authoro <o@immerda.ch>2011-04-26 01:17:48 +0200
committero <o@immerda.ch>2011-04-26 01:17:48 +0200
commit8158d6e1479aa5046bc7eecdae2e6a8df4056e38 (patch)
tree9193087f97e59e770afe410e66289707b7976520
parentfd0ccbc3303ecff1630feff3445c9fb5545a4456 (diff)
initial version
-rw-r--r--lib/facter/strongswan_cert.rb5
-rw-r--r--manifests/base.pp55
-rw-r--r--manifests/init.pp9
3 files changed, 69 insertions, 0 deletions
diff --git a/lib/facter/strongswan_cert.rb b/lib/facter/strongswan_cert.rb
new file mode 100644
index 0000000..31e1b35
--- /dev/null
+++ b/lib/facter/strongswan_cert.rb
@@ -0,0 +1,5 @@
+Facter.add("strongswan_cert") do
+ setcode do
+ File.exists?( "/etc/ipsec.d/certs/#{Facter.value(:fqdn)}.asc" ) ? File.read( "/etc/ipsec.d/certs/#{Facter.value(:fqdn)}.asc" ) : false
+ end
+end
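Review bot: `File.exists?` on the setcode line is the deprecated alias of `File.exist?`, and the certificate path is built twice from `Facter.value(:fqdn)`; compute it once, e.g. `path = "/etc/ipsec.d/certs/#{Facter.value(:fqdn)}.asc"` followed by `File.exist?(path) ? File.read(path) : false`. Nothing here guards against the `fqdn` fact being unset, in which case the path collapses to `/etc/ipsec.d/certs/.asc`; returning `false` early when the fact is nil would make that explicit. The value returned is the whole certificate file, and the manifest in this same commit compares it against the string "false", which presumably relies on Facter stringifying the `false` return — worth a comment on the fact so the coupling is visible.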
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..8f9cd7c
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,55 @@
+# manifests/init.pp - module to manage strongswan/ipsec
+
+class strongswan::base {
+
+ require monkeysphere
+ require certtool
+
+ package{ 'strongswan' :
+ ensure => installed,
+ }
+
+ exec{ 'ipsec_privatekey':
+ command => "certtool --generate-privkey --bits 2048 --outfile /etc/ipsec.d/private/${fqdn}",
+ creates => "/etc/ipsec.d/private/${fqdn}.pem",
+ require => Package['strongswan'],
+ }
+
+ exec{ 'ipsec_monkeysphere_cert' :
+ require => Exec['ipsec_privatekey'],
+ creates => "/etc/ipsec.d/certs/${fqdn}.asc",
+ command => "monkeysphere-host import-key /etc/ipsec.d/private/${fqdn}.pem ike://${fqdn}"
+ }
+
+ file{ '/etc/ipsec.secrets' :
+ content => ": RSA ${fqdn}.pem\n",
+ require => Package['strongswan'],
+ owner => "root", group => 0, mode => "400",
+ notify => Service['strongswan'],
+ }
+
+ if $strongswan_cert != "false" and $strongswan_cert != "" {
+ @@file{ "/etc/ipsec.d/certs/${fqdn}.asc":
+ owner => "root", group => 0, mode => "400",
+ tag => 'strongswan_cert',
+ content => $strongswan_cert,
+ require => Package['strongswan'],
+ notify => Service['strongswan'],
+ }
+ }
+
+ File<<| tag == 'strongswan_cert' |>>
+
+ file{ '/etc/ipsec.config' :
+ source => "puppet:///modules/site-strongswan/configs/${fqdn}",
+ owner => "root", group => 0, mode => "400",
+ require => Package['strongswan'],
+ notify => Service['strongswan'],
+ }
+
+ service{ 'strongswan' :
+ ensure => running,
+ enable => true,
+ }
+
+}
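Review bot: The `ipsec_privatekey` exec writes the key to `/etc/ipsec.d/private/${fqdn}` but its `creates` guard checks `/etc/ipsec.d/private/${fqdn}.pem`, so the guard never matches: certtool regenerates and overwrites the private key on every Puppet run, and `ipsec_monkeysphere_cert` then imports a `.pem` path that is never written. Change the command to `command => "certtool --generate-privkey --bits 2048 --outfile /etc/ipsec.d/private/${fqdn}.pem",`. The generated private key also has no `file` resource pinning owner and mode, unlike `/etc/ipsec.secrets` and `/etc/ipsec.config` below; a `file` resource with `mode => "400"` that requires the exec would keep the key's permissions under management. The header comment on the first line names `manifests/init.pp` while this file is `manifests/base.pp`, and `/etc/ipsec.config` looks like it should be strongSwan's `/etc/ipsec.conf` — confirm against the intended layout.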
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..48c4d8e
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,9 @@
+class strongswan {
+
+ include strongswan::base
+
+ if $use_shorewall {
+ include shorewall::rules::ipsec
+ include shorewall::rules::out::ipsec
+ }
+}
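Review bot: `$use_shorewall` is read via top-scope variable lookup with no documentation of where it is expected to be set, and the same holds for `$strongswan_cert` consumed by `strongswan::base`. A header comment on the class, e.g. `# Set $use_shorewall to also manage the shorewall ipsec rules (shorewall::rules::ipsec, shorewall::rules::out::ipsec)`, would make the contract visible to node definitions.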