#
# Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
# to tunnel both addresses.
+#
+# @param peer_ipaddress the ipsec endpoint address of this ipsec node
+# @param peer_networks a list of networks behind or at this ipsec node
define ipsec::network (
- Stdlib::IP::Address $peer_ipaddress = $::ipaddress,
+ Stdlib::IP::Address $peer_ipaddress = $base::public_address,
Array[Stdlib::IP::Address] $peer_networks = [],
) {
include ipsec
$ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
$stored_conftag = "ipsec::peer::${name}"
+ $real_peer_networks = Array($peer_networks, true).map |$a| {
+ if $a =~ Stdlib::IP::Address::V4::CIDR { $a }
+ elsif $a =~ Stdlib::IP::Address::V4::Nosubnet { "${a}/32" }
+ elsif $a =~ Stdlib::IP::Address::V6::CIDR { $a }
+ elsif $a =~ Stdlib::IP::Address::V6::Nosubnet { "${a}/128" }
+ else { fail("Do not know address type for ${a}") }
+ }
+
@@ipsec::peer{ "${name}-${::hostname}":
network_name => $name,
peer_name => $::hostname,
peer_ipaddress => $peer_ipaddress,
- peer_networks => $peer_networks,
+ peer_networks => $real_peer_networks,
ipsec_conf_file => $ipsec_conf_file,
ipsec_secrets_file => $ipsec_secrets_file,
tag => $stored_conftag,
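Review bot: The new default on `$peer_ipaddress` reads `$base::public_address`, but nothing visible in this define ensures class `base` has been evaluated before the parameter default is resolved; the only include is `include ipsec`, and that runs in the body, after defaults are bound. If `base` is not yet in the catalog the default would presumably resolve to undef and be rejected by the `Stdlib::IP::Address` type, so compilation fails rather than exporting a wrong endpoint, but the ordering requirement should be stated. I would extend the doc line to `# @param peer_ipaddress the ipsec endpoint address of this ipsec node (defaults to $base::public_address; class base must already be evaluated)`. The `@param peer_networks` line could likewise say that bare addresses are exported as /32 or /128, since that is what peers will see in their tunnel definitions.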
Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
local_name => $::hostname,
local_ipaddress => $peer_ipaddress,
- local_networks => $peer_networks,
+ local_networks => $real_peer_networks,
}
}
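Review bot: Node identity in this collector still rests on the agent-reported `hostname` fact: the filter `peer_name != $::hostname` and `local_name => $::hostname` here, and `peer_name` plus the exported resource title in the previous hunk. The commit stops defaulting the endpoint address to the `$::ipaddress` fact, yet a node that reports a different hostname would still export its peer entry under that name and change which entries it collects. If certnames on this site match the host names, `$trusted['hostname']` is derived from the authenticated certificate rather than from facts and could replace `$::hostname` in these four places, e.g. `peer_name => $trusted['hostname'],`. That changes exported resource titles wherever the two values differ, so compare them against the stored resources before switching.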
# an ipsec peer, another node to connect to
+#
+# This is the stored config part of ipsec::network. Each node that
+# is part of a network stores an ipsec::peer entry for itself and
+# then collects all other nodes of that network, overwriting
+# the local_* variables for itself.
+#
+# @param network_name name of this ipsec network clique
+# @param ipsec_conf_file the target of the ipsec config file concat
+# @param ipsec_secrets_file the target of the ipsec secrets file concat
+# @param local_name the name of this node (overwritten on collecting)
+# @param local_ipaddress the ipsec endpoint address on this node (overwritten on collecting)
+# @param local_networks a list of local networks (overwritten on collecting)
+# @param peer_name the name of this peer
+# @param peer_ipaddress the ipsec endpoint address of this peer
+# @param peer_networks a list of networks behind or at this peer
define ipsec::peer(
$ipsec_conf_file,
$ipsec_secrets_file,