opuppet/module-tinc
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

move vpn_net to a more automagic version

Browse source 
Now, we export our configuration to other hosts in our vpn_net
setup. Also we completely rely on keys that are generated on the
master. This reduces any hands on for the vpn setup.
This commit is contained in:
mh 2010-12-29 22:44:26 +01:00
parent 1a70f0ab0c
commit 1ee9a13f11
5 changed files with 40 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
manifests/vpn_net.pp
View file

@ -4,12 +4,13 @@ define tinc::vpn_net(
$connect_on_boot = true,
$hosts_source = 'absent',
$hosts_source_is_prefix = false,
$key_source = 'file',
$key_source_prefix = 'absent',
$tinc_interface = 'absent',
$tinc_internal_interface = 'absent',
$key_source_path = 'absent',
$tinc_interface = 'eth0',
$tinc_internal_interface = 'eth1',
$tinc_internal_ip = 'absent',
$tinc_bridge_interface = 'absent',
$port = '655',
$compression = '9',
$shorewall_zone = 'absent'
){
include ::tinc
@ -38,6 +39,14 @@ define tinc::vpn_net(
notify => Service['tinc'],
}
@@file { "/etc/tinc/${vpn_net}/hosts/${name_tinc}":
ensure => $ensure,
notify => Service[tinc],
tag => "tinc_host_${name}",
owner => root, group => 0, mode => 0600;
}
if $ensure == 'present' {
File["/etc/tinc/${name}"]{
ensure => directory,
@ -59,68 +68,33 @@ define tinc::vpn_net(
owner => root, group => 0, mode => 0600;
}
if $key_source_path == 'absent' {
fail("You need to set \$key_source_prefix for $name to generate keys on the master!")
}
$tinc_keys = tinc_keygen($name,"${key_source_path}/${name}/${fqdn}")
file{"/etc/tinc/${name}/rsa_key.priv":
content => $tinc_keys[1],
notify => Service[tinc],
owner => root, group => 0, mode => 0600;
}
file{"/etc/tinc/${name}/rsa_key.pub":
content => $tinc_keys[0],
notify => Service[tinc],
owner => root, group => 0, mode => 0600;
}
if $key_source == 'file' {
File["/etc/tinc/${name}/rsa_key.priv"]{
source => $key_source_prefix ? {
'absent' => "puppet:///modules/site-tinc/keys/${name}/${fqdn}/rsa_key.priv",
default => "${key_source_prefix}/${name}/${fqdn}/rsa_key.priv",
}
}
File["/etc/tinc/${name}/rsa_key.pub"]{
source => $key_source_prefix ? {
'absent' => "puppet:///modules/site-tinc/keys/${name}/${fqdn}/rsa_key.pub",
default => "${key_source_prefix}/${name}/${fqdn}/rsa_key.pub",
}
}
} elsif $key_source == 'master' {
if $key_source_prefix == 'absent' {
fail("You need to set \$key_source_prefix for $name to generate keys on the master!")
}
$tinc_keys = tinc_keygen($name,"${key_source_prefix}/${name}/${fqdn}")
File["/etc/tinc/${name}/rsa_key.priv"]{
content => $tinc_keys[0]
}
File["/etc/tinc/${name}/rsa_key.pub"]{
content => $tinc_keys[1]
}
} else {
fail("No such \$key_source (${key_source}) available")
}
# always include myself in the hosts dir
tinc::vpn_net::host{$fqdn:
source => $hosts_source,
source_is_prefix => $hosts_source_is_prefix,
vpn_net => $name
}
# include all the hosts we should connect to
tinc::vpn_net::host{$connect_to_hosts:
source => $hosts_source,
source_is_prefix => $hosts_source_is_prefix,
vpn_net => $name
}
$real_tinc_bridge_interface = $tinc_bridge_interface ? {
'absent' => "br${name}",
default => $tinc_bridge_interface
}
$real_tinc_internal_interface = $tinc_internal_interface ? {
'absent' => 'eth1',
default => $tinc_internal_interface
}
$real_tinc_internal_ip = $tinc_internal_ip ? {
# 'absent' => $ip, ????
default => $tinc_internal_ip
if $tinc_internal_ip == 'absent' {
$tinc_orig_ifaddr = "ipaddress_${tinc_internal_interface}"
$real_tinc_internal_ip = inline_template("<%= scope.lookupvar(tinc_orig_ifaddr) %>")
} else {
$real_tinc_internal_ip = $tinc_internal_ip
}
file { "/etc/tinc/${name}/tinc-up":
content => template('tinc/tinc-up.erb'),
require => Package['bridge-utils'],
@ -133,6 +107,11 @@ define tinc::vpn_net(
notify => Service['tinc'],
owner => root, group => 0, mode => 0700;
}
File["/etc/tinc/${vpn_net}/hosts/${name_tinc}"]{
content => template('tinc/host.erb'),
}
File<<| tag == "tinc_host_${name}" |>>
if $use_shorewall {
$real_shorewall_zone = $shorewall_zone ? {

24
manifests/vpn_net/host.pp
View file

@ -1,24 +0,0 @@
# $name => Name of the host we want to connect to
define tinc::vpn_net::host(
$ensure = present,
$source = absent,
$source_is_prefix = false,
$vpn_net
){
$name_tinc = regsubst("${name}",'[._-]+','','G')
file { "/etc/tinc/${vpn_net}/hosts/${name_tinc}":
ensure => $ensure,
source => $source ? {
'absent' => "puppet:///modules/site-tinc/hosts/${vpn_net}/${name}",
default => $source_is_prefix ? {
false => $source,
default => "${source}/${name}"
}
},
notify => Service[tinc],
owner => root, group => 0, mode => 0600;
}
}

6
templates/host.erb Normal file
View file

@ -0,0 +1,6 @@
Address = <%= scope.lookupvar("ipaddress_#{tinc_interface}") %>
Port = <%= port %>
Compression = <%= compression %> # 0=no,11=best lzo
#
<%= tinc_keys[1] %>

6
templates/tinc-up.erb
View file

@ -3,10 +3,10 @@
grep <%= real_tinc_bridge_interface %> /proc/net/dev | awk -F: '{ print $1 }' | grep -q <%= real_tinc_bridge_interface %>
if [ $? -gt 0 ]; then
brctl addbr <%= real_tinc_bridge_interface %>
ifconfig <%= real_tinc_internal_interface %> 0.0.0.0
ifconfig <%= tinc_internal_interface %> 0.0.0.0
ifconfig <%= real_tinc_bridge_interface %> <%= real_tinc_internal_ip %> netmask 255.255.255.0
brctl addif <%= real_tinc_bridge_interface %> <%= real_tinc_internal_interface %>
ifconfig <%= real_tinc_internal_interface %> up
brctl addif <%= real_tinc_bridge_interface %> <%= tinc_internal_interface %>
ifconfig <%= tinc_internal_interface %> up
fi
ifconfig $INTERFACE 0.0.0.0

2
templates/tinc.conf.erb
View file

@ -5,10 +5,8 @@ Device = /dev/net/tun
Mode = switch
#Mode = router
<% unless tinc_interface.to_s == 'absent' -%>
BindToInterface = <%= tinc_interface.to_s %>
<% end -%>
<% connect_to_hosts_tinc.to_a.each do |connect_to_host| -%>
ConnectTo = <%= connect_to_host %>
<% end -%>