add openvpn::deploy::(export/client)

fix linting, add credit restructure deploy manifests fixes voxpupuli#231
to-kn · Jan 6, 2018 · e2e0625 · e2e0625
1 parent 33bf2a5
commit e2e0625
Show file tree

Hide file tree

Showing 9 changed files with 261 additions and 16 deletions.
diff --git a/lib/facter/openvpn_deploy_cert_data.rb b/lib/facter/openvpn_deploy_cert_data.rb
@@ -0,0 +1,24 @@
+Facter.add("openvpn::deploy_cert_data") do
+  setcode do
+    clients = {}
+    path = '/etc/openvpn'
+    if File.directory?(path)
+      Dir.entries(path).each do |server|
+        if File.directory?("#{path}/#{server}/download-configs")
+          Dir.entries("#{path}/#{server}/download-configs").each do |client|
+            if File.directory?("#{path}/#{server}/download-configs/#{client}") and client !~ /^\.\.?$/ and client !~ /\.tblk$/
+              clients["#{server}-#{client}-conf"] = File.open("#{path}/#{server}/download-configs/#{client}/#{client}.conf", "r").read
+              clients["#{server}-#{client}-ca"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ca.crt", "r").read
+              clients["#{server}-#{client}-crt"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/#{client}.crt", "r").read
+              clients["#{server}-#{client}-key"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/#{client}.key", "r").read
+              if File.exists?("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ta.key")
+                clients["#{server}-#{client}-ta"] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ta.key", "r").read
+              end
+            end
+          end
+        end
+      end
+    end
+    clients
+  end
+end
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -205,14 +205,6 @@
     require  => Exec["generate server cert ${name}"],
   }
 
-  exec { "update crl.pem on ${name}":
-    command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${etc_directory}/openvpn/${name}/crl.pem -config ${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
-    cwd     => "${etc_directory}/openvpn/${name}/easy-rsa",
-    onlyif  => "openssl crl -in ${etc_directory}/openvpn/${name}/crl.pem -nextupdate -noout | awk -F= '{print \$2}' | [ `{ read crl ; date -d \"\$crl\" +%s; }` -lt `date -d '1 week' +%s` ]",
-    provider => 'shell',
-    require  => Exec["create crl.pem on ${name}"],
-  }
-
   file { "${etc_directory}/openvpn/${name}/crl.pem":
     mode    => '0640',
     group   => $group_to_set,

diff --git a/manifests/deploy/client.pp b/manifests/deploy/client.pp
@@ -0,0 +1,58 @@
+# == Define: openvpn::deploy::client
+#
+# Collect the exported configs for an Host and ensure a running Openvpn Service
+#
+# === Parameters
+#
+# $server   which Openvpn::Server[$server] does the config belong to?
+# String
+#
+# $manage_etc should the /etc/openvpn directory be managed? (warning, all unmanaged files will be purged!)
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  openvpn::deploy::client { 'test-client':
+#    server => 'test_server',
+#  }
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+define openvpn::deploy::client (
+  String $server,
+  Boolean $manage_etc = true,
+) {
+
+  include openvpn::deploy::prepare
+
+  Class['openvpn::deploy::install']
+  -> Openvpn::Deploy::Client[$name]
+  ~> Class['openvpn::deploy::service']
+
+
+  if ($manage_etc == true) {
+    file { [
+      "${::openvpn::params::etc_directory}/openvpn",
+      "${::openvpn::params::etc_directory}/openvpn/keys",
+      "${::openvpn::params::etc_directory}/openvpn/keys/${name}",
+    ]:
+      ensure  => directory,
+      require => Package['openvpn'];
+    }
+  } else {
+    file { "${::openvpn::params::etc_directory}/openvpn/keys/${name}":
+      ensure  => directory,
+      require => Package['openvpn'];
+    }
+  }
+
+  File <<| tag == "${server}-${name}" |>>
+  ~> Class['openvpn::deploy::service']
+
+}
diff --git a/manifests/deploy/export.pp b/manifests/deploy/export.pp
@@ -0,0 +1,93 @@
+# == Define: openvpn::deploy::export
+#
+# Prepare all Openvpn-Client-Configs to be exported
+#
+# === Parameters
+#
+# $server   which Openvpn::Server[$server] does the config belong to?
+# String
+#
+# $tls_auth should the ta* files be exported too?
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  openvpn::deploy::export { 'test-client':
+#    server => 'test_server',
+#  }
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+define openvpn::deploy::export (
+  String $server,
+  Boolean $tls_auth = false,
+) {
+
+  Openvpn::Server[$server]
+  -> Openvpn::Client[$name]
+  -> Openvpn::Deploy::Export[$name]
+
+  if $::openvpn::deploy_cert_data {
+    $data = $::openvpn::deploy_cert_data
+  } else {
+    fail('openvpn::deploy_cert_data not defined, is pluginsync enabled?')
+  }
+
+  @@file { "exported-${server}-${name}-config":
+    ensure  => file,
+    path    => "${::openvpn::params::etc_directory}/openvpn/${name}.conf",
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $data["${server}-${name}-conf"],
+    tag     => "${server}-${name}",
+  }
+
+  @@file { "exported-${server}-${name}-ca":
+    ensure  => file,
+    path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ca.crt",
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $data["${server}-${name}-ca"],
+    tag     => "${server}-${name}",
+  }
+
+  @@file { "exported-${server}-${name}-crt":
+    ensure  => file,
+    path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.crt",
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $data["${server}-${name}-crt"],
+    tag     => "${server}-${name}",
+  }
+
+  @@file { "exported-${server}-${name}-key":
+    ensure  => file,
+    path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.key",
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $data["${server}-${name}-key"],
+    tag     => "${server}-${name}",
+  }
+
+  if $tls_auth {
+    @@file { "exported-${server}-${name}-ta":
+      ensure  => file,
+      path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ta.key",
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0600',
+      content => $data["${server}-${name}-ta"],
+      tag     => "${server}-${name}",
+    }
+  }
+}
diff --git a/manifests/deploy/install.pp b/manifests/deploy/install.pp
@@ -0,0 +1,26 @@
+# == Class: openvpn::deploy::install
+#
+# Installs the Openvpn profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  include openvpn::deploy::install
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::install {
+
+  ensure_packages(['openvpn'])
+
+}
diff --git a/manifests/deploy/prepare.pp b/manifests/deploy/prepare.pp
@@ -0,0 +1,29 @@
+# == Class: openvpn::deploy::prepare
+#
+# Base profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  include openvpn::deploy::prepare
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::prepare {
+
+  class { 'openvpn::params': }
+
+  class { 'openvpn::deploy::install': }
+  ~> class { 'openvpn::deploy::service': }
+
+}
diff --git a/manifests/deploy/service.pp b/manifests/deploy/service.pp
@@ -0,0 +1,31 @@
+# == Class: openvpn::deploy::service
+#
+# Base profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  include openvpn::deploy::service
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::service {
+
+  service { 'openvpn':
+    ensure     => running,
+    enable     => true,
+    hasrestart => true,
+    hasstatus  => true;
+  }
+
+}
diff --git a/spec/classes/openvpn_install_spec.rb b/spec/classes/openvpn_install_spec.rb
@@ -46,13 +46,6 @@
         it { is_expected.to contain_package('openvpn-auth-ldap') }
         it { is_expected.to contain_package('easy-rsa') }
       end
-
-      context 'stretch' do
-        let(:operatingsystemrelease) { '9.0' }
-
-        it { is_expected.to contain_package('openvpn-auth-ldap') }
-        it { is_expected.to contain_package('easy-rsa') }
-      end
     end
 
     context 'redhat/centos' do

diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
@@ -118,7 +118,6 @@
     it { is_expected.not_to contain_schedule('renew crl.pem schedule on test_server') }
     it { is_expected.not_to contain_exec('renew crl.pem on test_server') }
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^secret}) }
-
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{verb}) }
     it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{cipher AES-256-CBC}) }
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{persist-key}) }