From: Peter Palfrader
Date: Tue, 8 Oct 2019 05:59:03 +0000 (+0200)
Subject: document the ipsec::network and ipsec::peer manifests, change default address to...
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=431cf940f960105adc64c79fca6f333ae545e39f

document the ipsec::network and ipsec::peer manifests, change default address to the one in base::, and add proper prefixlengths to raw ip addresses in the networks list
---
diff --git a/modules/ipsec/manifests/network.pp b/modules/ipsec/manifests/network.pp
index b5d6979dd..455f1ee55 100644
--- a/modules/ipsec/manifests/network.pp
+++ b/modules/ipsec/manifests/network.pp
@@ -12,8 +12,11 @@
 #
 # Use $peer_networks = [ "${::ipaddress}/32", "${::ipaddress6}/128" ]
 # to tunnel both addresses.
+#
+# @param peer_ipaddress the ipsec endpoint address of this ipsec node
+# @param peer_networks a list of networks behind or at this ipsec node
 define ipsec::network (
- Stdlib::IP::Address $peer_ipaddress = $::ipaddress,
+ Stdlib::IP::Address $peer_ipaddress = $base::public_address,
 Array[Stdlib::IP::Address] $peer_networks = [],
 ) {
 include ipsec
@@ -22,11 +25,19 @@ define ipsec::network (
 $ipsec_secrets_file = "/etc/ipsec.secrets.d/10-puppet-${name}.secrets"
 $stored_conftag = "ipsec::peer::${name}"

+ $real_peer_networks = Array($peer_networks, true).map |$a| {
+ if $a =~ Stdlib::IP::Address::V4::CIDR { $a }
+ elsif $a =~ Stdlib::IP::Address::V4::Nosubnet { "${a}/32" }
+ elsif $a =~ Stdlib::IP::Address::V6::CIDR { $a }
+ elsif $a =~ Stdlib::IP::Address::V6::Nosubnet { "${a}/128" }
+ else { fail("Do not know address type for ${a}") }
+ }
+
 @@ipsec::peer{ "${name}-${::hostname}":
 network_name => $name,
 peer_name => $::hostname,
 peer_ipaddress => $peer_ipaddress,
- peer_networks => $peer_networks,
+ peer_networks => $real_peer_networks,
 ipsec_conf_file => $ipsec_conf_file,
 ipsec_secrets_file => $ipsec_secrets_file,
 tag => $stored_conftag,
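Review bot: The new default `$base::public_address` on the `define ipsec::network (` line reads a class variable that this define declares no dependency on — the body only does `include ipsec` — so the default only resolves if class base has already been evaluated when an ipsec::network resource is declared; if it has not, the value would be undef and the Stdlib::IP::Address check would reject it. That is probably always true in this tree, but nothing in the hunk records the requirement. I would state it in the new doc line, e.g. `# @param peer_ipaddress the ipsec endpoint address of this ipsec node (defaults to $base::public_address, so class base must be evaluated before this define is used)`. Replacing the node-reported `$::ipaddress` fact with a value presumably set centrally by the base class is otherwise a sound change.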
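Review bot: The `$real_peer_networks` map carries no comment explaining why bare addresses are rewritten; the reason is only in the commit message, and a later reader of network.pp will wonder why `/32` and `/128` are appended. I would add above it `# ipsec needs explicit prefix lengths; a bare address means a single host (/32 or /128)`. The `Array($peer_networks, true)` wrapper also looks redundant, since the parameter is already declared `Array[Stdlib::IP::Address]` a few lines up in the same file, so `$peer_networks.map |$a| {` would do unless the wrap is kept for a reason I cannot see here. The `fail()` fallback is the right choice: an address that satisfies the parameter type but none of the four forms should stop the catalog rather than propagate to the exported peer.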
@@ -45,6 +56,6 @@ define ipsec::network (
 Ipsec::Peer <<| tag == $stored_conftag and peer_name != $::hostname|>> {
 local_name => $::hostname,
 local_ipaddress => $peer_ipaddress,
- local_networks => $peer_networks,
+ local_networks => $real_peer_networks,
 }
 }
diff --git a/modules/ipsec/manifests/peer.pp b/modules/ipsec/manifests/peer.pp
index fbbc8ac9b..0270f5e90 100644
--- a/modules/ipsec/manifests/peer.pp
+++ b/modules/ipsec/manifests/peer.pp
@@ -1,4 +1,19 @@
 # an ipsec peer, another node to connect to
+#
+# This is the stored config part of ipsec::network. Each node that
+# is part of a network stores an ipsec::peer entry for itself and
+# then collects all other nodes of that network, overwriting
+# the local_* variables for itself.
+#
+# @param network_name name of this ipsec network clique
+# @param ipsec_conf_file the target of the ipsec config file concat
+# @param ipsec_secrets_file the target of the ipsec secrets file concat
+# @param local_name the name of this node (overwritten on collecting)
+# @param local_ipaddress the ipsec endpoint address on this node (overwritten on collecting)
+# @param local_networks a list of local networks (overwritten on collecting)
+# @param peer_name the name of this peer
+# @param peer_ipaddress the ipsec endpoint address of this peer
+# @param peer_networks a list of networks behind or at this peer
 define ipsec::peer(
 $ipsec_conf_file,
 $ipsec_secrets_file,
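Review bot: The new `@param` block documents every parameter of `ipsec::peer`, but the parameters it describes remain untyped — the two visible ones are bare `$ipsec_conf_file,` and `$ipsec_secrets_file,` — whereas network.pp in the same commit constrains its inputs with Stdlib types. Since the doc itself says these two are the targets of the config and secrets concats, typing them as `Stdlib::Absolutepath $ipsec_conf_file,` and `Stdlib::Absolutepath $ipsec_secrets_file,` would reject a malformed path at compile time instead of at file-write time, and `peer_networks` could now be `Array[Variant[Stdlib::IP::Address::V4::CIDR, Stdlib::IP::Address::V6::CIDR]]` given that network.pp normalizes every entry to an explicit prefix length. The define's parameter list continues outside the hunk, so I cannot see whether the remaining parameters are typed.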