From 22f7cd41b075edb12af6e406387f3f9bcf32d70a Mon Sep 17 00:00:00 2001 From: Tobias Knipping Date: Fri, 5 Jan 2018 21:22:05 +0100 Subject: [PATCH] add openvpn::deploy::(export/client) fix linting, add credit restructure deploy manifests fixes #231 --- lib/facter/openvpn_deploy_cert_data.rb | 24 +++++++ manifests/client.pp | 15 +++-- manifests/deploy/client.pp | 59 ++++++++++++++++ manifests/deploy/export.pp | 93 ++++++++++++++++++++++++++ manifests/deploy/install.pp | 26 +++++++ manifests/deploy/prepare.pp | 29 ++++++++ manifests/deploy/service.pp | 31 +++++++++ 7 files changed, 272 insertions(+), 5 deletions(-) create mode 100644 lib/facter/openvpn_deploy_cert_data.rb create mode 100644 manifests/deploy/client.pp create mode 100644 manifests/deploy/export.pp create mode 100644 manifests/deploy/install.pp create mode 100644 manifests/deploy/prepare.pp create mode 100644 manifests/deploy/service.pp diff --git a/lib/facter/openvpn_deploy_cert_data.rb b/lib/facter/openvpn_deploy_cert_data.rb new file mode 100644 index 00000000..08d2b83c --- /dev/null +++ b/lib/facter/openvpn_deploy_cert_data.rb 
@@ -0,0 +1,24 @@
+Facter.add("openvpn::deploy_cert_data") do
+ setcode do
+ clients = {}
+ path = '/etc/openvpn'
+ if File.directory?(path)
+ Dir.entries(path).each do |server|
+ if File.directory?("#{path}/#{server}/download-configs")
+ Dir.entries("#{path}/#{server}/download-configs").each do |client|
+ if File.directory?("#{path}/#{server}/download-configs/#{client}") and client !~ /^\.\.?$/ and client !~ /\.tblk$/
+ clients["#{server}-#{client}-conf"] = File.open("#{path}/#{server}/download-configs/#{client}/#{client}.conf", "r").read
+ clients["#{server}-#{client}-ca"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ca.crt", "r").read
+ clients["#{server}-#{client}-crt"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/#{client}.crt", "r").read
+ clients["#{server}-#{client}-key"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/#{client}.key", "r").read
+ if File.exists?("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ta.key")
+ clients["#{server}-#{client}-ta"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ta.key", "r").read
+ end
+ end
+ end
+ end
+ end
+ end
+ clients
+ end
+end
\ No newline at end of file
diff --git a/manifests/client.pp b/manifests/client.pp
index 9b6f58e1..443a8028 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
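Review bot: The fact reads every client's private key (`#{client}.key`) and `ta.key` into its value, so that secret material is sent to the master on each run and stored wherever facts are kept (PuppetDB, reports) and is readable by anyone with fact access; that is the feature's design, but it deserves a header comment such as `# NOTE: this fact carries private keys; restrict who can read facts/PuppetDB for these nodes` and a matching README warning. The `File.open(..., "r").read` calls never close their handles — `File.read(path)` does the same in one call — and `File.exists?` is deprecated in favour of `File.exist?`. A missing `.conf`, `ca.crt`, `.crt` or `.key` raises `Errno::ENOENT` inside `setcode` and takes the whole fact down for every client, so guard each read with `File.file?` or skip that client with a `Facter.warn`. `and` in the directory condition should be `&&` to avoid precedence surprises.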
@@ -258,27 +258,31 @@ ensure => directory, } - file { "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt": + file { "${server}-${name}-crt": ensure => link, + path => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt", target => "${etc_directory}/openvpn/${ca_name}/easy-rsa/keys/${name}.crt", require => Exec["generate certificate for ${name} in context of ${ca_name}"], } - file { "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key": + file { "${server}-${name}-key": ensure => link, + path => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key", target => "${etc_directory}/openvpn/${ca_name}/easy-rsa/keys/${name}.key", require => Exec["generate certificate for ${name} in context of ${ca_name}"], } - file { "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt": + file { "${server}-${name}-ca": ensure => link, + path => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt", target => "${etc_directory}/openvpn/${ca_name}/easy-rsa/keys/ca.crt", require => Exec["generate certificate for ${name} in context of ${ca_name}"], } if $tls_auth { - file { "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/ta.key": + file { "${server}-${name}-ta": ensure => link, + path => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/ta.key", target => "${etc_directory}/openvpn/${server}/easy-rsa/keys/ta.key", require => Exec["generate certificate for ${name} in context of ${server}"], before => [ @@ -314,7 +318,8 @@ before => Exec["tar the thing ${server} with ${name}"]; } - file { "${etc_directory}/openvpn/${server}/download-configs/${name}/${name}.conf": + file { "${server}-${name}-conf": + path => "${etc_directory}/openvpn/${server}/download-configs/${name}/${name}.conf", owner => root, group => $::openvpn::params::root_group, mode => '0444', 
diff --git a/manifests/deploy/client.pp b/manifests/deploy/client.pp
new file mode 100644
index 00000000..eb0a88f6
--- /dev/null
+++ b/manifests/deploy/client.pp
@@ -0,0 +1,59 @@
+# == Define: openvpn::deploy::client
+#
+# Collect the exported configs for an Host and ensure a running Openvpn Service
+#
+# === Parameters
+#
+# $server which Openvpn::Server[$server] does the config belong to?
+# String
+#
+# $manage_etc should the /etc/openvpn directory be managed? (warning, all unmanaged files will be purged!)
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+# openvpn::deploy::client { 'test-client':
+# server => 'test_server',
+# }
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+define openvpn::deploy::client (
+ String $server,
+ Boolean $manage_etc = true,
+) {
+
+ include openvpn::deploy::prepare
+
+ Class['openvpn::deploy::install']
+ -> Openvpn::Deploy::Client[$name]
+ ~> Class['openvpn::deploy::service']
+
+
+ if ($manage_etc == true) {
+ file { [
+ "${::openvpn::params::etc_directory}/openvpn",
+ "${::openvpn::params::etc_directory}/openvpn/keys",
+ "${::openvpn::params::etc_directory}/openvpn/keys/${name}",
+ ]:
+ ensure => directory,
+ purge => true,
+ force => true,
+ require => Package['openvpn'];
+ }
+ } else {
+ file { "${::openvpn::params::etc_directory}/openvpn/keys/${name}":
+ ensure => directory,
+ require => Package['openvpn'];
+ }
+ }
+
+ File <<| tag == "${server}-${name}" |>>
+
+}
\ No newline at end of file
diff --git a/manifests/deploy/export.pp b/manifests/deploy/export.pp
new file mode 100644
index 00000000..ecea46d9
--- /dev/null
+++ b/manifests/deploy/export.pp
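Review bot: The `keys/${name}` directory receives the client's private key, yet the `file` resources in both branches set no `owner`, `group` or `mode`, so it is created with the agent's umask (commonly 0755); add `owner => 'root', group => $::openvpn::params::root_group, mode => '0700',` to the `keys/${name}` resource so key material stays private even if a file later lands there with loose permissions. The `purge => true` in the `$manage_etc` branch does nothing without `recurse => true`, so the header's "all unmanaged files will be purged!" warning does not describe the code — either add `recurse => true` (and document that it then removes every other server/client directory under `/etc/openvpn`) or drop `purge`/`force` together with the warning. The collector `File <<| tag == "${server}-${name}" |>>` realises a matching export from any node in PuppetDB, so a comment that the tag is a routing key and not an authentication boundary would help. `if ($manage_etc == true)` can be simply `if $manage_etc`.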
@@ -0,0 +1,93 @@
+# == Define: openvpn::deploy::export
+#
+# Prepare all Openvpn-Client-Configs to be exported
+#
+# === Parameters
+#
+# $server which Openvpn::Server[$server] does the config belong to?
+# String
+#
+# $tls_auth should the ta* files be exported too?
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+# openvpn::deploy::export { 'test-client':
+# server => 'test_server',
+# }
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+define openvpn::deploy::export (
+ String $server,
+ Boolean $tls_auth = false,
+) {
+
+ Openvpn::Server[$server]
+ -> Openvpn::Client[$name]
+ -> Openvpn::Deploy::Export[$name]
+
+ if $::openvpn::deploy_cert_data {
+ $data = $::openvpn::deploy_cert_data
+ } else {
+ fail('openvpn::deploy_cert_data not defined, is pluginsync enabled?')
+ }
+
+ @@file { "exported-${server}-${name}-config":
+ ensure => file,
+ path => "${::openvpn::params::etc_directory}/openvpn/${name}.conf",
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $data["exported-${server}-${name}-conf"],
+ tag => "${server}-${name}",
+ }
+
+ @@file { "exported-${server}-${name}-ca":
+ ensure => file,
+ path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ca.crt",
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $data["${server}-${name}-ca"],
+ tag => "${server}-${name}",
+ }
+
+ @@file { "exported-${server}-${name}-crt":
+ ensure => file,
+ path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.crt",
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $data["${server}-${name}-crt"],
+ tag => "${server}-${name}",
+ }
+
+ @@file { "exported-${server}-${name}-key":
+ ensure => file,
+ path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.key",
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $data["${server}-${name}-key"],
+ tag => "${server}-${name}",
+ }
+
+ if $tls_auth {
+ @@file { "exported-${server}-${name}-ta":
+ ensure => file,
+ path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ta.key",
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $data["${server}-${name}-ta"],
+ tag => "${server}-${name}",
+ }
+ }
+}
\ No newline at end of file
diff --git a/manifests/deploy/install.pp b/manifests/deploy/install.pp
new file mode 100644
index 00000000..bd4bf13b
--- /dev/null
+++ b/manifests/deploy/install.pp
@@ -0,0 +1,26 @@
+# == Class: openvpn::deploy::install
+#
+# Installs the Openvpn profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+# include openvpn::deploy::install
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::install {
+
+ ensure_packages(['openvpn'])
+
+}
\ No newline at end of file
diff --git a/manifests/deploy/prepare.pp b/manifests/deploy/prepare.pp
new file mode 100644
index 00000000..8019ba25
--- /dev/null
+++ b/manifests/deploy/prepare.pp
@@ -0,0 +1,29 @@
+# == Class: openvpn::deploy::prepare
+#
+# Base profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+# include openvpn::deploy::prepare
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::prepare {
+
+ class { 'openvpn::params': }
+
+ class { 'openvpn::deploy::install': }
+ ~> class { 'openvpn::deploy::service': }
+
+}
\ No newline at end of file
diff --git a/manifests/deploy/service.pp b/manifests/deploy/service.pp
new file mode 100644
index 00000000..e70ab39c
--- /dev/null
+++ b/manifests/deploy/service.pp
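Review bot: `content => $data["exported-${server}-${name}-conf"]` in the first `@@file` looks up a key the fact never sets — the facter code stores the config under `"#{server}-#{client}-conf"`, the same `${server}-${name}-…` shape used for `ca`, `crt` and `key` here — so the exported `${name}.conf` arrives on the client with no content; change it to `content => $data["${server}-${name}-conf"],`. Because a missing hash key yields `undef` silently, each lookup should be checked before export, e.g. `if !$data["${server}-${name}-key"] { fail("no deploy data for ${server}/${name}") }`, rather than shipping empty certificate and key files that openvpn will reject at runtime. Placing the private key in an exported resource's `content` means it is stored in PuppetDB and in every collecting node's catalog; that is the feature's design but should be stated in the define's header comment. Two smaller points: `group => 'root'` is hard-coded while `openvpn::client` uses `$::openvpn::params::root_group`, and `$::openvpn::deploy_cert_data` reads as a variable of class `openvpn` rather than the fact named `openvpn::deploy_cert_data` — `$facts['openvpn::deploy_cert_data']` would be the unambiguous lookup, if I am reading the fact name correctly.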
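Review bot: `class { 'openvpn::params': }` is a resource-like declaration of a parameterless class; if any other manifest evaluated on the same node has already done `include openvpn::params` (a host that is both an `openvpn::server` and a deploy client is the obvious case), Puppet raises a duplicate-declaration error, whereas `include openvpn::params` can be evaluated any number of times. The same holds for the `install` and `service` declarations: `include openvpn::deploy::install`, `include openvpn::deploy::service` and then `Class['openvpn::deploy::install'] ~> Class['openvpn::deploy::service']` express the same ordering without the collision risk.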
@@ -0,0 +1,31 @@
+# == Class: openvpn::deploy::service
+#
+# Base profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+# include openvpn::deploy::service
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::service {
+
+ service { 'openvpn':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true;
+ }
+
+}
\ No newline at end of file
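Review bot: Nothing ties this service to the collected config and key files, so a rotated certificate or a changed `${name}.conf` delivered by `openvpn::deploy::client` will not restart openvpn and the old credentials stay in use until something else bounces it; the collector in `openvpn::deploy::client` can carry the relationship, e.g. `File <<| tag == "${server}-${name}" |>> ~> Class['openvpn::deploy::service']`. Whether `service { 'openvpn': }` actually starts a config dropped at `/etc/openvpn/<name>.conf` depends on the distribution's init integration; on systemd-based releases the relevant unit may be the `openvpn@<name>` instance, which this class cannot express, so a note in the header comment stating which platforms this was verified on would help the next maintainer.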