From 9eea0ce0a67aa24badf63bfbdc773a78842e110a Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Wed, 10 Jan 2018 22:43:01 +0100
Subject: [PATCH] Try to get ipsec between storace and fasolo
---
 hieradata/common.yaml | 3 +
 modules/ipsec/manifests/init.pp | 64 +++++++++++++++++++
 modules/ipsec/templates/ferm.erb | 28 ++++++++
 .../templates/ipsec.conf-00-default.conf.erb | 13 ++++
 .../ipsec.conf-10-puppet-peers.conf.erb | 47 ++++++++++++++
 modules/ipsec/templates/ipsec.conf.erb | 31 +++++++++
 .../ipsec.secrets-10-puppet-peers.secrets.erb | 27 ++++++++
 modules/ipsec/templates/ipsec.secrets.erb | 9 +++
 modules/roles/manifests/init.pp | 4 ++
 9 files changed, 226 insertions(+)
 create mode 100644 modules/ipsec/manifests/init.pp
 create mode 100644 modules/ipsec/templates/ferm.erb
 create mode 100644 modules/ipsec/templates/ipsec.conf-00-default.conf.erb
 create mode 100644 modules/ipsec/templates/ipsec.conf-10-puppet-peers.conf.erb
 create mode 100644 modules/ipsec/templates/ipsec.conf.erb
 create mode 100644 modules/ipsec/templates/ipsec.secrets-10-puppet-peers.secrets.erb
 create mode 100644 modules/ipsec/templates/ipsec.secrets.erb
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 1d2a70cf1..eb668108c 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -318,3 +318,6 @@ roles:
 - godard.debian.org
 debsources:
 - sor.debian.org
+ ipsec:
+ - fasolo.debian.org
+ - storace.debian.org
diff --git a/modules/ipsec/manifests/init.pp b/modules/ipsec/manifests/init.pp
new file mode 100644
index 000000000..2cd0f9ab0
--- /dev/null
+++ b/modules/ipsec/manifests/init.pp
@@ -0,0 +1,64 @@
+class ipsec {
+ $ipsec_config = @(EOF)
+ ---
+
+ storace.debian.org:
+ address: 93.94.130.161
+
+ fasolo.debian.org:
+ address: 138.16.160.17
+
+ | EOF
+
+ package { [
+ 'strongswan',
+ 'libstrongswan-standard-plugins'
+ ]:
+ ensure => installed
+ }
+
+ service { 'ipsec':
+ ensure => running,
+ }
+
+ file { '/etc/ipsec.conf':
+ content => template("ipsec/ipsec.conf.erb"),
+ notify => Service['ipsec'],
+ }
+ file { '/etc/ipsec.secrets':
+ mode => '0400',
+ content => template("ipsec/ipsec.secrets.erb"),
+ notify => Service['ipsec'],
+ }
+
+ file { '/etc/ipsec.conf.d':
+ mode => '0755',
+ ensure => 'directory',
+ }
+ file { '/etc/ipsec.secrets.d':
+ ensure => 'directory',
+ mode => '0700',
+ }
+
+ file { '/etc/ipsec.conf.d/00-default.conf':
+ content => template("ipsec/ipsec.conf-00-default.conf.erb"),
+ notify => Service['ipsec'],
+ }
+
+ file { '/etc/ipsec.conf.d/10-puppet-peers.conf':
+ content => template("ipsec/ipsec.conf-10-puppet-peers.conf.erb"),
+ notify => Service['ipsec'],
+ }
+ file { '/etc/ipsec.secrets.d/10-puppet-peers.secrets':
+ mode => '0400',
+ content => template("ipsec/ipsec.secrets-10-puppet-peers.secrets.erb"),
+ notify => Service['ipsec'],
+ }
+
+ file {
+ "/etc/ferm/dsa.d/10-ipsec":
+ mode => '0400',
+ content => template("ipsec/ferm.erb"),
+ notify => Service['ferm'],
+ }
+}
diff --git a/modules/ipsec/templates/ferm.erb b/modules/ipsec/templates/ferm.erb
new file mode 100644
index 000000000..82b8a6bcb
--- /dev/null
+++ b/modules/ipsec/templates/ferm.erb
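Review bot: The two secrets file resources (`/etc/ipsec.secrets` and `/etc/ipsec.secrets.d/10-puppet-peers.secrets`) set `mode => '0400'` but not `show_diff => false`, so every change to the PSK file is recorded as a content diff in agent reports and logs; add `show_diff => false` to both. Owner and group are left to the agent's defaults on all the files, and since mode 0400/0700 only protects the owner, stating `owner => 'root', group => 'root'` on the secrets files and directory makes the intent explicit. Neither `Service['ipsec']` nor the file resources declare a relationship to `Package['strongswan']`, so unless manifest ordering is being relied on the config files can be written and the service started before the package exists; `require => Package['strongswan']` on the service closes that. The peer list in `$ipsec_config` duplicates the `roles: ipsec:` list in hiera, and a host present in one but not the other fails at template time, which a comment above the heredoc should say.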
@@ -0,0 +1,28 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+peers = []
+config.keys.each do |host|
+ next if @fqdn == host
+ peers << config[host]['address']
+end
+%>
+
+domain ip table filter {
+ chain ipsec-peers {
+ saddr (<%= peers.join(" ") %>) ACCEPT;
+ }
+
+ chain INPUT {
+ proto udp dport (isakmp) jump ipsec-peers;
+ proto esp jump ipsec-peers;
+ }
+}
diff --git a/modules/ipsec/templates/ipsec.conf-00-default.conf.erb b/modules/ipsec/templates/ipsec.conf-00-default.conf.erb
new file mode 100644
index 000000000..d96d22464
--- /dev/null
+++ b/modules/ipsec/templates/ipsec.conf-00-default.conf.erb
@@ -0,0 +1,13 @@
+config setup
+ #charondebug="all"
+ uniqueids=yes
+
+conn %default
+ #ikelifetime=3h
+ #keylife=1h
+ #rekeymargin=9m
+ keyingtries=1
+ keyexchange=ikev2
+
+ mobike=no
+ authby=secret
diff --git a/modules/ipsec/templates/ipsec.conf-10-puppet-peers.conf.erb b/modules/ipsec/templates/ipsec.conf-10-puppet-peers.conf.erb
new file mode 100644
index 000000000..bde49ce56
--- /dev/null
+++ b/modules/ipsec/templates/ipsec.conf-10-puppet-peers.conf.erb
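Review bot: The `peers` loop at the top of the template is a hand-rolled select/map; `peers = config.reject { |host, _| host == @fqdn }.map { |_, peer| peer['address'] }` reads more directly, and the `then` after `unless` is redundant. The filter only opens `udp dport (isakmp)` and `proto esp`; assuming these peers talk directly on their public addresses with `mobike=no`, that is enough, but a comment such as `# udp/4500 (NAT-T) deliberately not opened: peers have public addresses, no NAT` would record the choice for whoever adds a NATed host later. `YAML.load` is applied to a string that comes from the manifest heredoc rather than from outside, which is fine, but the same load is repeated in three templates, so a one-line comment that `@ipsec_config` is trusted module data would save each reader the same check.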
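Review bot: `conn %default` pins `keyexchange=ikev2` and `authby=secret` but leaves the `ike=` and `esp=` proposals at whatever the installed strongSwan package defaults to, so the cipher suites actually negotiated between storace and fasolo are not visible in this repository and can change with a package upgrade; either state them explicitly with `ike=` and `esp=` lines or add a comment recording that the distribution defaults are accepted on purpose. `keyingtries=1` limits the initial IKE_SA setup to a single attempt, and whether the `closeaction=restart` in the peers template makes up for that when the first attempt fails is not obvious from here, so a comment on why `1` rather than `%forever` would help.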
@@ -0,0 +1,47 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%=
+
+lines = []
+
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+config.keys.each do |host|
+ next if @fqdn == host
+
+ pair = [@fqdn, host]
+ pair.sort!
+ connname = pair.join('-')
+
+ lines << "conn #{connname}"
+ lines << " # left is us (local): #{@fqdn}"
+ lines << " left = #{config[@fqdn]['address']}"
+
+ lines << " # right is our peer (remote): #{host}"
+ lines << " right = #{config[host]['address']}"
+
+ if config[@fqdn].include?('subnet') or config[host].include?('subnet')
+ lines << " type = tunnel"
+ if config[@fqdn].include?('subnet')
+ lines << " leftsubnet = #{config[@fqdn]['subnet'].join(', ')}"
+ end
+ if config[host].include?('subnet')
+ lines << " rightsubnet = #{config[host]['subnet'].join(', ')}"
+ end
+ else
+ lines << " type = transport"
+ end
+ lines << ""
+ lines << " auto=start"
+ lines << " closeaction=restart"
+ lines << ""
+end
+lines.join("\n")
+
+%>
diff --git a/modules/ipsec/templates/ipsec.conf.erb b/modules/ipsec/templates/ipsec.conf.erb
new file mode 100644
index 000000000..9f18f90f8
--- /dev/null
+++ b/modules/ipsec/templates/ipsec.conf.erb
@@ -0,0 +1,31 @@
+# ipsec.conf - strongSwan IPsec configuration file
+
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
+
+include /var/lib/strongswan/ipsec.conf.inc
+include /etc/ipsec.conf.d/*.conf
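Review bot: The `subnet` branch in the middle of the loop calls `.join(', ')` on `config[host]['subnet']`, so that value must be a list, yet nothing in `$ipsec_config` or this template says so and a scalar CIDR would raise during catalog compilation; a comment at the top of the template, e.g. `# per-host keys: address (required); subnet (optional, list of CIDRs) - a subnet on either side switches the conn to tunnel mode`, would document the schema. `if config[@fqdn].include?('subnet') or config[host].include?('subnet')` should use `||`; `or` is a low-precedence control-flow operator and is not idiomatic in a condition. The three lines `pair = [@fqdn, host]`, `pair.sort!`, `connname = pair.join('-')` collapse to `connname = [@fqdn, host].sort.join('-')`, and the `then` after `unless` is redundant.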
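Review bot: The file keeps the stock Debian sample `conn` blocks and the commented-out `config setup` hints while the effective settings live in `ipsec.conf.d/00-default.conf`, which opens its own `config setup` section; the template would be clearer reduced to the header comment and the two `include` lines, with a comment such as `# all settings live in /etc/ipsec.conf.d/*.conf (managed by puppet)`. Having `config setup` both here and in `00-default.conf` relies on strongSwan merging the two sections; if that is intended it deserves a comment, otherwise `uniqueids=yes` belongs in this file.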
diff --git a/modules/ipsec/templates/ipsec.secrets-10-puppet-peers.secrets.erb b/modules/ipsec/templates/ipsec.secrets-10-puppet-peers.secrets.erb
new file mode 100644
index 000000000..8bd790dfb
--- /dev/null
+++ b/modules/ipsec/templates/ipsec.secrets-10-puppet-peers.secrets.erb
@@ -0,0 +1,27 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%=
+
+lines = []
+
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+config.keys.each do |host|
+ next if @fqdn == host
+
+ pair = [@fqdn, host]
+ pair.sort!
+ connname = pair.join('-')
+ key = scope.function_hkdf(['/etc/puppet/secret', "puppet-key-ipsec:PSK:tor:#{connname}"])
+
+ lines << "#{config[pair[0]]['address']} #{config[pair[1]]['address']} : PSK \"#{key}\""
+end
+lines.join("\n")
+
+%>
diff --git a/modules/ipsec/templates/ipsec.secrets.erb b/modules/ipsec/templates/ipsec.secrets.erb
new file mode 100644
index 000000000..03935570a
--- /dev/null
+++ b/modules/ipsec/templates/ipsec.secrets.erb
@@ -0,0 +1,9 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+# this file is managed with debconf and will contain the automatically created private key
+include /var/lib/strongswan/ipsec.secrets.inc
+
+include /etc/ipsec.secrets.d/*.secrets
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 2a2bb4932..101058d15 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -367,4 +367,8 @@ class roles {
 if has_role('debsources') {
 include roles::debsources
 }
+
+ if has_role('ipsec') {
+ include ipsec
+ }
 }
-- 
2.20.1
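Review bot: The HKDF info string on the `key =` line, `puppet-key-ipsec:PSK:tor:#{connname}`, carries a `tor` component that nothing else in this module refers to, which looks carried over from another derivation; if it is intentional a comment should say so, because the label is an input to the derived secret and changing it later rotates every peer PSK at once. The sort-then-join of the pair is what makes both ends derive the same PSK for a given pair, so a comment like `# sorted so both peers derive the same PSK` belongs on the `pair.sort!` line, or replace the three lines with `connname = [@fqdn, host].sort.join('-')`. The rendered output travels in the catalog in clear text, so anything that logs or archives catalogs holds the PSKs; a header comment stating that would help whoever sets up catalog retention. The `then` after `unless` is redundant, as in the other templates.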