-rw-r--r--manifests/base.pp33
-rw-r--r--manifests/cert.pp4
-rw-r--r--manifests/init.pp30
-rw-r--r--manifests/remote_host.pp4
4 files changed, 44 insertions, 27 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 1a0b4bf..6f28d12 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,17 +1,26 @@
# manage strongswan services
class strongswan::base {
- package{'strongswan':
- ensure => installed,
- require => Package['monkeysphere','gnutls-utils'];
- } -> exec{
- 'ipsec_privatekey':
- command => "certtool --generate-privkey --bits 2048 --outfile ${strongswan::cert_dir}/private/${::fqdn}.pem",
- creates => "${strongswan::cert_dir}/private/${::fqdn}.pem";
- } -> exec{'ipsec_monkeysphere_cert':
- command => "monkeysphere-host import-key ${strongswan::cert_dir}/private/${::fqdn}.pem ike://${::fqdn} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${::fqdn} > ${strongswan::cert_dir}/certs/${::fqdn}.asc",
- creates => "${strongswan::cert_dir}/certs/${::fqdn}.asc",
- } -> anchor{'strongswan::certs::done': }
+ if $use_monkeysphere {
+ package { 'strongswan':
+ ensure => installed,
+ require => Package['monkeysphere','gnutls-utils'],
+ } ->
+
+ exec { 'ipsec_privatekey':
+ command => "certtool --generate-privkey --bits 2048 --outfile ${strongswan::cert_dir}/private/${::fqdn}.pem",
+ creates => "${strongswan::cert_dir}/private/${::fqdn}.pem";
+ } ->
+
+ exec { 'ipsec_monkeysphere_cert':
+ command => "monkeysphere-host import-key ${strongswan::cert_dir}/private/${::fqdn}.pem ike://${::fqdn} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${::fqdn} > ${strongswan::cert_dir}/certs/${::fqdn}.asc",
+ creates => "${strongswan::cert_dir}/certs/${::fqdn}.asc",
+ } -> anchor{'strongswan::certs::done': }
+ } else {
+ package { 'strongswan':
+ ensure => installed,
+ }
+ }
File {
require => Package['strongswan'],
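Review bot: The new `if $use_monkeysphere {` at the top of `strongswan::base` tests an unqualified variable, but `$use_monkeysphere` is a parameter of class `strongswan`, not of this class; the same hunk already reads the sibling parameter as `${strongswan::cert_dir}`, so the condition should be `if $strongswan::use_monkeysphere {`. Relying on dynamic scope (if this Puppet version still has it) means that on newer Puppet the variable resolves to undef, the condition is falsy, and a node that asked for monkeysphere silently ends up with no host private key and no `${::fqdn}.asc` certificate generated while the `ipsec` service is still started. Note also that the else branch declares no `anchor{'strongswan::certs::done': }`; if anything outside this hunk depends on `Anchor['strongswan::certs::done']`, catalogs compiled with monkeysphere disabled will fail, so consider declaring the anchor in both branches. The `File {` defaults block continues outside the hunk.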
@@ -46,7 +55,7 @@ class strongswan::base {
mode => '0500';
}
- service{'ipsec':
+ service { 'ipsec':
ensure => running,
enable => true,
}
diff --git a/manifests/cert.pp b/manifests/cert.pp
index ae7e5ef..6b9f685 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -1,5 +1,5 @@
# manage a cert snippet that we want to include
-define strongswan::cert(
+define strongswan::cert (
$ensure = 'present',
$cert = 'absent'
) {
@@ -7,7 +7,7 @@ define strongswan::cert(
fail("You need to pass some \$cert content for ${name} if it should be present")
}
- file{"${strongswan::cert_dir}/certs/${name}.asc":
+ file { "${strongswan::cert_dir}/certs/${name}.asc":
ensure => $ensure,
require => Package['strongswan'],
notify => Service['ipsec'],
diff --git a/manifests/init.pp b/manifests/init.pp
index 88cf48c..e099166 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,6 +2,7 @@
class strongswan(
$manage_shorewall = false,
$shorewall_source = 'net',
+ $use_monkeysphere = false,
$monkeysphere_publish_key = false,
$ipsec_nat = false,
$default_left_ip_address = $::ipaddress,
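Review bot: The new `$use_monkeysphere` parameter is undocumented, and it changes the meaning of the parameter right below it: `$monkeysphere_publish_key` is now only honoured when monkeysphere is enabled. A one-line comment on the parameter would make that explicit, e.g. `# generate the IKE host key/cert via monkeysphere; $monkeysphere_publish_key only applies when true`. The class header comment is outside the hunk, so it may be the better place if the module documents parameters there.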
@@ -10,9 +11,16 @@ class strongswan(
$auto_remote_host = false
) {
- class{'monkeysphere':
- publish_key => $monkeysphere_publish_key
- } -> class{'certtool': }
+ if $use_monkeysphere != false {
+ class { 'monkeysphere':
+ publish_key => $monkeysphere_publish_key
+ } -> class { 'certtool': }
+
+ $require_monkeysphere = $use_monkeysphere ? {
+ true => Class['monkeysphere'],
+ false => ''
+ }
+ }
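Review bot: The selector `$use_monkeysphere ? { true => Class['monkeysphere'], false => '' }` sits inside `if $use_monkeysphere != false`, so its `false => ''` arm is unreachable, and if it ever were reached `require => ''` would not be a valid relationship target; the selector adds nothing but a latent error. When the condition is false, `$require_monkeysphere` is never assigned at all, so the later `require => $require_monkeysphere` sites only work by resolving to undef (and would fail under strict variable checking). Assigning the variable explicitly in both branches and using a plain truthiness test, consistent with `if $use_monkeysphere` in base.pp, removes both problems:

```puppet
if $use_monkeysphere {
  class { 'monkeysphere':
    publish_key => $monkeysphere_publish_key
  } -> class { 'certtool': }
  $require_monkeysphere = Class['monkeysphere']
} else {
  $require_monkeysphere = undef
}
```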
case $::operatingsystem {
centos: {
@@ -22,16 +30,16 @@ class strongswan(
$cert_dir = '/etc/ipsec.d'
$binary = '/usr/sbin/ipsec'
- class{'strongswan::centos::five':
- require => Class['monkeysphere'],
+ class { 'strongswan::centos::five':
+ require => $require_monkeysphere
}
}
default: {
$config_dir = '/etc/strongswan'
$cert_dir = '/etc/strongswan/ipsec.d'
$binary = '/usr/sbin/strongswan'
- class{'strongswan::centos::six':
- require => Class['monkeysphere'],
+ class { 'strongswan::centos::six':
+ require => $require_monkeysphere
}
}
}
@@ -40,15 +48,15 @@ class strongswan(
$config_dir = '/etc/ipsec.d'
$cert_dir = '/etc/ipsec.d'
$binary = '/usr/sbin/ipsec'
- class{'strongswan::base':
- require => Class['monkeysphere'],
+ class { 'strongswan::base':
+ require => $require_monkeysphere
}
}
}
if $auto_remote_host and ($::strongswan_cert != 'false') and ($::strongswan_cert != '') {
# export myself
- @@strongswan::remote_host{$::fqdn:
+ @@strongswan::remote_host { $::fqdn:
right_cert_content => $::strongswan_cert,
right_ip_address => $strongswan::default_left_ip_address,
right_subnet => $strongswan::default_left_subnet,
@@ -60,7 +68,7 @@ class strongswan(
}
if $manage_shorewall {
- shorewall::rules::ipsec{
+ shorewall::rules::ipsec {
$strongswan::shorewall_source:
}
if $ipsec_nat {
diff --git a/manifests/remote_host.pp b/manifests/remote_host.pp
index f61b7fd..ca0c71d 100644
--- a/manifests/remote_host.pp
+++ b/manifests/remote_host.pp
@@ -10,7 +10,7 @@ define strongswan::remote_host(
$right_cert_name = $name,
$right_cert_content = 'absent'
){
- file{"${strongswan::config_dir}/hosts/${name}.conf":
+ file { "${strongswan::config_dir}/hosts/${name}.conf":
ensure => $ensure,
require => Package['strongswan'],
notify => Service['ipsec'],
@@ -26,7 +26,7 @@ define strongswan::remote_host(
}
if $right_cert_content != 'unmanaged' {
- strongswan::cert{$right_cert_name: }
+ strongswan::cert { $right_cert_name: }
if ($right_cert_content != 'absent') and ($ensure == 'present') {
Strongswan::Cert[$right_cert_name]{
ensure => $ensure,