From 5ce46c56e0ed95e03c3322f6eba53488a0615207 Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 3 Jan 2013 18:31:05 +0100
Subject: automatically configure a subnet for all listening ips

---
 lib/facter/strongswan_ips.rb | 10 ++++++++++
 manifests/base.pp | 3 ++-
 manifests/init.pp | 1 +
 templates/ipsec.conf.erb | 3 +++
 templates/remote_host.erb | 2 +-
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 lib/facter/strongswan_ips.rb

diff --git a/lib/facter/strongswan_ips.rb b/lib/facter/strongswan_ips.rb
new file mode 100644
index 0000000..7d6f30b
--- /dev/null
+++ b/lib/facter/strongswan_ips.rb
@@ -0,0 +1,10 @@
+Facter.add("strongswan_ips") do
+ setcode do
+ result = nil
+ if bin = ['/usr/sbin/ipsec', '/usr/sbin/strongswan'].find{|f| File.exists?(f) }
+ output = Facter::Util::Resolution.exec("#{bin} statusall | grep -E '^ [0-9a-f]'").split("\n").collect(&:strip)
+ result = output.join(',') unless output.empty?
+ end
+ result
+ end
+end
diff --git a/manifests/base.pp b/manifests/base.pp
index 982b3f1..ce0f255 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -45,7 +45,8 @@ class strongswan::base {
 # export
 @@strongswan::remote_host{$::fqdn:
 right_cert_content => $::strongswan_cert,
- right_ip_address => $default_left_ip_address,
+ right_ip_address => $strongswan::default_left_ip_address,
+ right_subnet => $strongswan::default_left_subnet,
 tag => $::fqdn
 }
 #Strongswan::Remote_Host<<| tag == 'auto' and tag != $::fqdn |>>
diff --git a/manifests/init.pp b/manifests/init.pp
index 06d5250..5458ed8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -5,6 +5,7 @@ class strongswan(
 $monkeysphere_publish_key = false,
 $ipsec_nat = false,
 $default_left_ip_address = $::ipaddress,
+ $default_left_subnet = reject(split($::strongswan_ips,','),$::ipaddress),
 $additional_options = '',
 $auto_remote_host = false
 ) {
diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb
index ddaf842..44225d3 100644
--- a/templates/ipsec.conf.erb
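Review bot: `Facter::Util::Resolution.exec(...)` on the fifth added line of lib/facter/strongswan_ips.rb returns nil when the pipeline produces no output (grep with no match exits non-zero and Facter maps empty output to nil), so `.split("\n")` raises NoMethodError whenever the daemon is installed but lists no addresses; as far as I recall Facter then logs a resolution warning on every run instead of quietly leaving the fact unset. Coerce before splitting: `output = Facter::Util::Resolution.exec("#{bin} statusall | grep -E '^ [0-9a-f]'").to_s.split("\n").collect(&:strip)`. On the fourth added line `File.exists?` is the deprecated alias; `File.exist?` is the supported name. The `'^ [0-9a-f]'` filter selects on indentation and first character only, so any other indented `statusall` line beginning with a digit or a–f would be collected as an address as well; restricting the match to the lines under the `Listening IP addresses:` heading would be more robust, though the exact output layout cannot be confirmed from this patch.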
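Review bot: The new `$default_left_subnet` default in manifests/init.pp removes `$::ipaddress` from the fact's list rather than the value of `$default_left_ip_address` declared one line above, so a caller that overrides the left address ends up with that address inside `leftsubnet` while an unrelated interface address is dropped; if parameter defaults cannot refer to earlier parameters in the targeted Puppet version, derive the list in the class body from `$default_left_ip_address` instead. The `strongswan_ips` fact only resolves once an `ipsec`/`strongswan` binary is installed and reports listening addresses, so on the first run `$::strongswan_ips` is undef and `split` receives nothing — an empty list at best, an evaluation error in Puppet versions that do not coerce undef to a string — and the subnet line only converges on a later run; a guard along the lines of `$default_left_subnet = $::strongswan_ips ? { undef => [], default => reject(split($::strongswan_ips,','),$::ipaddress) }` makes that intent explicit. `reject` comes from puppetlabs-stdlib; the module should declare that dependency if it does not already.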
+++ b/templates/ipsec.conf.erb
@@ -15,6 +15,9 @@ conn %default
 left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>
 leftcert=<%= scope.lookupvar('::fqdn') %>.asc
 leftid=@<%= scope.lookupvar('::fqdn') %>
+<% unless (subn=scope.lookupvar('strongswan::default_left_subnet')).empty? -%>
+ leftsubnet=<%= subn.collect{|s| s.include?('/') ? s : (s.include?(':') ? "#{s}/128" : "#{s}/32" ) }.join(',') %>
+<% end -%>
 <% unless scope.lookupvar('strongswan::additional_options').empty? -%>
 <%= scope.lookupvar('strongswan::additional_options') %>
diff --git a/templates/remote_host.erb b/templates/remote_host.erb
index 5a22ca9..a05378c 100644
--- a/templates/remote_host.erb
+++ b/templates/remote_host.erb
@@ -4,7 +4,7 @@ conn <%= name %>
 rightid=@<%= right_id %>
 rightcert=<%= right_cert_name %>.asc
 <% unless right_subnet.empty? -%>
- rightsubnet=<%= right_subnet.join(',') %>
+ rightsubnet=<%= right_subnet.collect{|s| s.include?('/') ? s : (s.include?(':') ? "#{s}/128" : "#{s}/32" ) }.join(',') %>
 <% end -%>
 type=transport
 auto=start
-- 
cgit v1.2.3
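Review bot: The CIDR-suffix expression on the added `leftsubnet` line of templates/ipsec.conf.erb is duplicated character for character on the `rightsubnet` line of templates/remote_host.erb in the last hunk; the two copies will drift, so normalise the list once — in the manifest or a small parser function — and let both templates do only `join(',')`. `(subn=scope.lookupvar('strongswan::default_left_subnet')).empty?` assumes the lookup yields an Array; when the fact is absent on a first run, some Puppet versions hand back `:undefined` or an empty string here and `:undefined.empty?` raises, so this is worth confirming against the Puppet version in use or guarding where the parameter is derived. Classifying by `include?(':')` also assigns /128 to zone-qualified or link-local IPv6 entries, which only matters if the `strongswan_ips` fact can contain such addresses — something this patch does not show.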