1 # make this node a member of a common ipsec network
3 # the name of this resource is a tag for a network where nodes in the
4 # same "network" will have ipsec set up between them.
6 # This is sufficient to set up a tunnel between a cluster of machines,
7 # but it requires a reboot; see the parent ipsec class.
9 # WARNING: default ipsec configuration tunnels only the IP address
10 # given, which means that this default configuration only tunnels
13 # Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
14 # to tunnel both addresses.
15 define ipsec::network (
16 Stdlib::IP::Address $peer_ipaddress = $::ipaddress,
17 Array[Stdlib::IP::Address] $peer_networks = [],
21 $ipsec_conf_file = "/etc/ipsec.conf.d/10-puppet-${name}.conf"
22 $ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
23 $stored_conftag = "ipsec::peer::${name}"
25 @@ipsec::peer{ "${name}-${::hostname}":
26 network_name => $name,
27 peer_name => $::hostname,
28 peer_ipaddress => $peer_ipaddress,
29 peer_networks => $peer_networks,
30 ipsec_conf_file => $ipsec_conf_file,
31 ipsec_secrets_file => $ipsec_secrets_file,
32 tag => $stored_conftag,
33 # those will be overridden on collection, below
35 local_ipaddress => undef,
38 concat { $ipsec_conf_file:
39 notify => Service['ipsec'],
41 concat { $ipsec_secrets_file:
42 notify => Service['ipsec'],
45 Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
46 local_name => $::hostname,
47 local_ipaddress => $peer_ipaddress,
48 local_networks => $peer_networks,