X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=blobdiff_plain;f=modules%2Fipsec%2Fmanifests%2Fnetwork.pp;h=455f1ee55f956eda34d83997afab5d34b241e341;hp=b5d6979ddfe0c20505453049c6fdcaebe24acb0a;hb=431cf940f960105adc64c79fca6f333ae545e39f;hpb=6d227b8973b5f73b3cb558312bdcc895ab70e04b
diff --git a/modules/ipsec/manifests/network.pp b/modules/ipsec/manifests/network.pp
index b5d6979dd..455f1ee55 100644
--- a/modules/ipsec/manifests/network.pp
+++ b/modules/ipsec/manifests/network.pp
@@ -12,8 +12,11 @@
 #
 # Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
 # to tunnel both addresses.
+#
+# @param peer_ipaddress the ipsec endpoint address of this ipsec node
+# @param peer_networks a list of networks behind or at this ipsec node
 define ipsec::network (
-	Stdlib::IP::Address $peer_ipaddress = $::ipaddress,
+	Stdlib::IP::Address $peer_ipaddress = $base::public_address,
 	Array[Stdlib::IP::Address] $peer_networks = [],
 ) {
 	include ipsec
@@ -22,11 +25,19 @@ define ipsec::network (
 	$ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
 	$stored_conftag = "ipsec::peer::${name}"
 
+	$real_peer_networks = Array($peer_networks, true).map |$a| {
+		if $a =~ Stdlib::IP::Address::V4::CIDR { $a }
+		elsif $a =~ Stdlib::IP::Address::V4::Nosubnet { "${a}/32" }
+		elsif $a =~ Stdlib::IP::Address::V6::CIDR { $a }
+		elsif $a =~ Stdlib::IP::Address::V6::Nosubnet { "${a}/128" }
+		else { fail("Do not know address type for ${a}") }
+	}
+
 	@@ipsec::peer{ "${name}-${::hostname}":
 		network_name => $name,
 		peer_name => $::hostname,
 		peer_ipaddress => $peer_ipaddress,
-		peer_networks => $peer_networks,
+		peer_networks => $real_peer_networks,
 		ipsec_conf_file => $ipsec_conf_file,
 		ipsec_secrets_file => $ipsec_secrets_file,
 		tag => $stored_conftag,
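Review bot: The header example `# Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]` still derives the tunneled host address from the `$::ipaddress` fact, while the default for `peer_ipaddress` in this hunk now comes from `$base::public_address`; on a host where the facter-selected address and the configured public address differ, the endpoint and the tunneled network would quietly disagree. Suggest aligning the example with the new default, e.g. `# Use $peer_networks = [ "${base::public_address}/32", "${::ipaddress6}/128" ]`. Note also that `$base::public_address` is read from a class this define never declares (only `include ipsec` is visible); presumably `base` is always evaluated earlier in the catalog, but if it is not, the default resolves to undef and the `Stdlib::IP::Address` type check rejects it with a less obvious error, so a short comment naming that ordering assumption above the parameter would help. The body of `ipsec::network` continues outside this hunk.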
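Review bot: The `$real_peer_networks` block carries no comment explaining why bare addresses are rewritten, and the intent matters because the result is exported to every peer via the `@@ipsec::peer` resource below it; suggest prefixing it with `# Normalise bare addresses to host routes (/32, /128) so exported peers always carry an explicit prefix length; CIDR entries are passed through unchanged.` The `Array($peer_networks, true)` wrapper looks redundant since the parameter is already typed `Array[Stdlib::IP::Address]` in the hunk above, so plain `$peer_networks.map |$a| { ... }` reads the same. Likewise the `else { fail(...) }` arm appears unreachable for inputs that satisfy the parameter type, which is fine as a guard but is worth a one-line comment so the next reader does not look for a missing case. The same normalised list is also wired into `local_networks` in the last hunk, which is consistent with this one.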
@@ -45,6 +56,6 @@ define ipsec::network (
 	Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
 		local_name => $::hostname,
 		local_ipaddress => $peer_ipaddress,
-		local_networks => $peer_networks,
+		local_networks => $real_peer_networks,
 	}
 }