# An IPsec peer: another node to connect to.
# This is the stored-config part of ipsec::network. Each node that
# is part of a network stores an ipsec::peer entry for itself and
# then collects all other nodes of that network, overwriting their
# local_* parameters with its own values.
8 # @param network_name name of this ipsec network clique
9 # @param ipsec_conf_file the target of the ipsec config file concat
10 # @param ipsec_secrets_file the target of the ipsec secrets file concat
11 # @param local_name the name of this node (overwritten on collecting)
12 # @param local_ipaddress the ipsec endpoint address on this node (overwritten on collecting)
13 # @param local_networks a list of local networks (overwritten on collecting)
14 # @param peer_name the name of this peer
15 # @param peer_ipaddress the ipsec endpoint address of this peer
16 # @param peer_networks a list of networks behind or at this peer
29 $network_name = 'ipsec',
31 $leftsubnet = $local_networks ? {
33 default => "leftsubnet = ${$local_networks.join(', ')}"
35 $rightsubnet = $peer_networks ? {
37 default => "rightsubnet = ${$peer_networks.join(', ')}"
39 concat::fragment { "${network_name}::${ipsec_conf_file}::${name}":
40 target => $ipsec_conf_file,
43 conn ${network_name}::${peer_name}
44 # left is us (local, ${local_name})
45 left = ${local_ipaddress}
48 # right is our peer (remote, ${peer_name})
49 right = ${peer_ipaddress}
56 # create the data portion for the key derivation function
58 # It needs to be the same data on both ends of a connection, so the
59 # corresponding secrets entry at the peer gets the same PSK. We do
60 # this by putting the peer's info and our info in some arbitrary,
61 # yet canonical order by sorting.
62 $ipsec_psk_data = ("${local_name}(${local_ipaddress})" < "${peer_name}(${peer_ipaddress})") ? {
63 true => "ipsec-peer-psk-${network_name}-${local_name}(${local_ipaddress})-${peer_name}(${peer_ipaddress})",
64 false => "ipsec-peer-psk-${network_name}-${peer_name}(${peer_ipaddress})-${local_name}(${local_ipaddress})"
66 $ipsec_psk = hkdf('/etc/puppet/secret', $ipsec_psk_data)
67 concat::fragment { "${network_name}::${ipsec_secrets_file}::${name}":
68 target => $ipsec_secrets_file,
71 ${peer_ipaddress} : PSK "${ipsec_psk}"
75 ferm::rule { "${network_name}-${name}":
76 description => "allow ipsec protocols for peer ${peer_name}",
78 chain => 'ipsec-peers',
79 rule => "saddr ${peer_ipaddress} ACCEPT",