add module content
authorRaffael Schmid <raffael@yux.ch>
Fri, 12 Aug 2011 08:13:29 +0000 (10:13 +0200)
committerRaffael Schmid <raffael@yux.ch>
Fri, 12 Aug 2011 08:13:29 +0000 (10:13 +0200)
manifests/classes/openvpn.pp [new file with mode: 0644]
manifests/definitions/client.pp [new file with mode: 0644]
manifests/definitions/option.pp [new file with mode: 0644]
manifests/definitions/push.pp [new file with mode: 0644]
manifests/definitions/route.pp [new file with mode: 0644]
manifests/definitions/server.pp [new file with mode: 0644]
manifests/init.pp [new file with mode: 0644]
templates/etc-default-openvpn.erb [new file with mode: 0644]
templates/vars.erb [new file with mode: 0644]

diff --git a/manifests/classes/openvpn.pp b/manifests/classes/openvpn.pp
new file mode 100644 (file)
index 0000000..55dac85
--- /dev/null
@@ -0,0 +1,32 @@
+# openvpn.pp
+
+class openvpn {
+    package {
+        "openvpn":
+            ensure => installed;
+    }
+    service {
+        "openvpn":
+            ensure     => running,
+            hasrestart => true,
+            hasstatus  => true,
+            require    => Exec["/etc/default/openvpn concatenation"];
+    }
+    file {
+        "/etc/openvpn":
+            ensure  => directory,
+            require => Package["openvpn"];
+    }
+    file {
+        "/etc/openvpn/keys":
+            ensure  => directory,
+            require => File["/etc/openvpn"];
+    }
+    common::concatfilepart {
+        "00-etc-default-openvpn header":
+            ensure  => present,
+            content => template("openvpn/etc-default-openvpn.erb"),
+            notify  => Service["openvpn"],
+            file    => "/etc/default/openvpn";
+    }
+}
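Review bot: The `/etc/openvpn/keys` directory declared at the `file` resource near the end of the class gets no `owner`/`mode`, so it is created with whatever the agent's umask yields, which on most systems is world-readable; a directory whose name and use suggest key material should be locked down explicitly, e.g. `owner => "root", mode => 0700,` alongside `ensure => directory`. The same applies to the `/etc/openvpn` parent only if anything secret is placed directly there, which this class does not do. Note also that the service `require`s `Exec["/etc/default/openvpn concatenation"]`, a resource that is presumably generated by `common::concatfilepart` and is not visible in this commit; if that helper names its exec differently the catalog will fail at compile time, so it is worth a comment on the `require` line saying where the title comes from.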
diff --git a/manifests/definitions/client.pp b/manifests/definitions/client.pp
new file mode 100644 (file)
index 0000000..620d374
--- /dev/null
@@ -0,0 +1,130 @@
+# client.pp
+
+define openvpn::client($server, $remote_host = $fqdn) {
+    exec {
+        "generate certificate for ${name} in context of ${server}":
+            command  => ". ./vars && ./pkitool ${name}",
+            cwd      => "/etc/openvpn/${server}/easy-rsa",
+            creates  => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+            provider => "shell",
+            require  => Exec["generate server cert ${server}"];
+    }
+
+    file {
+        "/etc/openvpn/${server}/download-configs/${name}":
+            ensure  => directory,
+            require => File["/etc/openvpn/${server}/download-configs"];
+        
+        "/etc/openvpn/${server}/download-configs/${name}/keys":
+            ensure  => directory,
+            require => File["/etc/openvpn/${server}/download-configs/${name}"];
+        
+        "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt":
+            ensure => link,
+            target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+            require => [ Exec["generate certificate for ${name} in context of ${server}"],
+                         File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+        
+        "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key":
+            ensure => link,
+            target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key",
+            require => [ Exec["generate certificate for ${name} in context of ${server}"],
+                         File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+        
+        "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt":
+            ensure => link,
+            target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
+            require => [ Exec["generate certificate for ${name} in context of ${server}"],
+                         File["/etc/openvpn/${server}/download-configs/${name}/keys"] ];
+    }
+
+
+    openvpn::option {
+        "ca ${server} with ${name}":
+            key    => "ca",
+            value  => "keys/ca.crt",
+            client => $name,
+            server => $server;
+        "cert ${server} with ${name}":
+            key    => "cert",
+            value  => "keys/${name}.crt",
+            client => $name,
+            server => $server;
+        "key ${server} with ${name}":
+            key    => "key",
+            value  => "keys/${name}.key",
+            client => $name,
+            server => $server;
+        "client ${server} with ${name}":
+            key    => "client",
+            client => $name,
+            server => $server;
+        "dev ${server} with ${name}":
+            key    => "dev",
+            value  => "tun",
+            client => $name,
+            server => $server;
+        "proto ${server} with ${name}":
+            key    => "proto",
+            value  => "tcp",
+            client => $name,
+            server => $server;
+        "remote ${server} with ${name}":
+            key    => "remote",
+            value  => "${remote_host} 1194",
+            client => $name,
+            server => $server;
+        "resolv-retry ${server} with ${name}":
+            key    => "resolv-retry",
+            value  => "infinite",
+            client => $name,
+            server => $server;
+        "nobind ${server} with ${name}":
+            key    => "nobind",
+            client => $name,
+            server => $server;
+        "persist-key ${server} with ${name}":
+            key    => "persist-key",
+            client => $name,
+            server => $server;
+        "persist-tun ${server} with ${name}":
+            key    => "persist-tun",
+            client => $name,
+            server => $server;
+        "mute-replay-warnings ${server} with ${name}":
+            key    => "mute-replay-warnings",
+            client => $name,
+            server => $server;
+        "ns-cert-type ${server} with ${name}":
+            key    => "ns-cert-type",
+            value  => "server",
+            client => $name,
+            server => $server;
+        "comp-lzo ${server} with ${name}":
+            key    => "comp-lzo",
+            client => $name,
+            server => $server;
+        "verb ${server} with ${name}":
+            key    => "verb",
+            value  => "3",
+            client => $name,
+            server => $server;
+        "mute ${server} with ${name}":
+            key    => "mute",
+            value  => "20",
+            client => $name,
+            server => $server;
+    }
+
+    exec {
+        "tar the thing ${server} with ${name}":
+            cwd         => "/etc/openvpn/${server}/download-configs/",
+            command     => "rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}",
+            refreshonly => true,
+            subscribe   => Exec["/etc/openvpn/${server}/download-configs/${name}/${name}.conf concatenation"],
+            require     => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"],
+                            File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"],
+                            File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"],
+                            File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] ];
+    }
+}
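Review bot: The `download-configs/${name}/keys` directory and the `${name}.tar.gz` archive built by the final `exec` both end up holding the client's private key (the `.key` symlink at the fifth `file` entry points at `easy-rsa/keys/${name}.key`, and `tar -h` dereferences it into the archive), yet no `mode` or `owner` is set on any of these paths, so they inherit the default umask and are likely world-readable. Adding `mode => 0700,` to the `download-configs/${name}` and `download-configs/${name}/keys` `file` resources would at least keep the tree and the archive created inside it out of reach of other local users; the archive itself takes the permissions the shell's umask gives it, so a `chmod 0600 ${name}.tar.gz` appended to the `command` string would close the remaining gap. Separately, `${name}` is interpolated unquoted into two shell `command` strings (`./pkitool ${name}` and the `rm ...; tar ...` line); since the title is supplied by the manifest author this is not an external injection vector, but a comment such as `# NOTE: ${name} is passed to a shell unquoted — keep titles to [A-Za-z0-9._-]` on the first `exec` would make the constraint explicit.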
diff --git a/manifests/definitions/option.pp b/manifests/definitions/option.pp
new file mode 100644 (file)
index 0000000..6c694d4
--- /dev/null
@@ -0,0 +1,31 @@
+# option.pp
+
+define openvpn::option($ensure = present, $key, $value = "", $server, $client = "", $csc = false) {
+    $content = $value ? {
+        ""      => "${key}",
+        default => "${key} ${value}"
+    }
+    
+    if $client == "" {
+        $path = "/etc/openvpn/${server}.conf"
+        $req = File["/etc/openvpn"]
+        $notify  = Service["openvpn"]
+    } else {
+        if $scs {
+            $path = "/etc/openvpn/${server}/client-configs/${client}"
+        } else {
+            $path = "/etc/openvpn/${server}/download-configs/${client}/${client}.conf"
+        }
+        $req = [ File["/etc/openvpn"], File["/etc/openvpn/${server}/download-configs/${client}"] ]
+        $notify = undef
+    }
+    
+    common::concatfilepart {
+        "${name}":
+            ensure  => $ensure,
+            file    => $path,
+            content => "${content}\n",
+            notify  => $notify,
+            require => $req;
+    }
+}
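Review bot: The parameter is declared as `$csc` but the branch in the `else` block tests `$scs`, an undefined variable, so the condition is always false and the `client-configs/${client}` path is never selected regardless of what callers pass; this is a typo that silently disables the client-config-dir feature. The fix is the one line `if $csc {`. It is also worth noting that the `$req` array in that branch always requires `File["/etc/openvpn/${server}/download-configs/${client}"]` even when the `client-configs` path is chosen, which will be a dangling dependency once the typo is corrected and a caller uses `csc => true` without also declaring an `openvpn::client`.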
diff --git a/manifests/definitions/push.pp b/manifests/definitions/push.pp
new file mode 100644 (file)
index 0000000..e799b04
--- /dev/null
@@ -0,0 +1,18 @@
+## push.pp
+#
+#define openvpn::push($network, $netmask, $server, $gateway = "undefined") {
+#    
+#    $gw = $gateway ? {
+#        "undefined" => "",
+#        default     => " ${gateway}"
+#    }
+#
+#    common::concatfilepart {
+#        "push ${name}":
+#            ensure  => $ensure,
+#            file    => "/etc/openvpn/${server}.conf",
+#            content => "push \"route ${network} ${netmask}${gw}\"\n",
+#            notify  => Service["openvpn"],
+#            require => Package["openvpn"];
+#    }
+#}
diff --git a/manifests/definitions/route.pp b/manifests/definitions/route.pp
new file mode 100644 (file)
index 0000000..00d955a
--- /dev/null
@@ -0,0 +1,12 @@
+## route.pp
+#
+#define openvpn::route($network, $netmask, $server, $gateway) {
+#    common::concatfilepart {
+#        "route ${name}":
+#            ensure  => $ensure,
+#            file    => "/etc/openvpn/${server}.conf",
+#            content => "route ${network} ${netmask} ${gateway}\n",
+#            notify  => Service["openvpn"],
+#            require => Package["openvpn"];
+#    }
+#}
diff --git a/manifests/definitions/server.pp b/manifests/definitions/server.pp
new file mode 100644 (file)
index 0000000..2bf2f64
--- /dev/null
@@ -0,0 +1,92 @@
+# server.pp
+
+define openvpn::server($country, $province, $city, $organization, $email) {
+    include openvpn
+
+    file {
+        "/etc/openvpn/${name}":
+            ensure => directory,
+            require => Package["openvpn"];
+    }
+    file {
+        "/etc/openvpn/${name}/client-configs":
+            ensure => directory,
+            require => File["/etc/openvpn/${name}"];
+        "/etc/openvpn/${name}/download-configs":
+            ensure => directory,
+            require => File["/etc/openvpn/${name}"];
+    }
+
+    exec {
+        "copy easy-rsa to openvpn config folder ${name}":
+            command => "cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/${name}/easy-rsa",
+            creates => "/etc/openvpn/${name}/easy-rsa",
+            require => File["/etc/openvpn/${name}"];
+    }
+    file {
+        "/etc/openvpn/${name}/easy-rsa/vars":
+            ensure  => present,
+            content => template("openvpn/vars.erb"),
+            require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+    }
+    
+    exec {
+        "generate dh param ${name}":
+            command  => ". ./vars && ./clean-all && ./build-dh",
+            cwd      => "/etc/openvpn/${name}/easy-rsa",
+            creates  => "/etc/openvpn/${name}/easy-rsa/keys/dh1024.pem",
+            provider => "shell",
+            require  => File["/etc/openvpn/${name}/easy-rsa/vars"];
+        
+        "initca ${name}":
+            command  => ". ./vars && ./pkitool --initca",
+            cwd      => "/etc/openvpn/${name}/easy-rsa",
+            creates  => "/etc/openvpn/${name}/easy-rsa/keys/ca.key",
+            provider => "shell",
+            require  => Exec["generate dh param ${name}"];
+        
+        "generate server cert ${name}":
+            command  => ". ./vars && ./pkitool --server server",
+            cwd      => "/etc/openvpn/${name}/easy-rsa",
+            creates  => "/etc/openvpn/${name}/easy-rsa/keys/server.key",
+            provider => "shell",
+            require  => Exec["initca ${name}"];
+    }
+
+    file {
+        "/etc/openvpn/${name}/keys":
+            ensure  => link,
+            target  => "/etc/openvpn/${name}/easy-rsa/keys",
+            require => Exec["copy easy-rsa to openvpn config folder ${name}"];
+    }
+
+    openvpn::option {
+        "ca ${name}":
+            key     => "ca",
+            value   => "/etc/openvpn/${name}/keys/ca.crt",
+            require => Exec["initca ${name}"],
+            server  => "${name}";
+        "cert ${name}":
+            key     => "cert",
+            value   => "/etc/openvpn/${name}/keys/server.crt",
+            require => Exec["generate server cert ${name}"],
+            server  => "${name}";
+        "key ${name}":
+            key     => "key",
+            value   => "/etc/openvpn/${name}/keys/server.key",
+            require => Exec["generate server cert ${name}"],
+            server  => "${name}";
+        "dh ${name}":
+            key     => "dh",
+            value   => "/etc/openvpn/${name}/keys/dh1024.pem",
+            require => Exec["generate dh param ${name}"],
+            server  => "${name}";
+    }
+    
+    common::concatfilepart {
+        "etc-default-openvpn autostart for ${name}":
+            ensure  => present,
+            content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n",
+            file    => "/etc/default/openvpn";
+    }
+}
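Review bot: The `"generate dh param ${name}"` exec runs `./clean-all && ./build-dh` as one unit guarded only by `creates => .../keys/dh1024.pem`, so if that single file is ever removed (or renamed by a later change to `KEY_SIZE`) on a host whose CA already exists, the next agent run executes `clean-all`, which `rm -rf`s the whole keys directory, destroying `ca.key` and every issued server and client certificate. Splitting the wipe into its own resource guarded by a file that `clean-all` itself creates makes the destructive step idempotent and independent of the DH file: `exec { "clean-all ${name}": command => ". ./vars && ./clean-all", creates => "/etc/openvpn/${name}/easy-rsa/keys/index.txt", ... }` and then `require => Exec["clean-all ${name}"]` on the `build-dh` exec. The `/etc/openvpn/${name}/easy-rsa/keys` directory that ends up holding `ca.key` is only ever created by the copied easy-rsa scripts and never managed here, so its permissions are whatever `cp -r` and the umask produced; a `file` resource with `mode => 0700` on it (after the copy exec) would be the minimal hardening.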
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644 (file)
index 0000000..bab81f2
--- /dev/null
@@ -0,0 +1,4 @@
+# init.pp
+
+import "classes/*.pp"
+import "definitions/*.pp"
diff --git a/templates/etc-default-openvpn.erb b/templates/etc-default-openvpn.erb
new file mode 100644 (file)
index 0000000..310e462
--- /dev/null
@@ -0,0 +1,20 @@
+# This is the configuration file for /etc/init.d/openvpn
+
+#
+# Start only these VPNs automatically via init script.
+# Allowed values are "all", "none" or space separated list of
+# names of the VPNs. If empty, "all" is assumed.
+#
+#AUTOSTART="all"
+#AUTOSTART="none"
+#AUTOSTART="home office"
+#
+# Refresh interval (in seconds) of default status files
+# located in /var/run/openvpn.$NAME.status
+# Defaults to 10, 0 disables status file generation
+#
+#STATUSREFRESH=10
+#STATUSREFRESH=0
+# Optional arguments to openvpn's command line
+OPTARGS=""
+AUTOSTART=""
diff --git a/templates/vars.erb b/templates/vars.erb
new file mode 100644 (file)
index 0000000..de988f4
--- /dev/null
@@ -0,0 +1,69 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="/etc/openvpn/<%= name %>/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="<%= country %>"
+export KEY_PROVINCE="<%= province %>"
+export KEY_CITY="<%= city %>"
+export KEY_ORG="<%= organization %>"
+export KEY_EMAIL="<%= email %>"
+
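Review bot: `export KEY_SIZE=1024` sets both the CA/server/client RSA key size and the DH parameter size to 1024 bits, which was already below the recommended minimum at the time of this commit and should be `export KEY_SIZE=2048`; note that `build-dh` names its output after this value, so the `creates => .../dh1024.pem` guard and the `dh` option value in `server.pp` have to change in step with it. The five `<%= country %>`, `<%= province %>`, `<%= city %>`, `<%= organization %>` and `<%= email %>` values are interpolated into double-quoted shell assignments with no escaping, and this file is sourced with `. ./vars` by the execs in `server.pp` and `client.pp`, so a parameter containing `"`, `$` or a backtick would alter or break the shell environment; since these come from manifest parameters the exposure is to operator error rather than untrusted input, but a comment at the top such as `# These values are sourced by the shell unescaped; do not pass quotes, $ or backticks` documents the constraint until validation is added on the define.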