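# manage strongswan services
#
# Installs strongswan, generates the host's IKE private key (and, when
# $use_monkeysphere is set, publishes it through monkeysphere-host), manages
# /etc/ipsec.conf, /etc/ipsec.secrets, the hosts config directory and two
# helper scripts, and keeps the ipsec service running.
#
# Reads $strongswan::cert_dir, $strongswan::custom_hostname,
# $strongswan::config_dir, $strongswan::binary and
# $strongswan::ipsec_conf_template.
#
# NOTE(review): $use_monkeysphere is the only unqualified variable in this
# class; every other value comes from the strongswan namespace. It is
# probably meant to be $strongswan::use_monkeysphere -- confirm where it is
# set before changing the lookup.
class strongswan::base {

  # Explicit search path so the execs below do not depend on an Exec default
  # being declared somewhere else in the manifest tree.
  $exec_path = ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin']

  $private_key = "${strongswan::cert_dir}/private/${strongswan::custom_hostname}.pem"
  $host_cert   = "${strongswan::cert_dir}/certs/${strongswan::custom_hostname}.asc"

  package { 'strongswan':
    ensure  => installed,
  } ->

  # certtool ships in gnutls-utils, which is only pulled in as a dependency
  # when $use_monkeysphere is set; outside that branch this exec assumes the
  # tool is already present -- TODO confirm.
  exec { 'ipsec_privatekey':
    command => "certtool --generate-privkey --bits 2048 --outfile ${private_key}",
    creates => $private_key,
    path    => $exec_path,
    # No file resource manages the key, so its mode is whatever certtool and
    # the process umask produce; a restrictive umask keeps it owner-only.
    umask   => '0077',
  } ->

  anchor{'strongswan::certs::done': }

  if $use_monkeysphere {

    Package['strongswan'] {
      require => Package['monkeysphere','gnutls-utils'],
    }

    # The && chain and the > redirect need a shell; say so explicitly rather
    # than relying on the default provider to spawn one.
    # NOTE(review): custom_hostname is interpolated into this shell command
    # line and into file names; it is expected to be a plain hostname.
    exec { 'ipsec_monkeysphere_cert':
      command  => "monkeysphere-host import-key ${private_key} ike://${strongswan::custom_hostname} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${strongswan::custom_hostname} > ${host_cert}",
      creates  => $host_cert,
      path     => $exec_path,
      provider => shell,
      require  => Exec['ipsec_privatekey'],
      before   => Anchor['strongswan::certs::done'],
    }
  }

  # Every file below is root-owned, owner-read-only and restarts ipsec on
  # change unless the resource overrides notify/mode.
  File {
    require => Package['strongswan'],
    notify  => Service['ipsec'],
    owner   => 'root',
    group   => 0,
    mode    => '0400',
  }

  $binary_name = basename($strongswan::binary)
  file{
    # ipsec.secrets only names the key file; the key itself lives in
    # ${strongswan::cert_dir}/private and is read by the daemon from there.
    '/etc/ipsec.secrets':
      content => ": RSA ${strongswan::custom_hostname}.pem\n";
    # this is needed because if the glob-include in the config
    # doesn't find anything it fails.
    "${strongswan::config_dir}/hosts":
      ensure  => directory,
      purge   => true,
      force   => true,
      recurse => true;
    "${strongswan::config_dir}/hosts/__dummy__.conf":
      ensure  => 'present';
    '/etc/ipsec.conf':
      content => template($strongswan::ipsec_conf_template);
    # Helper scripts are executable by root only and do not restart ipsec.
    "/usr/local/sbin/${binary_name}_connected_hosts":
      content => "#!/bin/bash\n${strongswan::binary} status | grep INSTALLED | awk -F\\{ '{ print \$1 }'\n",
      notify  => undef,
      mode    => '0500';
    "/usr/local/sbin/${binary_name}_start_unconnected":
      content => template('strongswan/scripts/start_unconnected.sh.erb'),
      notify  => undef,
      mode    => '0500';
  }

  service { 'ipsec':
    ensure => running,
    enable => true,
  }
}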