authormh <mh@immerda.ch>2012-12-31 17:58:22 +0100
committermh <mh@immerda.ch>2012-12-31 17:58:22 +0100
commit690f05e2888bb862ce300125045f1cb21a0f5856 (patch)
tree5a93869e8352b4e8511754b13df90641472dc4f2
parentcc53a58dfa6aef4791bb77b24d40a05f3e621643 (diff)
generate the base config from a template -> include everything else
-rw-r--r--manifests/base.pp26
-rw-r--r--manifests/init.pp9
-rw-r--r--templates/ipsec.conf.erb23
3 files changed, 42 insertions, 16 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 4f72ae6..17c219c 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -12,21 +12,23 @@ class strongswan::base {
creates => "${strongswan::config_dir}/certs/${::fqdn}.asc",
}
+ File {
+ require => Package['strongswan'],
+ notify => Service['ipsec'],
+ owner => 'root',
+ group => 0,
+ mode => '0400',
+ }
+
file{
'/etc/ipsec.secrets':
- content => ": RSA ${::fqdn}.pem\n",
- require => Package['strongswan'],
- notify => Service['ipsec'],
- owner => 'root',
- group => 0,
- mode => '0400';
+ content => ": RSA ${::fqdn}.pem\n";
+ # this is needed because if the glob-include in the config
+ # doesn't find anything it fails.
+ "${strongswan::config_dir}/ipsec.hosts.__dummy__.conf":
+ ensure => 'present';
'/etc/ipsec.conf':
- source => "puppet:///modules/site_strongswan/configs/${::fqdn}",
- require => Package['strongswan'],
- notify => Service['ipsec'],
- owner => 'root',
- group => 0,
- mode => '0400';
+ content => template('strongswan/ipsec.conf.erb');
}
service{'ipsec':
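Review bot: The class-level `File { ... }` default added at the top of the hunk is dynamically scoped in Puppet of this era, so `mode => '0400'`, `owner => 'root'` and `notify => Service['ipsec']` will also apply to every file resource declared in any class or define that strongswan::base itself declares, not just the three files in this block; if that is intended it deserves a comment, otherwise the attributes should stay on the individual resources. The `ipsec.hosts.__dummy__.conf` placeholder is only `ensure => 'present'`, so whatever content that file already has is left unmanaged yet still pulled into ipsec.conf by the glob include; pinning it with `content => "# managed by puppet: keeps the ipsec.hosts.*.conf include non-empty\n";` makes the placeholder inert. The enclosing `file{ ... }` block and the class body continue outside the hunk.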
diff --git a/manifests/init.pp b/manifests/init.pp
index 0ef3818..e46b9a3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,14 +1,16 @@
# manage a strongswan
class strongswan(
- $manage_shorewall = false,
+ $manage_shorewall = false,
$monkeysphere_publish_key = false,
- $ipsec_nat = false
+ $ipsec_nat = false,
+ $default_left_ip_address = $::ipaddress,
+ $additional_options = ''
) {
class{'monkeysphere':
publish_key => $monkeysphere_publish_key
} -> class{'certtool': }
-
+
case $::operatingsystem {
centos: {
case $::lsbmajdistrelease {
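Review bot: The two new parameters are undocumented, and `$additional_options` in particular is spliced verbatim into ipsec.conf by the template, so the header comment `# manage a strongswan` should say what callers may pass; suggested parameter comments: `# default_left_ip_address: address used as left= in conn %default (defaults to Facter's ipaddress, which may not be the IPsec interface on multi-homed hosts)` and `# additional_options: raw ipsec.conf text inserted after the conn %default settings; not validated`. The class body continues past the end of the hunk.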
@@ -39,6 +41,5 @@ class strongswan(
if $ipsec_nat {
include shorewall::rules::ipsec_nat
}
-
}
}
diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb
new file mode 100644
index 0000000..40a04c1
--- /dev/null
+++ b/templates/ipsec.conf.erb
@@ -0,0 +1,23 @@
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ mobike=no
+ keyexchange=ikev2
+ rightsendcert=never
+ leftsendcert=never
+ left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>.asc
+ leftcert=<%= scope.lookupvar('::fqdn') %>.asc
+ leftid=@<%= scope.lookupvar('::fqdn') %>
+
+<% unless scope.lookupvar('strongswan::additional_options').empty? -%>
+<%= scope.lookupvar('strongswan::additional_options') %>
+
+<% end -%>
+include <%= scope.lookupvar('strongswan::config_dir') %>/ipsec.hosts.*.conf
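Review bot: The `left=` line appends `.asc` to the interpolated address, which looks copied from the `leftcert=` line below it and yields an address like `10.0.0.1.asc` that strongswan cannot resolve; it should read `left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>`. Because `additional_options` is emitted at column 0 while the surrounding settings are indented, an unindented option from the caller may be parsed as outside the `conn %default` section rather than inside it, so the comment on the parameter (or a leading space in the template) should state which is intended. `strictcrlpolicy=no` together with `crlcheckinterval=180` means a peer whose CRL cannot be retrieved is still accepted; if that is the intended trade-off a one-line comment in the template saying so would keep the next reader from tightening it by accident.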