-rw-r--r-- | manifests/base.pp | 26 | ||||
-rw-r--r-- | manifests/init.pp | 9 | ||||
-rw-r--r-- | templates/ipsec.conf.erb | 23 |
3 files changed, 42 insertions, 16 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 4f72ae6..17c219c 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -12,21 +12,23 @@ class strongswan::base {
       creates => "${strongswan::config_dir}/certs/${::fqdn}.asc",
   }
 
+  File {
+    require => Package['strongswan'],
+    notify  => Service['ipsec'],
+    owner   => 'root',
+    group   => 0,
+    mode    => '0400',
+  }
+
   file{
     '/etc/ipsec.secrets':
-      content => ": RSA ${::fqdn}.pem\n",
-      require => Package['strongswan'],
-      notify  => Service['ipsec'],
-      owner   => 'root',
-      group   => 0,
-      mode    => '0400';
+      content => ": RSA ${::fqdn}.pem\n";
+    # this is needed because if the glob-include in the config
+    # doesn't find anything it fails.
+    "${strongswan::config_dir}/ipsec.hosts.__dummy__.conf":
+      ensure => 'present';
     '/etc/ipsec.conf':
-      source  => "puppet:///modules/site_strongswan/configs/${::fqdn}",
-      require => Package['strongswan'],
-      notify  => Service['ipsec'],
-      owner   => 'root',
-      group   => 0,
-      mode    => '0400';
+      content => template('strongswan/ipsec.conf.erb');
   }
 
   service{'ipsec':
diff --git a/manifests/init.pp b/manifests/init.pp
index 0ef3818..e46b9a3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,14 +1,16 @@
 # manage a strongswan
 class strongswan(
-  $manage_shorewall = false,
+  $manage_shorewall         = false,
   $monkeysphere_publish_key = false,
-  $ipsec_nat = false
+  $ipsec_nat                = false,
+  $default_left_ip_address  = $::ipaddress,
+  $additional_options       = ''
 ) {
   class{'monkeysphere':
     publish_key => $monkeysphere_publish_key
   } -> class{'certtool': }
-
+
   case $::operatingsystem {
     centos: {
       case $::lsbmajdistrelease {
@@ -39,6 +41,5 @@ class strongswan(
   if $ipsec_nat {
     include shorewall::rules::ipsec_nat
   }
-
 }
diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb
new file mode 100644
index 0000000..40a04c1
--- /dev/null
+++ b/templates/ipsec.conf.erb
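Review bot: The new `File { ... }` resource default at the top of the base.pp hunk is not limited to the three entries in the `file{}` block below it; Puppet resource defaults are dynamically scoped, so every `file` resource evaluated from within `strongswan::base` (whose body continues past the hunk, starting with `service{'ipsec':`) picks up `mode => '0400'`, `owner => 'root'` and `notify => Service['ipsec']`, which would include any class declared further down. If that is intended, say so next to the block, e.g. `# resource default: every file resource evaluated in this class's (dynamic) scope inherits these attributes and restarts ipsec`. The dummy `ipsec.hosts.__dummy__.conf` is also created with `ensure => 'present'` and no `content`, so an operator editing it by hand would have the edit silently preserved; `content => ''` would make it clearly a placeholder and enforce emptiness.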
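Review bot: The two parameters added in the init.pp hunk, `$default_left_ip_address` and `$additional_options`, are undocumented; the only class comment is `# manage a strongswan`. `$additional_options` is rendered verbatim into `/etc/ipsec.conf` by `templates/ipsec.conf.erb`, so the header should state what it accepts, e.g. `# $additional_options: raw ipsec.conf text inserted after the conn %default parameters; no validation is performed`. `$::ipaddress` is whichever address facter reports as primary, which on a multi-homed host is not necessarily the interface the tunnel should bind to, so a note such as `# $default_left_ip_address: address used for left= in conn %default (defaults to facter's primary address)` would help callers decide when to override it.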
@@ -0,0 +1,23 @@
+config setup
+  crlcheckinterval=180
+  strictcrlpolicy=no
+  plutostart=no
+
+conn %default
+  ikelifetime=60m
+  keylife=20m
+  rekeymargin=3m
+  keyingtries=1
+  mobike=no
+  keyexchange=ikev2
+  rightsendcert=never
+  leftsendcert=never
+  left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>.asc
+  leftcert=<%= scope.lookupvar('::fqdn') %>.asc
+  leftid=@<%= scope.lookupvar('::fqdn') %>
+
+<% unless scope.lookupvar('strongswan::additional_options').empty? -%>
+<%= scope.lookupvar('strongswan::additional_options') %>
+
+<% end -%>
+include <%= scope.lookupvar('strongswan::config_dir') %>/ipsec.hosts.*.conf
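Review bot: `left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>.asc` appends `.asc` to an IP address, which looks like a copy of the `leftcert` line directly below it; strongSwan expects `left` to be an address or hostname, so every connection would inherit an unusable value from `conn %default`. The line should read `left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>`. `strictcrlpolicy=no` next to `crlcheckinterval=180` means a peer certificate is still accepted when no current CRL can be obtained; if that trade-off is deliberate, a comment such as `# strictcrlpolicy=no: peers are accepted even when the CRL cannot be fetched` documents it for whoever hardens this later. The verbatim `additional_options` block is emitted while `conn %default` is still the open section, so (as far as I read the ipsec.conf format) indented lines there become %default parameters and only column-0 lines start a new section; a one-line comment in the template stating that expectation would prevent surprises.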