# Manage the strongswan package, its certificate bootstrap, config files, helper scripts and the ipsec service
class strongswan::base {

  # Package installation. When $use_monkeysphere is set, the package is
  # followed by the host key / certificate bootstrap; the anchor marks the
  # point other manifests can depend on once the certificate exists.
  if $use_monkeysphere {
    package { 'strongswan':
      ensure  => installed,
      require => Package['monkeysphere', 'gnutls-utils'],
    }

    # Generate the host's RSA private key once. Idempotence is only the
    # `creates` check: the key file's owner and mode are not managed by a
    # file resource here, so its on-disk permissions come from certtool
    # and the environment of the Puppet run — worth confirming on a host.
    exec { 'ipsec_privatekey':
      command => "certtool --generate-privkey --bits 2048 --outfile ${strongswan::cert_dir}/private/${::fqdn}.pem",
      creates => "${strongswan::cert_dir}/private/${::fqdn}.pem",
      require => Package['strongswan'],
    }

    # Import the key into monkeysphere and export the OpenPGP certificate.
    # NOTE(review): no `path` or `provider` is set on either exec; if this
    # command is run through a shell, the `>` redirect creates the .asc
    # before gpg writes it, so a failed export can leave an empty file that
    # satisfies `creates` on later runs — remove it to retry.
    exec { 'ipsec_monkeysphere_cert':
      command => "monkeysphere-host import-key ${strongswan::cert_dir}/private/${::fqdn}.pem ike://${::fqdn} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${::fqdn} > ${strongswan::cert_dir}/certs/${::fqdn}.asc",
      creates => "${strongswan::cert_dir}/certs/${::fqdn}.asc",
      require => Exec['ipsec_privatekey'],
    }

    anchor { 'strongswan::certs::done':
      require => Exec['ipsec_monkeysphere_cert'],
    }
  } else {
    package { 'strongswan':
      ensure => installed,
    }
  }

  # Resource defaults for every file declared in this scope: root-owned,
  # owner-read-only, installed after the package and restarting ipsec on
  # change. Individual resources below override notify/mode where needed.
  File {
    require => Package['strongswan'],
    notify  => Service['ipsec'],
    owner   => 'root',
    group   => 0,
    mode    => '0400',
  }

  $binary_name = basename($strongswan::binary)

  # Points strongswan at the host's private key; inherits mode 0400 from
  # the File defaults above, so only root can read it.
  file { '/etc/ipsec.secrets':
    content => ": RSA ${::fqdn}.pem\n",
  }

  # Per-host connection snippets. Anything under this directory that Puppet
  # does not manage is removed (purge + recurse + force).
  file { "${strongswan::config_dir}/hosts":
    ensure  => directory,
    recurse => true,
    purge   => true,
    force   => true,
  }

  # Placeholder so the directory is never empty: the glob include in the
  # config fails when it matches nothing.
  file { "${strongswan::config_dir}/hosts/__dummy__.conf":
    ensure => 'present',
  }

  file { '/etc/ipsec.conf':
    content => template('strongswan/ipsec.conf.erb'),
  }

  # Helper scripts: executable by root only and, unlike the config files,
  # they do not restart the service when they change.
  file { "/usr/local/sbin/${binary_name}_connected_hosts":
    mode    => '0500',
    notify  => undef,
    content => "#!/bin/bash\n${strongswan::binary} status | grep ESTABLISHED | awk -F\\[ '{ print \$1 }'\n",
  }

  file { "/usr/local/sbin/${binary_name}_start_unconnected":
    mode    => '0500',
    notify  => undef,
    content => template('strongswan/scripts/start_unconnected.sh.erb'),
  }

  service { 'ipsec':
    ensure => running,
    enable => true,
  }
}