authormh <mh@immerda.ch>2012-12-31 18:51:06 +0100
committermh <mh@immerda.ch>2012-12-31 18:51:06 +0100
commit492468d87aa6ea31b137fb2361b6bf7da88f3d1d (patch)
treee7c33b8a10bc55cc8a7abce811e19c0bb247333b
parentcf80d8606ff7d4989c8b30550624b9eaa2007e73 (diff)
fully auto remote host configuration
we no longer export only the certificate, but also the config snippet itself, so hosts configure themselves fully with an ipsec configuration.
-rw-r--r--manifests/base.pp19
-rw-r--r--manifests/cert.pp23
-rw-r--r--manifests/init.pp3
-rw-r--r--manifests/remote_host.pp35
-rw-r--r--templates/ipsec.conf.erb2
-rw-r--r--templates/remote_host.erb8
6 files changed, 77 insertions, 13 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 17c219c..05d6d9f 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -25,7 +25,12 @@ class strongswan::base {
content => ": RSA ${::fqdn}.pem\n";
# this is needed because if the glob-include in the config
# doesn't find anything it fails.
- "${strongswan::config_dir}/ipsec.hosts.__dummy__.conf":
+ "${strongswan::config_dir}/hosts":
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true;
+ "${strongswan::config_dir}/hosts/__dummy__.conf":
ensure => 'present';
'/etc/ipsec.conf':
content => template('strongswan/ipsec.conf.erb');
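Review bot: The comment on lines 26-27 explains why `__dummy__.conf` exists, but after this change it sits above the new `hosts` directory resource instead of the dummy file; move it down so it directly precedes `"${strongswan::config_dir}/hosts/__dummy__.conf":`. The directory is declared with `purge`, `force` and `recurse` but no `owner`, `group` or `mode`, while the snippets that `strongswan::remote_host` writes into it are `root`/`0400`; if the directory is meant to be equally restrictive, add e.g. `owner => 'root', group => 0, mode => '0700',` to it. The enclosing `file { ... }` block starts before this hunk.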
@@ -36,12 +41,14 @@ class strongswan::base {
enable => true,
}
- if $::strongswan_cert != 'false' and $::strongswan_cert != '' {
- @@strongswan::cert{$::fqdn:
- cert => $::strongswan_cert,
- tag => 'strongswan_cert'
+ if $strongswan::auto_remote_host and ($::strongswan_cert != 'false') and ($::strongswan_cert != '') {
+ # export
+ @@strongswan::remote_host{$::fqdn:
+ right_cert_content => $::strongswan_cert,
+ right_ip_address => $default_left_ip_address,
+ tag => $::fqdn
}
+ Strongswan::Remote_Host<<| tag != $::fqdn |>>
}
- Strongswan::Cert<<| tag == 'strongswan_cert' |>>
}
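Review bot: `right_ip_address => $default_left_ip_address` on the exported resource is an unqualified reference to a parameter of class `strongswan`, not of `strongswan::base`; it only resolves through dynamic scoping and is undefined under Puppet 3's lexical lookup, so it should read `right_ip_address => $strongswan::default_left_ip_address,`. The collector `Strongswan::Remote_Host<<| tag != $::fqdn |>>` has also moved inside the `if`, so a node with `auto_remote_host` set but an empty or 'false' `$::strongswan_cert` fact neither exports nor collects anything; if that is intended, say so with a comment such as `# nodes without a cert neither export nor import remote hosts`. The class body continues beyond this hunk.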
diff --git a/manifests/cert.pp b/manifests/cert.pp
index 66ed574..d5baf90 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -1,11 +1,24 @@
# manage a cert snippet that we want to include
-define strongswan::cert($cert) {
+define strongswan::cert(
+ $ensure = 'present',
+ $cert = 'absent'
+) {
+ if ($cert == 'absent') and ($ensure == 'present'){
+ fail("You need to pass some \$cert content for ${name} if it should be present")
+ }
+
file{"${strongswan::config_dir}/certs/${name}.asc":
- content => $cert,
+ ensure => $ensure,
require => Package['strongswan'],
notify => Service['ipsec'],
- owner => 'root',
- group => 0,
- mode => '0400';
+ }
+
+ if $ensure == 'present' {
+ File["${strongswan::config_dir}/certs/${name}.asc"]{
+ content => $cert,
+ owner => 'root',
+ group => 0,
+ mode => '0400',
+ }
}
}
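Review bot: The header comment `# manage a cert snippet that we want to include` no longer describes the define now that it takes `$ensure` and uses the string `'absent'` as a sentinel for a missing `$cert`; document both parameters, e.g. `# $ensure: 'present' or 'absent'; $cert: certificate content, required when present`. The `fail()` guard only fires for `$ensure == 'present'`, so any other value of `$ensure` (a typo, say) silently produces a file resource with no content; if stdlib is available, a `validate_re($ensure, '^(present|absent)$')` before the `file` resource would pin the accepted values.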
diff --git a/manifests/init.pp b/manifests/init.pp
index e46b9a3..3b67f58 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -4,7 +4,8 @@ class strongswan(
$monkeysphere_publish_key = false,
$ipsec_nat = false,
$default_left_ip_address = $::ipaddress,
- $additional_options = ''
+ $additional_options = '',
+ $auto_remote_host = false
) {
class{'monkeysphere':
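Review bot: `$auto_remote_host = false` is added without any documentation of what it enables; a line such as `# $auto_remote_host: export this node as strongswan::remote_host and collect all other exported hosts` above the parameter list would save readers a trip to base.pp. The parameter list starts before this hunk.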
diff --git a/manifests/remote_host.pp b/manifests/remote_host.pp
new file mode 100644
index 0000000..6521622
--- /dev/null
+++ b/manifests/remote_host.pp
@@ -0,0 +1,35 @@
+# configure a simple remote host
+define strongswan::remote_host(
+ $right_ip_address,
+ $ensure = 'present',
+ $right_id = $name,
+ $right_cert_name = $name,
+ $right_cert_content = 'absent',
+){
+ file{"${strongswan::config_dir}/hosts/${name}.conf":
+ ensure => $ensure,
+ require => Package['strongswan'],
+ notify => Service['ipsec'],
+ }
+
+ if $ensure == 'present' {
+ File["${strongswan::config_dir}/hosts/${name}.conf"]{
+ content => template('strongswan/remote_host.erb'),
+ owner => 'root',
+ group => 0,
+ mode => '0400',
+ }
+ }
+
+ strongswan::cert{$name: }
+ if ($right_cert_content != 'absent') and ($ensure == 'present') {
+ Strongswan::Cert[$name]{
+ ensure => $ensure,
+ cert => $right_cert_content,
+ }
+ } else {
+ Strongswan::Cert[$name]{
+ ensure => 'absent',
+ }
+ }
+}
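Review bot: `$right_ip_address`, `$right_id` and `$right_cert_name` are written verbatim into `hosts/${name}.conf` through `template('strongswan/remote_host.erb')` without any validation, and via the export in base.pp their values originate from other nodes' facts; a value containing whitespace or a newline would change how the included snippet is parsed. Check them before the `file` resource — if stdlib is available, e.g. `validate_re($right_ip_address, '^[0-9a-fA-F.:]+$')` with a similar check on `$right_id` and `$right_cert_name` — or at minimum state the assumption in the header comment. Separately, when `$ensure == 'present'` and `$right_cert_content` is left at `'absent'`, the else branch forces `certs/${name}.asc` absent although the generated conn still refers to `rightcert=${right_cert_name}.asc`, which equals `${name}.asc` by default; that combination looks unintended and deserves a comment or an explicit `fail()`.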
diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb
index ca0daa9..5527c5f 100644
--- a/templates/ipsec.conf.erb
+++ b/templates/ipsec.conf.erb
@@ -20,4 +20,4 @@ conn %default
<%= scope.lookupvar('strongswan::additional_options') %>
<% end -%>
-include <%= scope.lookupvar('strongswan::config_dir') %>/ipsec.hosts.*.conf
+include <%= scope.lookupvar('strongswan::config_dir') %>/hosts/*.conf
diff --git a/templates/remote_host.erb b/templates/remote_host.erb
new file mode 100644
index 0000000..4193506
--- /dev/null
+++ b/templates/remote_host.erb
@@ -0,0 +1,8 @@
+# host <%= name %>
+conn <%= name %>
+ right=<%= right_ip_address %>
+ rightid=@<%= right_id %>
+ rightcert=<%= right_cert_name %>.asc
+ type=transport
+ auto=start
+
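Review bot: The template reads its variables as bare names (`name`, `right_ip_address`, `right_id`, `right_cert_name`), which Puppet 3 reports as deprecated in favour of instance-variable access; use `@name`, `@right_ip_address`, `@right_id` and `@right_cert_name`. The conn sets only the `right*` side plus `type` and `auto`, so the left side appears to be inherited from `conn %default` in ipsec.conf.erb; a comment such as `# left side inherited from conn %default` at the top would make that dependency explicit.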