+<% if scope.lookupvar('persist_tun') -%>
+persist-tun
+<% end -%>
+<% if scope.lookupvar('mute_replay_warnings') -%>
+mute-replay-warnings
+<% end -%>
+ns-cert-type server
+verb <%= scope.lookupvar('verb') %>
+mute <%= scope.lookupvar('mute') %>
diff --git a/templates/client_specific_config.erb b/templates/client_specific_config.erb
new file mode 100644
index 0000000..62cc0e7
--- /dev/null
+++ b/templates/client_specific_config.erb
@@ -0,0 +1,10 @@
+<% scope.lookupvar('iroute').each do |route| -%>
+iroute <%= route %>
+<% end -%>
+<% if ifconfig = scope.lookupvar('ifconfig') -%>
+ifconfig-push <%= ifconfig %>
+<% end -%>
+<% scope.lookupvar('dhcp_options').each do |option| -%>
+push dhcp-option <%= option %>
+<% end -%>
+
diff --git a/templates/server.erb b/templates/server.erb
new file mode 100644
index 0000000..006e56f
--- /dev/null
+++ b/templates/server.erb
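Review bot: `ns-cert-type server` (line 24 of the new client.erb) has the client verify the server certificate through the legacy Netscape nsCertType extension; OpenVPN's documented replacement is `remote-cert-tls server`, which checks keyUsage/extendedKeyUsage instead and is what later releases expect, ns-cert-type being deprecated there. Switching is only safe if the server certificates produced by the easy-rsa 2.0 configuration this module copies carry `extendedKeyUsage = serverAuth`, which I cannot confirm from this chunk, so at minimum record the choice with `<%# ns-cert-type kept for easy-rsa 2.0 certs; prefer remote-cert-tls once certs carry EKU serverAuth %>` above that line — the client spec in this commit pins `^ns\-cert\-type\s+server$`, so the two must be changed together. Every other value (`dev`, `proto`, `remote_host`, `port`, `compression`, `resolv_retry`, `verb`, `mute`) is interpolated into the config unquoted; any validation of them lives in client.pp, outside this chunk.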
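Review bot: `<% if ifconfig = scope.lookupvar('ifconfig') -%>` in client_specific_config.erb assigns inside the condition, which reads like a typo for `==`; since the value is used once, `<% if scope.lookupvar('ifconfig') -%>` followed by `ifconfig-push <%= scope.lookupvar('ifconfig') %>` says the same thing without the ambiguity (or mark it `<%# assignment intended %>`). Whether that test is reliable also depends on what client_specific_config.pp defaults `$ifconfig` to — under older Puppet ERB scopes `lookupvar` can return a truthy sentinel rather than `nil` for an unset variable — and that manifest is outside this chunk; the `/\A\n\z/` example in the new spec covers the default case and would catch it. The trailing empty line 10 is what that spec asserts, so it is load-bearing and deserves a note in the template.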
@@ -0,0 +1,33 @@
+mode server
+client-config-dir /etc/openvpn/<%= scope.lookupvar('name') %>/client-configs
+ca /etc/openvpn/<%= scope.lookupvar('name') %>/keys/ca.crt
+cert /etc/openvpn/<%= scope.lookupvar('name') %>/keys/server.crt
+key /etc/openvpn/<%= scope.lookupvar('name') %>/keys/server.key
+dh /etc/openvpn/<%= scope.lookupvar('name') %>/keys/dh1024.pem
+proto <%= scope.lookupvar('proto') %>-server
+port <%= scope.lookupvar('port') %>
+<% if scope.lookupvar('tls_server') -%>
+tls-server
+<% end -%>
+<% if scope.lookupvar('compression') != '' -%>
+<%= scope.lookupvar('compression') %>
+<% end -%>
+group <%= scope.lookupvar('group_to_set') %>
+user <%= scope.lookupvar('user') %>
+<% if scope.lookupvar('logfile') -%>
+log-append <%= scope.lookupvar('logfile') %>
+<% end -%>
+status <%= scope.lookupvar('status_log') %>
+dev <%= scope.lookupvar('dev') %>
+<% if scope.lookupvar('local') != '' -%>
+local <%= scope.lookupvar('local') %>
+<% end -%>
+<% if scope.lookupvar('ipp') -%>
+ifconfig-pool-persist <%= scope.lookupvar('name') %>/vpn-ipp.txt
+<% end -%>
+<% if scope.lookupvar('server') != '' -%>
+server <%= scope.lookupvar('server') %>
+<% end -%>
+<% scope.lookupvar('push').each do |item| -%>
+push <%= item %>
+<% end -%>
diff --git a/vagrant/client.pp b/vagrant/client.pp
new file mode 100644
index 0000000..7ebeb1d
--- /dev/null
+++ b/vagrant/client.pp
@@ -0,0 +1,5 @@
+node default {
+
+ package { 'openvpn': ensure => installed; }
+
+}
diff --git a/vagrant/server.pp b/vagrant/server.pp
new file mode 100644
index 0000000..d97c517
--- /dev/null
+++ b/vagrant/server.pp
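Review bot: `proto <%= scope.lookupvar('proto') %>-server` appends `-server` unconditionally, so `proto => 'udp'` renders `proto udp-server`, which to my knowledge is not an accepted `--proto` value (the `-server`/`-client` suffix applies to TCP only; UDP is plain `udp`) — and the server spec in this commit pins `^proto\s+udp-server$`, so the test locks the bug in rather than catching it; render the suffix only for tcp, e.g. `<% proto = scope.lookupvar('proto') -%>` then `proto <%= proto == 'tcp' ? 'tcp-server' : proto %>`, and confirm against the openvpn(8) man page for the release this module targets. `dh /etc/openvpn/<name>/keys/dh1024.pem` hard-codes a 1024-bit DH parameter file; the size should come from one parameter shared with the `generate dh param` exec so a stronger group can be chosen without editing the template and the spec. `push`, `server`, `local`, `logfile` and `status_log` are interpolated unquoted, so any validation of them has to live in server.pp, which is outside this chunk.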
@@ -0,0 +1,23 @@
+node default {
+ openvpn::server { 'winterthur':
+ country => "CH",
+ province => "ZH",
+ city => "Winterthur",
+ organization => "example.org",
+ email => "root@example.org",
+ server => '10.200.200.0 255.255.255.0'
+ }
+
+ openvpn::client { 'client1':
+ server => 'winterthur';
+ }
+
+ openvpn::client_specific_config { 'client1':
+ server => 'winterthur',
+ ifconfig => '10.200.200.100 255.255.255.0'
+ }
+
+ openvpn::client { 'client2':
+ server => 'winterthur';
+ }
+} |