- godard.debian.org
debsources:
- sor.debian.org
+ ipsec:
+ - fasolo.debian.org
+ - storace.debian.org
--- /dev/null
+class ipsec {
+ $ipsec_config = @(EOF)
+ ---
+
+ storace.debian.org:
+ address: 93.94.130.161
+
+ fasolo.debian.org:
+ address: 138.16.160.17
+
+ | EOF
+
+ package { [
+ 'strongswan',
+ 'libstrongswan-standard-plugins'
+ ]:
+ ensure => installed
+ }
+
+ service { 'ipsec':
+ ensure => running,
+ }
+
+ file { '/etc/ipsec.conf':
+ content => template("ipsec/ipsec.conf.erb"),
+ notify => Service['ipsec'],
+ }
+ file { '/etc/ipsec.secrets':
+ mode => '0400',
+ content => template("ipsec/ipsec.secrets.erb"),
+ notify => Service['ipsec'],
+ }
+
+ file { '/etc/ipsec.conf.d':
+ mode => '0755',
+ ensure => 'directory',
+ }
+ file { '/etc/ipsec.secrets.d':
+ ensure => 'directory',
+ mode => '0700',
+ }
+
+ file { '/etc/ipsec.conf.d/00-default.conf':
+ content => template("ipsec/ipsec.conf-00-default.conf.erb"),
+ notify => Service['ipsec'],
+ }
+
+ file { '/etc/ipsec.conf.d/10-puppet-peers.conf':
+ content => template("ipsec/ipsec.conf-10-puppet-peers.conf.erb"),
+ notify => Service['ipsec'],
+ }
+ file { '/etc/ipsec.secrets.d/10-puppet-peers.secrets':
+ mode => '0400',
+ content => template("ipsec/ipsec.secrets-10-puppet-peers.secrets.erb"),
+ notify => Service['ipsec'],
+ }
+
+ file {
+ "/etc/ferm/dsa.d/10-ipsec":
+ mode => '0400',
+ content => template("ipsec/ferm.erb"),
+ notify => Service['ferm'],
+ }
+}
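Review bot: Nothing in `class ipsec` orders the `file` and `service` resources after `Package['strongswan']`; only manifest ordering keeps them from writing `/etc/ipsec.conf` and `/etc/ipsec.secrets` before the package lays down its conffiles or evaluating `Service['ipsec']` before the unit exists, and Puppet does not autorequire a package for a service. Adding `require => Package['strongswan'],` to the `/etc/ipsec.conf` and `/etc/ipsec.secrets` files and to the `service` resource (or one `Package['strongswan'] -> File['/etc/ipsec.conf']`-style chain) makes the dependency explicit. The generated `ipsec.conf`/`ipsec.secrets` glob-include `/etc/ipsec.conf.d/*.conf` and `/etc/ipsec.secrets.d/*.secrets`, but the two directory resources are not purged, so a conn or secret dropped there by hand or left over from a renamed template keeps being loaded; `purge => true, recurse => true` on both directories, or a comment stating that hand-placed files there are deliberately allowed, would make that policy visible.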
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+peers = []
+config.keys.each do |host|
+ next if @fqdn == host
+ peers << config[host]['address']
+end
+%>
+
+domain ip table filter {
+ chain ipsec-peers {
+ saddr (<%= peers.join(" ") %>) ACCEPT;
+ }
+
+ chain INPUT {
+ proto udp dport (isakmp) jump ipsec-peers;
+ proto esp jump ipsec-peers;
+ }
+}
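Review bot: The `saddr (<%= peers.join(" ") %>) ACCEPT;` line in `chain ipsec-peers` renders as `saddr () ACCEPT;` when a host is the only entry in `$ipsec_config`, which ferm will most likely reject and thereby break the whole firewall reload; guarding the rule with `<% unless peers.empty? %>` … `<% end %>`, or failing in the prologue with `fail("No ipsec peers for #{@fqdn}")`, avoids that. Only `isakmp` and ESP are opened, so NAT traversal on udp/4500 is effectively unavailable; that is consistent with `mobike=no` in the default conn but deserves a one-line comment here. The `YAML.load`/`@fqdn` prologue is repeated verbatim in the two 10-puppet-peers templates; parsing once in the manifest or a shared helper would keep the three copies from drifting.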
--- /dev/null
+config setup
+ #charondebug="all"
+ uniqueids=yes
+
+conn %default
+ #ikelifetime=3h
+ #keylife=1h
+ #rekeymargin=9m
+ keyingtries=1
+ keyexchange=ikev2
+
+ mobike=no
+ authby=secret
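Review bot: `conn %default` fixes `keyexchange=ikev2` and `authby=secret` but pins no `ike=`/`esp=` proposal, so the cipher suites actually negotiated are whatever the installed strongSwan version defaults to and will change silently across package upgrades. Both ends are Puppet-managed, so an explicit `ike=` and `esp=` line (terminated with `!` so strongSwan does not append its defaults) would make the policy reviewable in this file. `keyingtries=1` means a peer that is unreachable when the conn is brought up is tried once and, as far as these lines and the `auto=start`/`closeaction=restart` in the peers template show, not retried until something restarts it; a comment stating whether that is intentional would help.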
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%=
+
+lines = []
+
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+config.keys.each do |host|
+ next if @fqdn == host
+
+ pair = [@fqdn, host]
+ pair.sort!
+ connname = pair.join('-')
+
+ lines << "conn #{connname}"
+ lines << " # left is us (local): #{@fqdn}"
+ lines << " left = #{config[@fqdn]['address']}"
+
+ lines << " # right is our peer (remote): #{host}"
+ lines << " right = #{config[host]['address']}"
+
+ if config[@fqdn].include?('subnet') or config[host].include?('subnet')
+ lines << " type = tunnel"
+ if config[@fqdn].include?('subnet')
+ lines << " leftsubnet = #{config[@fqdn]['subnet'].join(', ')}"
+ end
+ if config[host].include?('subnet')
+ lines << " rightsubnet = #{config[host]['subnet'].join(', ')}"
+ end
+ else
+ lines << " type = transport"
+ end
+ lines << ""
+ lines << " auto=start"
+ lines << " closeaction=restart"
+ lines << ""
+end
+lines.join("\n")
+
+%>
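Review bot: `config[host]['address']` and `config[@fqdn]['address']` are interpolated unchecked, so a host entry without an `address` key renders `right = ` (or `left = `) empty and strongSwan will likely reject the whole `10-puppet-peers.conf` at load, taking the other peers down with it; `addr = config[host].fetch('address') { fail("No address for #{host} in ipsec config") }` at the top of the loop turns that into a catalog compile error instead. The same applies to `subnet`, which `.join(', ')` assumes is a list. Minor style: `or` in the `if ... include?('subnet') or ...` condition should be `||`, and `pair.sort!` followed by `pair.join('-')` can be `connname = [@fqdn, host].sort.join('-')`.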
--- /dev/null
+# ipsec.conf - strongSwan IPsec configuration file
+
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
+
+include /var/lib/strongswan/ipsec.conf.inc
+include /etc/ipsec.conf.d/*.conf
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%=
+
+lines = []
+
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+config.keys.each do |host|
+ next if @fqdn == host
+
+ pair = [@fqdn, host]
+ pair.sort!
+ connname = pair.join('-')
+ key = scope.function_hkdf(['/etc/puppet/secret', "puppet-key-ipsec:PSK:tor:#{connname}"])
+
+ lines << "#{config[pair[0]]['address']} #{config[pair[1]]['address']} : PSK \"#{key}\""
+end
+lines.join("\n")
+
+%>
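Review bot: The per-pair PSK produced by `scope.function_hkdf` on the `key = ...` line is evaluated on the master and shipped inside the compiled catalog, so it is exposed to every store the catalog passes through (the agent's catalog cache and, if configured, PuppetDB), not only the 0400 `10-puppet-peers.secrets` file; a comment in the template recording that trade-off, and noting that rotating `/etc/puppet/secret` rotates every PSK at once, would help the next maintainer. The `tor` token in the derivation label `puppet-key-ipsec:PSK:tor:#{connname}` looks like a leftover from another template; because it is part of the HKDF input, changing it later rekeys every pair, so either settle the label now or document it as deliberate. The `PSK "#{key}"` line also assumes the derived key is printable and free of `"` and `\` — true for hex or base64 output, which `function_hkdf` presumably returns, but worth confirming.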
--- /dev/null
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+# this file is managed with debconf and will contain the automatically created private key
+include /var/lib/strongswan/ipsec.secrets.inc
+
+include /etc/ipsec.secrets.d/*.secrets
if has_role('debsources') {
include roles::debsources
}
+
+ if has_role('ipsec') {
+ include ipsec
+ }
}