From 690f05e2888bb862ce300125045f1cb21a0f5856 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 31 Dec 2012 17:58:22 +0100 Subject: generate the base config from a template -> include everything else --- manifests/base.pp | 26 ++++++++++++++------------ manifests/init.pp | 9 +++++---- templates/ipsec.conf.erb | 23 +++++++++++++++++++++++ 3 files changed, 42 insertions(+), 16 deletions(-) create mode 100644 templates/ipsec.conf.erb diff --git a/manifests/base.pp b/manifests/base.pp index 4f72ae6..17c219c 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -12,21 +12,23 @@ class strongswan::base { creates => "${strongswan::config_dir}/certs/${::fqdn}.asc", } + File { + require => Package['strongswan'], + notify => Service['ipsec'], + owner => 'root', + group => 0, + mode => '0400', + } + file{ '/etc/ipsec.secrets': - content => ": RSA ${::fqdn}.pem\n", - require => Package['strongswan'], - notify => Service['ipsec'], - owner => 'root', - group => 0, - mode => '0400'; + content => ": RSA ${::fqdn}.pem\n"; + # this is needed because if the glob-include in the config + # doesn't find anything it fails. + "${strongswan::config_dir}/ipsec.hosts.__dummy__.conf": + ensure => 'present'; '/etc/ipsec.conf': - source => "puppet:///modules/site_strongswan/configs/${::fqdn}", - require => Package['strongswan'], - notify => Service['ipsec'], - owner => 'root', - group => 0, - mode => '0400'; + content => template('strongswan/ipsec.conf.erb'); } service{'ipsec': diff --git a/manifests/init.pp b/manifests/init.pp index 0ef3818..e46b9a3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
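Review bot: The `File { ... }` resource default introduced at the top of the base.pp hunk is declared inside class strongswan::base, and Puppet resource defaults are dynamically scoped, so `mode => '0400'` and `notify => Service['ipsec']` will silently apply to file resources of any class declared from within this one, not only to the three files in this block. That makes a later include's file root-only and restart ipsec without any visible cause; keeping the attributes explicit per resource is safer, or at minimum the intent should be documented: `# Resource default: every File in this class is root-only, depends on the package and restarts ipsec; note it also propagates into classes declared from here.` The dummy `ipsec.hosts.__dummy__.conf` file is a workaround for the glob include in the template failing on zero matches, as its comment says, but it is also managed with the same 0400/notify default, which is fine to rely on only while that default stays in place. The enclosing class strongswan::base starts and ends outside this hunk.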
@@ -1,14 +1,16 @@ # manage a strongswan class strongswan( - $manage_shorewall = false, + $manage_shorewall = false, $monkeysphere_publish_key = false, - $ipsec_nat = false + $ipsec_nat = false, + $default_left_ip_address = $::ipaddress, + $additional_options = '' ) { class{'monkeysphere': publish_key => $monkeysphere_publish_key } -> class{'certtool': } - + case $::operatingsystem { centos: { case $::lsbmajdistrelease { @@ -39,6 +41,5 @@ class strongswan( if $ipsec_nat { include shorewall::rules::ipsec_nat } - } } diff --git a/templates/ipsec.conf.erb b/templates/ipsec.conf.erb new file mode 100644 index 0000000..40a04c1 --- /dev/null +++ b/templates/ipsec.conf.erb @@ -0,0 +1,23 @@ +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + mobike=no + keyexchange=ikev2 + rightsendcert=never + leftsendcert=never + left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>.asc + leftcert=<%= scope.lookupvar('::fqdn') %>.asc + leftid=@<%= scope.lookupvar('::fqdn') %> + +<% unless scope.lookupvar('strongswan::additional_options').empty? -%> +<%= scope.lookupvar('strongswan::additional_options') %> + +<% end -%> +include <%= scope.lookupvar('strongswan::config_dir') %>/ipsec.hosts.*.conf -- cgit v1.2.3
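Review bot: The two new class parameters `$default_left_ip_address` and `$additional_options` carry no documentation, and their defaults matter: `$::ipaddress` is the primary-interface fact, which on a multi-homed gateway is not necessarily the interface the tunnels terminate on, and `$additional_options` is written verbatim into the generated ipsec.conf. A parameter comment such as `# $default_left_ip_address: address used for left= in conn %default; defaults to the primary-interface fact, set explicitly on multi-homed hosts` and `# $additional_options: raw ipsec.conf text inserted after conn %default` would make the contract clear to callers. The class body continues outside the hunk.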
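Review bot: `left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>.asc` appends `.asc` to an IP address, which looks like a copy-paste leftover from the `leftcert=` line below it; a value like `left=10.0.0.1.asc` is not an address and would presumably be treated as a hostname that fails to resolve, so the line should read `left=<%= scope.lookupvar('strongswan::default_left_ip_address') %>`. Separately, `strictcrlpolicy=no` together with `crlcheckinterval=180` means a peer certificate is still accepted when its CRL cannot be fetched; if revocation is meant to be enforced this should be `strictcrlpolicy=yes`, otherwise a comment stating that CRL fetch failures are tolerated keeps the choice deliberate. The `include .../ipsec.hosts.*.conf` glob loads any matching file in the config directory, so the directory's own permissions, not just the 0400 mode on the Puppet-managed files, decide who can add a conn here, which is worth a one-line comment above the include.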