document the ipsec::network and ipsec::peer manifests, change default address to...

diff --git a/modules/ipsec/manifests/network.pp b/modules/ipsec/manifests/network.pp
index b5d6979..455f1ee 100644 (file)
--- a/modules/ipsec/manifests/network.pp
+++ b/modules/ipsec/manifests/network.pp
@@ -12,8 +12,11 @@
 #
 # Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
 # to tunnel both addresses.
 #
 # Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
 # to tunnel both addresses.

+#
+# @param peer_ipaddress     the ipsec endpoint address of this ipsec node
+# @param peer_networks      a list of networks behind or at this ipsec node

 define ipsec::network (
 define ipsec::network (

-  Stdlib::IP::Address $peer_ipaddress       = $::ipaddress,
+  Stdlib::IP::Address $peer_ipaddress       = $base::public_address,

   Array[Stdlib::IP::Address] $peer_networks = [],
 ) {
   include ipsec
   Array[Stdlib::IP::Address] $peer_networks = [],
 ) {
   include ipsec


@@ -22,11 +25,19 @@ define ipsec::network (
   $ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
   $stored_conftag = "ipsec::peer::${name}"
 
   $ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
   $stored_conftag = "ipsec::peer::${name}"
 

+  $real_peer_networks = Array($peer_networks, true).map |$a| {
+    if    $a =~ Stdlib::IP::Address::V4::CIDR     { $a }
+    elsif $a =~ Stdlib::IP::Address::V4::Nosubnet { "${a}/32" }
+    elsif $a =~ Stdlib::IP::Address::V6::CIDR     { $a }
+    elsif $a =~ Stdlib::IP::Address::V6::Nosubnet { "${a}/128" }
+    else { fail("Do not know address type for ${a}") }
+  }
+

   @@ipsec::peer{ "${name}-${::hostname}":
     network_name       => $name,
     peer_name          => $::hostname,
     peer_ipaddress     => $peer_ipaddress,
   @@ipsec::peer{ "${name}-${::hostname}":
     network_name       => $name,
     peer_name          => $::hostname,
     peer_ipaddress     => $peer_ipaddress,

-    peer_networks      => $peer_networks,
+    peer_networks      => $real_peer_networks,

     ipsec_conf_file    => $ipsec_conf_file,
     ipsec_secrets_file => $ipsec_secrets_file,
     tag                => $stored_conftag,
     ipsec_conf_file    => $ipsec_conf_file,
     ipsec_secrets_file => $ipsec_secrets_file,
     tag                => $stored_conftag,


@@ -45,6 +56,6 @@ define ipsec::network (
   Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
     local_name      => $::hostname,
     local_ipaddress => $peer_ipaddress,
   Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
     local_name      => $::hostname,
     local_ipaddress => $peer_ipaddress,

-    local_networks  => $peer_networks,
+    local_networks  => $real_peer_networks,

   }
 }
   }
 }

diff --git a/modules/ipsec/manifests/peer.pp b/modules/ipsec/manifests/peer.pp
index fbbc8ac..0270f5e 100644 (file)
--- a/modules/ipsec/manifests/peer.pp
+++ b/modules/ipsec/manifests/peer.pp
@@ -1,4 +1,19 @@
 # an ipsec peer, another node to connect to
 # an ipsec peer, another node to connect to

+#
+# This is the stored config part of ipsec::network.  Each node that
+# is part of a network stores an ipsec::peer entry for itself and
+# then collects all other nodes of that network, overwriting
+# the local_* variables for itself.
+#
+# @param network_name       name of this ipsec network clique
+# @param ipsec_conf_file    the target of the ipsec config file concat
+# @param ipsec_secrets_file the target of the ipsec secrets file concat
+# @param local_name         the name of this node (overwritten on collecting)
+# @param local_ipaddress    the ipsec endpoint address on this node (overwritten on collecting)
+# @param local_networks     a list of local networks (overwritten on collecting)
+# @param peer_name          the name of this peer
+# @param peer_ipaddress     the ipsec endpoint address of this peer
+# @param peer_networks      a list of networks behind or at this peer

 define ipsec::peer(
   $ipsec_conf_file,
   $ipsec_secrets_file,
 define ipsec::peer(
   $ipsec_conf_file,
   $ipsec_secrets_file,