+++ /dev/null
-# basic ipsec configuration
-#
-# this configures all packages and required kernel modules, but
-# doesn't configure any host, see `ipsec::network` instead.
-#
-# when first loaded, this will add a list of modules to the kernel,
-# but this will only load on reboot.
-class ipsec {
- package { [
- 'strongswan',
- 'libstrongswan-standard-plugins'
- ]:
- ensure => installed
- }
-
- service { 'ipsec':
- ensure => running,
- }
-
- file {
- '/etc/ipsec.conf':
- content => template('ipsec/ipsec.conf.erb'),
- notify => Service['ipsec'];
- '/etc/ipsec.secrets':
- mode => '0400',
- content => template('ipsec/ipsec.secrets.erb'),
- notify => Service['ipsec'];
- '/etc/ipsec.conf.d':
- ensure => 'directory',
- purge => true,
- force => true,
- recurse => true,
- mode => '0755';
- '/etc/ipsec.secrets.d':
- ensure => 'directory',
- purge => true,
- force => true,
- recurse => true,
- mode => '0700';
- '/etc/ipsec.conf.d/00-default.conf':
- content => template('ipsec/ipsec.conf-00-default.conf.erb'),
- notify => Service['ipsec'];
- '/etc/strongswan.d/charon-logging.conf':
- content => template('ipsec/strongswan-charon-logging.conf'),
- notify => Service['ipsec'];
- }
-
- ferm::rule {
- 'ipsec-peers':
- description => 'ipsec protocols are allowed from the ipsec peers',
- domain => '(ip ip6)',
- chain => 'ipsec-peers',
- rule => 'DROP',
- prio => 'zzz-999';
- 'ipsec':
- description => 'ipsec protocols are allowed from the ipsec peers',
- domain => '(ip ip6)',
- rule => @(EOF),
- proto udp dport (isakmp 4500) jump ipsec-peers;
- proto esp jump ipsec-peers
- | EOF
- }
-
- # Since we disable module loading after boot, we want to load them all at boot time
- $modules = split('af_alg af_key ah4 algif_skcipher ansi_cprng authenc drbg echainiv esp4 ipcomp macvlan macvtap tunnel4 vhost vhost_net xfrm4_mode_tunnel xfrm4_tunnel xfrm6_mode_tunnel xfrm_algo xfrm_ipcomp xfrm_user', ' ') # lint:ignore:140chars
- base::linux_module { $modules: }
-}
projects / mirror / dsa-puppet.git / commitdiff