# Manage the strongswan IPsec service on this host: install the package,
# bootstrap the host key and its monkeysphere certificate, manage the two
# config files, and exchange host certificates with the other nodes.
class strongswan::base {
  package { 'strongswan':
    ensure => installed,
  }

  # Host RSA private key; generated once, `creates` keeps it idempotent.
  exec { 'ipsec_privatekey':
    command => "certtool --generate-privkey --bits 2048 --outfile ${strongswan::config_dir}/private/${::fqdn}.pem",
    creates => "${strongswan::config_dir}/private/${::fqdn}.pem",
    require => Package['strongswan'],
  }

  # Import the key into monkeysphere-host and export the resulting OpenPGP
  # certificate into the strongswan certs directory.
  exec { 'ipsec_monkeysphere_cert':
    command => "monkeysphere-host import-key ${strongswan::config_dir}/private/${::fqdn}.pem ike://${::fqdn} && gpg --homedir /var/lib/monkeysphere/host -a --export =ike://${::fqdn} > ${strongswan::config_dir}/certs/${::fqdn}.asc",
    creates => "${strongswan::config_dir}/certs/${::fqdn}.asc",
    require => Exec['ipsec_privatekey'],
  }

  # Points strongswan at the host key above; root-only readable.
  file { '/etc/ipsec.secrets':
    content => ": RSA ${::fqdn}.pem\n",
    owner   => 'root',
    group   => 0,
    mode    => '0400',
    require => Package['strongswan'],
    notify  => Service['ipsec'],
  }

  # Per-host connection config, served from the site module by fqdn.
  file { '/etc/ipsec.conf':
    source  => "puppet:///modules/site_strongswan/configs/${::fqdn}",
    owner   => 'root',
    group   => 0,
    mode    => '0400',
    require => Package['strongswan'],
    notify  => Service['ipsec'],
  }

  service { 'ipsec':
    ensure => running,
    enable => true,
  }

  # Export this host's certificate for the other nodes, then realise every
  # certificate exported under the same tag (including our own).
  # NOTE(review): $::fqdn and $::strongswan_cert look like agent-reported
  # facts, so the exported title and cert content are chosen by the exporting
  # node and collected by all peers below. $trusted['certname'] (Puppet >= 3.4)
  # would bind the export to the server-verified identity — confirm the
  # target Puppet version before switching.
  if $::strongswan_cert != 'false' and $::strongswan_cert != '' {
    @@strongswan::cert { $::fqdn:
      cert => $::strongswan_cert,
      tag  => 'strongswan_cert',
    }
  }
  Strongswan::Cert <<| tag == 'strongswan_cert' |>>
}