X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fipsec%2Fmanifests%2Finit.pp;h=d20860c8ba41ae85d821690fb32f3e5e1f8a76d2;hb=008e94cf18c557dc199f2286f282e111e846b615;hp=6952c0656fae57af5b2029e9d7f0df9a4155526c;hpb=ecfbb7c216e5cbfd8ab8994b6c3c753e8a4f04b0;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ipsec/manifests/init.pp b/modules/ipsec/manifests/init.pp
index 6952c0656..d20860c8b 100644
--- a/modules/ipsec/manifests/init.pp
+++ b/modules/ipsec/manifests/init.pp
@@ -1,64 +1,67 @@
+# basic ipsec configuration
+#
+# this configures all packages and required kernel modules, but
+# doesn't configure any host, see `ipsec::network` instead.
+#
+# when first loaded, this will add a list of modules to the kernel,
+# but this will only load on reboot.
 class ipsec {
- $ipsec_config = @(EOF)
- ---
+ package { [
+ 'strongswan',
+ 'libstrongswan-standard-plugins'
+ ]:
+ ensure => installed
+ }
 
- storace.debian.org:
- address: 93.94.130.161
+ service { 'ipsec':
+ ensure => running,
+ }
 
- fasolo.debian.org:
- address: 138.16.160.17
+ file {
+ '/etc/ipsec.conf':
+ content => template('ipsec/ipsec.conf.erb'),
+ notify => Service['ipsec'];
+ '/etc/ipsec.secrets':
+ mode => '0400',
+ content => template('ipsec/ipsec.secrets.erb'),
+ notify => Service['ipsec'];
+ '/etc/ipsec.conf.d':
+ ensure => 'directory',
+ purge => true,
+ force => true,
+ recurse => true,
+ mode => '0755';
+ '/etc/ipsec.secrets.d':
+ ensure => 'directory',
+ purge => true,
+ force => true,
+ recurse => true,
+ mode => '0700';
+ '/etc/ipsec.conf.d/00-default.conf':
+ content => template('ipsec/ipsec.conf-00-default.conf.erb'),
+ notify => Service['ipsec'];
+ '/etc/strongswan.d/charon-logging.conf':
+ content => template('ipsec/strongswan-charon-logging.conf'),
+ notify => Service['ipsec'];
+ }
 
- | EOF
+ ferm::rule {
+ 'ipsec-peers':
+ description => 'ipsec protocols are allowed from the ipsec peers',
+ domain => '(ip ip6)',
+ chain => 'ipsec-peers',
+ rule => 'DROP',
+ prio => 'zzz-999';
+ 'ipsec':
+ description => 'ipsec protocols are allowed from the ipsec peers',
+ domain => '(ip ip6)',
+ rule => @(EOF),
+ proto udp dport (isakmp 4500) jump ipsec-peers;
+ proto esp jump ipsec-peers
+ | EOF
+ }
 
- package { [
- 'strongswan',
- 'libstrongswan-standard-plugins'
- ]:
- ensure => installed
- }
-
- service { 'ipsec':
- ensure => running,
- }
-
- file { '/etc/ipsec.conf':
- content => template("ipsec/ipsec.conf.erb"),
- notify => Service['ipsec'],
- }
- file { '/etc/ipsec.secrets':
- mode => '0400',
- content => template("ipsec/ipsec.secrets.erb"),
- notify => Service['ipsec'],
- }
-
- file { '/etc/ipsec.conf.d':
- mode => '0755',
- ensure => 'directory',
- }
- file { '/etc/ipsec.secrets.d':
- ensure => 'directory',
- mode => '0700',
- }
-
- file { '/etc/ipsec.conf.d/00-default.conf':
- content => template("ipsec/ipsec.conf-00-default.conf.erb"),
- notify => Service['ipsec'],
- }
-
- file { '/etc/ipsec.conf.d/10-puppet-peers.conf':
- content => template("ipsec/ipsec.conf-10-puppet-peers.conf.erb"),
- notify => Service['ipsec'],
- }
- file { '/etc/ipsec.secrets.d/10-puppet-peers.secrets':
- mode => '0400',
- content => template("ipsec/ipsec.secrets-10-puppet-peers.secrets.erb"),
- notify => Service['ipsec'],
- }
-
- file {
- "/etc/ferm/dsa.d/10-ipsec":
- mode => '0400',
- content => template("ipsec/ferm.erb"),
- notify => Exec['ferm reload'],
- }
+ # Since we disable module loading after boot, we want to load them all at boot time
+ $modules = split('af_alg af_key ah4 algif_skcipher ansi_cprng authenc drbg echainiv esp4 ipcomp macvlan macvtap tunnel4 vhost vhost_net xfrm4_mode_tunnel xfrm4_tunnel xfrm6_mode_tunnel xfrm_algo xfrm_ipcomp xfrm_user', ' ') # lint:ignore:140chars
+ base::linux_module { $modules: }
 }
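Review bot: The 'ipsec-peers' ferm::rule installs the `DROP` tail of that chain (prio 'zzz-999') yet reuses the description 'ipsec protocols are allowed from the ipsec peers', which reads as the opposite of what the rule does; something like `description => 'drop ipsec protocols not coming from an ipsec peer (chain tail)',` would keep the firewall listing honest. `service { 'ipsec': ensure => running, }` sets no `enable`, so whether the daemon comes up after the reboot the header says is needed for the module list depends on the package's own unit enablement; `enable => true,` makes that boot-time state explicit in the manifest. With `/etc/ipsec.secrets.d` now managed `recurse => true` and `mode => '0700'`, I believe Puppet applies that mode to the files inside as well, so secrets placed there by `ipsec::network` presumably end up 0700 rather than the 0400 the removed 10-puppet-peers.secrets resource had — worth confirming against the Puppet file type docs. The `$modules` list mixes the IPsec/xfrm modules with vhost, vhost_net, macvlan and macvtap, which look unrelated to this class; a short comment on why they are loaded from here (or moving them next to the class that needs them) would help the next reader. `template('ipsec/strongswan-charon-logging.conf')` is the only template reference without the `.erb` suffix the others use.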