From 492468d87aa6ea31b137fb2361b6bf7da88f3d1d Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 31 Dec 2012 18:51:06 +0100 Subject: fully auto remote host configuration we do not only export the certificate, but also the config snippet itself so hosts configure themself fully with an ipsec configuration. --- manifests/base.pp | 19 +++++++++++++------ manifests/cert.pp | 23 ++++++++++++++++++----- manifests/init.pp | 3 ++- manifests/remote_host.pp | 35 +++++++++++++++++++++++++++++++++++ templates/ipsec.conf.erb | 2 +- templates/remote_host.erb | 8 ++++++++ 6 files changed, 77 insertions(+), 13 deletions(-) create mode 100644 manifests/remote_host.pp create mode 100644 templates/remote_host.erb diff --git a/manifests/base.pp b/manifests/base.pp index 17c219c..05d6d9f 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -25,7 +25,12 @@ class strongswan::base { content => ": RSA ${::fqdn}.pem\n"; # this is needed because if the glob-include in the config # doesn't find anything it fails. - "${strongswan::config_dir}/ipsec.hosts.__dummy__.conf": + "${strongswan::config_dir}/hosts": + ensure => directory, + purge => true, + force => true, + recurse => true; + "${strongswan::config_dir}/hosts/__dummy__.conf": ensure => 'present'; '/etc/ipsec.conf': content => template('strongswan/ipsec.conf.erb'); @@ -36,12 +41,14 @@ class strongswan::base { enable => true, } - if $::strongswan_cert != 'false' and $::strongswan_cert != '' { - @@strongswan::cert{$::fqdn: - cert => $::strongswan_cert, - tag => 'strongswan_cert' + if $strongswan::auto_remote_host and ($::strongswan_cert != 'false') and ($::strongswan_cert != '') { + # export + @@strongswan::remote_host{$::fqdn: + right_cert_content => $::strongswan_cert, + right_ip_address => $default_left_ip_address, + tag => $::fqdn } + Strongswan::Remote_Host<<| tag != $::fqdn |>> } - Strongswan::Cert<<| tag == 'strongswan_cert' |>> } diff --git a/manifests/cert.pp b/manifests/cert.pp index 66ed574..d5baf90 100644 --- a/manifests/cert.pp 
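Review bot: The comment `# this is needed because if the glob-include in the config doesn't find anything it fails.` now sits above the new `hosts` directory resource, while the thing it explains is `hosts/__dummy__.conf` five lines further down; move the comment directly above the `__dummy__.conf` title. The directory is declared with `purge`, `force` and `recurse` but without `owner`/`group`, whereas the snippets written into it (manifests/remote_host.pp) are `root`, `0400`; adding `owner => 'root', group => 0,` keeps a pre-existing directory with other ownership from being left as-is. Since `purge` deletes every unmanaged file in the include directory, which looks intended here, that is worth a word in the same comment. class strongswan::base continues outside the hunk.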
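Review bot: `right_ip_address => $default_left_ip_address` is unqualified while `$strongswan::auto_remote_host` on the line above is fully qualified; inside `class strongswan::base` the bare name only resolves through dynamic scope (unless base inherits strongswan, which the hunk does not show), and on Puppet 3 it comes out undef, so every collecting node fails on the define's mandatory parameter. Write `right_ip_address => $strongswan::default_left_ip_address`. The collector `Strongswan::Remote_Host<<| tag != $::fqdn |>>` realises every exported conn in the fleet, and both the key and the certificate come from facts the exporting agent reports about itself (`$::fqdn`, `$::strongswan_cert`), so the define that consumes them should validate those values; a module tag, `tag => ['strongswan_remote_host', $::fqdn]` collected with `<<| tag == 'strongswan_remote_host' and tag != $::fqdn |>>`, additionally keeps hand-exported remote_host resources with other tags from being swept in.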
+++ b/manifests/cert.pp @@ -1,11 +1,24 @@ # manage a cert snippet that we want to include -define strongswan::cert($cert) { +define strongswan::cert( + $ensure = 'present', + $cert = 'absent' +) { + if ($cert == 'absent') and ($ensure == 'present'){ + fail("You need to pass some \$cert content for ${name} if it should be present") + } + file{"${strongswan::config_dir}/certs/${name}.asc": - content => $cert, + ensure => $ensure, require => Package['strongswan'], notify => Service['ipsec'], - owner => 'root', - group => 0, - mode => '0400'; + } + + if $ensure == 'present' { + File["${strongswan::config_dir}/certs/${name}.asc"]{ + content => $cert, + owner => 'root', + group => 0, + mode => '0400', + } } } diff --git a/manifests/init.pp b/manifests/init.pp index e46b9a3..3b67f58 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -4,7 +4,8 @@ class strongswan( $monkeysphere_publish_key = false, $ipsec_nat = false, $default_left_ip_address = $::ipaddress, - $additional_options = '' + $additional_options = '', + $auto_remote_host = false ) { class{'monkeysphere': diff --git a/manifests/remote_host.pp b/manifests/remote_host.pp new file mode 100644 index 0000000..6521622 --- /dev/null +++ b/manifests/remote_host.pp 
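Review bot: `$ensure` is handed to `file` unchecked, but the `content`/`owner`/`group`/`mode` amendment only fires when it equals exactly `'present'`, so any other value `file` accepts (for example `'file'`) yields a cert file in `certs/` with no content and the default mode; reject it up front with `if $ensure !~ /\A(present|absent)\z/ { fail("strongswan::cert: ensure must be present or absent, got ${ensure} for ${name}") }`. The same gating pattern is used in manifests/remote_host.pp and deserves the same check. The header comment `# manage a cert snippet that we want to include` should also describe the two new parameters, in particular that `$cert` defaults to the sentinel string `'absent'` and is mandatory once `$ensure` is present.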
@@ -0,0 +1,35 @@ +# configure a simple remote host +define strongswan::remote_host( + $right_ip_address, + $ensure = 'present', + $right_id = $name, + $right_cert_name = $name, + $right_cert_content = 'absent', +){ + file{"${strongswan::config_dir}/hosts/${name}.conf": + ensure => $ensure, + require => Package['strongswan'], + notify => Service['ipsec'], + } + + if $ensure == 'present' { + File["${strongswan::config_dir}/hosts/${name}.conf"]{ + content => template('strongswan/remote_host.erb'), + owner => 'root', + group => 0, + mode => '0400', + } + } + + strongswan::cert{$name: } + if ($right_cert_content != 'absent') and ($ensure == 'present') { + Strongswan::Cert[$name]{ + ensure => $ensure, + cert => $right_cert_content, + } + } else { + Strongswan::Cert[$name]{ + ensure => 'absent', + } + } +} diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb index ca0daa9..5527c5f 100644 --- a/templates/ipsec.conf.erb +++ b/templates/ipsec.conf.erb @@ -20,4 +20,4 @@ conn %default <%= scope.lookupvar('strongswan::additional_options') %> <% end -%> -include <%= scope.lookupvar('strongswan::config_dir') %>/ipsec.hosts.*.conf +include <%= scope.lookupvar('strongswan::config_dir') %>/hosts/*.conf diff --git a/templates/remote_host.erb b/templates/remote_host.erb new file mode 100644 index 0000000..4193506 --- /dev/null +++ b/templates/remote_host.erb @@ -0,0 +1,8 @@ +# host <%= name %> +conn <%= name %> + right=<%= right_ip_address %> + rightid=@<%= right_id %> + rightcert=<%= right_cert_name %>.asc + type=transport + auto=start + -- cgit v1.2.3
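Review bot: `$name`, `$right_id`, `$right_cert_name` and `$right_ip_address` are interpolated unvalidated into a root-owned path under `${strongswan::config_dir}/hosts/` and into the generated conn stanza, and when the define is exported from manifests/base.pp they originate from facts the remote agent reports about itself (`$::fqdn`, `$default_left_ip_address`); a whitelist check at the top of the define keeps a single misconfigured or compromised agent from influencing the file path or the stanza contents on every collecting host. Separately, `ensure => $ensure` inside the `if ($right_cert_content != 'absent') and ($ensure == 'present')` branch is always `'present'`, so write the literal. The `else` branch forces `certs/${name}.asc` absent even for a present host that merely passed no content, which rules out pointing `right_cert_name` at a certificate distributed another way; if that is unintended, only ensure the cert absent when `$ensure == 'absent'`.
```puppet
define strongswan::remote_host(
  # … unchanged: parameters …
){
  # The title and ids are agent-reported facts when this define is exported;
  # they end up in a root-owned path and in ipsec.conf, so accept only
  # host-name / address characters.
  if ($name !~ /\A[A-Za-z0-9._-]+\z/) or ($right_id !~ /\A[A-Za-z0-9._-]+\z/) or ($right_cert_name !~ /\A[A-Za-z0-9._-]+\z/) {
    fail("strongswan::remote_host: unsafe name, right_id or right_cert_name for ${name}")
  }
  if $right_ip_address !~ /\A[A-Za-z0-9._:-]+\z/ {
    fail("strongswan::remote_host: unsafe right_ip_address for ${name}")
  }
  # … unchanged: file and cert handling …
```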
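Review bot: `type=transport` and `auto=start` are hard-coded, so every peer collected by manifests/base.pp becomes an always-started transport-mode association with no way to opt a single host into tunnel mode or `auto=add`; expose them as define parameters, e.g. `$conn_type = 'transport'` and `$auto = 'start'` in strongswan::remote_host, rendered as `type=<%= conn_type %>` and `auto=<%= auto %>`. The stanza sets only the right side, so `left`, `leftcert` and the proposals presumably come from `conn %default` in templates/ipsec.conf.erb, of which this patch shows only the tail; a header comment such as `# left side and proposals inherit from conn %default in ipsec.conf` would make that dependency visible to the next reader.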