document the ipsec::network and ipsec::peer manifests, change default address to...
[mirror/dsa-puppet.git] / modules / ipsec / manifests / network.pp
index b5d6979..455f1ee 100644 (file)
 #
 # Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
 # to tunnel both addresses.
+#
+# @param peer_ipaddress     the ipsec endpoint address of this ipsec node
+# @param peer_networks      a list of networks behind or at this ipsec node
 define ipsec::network (
-  Stdlib::IP::Address $peer_ipaddress       = $::ipaddress,
+  Stdlib::IP::Address $peer_ipaddress       = $base::public_address,
   Array[Stdlib::IP::Address] $peer_networks = [],
 ) {
   include ipsec
@@ -22,11 +25,19 @@ define ipsec::network (
   $ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
   $stored_conftag = "ipsec::peer::${name}"
 
+  $real_peer_networks = Array($peer_networks, true).map |$a| {
+    if    $a =~ Stdlib::IP::Address::V4::CIDR     { $a }
+    elsif $a =~ Stdlib::IP::Address::V4::Nosubnet { "${a}/32" }
+    elsif $a =~ Stdlib::IP::Address::V6::CIDR     { $a }
+    elsif $a =~ Stdlib::IP::Address::V6::Nosubnet { "${a}/128" }
+    else { fail("Do not know address type for ${a}") }
+  }
+
   @@ipsec::peer{ "${name}-${::hostname}":
     network_name       => $name,
     peer_name          => $::hostname,
     peer_ipaddress     => $peer_ipaddress,
-    peer_networks      => $peer_networks,
+    peer_networks      => $real_peer_networks,
     ipsec_conf_file    => $ipsec_conf_file,
     ipsec_secrets_file => $ipsec_secrets_file,
     tag                => $stored_conftag,
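Review bot: The new `$real_peer_networks` block carries no comment explaining why bare addresses are rewritten to `/32` and `/128`, which is the one non-obvious step in this hunk; a one-line comment such as `# Normalise bare host addresses to explicit /32 and /128 prefixes so the exported peer record and the local selectors always carry a consistent CIDR form.` would make the intent clear to the next reader. The header comment just above the `define` still recommends writing `"${::ipaddress}/32"` by hand; it could now say that plain addresses are accepted and normalised. The `fail()` in the `else` branch is a useful guard, but since `$peer_networks` is already typed `Array[Stdlib::IP::Address]` it presumably only fires for a value that matches that type without matching any of the four listed subtypes — worth confirming which inputs, if any, can reach it. The same substitution of `$real_peer_networks` for `$peer_networks` appears again in the `local_networks` line of the last hunk.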
@@ -45,6 +56,6 @@ define ipsec::network (
   Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
     local_name      => $::hostname,
     local_ipaddress => $peer_ipaddress,
-    local_networks  => $peer_networks,
+    local_networks  => $real_peer_networks,
   }
 }