-rw-r--r-- | manifests/base.pp | 41 | ||||
-rw-r--r-- | manifests/cert.pp | 4 | ||||
-rw-r--r-- | manifests/init.pp | 34 | ||||
-rw-r--r-- | manifests/remote_host.pp | 4 | ||||
-rw-r--r-- | templates/ipsec.conf.erb | 4 | ||||
-rw-r--r-- | templates/remote_host.erb | 2 |
6 files changed, 56 insertions, 33 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index e6595a0..e0f3d18 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,17 +1,30 @@
 # manage strongswan services
 class strongswan::base {
-  package{'strongswan':
-    ensure => installed,
-    require => Package['monkeysphere','gnutls-utils'];
-  } -> exec{
-    'ipsec_privatekey':
-    command => "certtool --generate-privkey --bits 2048 --outfile ${strongswan::cert_dir}/private/${::fqdn}.pem",
-    creates => "${strongswan::cert_dir}/private/${::fqdn}.pem";
-  } -> exec{'ipsec_monkeysphere_cert':
-    command => "monkeysphere-host import-key ${strongswan::cert_dir}/private/${::fqdn}.pem ike://${::fqdn} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${::fqdn} > ${strongswan::cert_dir}/certs/${::fqdn}.asc",
-    creates => "${strongswan::cert_dir}/certs/${::fqdn}.asc",
-  } -> anchor{'strongswan::certs::done': }
+  package { 'strongswan':
+    ensure => installed,
+  } ->
+
+  exec { 'ipsec_privatekey':
+    command => "certtool --generate-privkey --bits 2048 --outfile ${strongswan::cert_dir}/private/${strongswan::custom_hostname}.pem",
+    creates => "${strongswan::cert_dir}/private/${strongswan::custom_hostname}.pem";
+  } ->
+
+  anchor{'strongswan::certs::done': }
+
+  if $use_monkeysphere {
+
+    Package['strongswan'] {
+      require => Package['monkeysphere','gnutls-utils'],
+    }
+
+    exec { 'ipsec_monkeysphere_cert':
+      command => "monkeysphere-host import-key ${strongswan::cert_dir}/private/${strongswan::custom_hostname}.pem ike://${strongswan::custom_hostname} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${strongswan::custom_hostname} > ${strongswan::cert_dir}/certs/${strongswan::custom_hostname}.asc",
+      creates => "${strongswan::cert_dir}/certs/${strongswan::custom_hostname}.asc",
+      require => Exec['ipsec_privatekey'],
+      before => Anchor['strongswan::certs::done'],
+    }
+  }
   File {
     require => Package['strongswan'],
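Review bot: `if $use_monkeysphere {` reads the variable unqualified inside strongswan::base, while every other reference in this hunk is qualified (`$strongswan::cert_dir`, `$strongswan::custom_hostname`); unless the module relies on dynamic scoping, this resolves to undef, the block is skipped, and `Package['strongswan']` never gains the `monkeysphere`/`gnutls-utils` requirement even when the feature is turned on. Change it to `if $strongswan::use_monkeysphere {`. Separately, both exec commands are shell pipelines (`&&`, `>`) with `${strongswan::custom_hostname}` interpolated unquoted; that value was a fact before and is now a free-form class parameter, so a value containing whitespace or shell metacharacters changes the command that runs — validate it against a hostname pattern where the parameter is declared. The unconditional `exec { 'ipsec_privatekey': }` still needs `certtool`, but the dependency on `Package['gnutls-utils']` is now only added inside the monkeysphere branch. strongswan::base continues past the hunk.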
@@ -24,7 +37,7 @@ class strongswan::base {
   $binary_name = basename($strongswan::binary)
   file{ '/etc/ipsec.secrets':
-    content => ": RSA ${::fqdn}.pem\n";
+    content => ": RSA ${strongswan::custom_hostname}.pem\n";
     # this is needed because if the glob-include in the config
     # doesn't find anything it fails.
     "${strongswan::config_dir}/hosts":
@@ -35,7 +48,7 @@ class strongswan::base {
     "${strongswan::config_dir}/hosts/__dummy__.conf":
       ensure => 'present';
     '/etc/ipsec.conf':
-      content => template('strongswan/ipsec.conf.erb');
+      content => template($strongswan::ipsec_conf_template);
     "/usr/local/sbin/${binary_name}_connected_hosts":
       content => "#!/bin/bash\n${strongswan::binary} status | grep INSTALLED | awk -F\\{ '{ print \$1 }'\n",
       notify => undef,
@@ -50,7 +63,7 @@ class strongswan::base {
       mode => '0500';
   }
-  service{'ipsec':
+  service { 'ipsec':
     ensure => running,
     enable => true,
   }
diff --git a/manifests/cert.pp b/manifests/cert.pp
index ae7e5ef..6b9f685 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -1,5 +1,5 @@
 # manage a cert snippet that we want to include
-define strongswan::cert(
+define strongswan::cert (
   $ensure = 'present',
   $cert = 'absent'
 ) {
@@ -7,7 +7,7 @@ define strongswan::cert(
     fail("You need to pass some \$cert content for ${name} if it should be present")
   }
-  file{"${strongswan::cert_dir}/certs/${name}.asc":
+  file { "${strongswan::cert_dir}/certs/${name}.asc":
     ensure => $ensure,
     require => Package['strongswan'],
     notify => Service['ipsec'],
diff --git a/manifests/init.pp b/manifests/init.pp
index 88cf48c..53e84bb 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,17 +2,27 @@ class strongswan(
   $manage_shorewall = false,
   $shorewall_source = 'net',
+  $use_monkeysphere = false,
   $monkeysphere_publish_key = false,
   $ipsec_nat = false,
   $default_left_ip_address = $::ipaddress,
   $default_left_subnet = reject(split($::strongswan_ips,','),$::ipaddress),
   $additional_options = '',
-  $auto_remote_host = false
+  $auto_remote_host = false,
+  $ipsec_conf_template = 'strongswan/ipsec.conf.erb',
+  $custom_hostname = $::fqdn
 ) {
-  class{'monkeysphere':
-    publish_key => $monkeysphere_publish_key
-  } -> class{'certtool': }
+  if $use_monkeysphere != false {
+    class { 'monkeysphere':
+      publish_key => $monkeysphere_publish_key
+    } -> class { 'certtool': }
+
+    $require_monkeysphere = $use_monkeysphere ? {
+      true => Class['monkeysphere'],
+      false => ''
+    }
+  }
   case $::operatingsystem {
     centos: {
@@ -22,16 +32,16 @@ class strongswan(
       $cert_dir = '/etc/ipsec.d'
       $binary = '/usr/sbin/ipsec'
-      class{'strongswan::centos::five':
-        require => Class['monkeysphere'],
+      class { 'strongswan::centos::five':
+        require => $require_monkeysphere
       }
     }
     default: {
       $config_dir = '/etc/strongswan'
       $cert_dir = '/etc/strongswan/ipsec.d'
       $binary = '/usr/sbin/strongswan'
-      class{'strongswan::centos::six':
-        require => Class['monkeysphere'],
+      class { 'strongswan::centos::six':
+        require => $require_monkeysphere
       }
     }
   }
@@ -40,15 +50,15 @@ class strongswan(
     $config_dir = '/etc/ipsec.d'
     $cert_dir = '/etc/ipsec.d'
     $binary = '/usr/sbin/ipsec'
-    class{'strongswan::base':
-      require => Class['monkeysphere'],
+    class { 'strongswan::base':
+      require => $require_monkeysphere
     }
   }
   if $auto_remote_host and ($::strongswan_cert != 'false') and ($::strongswan_cert != '') {
     # export myself
-    @@strongswan::remote_host{$::fqdn:
+    @@strongswan::remote_host { $strongswan::custom_hostname:
       right_cert_content => $::strongswan_cert,
       right_ip_address => $strongswan::default_left_ip_address,
       right_subnet => $strongswan::default_left_subnet,
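Review bot: With the new default `$use_monkeysphere = false`, `class { 'certtool': }` is no longer declared, yet base.pp's `ipsec_privatekey` exec still runs `certtool` unconditionally, so a default catalog can fail at key generation; the certtool declaration (and the `gnutls-utils` requirement) should stay outside the `if`. Inside `if $use_monkeysphere != false { ... }` the selector's `false => ''` arm is unreachable, and any truthy value other than the literal `true` (for example the string `'true'` from an ENC) matches no arm and aborts compilation; `$require_monkeysphere = Class['monkeysphere']` expresses the same thing without that edge. When the `if` is skipped, `$require_monkeysphere` is undef, which the three `require => $require_monkeysphere` sites in the later hunks should tolerate, but a comment such as `# undef when monkeysphere is disabled; require => undef is a no-op` next to the assignment would make that intent explicit. class strongswan continues past the hunk.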
@@ -60,7 +70,7 @@ class strongswan(
   }
   if $manage_shorewall {
-    shorewall::rules::ipsec{
+    shorewall::rules::ipsec {
       $strongswan::shorewall_source:
     }
     if $ipsec_nat {
diff --git a/manifests/remote_host.pp b/manifests/remote_host.pp
index f61b7fd..ca0c71d 100644
--- a/manifests/remote_host.pp
+++ b/manifests/remote_host.pp
@@ -10,7 +10,7 @@ define strongswan::remote_host(
   $right_cert_name = $name,
   $right_cert_content = 'absent'
 ){
-  file{"${strongswan::config_dir}/hosts/${name}.conf":
+  file { "${strongswan::config_dir}/hosts/${name}.conf":
     ensure => $ensure,
     require => Package['strongswan'],
     notify => Service['ipsec'],
@@ -26,7 +26,7 @@ define strongswan::remote_host(
   }
   if $right_cert_content != 'unmanaged' {
-    strongswan::cert{$right_cert_name: }
+    strongswan::cert { $right_cert_name: }
     if ($right_cert_content != 'absent') and ($ensure == 'present') {
       Strongswan::Cert[$right_cert_name]{
         ensure => $ensure,
diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb
index 44225d3..6912c16 100644
--- a/templates/ipsec.conf.erb
+++ b/templates/ipsec.conf.erb
@@ -13,8 +13,8 @@ conn %default
   rightsendcert=never
   leftsendcert=never
   left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>
-  leftcert=<%= scope.lookupvar('::fqdn') %>.asc
-  leftid=@<%= scope.lookupvar('::fqdn') %>
+  leftcert=<%= scope.lookupvar('strongswan::custom_hostname') %>.asc
+  leftid=@<%= scope.lookupvar('strongswan::custom_hostname') %>
 <% unless (subn=scope.lookupvar('strongswan::default_left_subnet')).empty? -%>
   leftsubnet=<%= subn.collect{|s| s.include?('/') ? s : (s.include?(':') ? "#{s}/128" : "#{s}/32" ) }.join(',') %>
 <% end -%>
diff --git a/templates/remote_host.erb b/templates/remote_host.erb
index dbe3945..207e25b 100644
--- a/templates/remote_host.erb
+++ b/templates/remote_host.erb
@@ -1,5 +1,5 @@
 # host <%= name %>
-<% if !(right_id =~ /#{scope.lookupvar('::fqdn')}/) -%>
+<% if !(right_id =~ /#{scope.lookupvar('strongswan::custom_hostname')}/) -%>
 conn <%= name %>
 <% if left_ip_address != 'absent' -%>
   left=<%= left_ip_address %>
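Review bot: The hostname is interpolated straight into a Ruby regex literal, `right_id =~ /#{scope.lookupvar('strongswan::custom_hostname')}/`, without escaping or anchoring, so `.` matches any character and a `custom_hostname` containing regex metacharacters (a `+`, an unbalanced `(`) either over-matches or raises when the template is evaluated; because a match suppresses the `conn` stanza, an over-broad pattern silently drops other hosts' connections. The pre-image had the same shape with `::fqdn`, but the value is now a free-form class parameter rather than a fact. Use `right_id =~ /#{Regexp.escape(scope.lookupvar('strongswan::custom_hostname'))}/`, or an exact string comparison if right_id is known to be `@` followed by the hostname.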