Diffstat (limited to 'manifests')
-rw-r--r--manifests/base.pp19
-rw-r--r--manifests/cert.pp23
-rw-r--r--manifests/init.pp3
-rw-r--r--manifests/remote_host.pp35
4 files changed, 68 insertions, 12 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 17c219c..05d6d9f 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -25,7 +25,12 @@ class strongswan::base {
content => ": RSA ${::fqdn}.pem\n";
# this is needed because if the glob-include in the config
# doesn't find anything it fails.
- "${strongswan::config_dir}/ipsec.hosts.__dummy__.conf":
+ "${strongswan::config_dir}/hosts":
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true;
+ "${strongswan::config_dir}/hosts/__dummy__.conf":
ensure => 'present';
'/etc/ipsec.conf':
content => template('strongswan/ipsec.conf.erb');
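Review bot: The explanatory comment about the glob-include now sits above the new `hosts` directory resource rather than the `__dummy__.conf` file it describes, and the directory's `purge => true, force => true, recurse => true` is undocumented even though it deletes any `.conf` dropped into `hosts/` by hand or by another module. Move the existing comment down to the `"${strongswan::config_dir}/hosts/__dummy__.conf":` line and put a one-liner on the directory: `# purged: every file in hosts/ not declared via strongswan::remote_host is removed`. The enclosing `file { ... }` run and the `ipsec.conf.erb` template that presumably globs `hosts/*.conf` start and end outside the hunk, so whether the include path was updated alongside the rename cannot be checked here.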
@@ -36,12 +41,14 @@ class strongswan::base {
enable => true,
}
- if $::strongswan_cert != 'false' and $::strongswan_cert != '' {
- @@strongswan::cert{$::fqdn:
- cert => $::strongswan_cert,
- tag => 'strongswan_cert'
+ if $strongswan::auto_remote_host and ($::strongswan_cert != 'false') and ($::strongswan_cert != '') {
+ # export
+ @@strongswan::remote_host{$::fqdn:
+ right_cert_content => $::strongswan_cert,
+ right_ip_address => $default_left_ip_address,
+ tag => $::fqdn
}
+ Strongswan::Remote_Host<<| tag != $::fqdn |>>
}
- Strongswan::Cert<<| tag == 'strongswan_cert' |>>
}
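Review bot: `right_ip_address => $default_left_ip_address` is an unqualified lookup inside `class strongswan::base`, whose header on the hunk line shows no `inherits strongswan`; the parameter is declared on `class strongswan` (init.pp), so this only resolves via dynamic scoping and would be undef on Puppet 3+, exporting a peer entry with no `right` address. Use `right_ip_address => $strongswan::default_left_ip_address,` explicitly. Also worth a comment at the `@@strongswan::remote_host` export: both the peer identity (`$::fqdn`) and the certificate (`$::strongswan_cert`) are node-reported facts, so any agent with a valid Puppet cert can publish a peer snippet and cert under whatever fqdn it reports, and every other node with `auto_remote_host` realizes it, e.g. `# trusts node-supplied facts: fqdn and cert come from the exporting agent`.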
diff --git a/manifests/cert.pp b/manifests/cert.pp
index 66ed574..d5baf90 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -1,11 +1,24 @@
# manage a cert snippet that we want to include
-define strongswan::cert($cert) {
+define strongswan::cert(
+ $ensure = 'present',
+ $cert = 'absent'
+) {
+ if ($cert == 'absent') and ($ensure == 'present'){
+ fail("You need to pass some \$cert content for ${name} if it should be present")
+ }
+
file{"${strongswan::config_dir}/certs/${name}.asc":
- content => $cert,
+ ensure => $ensure,
require => Package['strongswan'],
notify => Service['ipsec'],
- owner => 'root',
- group => 0,
- mode => '0400';
+ }
+
+ if $ensure == 'present' {
+ File["${strongswan::config_dir}/certs/${name}.asc"]{
+ content => $cert,
+ owner => 'root',
+ group => 0,
+ mode => '0400',
+ }
}
}
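Review bot: `$ensure` is only ever compared against `'present'`, so a value such as `'file'` passes the `$cert` sanity check, creates the file, but skips the `content`/`owner`/`mode => '0400'` override, leaving a cert snippet with default permissions and empty content. Add an explicit guard next to the existing check, e.g. `if ! ($ensure in ['present', 'absent']) { fail("\$ensure for ${name} must be present or absent") }` (the `in` operator needs Puppet 2.6+; use a string compare if the module targets older releases). A short header comment stating that `cert => 'absent'` is a sentinel meaning "no content supplied" would also help, since a caller could read it as a request to remove the file.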
diff --git a/manifests/init.pp b/manifests/init.pp
index e46b9a3..3b67f58 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -4,7 +4,8 @@ class strongswan(
$monkeysphere_publish_key = false,
$ipsec_nat = false,
$default_left_ip_address = $::ipaddress,
- $additional_options = ''
+ $additional_options = '',
+ $auto_remote_host = false
) {
class{'monkeysphere':
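Review bot: The new `$auto_remote_host` parameter has no documentation, and its effect is not obvious from the name: per base.pp it both exports this node's `strongswan_cert` fact as a peer entry and realizes every other exporting node's peer entry from storeconfigs. Add a comment above the parameter, e.g. `# export this host's cert as a strongswan::remote_host and collect every other exported host (requires storeconfigs)`. The class parameter list continues outside the hunk.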
diff --git a/manifests/remote_host.pp b/manifests/remote_host.pp
new file mode 100644
index 0000000..6521622
--- /dev/null
+++ b/manifests/remote_host.pp
@@ -0,0 +1,35 @@
+# configure a simple remote host
+define strongswan::remote_host(
+ $right_ip_address,
+ $ensure = 'present',
+ $right_id = $name,
+ $right_cert_name = $name,
+ $right_cert_content = 'absent',
+){
+ file{"${strongswan::config_dir}/hosts/${name}.conf":
+ ensure => $ensure,
+ require => Package['strongswan'],
+ notify => Service['ipsec'],
+ }
+
+ if $ensure == 'present' {
+ File["${strongswan::config_dir}/hosts/${name}.conf"]{
+ content => template('strongswan/remote_host.erb'),
+ owner => 'root',
+ group => 0,
+ mode => '0400',
+ }
+ }
+
+ strongswan::cert{$name: }
+ if ($right_cert_content != 'absent') and ($ensure == 'present') {
+ Strongswan::Cert[$name]{
+ ensure => $ensure,
+ cert => $right_cert_content,
+ }
+ } else {
+ Strongswan::Cert[$name]{
+ ensure => 'absent',
+ }
+ }
+}
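Review bot: The cert resource is declared and amended as `Strongswan::Cert[$name]` in all three places, while the define also accepts `$right_cert_name` (defaulting to `$name`), which is presumably what `remote_host.erb` uses for `rightcert=`; a caller passing a different `right_cert_name` gets the supplied content written to `${name}.asc` and the connection pointing at a file this define never manages. Replace `$name` with `$right_cert_name` in the `strongswan::cert{...}` declaration and both `Strongswan::Cert[...]` amendments so the file written matches the name referenced. Note also that with `right_cert_content` left at `'absent'` the define ensures the cert file absent, so it cannot be combined with a separately declared `strongswan::cert` of the same name (duplicate declaration) — worth stating in the header comment, e.g. `# the peer cert is always owned by this define: pass right_cert_content or it is removed`.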