From 5df60aad95fcff99ef5837577b0a70435e99d1aa Mon Sep 17 00:00:00 2001
From: Justin Lambert
Date: Thu, 10 Jan 2013 20:34:48 -0700
Subject: documentation, refactoring to make the dependency chain easier to follow
---
 manifests/client.pp | 135 +++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 107 insertions(+), 28 deletions(-)
(limited to 'manifests/client.pp')
diff --git a/manifests/client.pp b/manifests/client.pp
index 6abef5e..581eece 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,5 +1,89 @@
-# client.pp
-
+# == Define: openvpn::client
+#
+# This define creates the client certs for a specified openvpn server as well
+# as creating a tarball that can be directly imported into openvpn clients
+#
+#
+# === Parameters
+#
+# [*server*]
+# String. Name of the corresponding openvpn endpoint
+# Required
+#
+# [*compression*]
+# String. Which compression algorithim to use
+# Default: comp-lzo
+# Options: comp-lzo or '' (disable compression)
+#
+# [*dev*]
+# String. Device method
+# Default: tun
+# Options: tun (routed connections), tap (bridged connections)
+#
+# [*mute*]
+# Integer. Set log mute level
+# Default: 20
+#
+# [*mute_replay_warnings*]
+# Boolean. Silence duplicate packet warnings (common on wireless networks)
+# Default: true
+#
+# [*nobind*]
+# Boolean. Whether or not to bind to a specific port number
+# Default: true
+#
+# [*persist_key*]
+# Boolean. Try to retain access to resources that may be unavailable
+# because of privilege downgrades
+# Default: true
+#
+# [*persist_tun*]
+# Boolean. Try to retain access to resources that may be unavailable
+# because of privilege downgrades
+# Default: true
+#
+# [*port*]
+# Integer. The port the openvpn server service is running on
+# Default: 1194
+#
+# [*proto*]
+# String. What IP protocol is being used.
+# Default: tcp
+# Options: tcp or udp
+#
+# [*remote_host*]
+# String. The IP or hostname of the openvpn server service
+# Default: FQDN
+#
+# [*resolv_retry*]
+# Integer/String. How many seconds should the openvpn client try to resolve
+# the server's hostname
+# Default: infinite
+# Options: Integer or infinite
+#
+# [*verb*]
+# Integer. Level of logging verbosity
+# Default: 3
+#
+#
+# === Examples
+#
+# openvpn::client {
+# 'my_user':
+# server => 'contractors',
+# remote_host => 'vpn.mycompany.com'
+# }
+#
+# * Removal:
+# Manual process right now, todo for the future
+#
+#
+# === Authors
+#
+# * Raffael Schmid
+# * John Kinsella
+# * Justin Lambert
+#
 define openvpn::client(
 $server,
 $compression = 'comp-lzo',
@@ -7,7 +91,6 @@ define openvpn::client(
 $mute = '20',
 $mute_replay_warnings = true,
 $nobind = true,
- $ns_cert_type = 'server',
 $persist_key = true,
 $persist_tun = true,
 $port = '1194',
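Review bot: The new header documents `mute`, `port` and `verb` as Integer, but the defaults visible in the parameter list are quoted strings (`$mute = '20'`, `$port = '1194'`, `$verb = '3'`), so anyone who later adds type validation from these docs would reject the module's own defaults; either document them as String or note that the value is written into the config as text. The `remote_host` entry says "Default: FQDN" and `proto` says "Default: tcp", neither of which is visible in this hunk, so they are worth checking against the actual parameter defaults. Minor: `algorithim` in the `compression` entry should read `algorithm`. The define's parameter list continues past the hunk.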
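Review bot: Dropping `$ns_cert_type = 'server'` from the parameter list is an interface break that the commit message and the new header do not mention: any existing `openvpn::client` declaration passing `ns_cert_type =>` now fails catalog compilation with an invalid-parameter error. More important, this parameter presumably fed the `ns-cert-type server` line of the client config template, which is the check that prevents a peer holding an ordinary client certificate from the same CA from being accepted as the server; the template is not part of this diff, so confirm it still emits `ns-cert-type server` (or `remote-cert-tls server`) unconditionally rather than referencing the now-undefined variable. A short line in the header such as `# ns_cert_type was removed; the client config always sets ns-cert-type server` would record the intent. The parameter list continues outside the hunk.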
@@ -16,41 +99,37 @@ define openvpn::client( $resolv_retry = 'infinite', $verb = '3', ) { + + Openvpn::Server[$server] -> + Openvpn::Client[$name] + exec { "generate certificate for ${name} in context of ${server}": command => ". ./vars && ./pkitool ${name}", cwd => "/etc/openvpn/${server}/easy-rsa", creates => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - provider => 'shell', - require => Exec["generate server cert ${server}"]; + provider => 'shell'; } file { - "/etc/openvpn/${server}/download-configs/${name}": - ensure => directory, - require => File["/etc/openvpn/${server}/download-configs"]; - - "/etc/openvpn/${server}/download-configs/${name}/keys": - ensure => directory, - require => File["/etc/openvpn/${server}/download-configs/${name}"]; + [ "/etc/openvpn/${server}/download-configs/${name}", + "/etc/openvpn/${server}/download-configs/${name}/keys"]: + ensure => directory; "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - require => [ Exec["generate certificate for ${name} in context of ${server}"], - File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + require => Exec["generate certificate for ${name} in context of ${server}"]; "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", - require => [ Exec["generate certificate for ${name} in context of ${server}"], - File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + require => Exec["generate certificate for ${name} in context of ${server}"]; "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", - require => [ Exec["generate certificate for ${name} in context of ${server}"], - File["/etc/openvpn/${server}/download-configs/${name}/keys"] ]; + require => Exec["generate certificate for ${name} in context of 
${server}"]; "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": owner => root, @@ -60,16 +139,16 @@ define openvpn::client( notify => Exec["tar the thing ${server} with ${name}"]; } - concat { - "/etc/openvpn/${server}/client-configs/${name}": - owner => root, - group => root, - mode => 644, - warn => true, - force => true, - notify => Exec["tar the thing ${server} with ${name}"], - require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ]; - } +# concat { +# "/etc/openvpn/${server}/client-configs/${name}": +# owner => root, +# group => root, +# mode => 644, +# warn => true, +# force => true, +# notify => Exec["tar the thing ${server} with ${name}"], +# require => [ File['/etc/openvpn'], File["/etc/openvpn/${server}/download-configs/${name}"] ]; +# } exec { "tar the thing ${server} with ${name}": -- cgit v1.2.3
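Review bot: The new `Openvpn::Server[$server] -> Openvpn::Client[$name]` chain replaces the per-resource `require => Exec["generate server cert ${server}"]`, and a relationship on a defined type only orders the resources declared directly in its body; if the server-cert exec (or the easy-rsa setup it depends on) is declared in a class that `openvpn::server` includes, the chain does not order it before this client's `pkitool` exec, so check where that exec actually lives before relying on the chain alone. The chain also makes an `openvpn::server` declaration in the same catalog mandatory, which is reasonable but deserves a line in the header. Separately, the two directory resources rewritten as an array get `ensure => directory` only while `keys/${name}.key` links the client's private key into that tree, so their permissions depend on the agent's umask; since the commit already restructures them, consider adding `owner => root, group => root, mode => '0700'` (or whatever the download step needs) to the array. The enclosing define starts before this hunk and continues past it.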
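Review bot: The `concat` resource for `/etc/openvpn/${server}/client-configs/${name}` is commented out rather than deleted; the ten `#` lines add nothing that git history does not, and a later reader cannot tell whether they are a pending revert or dead code, so delete them outright. Before doing so, confirm that no `concat::fragment` elsewhere in the module still names that path as its `target`, since that would now fail with a missing-resource error rather than silently doing nothing. The `.conf` file above still notifies `Exec["tar the thing ${server} with ${name}"]`, so the tarball trigger survives the removal. That exec begins on the hunk's last line and its body is outside the hunk.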