1 # make this node a member of a common ipsec network
3 # The name of this resource is a tag for a network; nodes in the
4 # same "network" will have ipsec set up between them.
6 # This is sufficient to set up a tunnel between a cluster of machines,
7 # but requires a reboot; see the parent ipsec class.
9 # WARNING: default ipsec configuration tunnels only the IP address
10 # given, which means that this default configuration only tunnels
13 # Use $peer_networks = $base::public_addresses to tunnel both addresses.
15 # @param peer_ipaddress the ipsec endpoint address of this ipsec node
16 # @param peer_networks a list of networks behind or at this ipsec node; a bare address without a prefix length is treated as a single host (/32 or /128)
17 define ipsec::network (
18 Stdlib::IP::Address $peer_ipaddress = $base::public_address,
19 Array[Stdlib::IP::Address] $peer_networks = [],
23 $ipsec_conf_file = "/etc/ipsec.conf.d/10-puppet-${name}.conf"
24 $ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
25 $stored_conftag = "ipsec::peer::${name}"
27 $real_peer_networks = Array($peer_networks, true).map |$a| {
28 if $a =~ Stdlib::IP::Address::V4::CIDR { $a }
29 elsif $a =~ Stdlib::IP::Address::V4::Nosubnet { "${a}/32" }
30 elsif $a =~ Stdlib::IP::Address::V6::CIDR { $a }
31 elsif $a =~ Stdlib::IP::Address::V6::Nosubnet { "${a}/128" }
32 else { fail("Do not know address type for ${a}") }
35 @@ipsec::peer{ "${name}-${::hostname}":
36 network_name => $name,
37 peer_name => $::hostname,
38 peer_ipaddress => $peer_ipaddress,
39 peer_networks => $real_peer_networks,
40 ipsec_conf_file => $ipsec_conf_file,
41 ipsec_secrets_file => $ipsec_secrets_file,
42 tag => $stored_conftag,
43 # those will be overriden on collection, below
45 local_ipaddress => undef,
48 concat { $ipsec_conf_file:
49 notify => Service['ipsec'],
51 concat { $ipsec_secrets_file:
52 notify => Service['ipsec'],
55 Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
56 local_name => $::hostname,
57 local_ipaddress => $peer_ipaddress,
58 local_networks => $real_peer_networks,