From ed49b84720cd826054cbab61f78acf4f41bab33a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Sat, 20 Oct 2018 23:49:26 +0200 Subject: [PATCH] * Add defaults for unsupported OS * Add Data in modules * Remove root_group parameter * Removed top scope variables * Removed create_resources * Removed params.pp * Remove systemd option in favor of facts provided by stdlib --- Dockerfile | 17 ++++ data/defaults.yaml | 14 ++++ data/family/Archlinux.yaml | 9 ++ data/family/Debian.yaml | 9 ++ data/family/FreeBSD.yaml | 8 ++ data/family/RedHat.yaml | 7 ++ data/family/RedHat/6.yaml | 2 + data/family/RedHat/7.yaml | 2 + hiera.yaml | 16 ++++ manifests/ca.pp | 16 ++-- manifests/client.pp | 8 +- manifests/client_specific_config.pp | 2 +- manifests/config.pp | 7 +- manifests/deploy/client.pp | 8 +- manifests/deploy/export.pp | 10 +-- manifests/deploy/prepare.pp | 10 ++- manifests/init.pp | 110 ++++++++++++++++++++---- manifests/install.pp | 10 ++- manifests/params.pp | 121 --------------------------- manifests/revoke.pp | 2 +- manifests/server.pp | 37 ++++---- manifests/service.pp | 2 +- metadata.json | 3 +- spec/classes/openvpn_init_spec.rb | 17 ++-- spec/classes/openvpn_install_spec.rb | 2 +- spec/defines/openvpn_client_spec.rb | 8 -- templates/server.erb | 2 +- 27 files changed, 247 insertions(+), 212 deletions(-) create mode 100644 Dockerfile create mode 100644 data/defaults.yaml create mode 100644 data/family/Archlinux.yaml create mode 100644 data/family/Debian.yaml create mode 100644 data/family/FreeBSD.yaml create mode 100644 data/family/RedHat.yaml create mode 100644 data/family/RedHat/6.yaml create mode 100644 data/family/RedHat/7.yaml create mode 100644 hiera.yaml delete mode 100644 manifests/params.pp diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..5e26a23f --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,17 @@
+FROM ruby:2.4
+
+WORKDIR /opt/puppet
+
+ENV PUPPET_VERSION "~> 5"
+ENV PARALLEL_TEST_PROCESSORS=4
+
+# Cache gems
+COPY Gemfile .
+RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle}
+
+COPY . .
+
+RUN bundle install
+RUN bundle exec rake rubocop
+RUN bundle exec rake test
+RUN bundle exec rake test_with_coveralls
diff --git a/data/defaults.yaml b/data/defaults.yaml
new file mode 100644
index 00000000..d6c23bac
--- /dev/null
+++ b/data/defaults.yaml
@@ -0,0 +1,14 @@
+openvpn::autostart_all: true
+openvpn::manage_service: true
+openvpn::etc_directory: '/etc'
+openvpn::group: 'nobody'
+openvpn::link_openssl_cnf: true
+openvpn::pam_module_path: ~
+openvpn::namespecific_rclink: false
+openvpn::default_easyrsa_ver: '2.0'
+openvpn::easyrsa_source: '/usr/share/easy-rsa/'
+openvpn::additional_packages: ['easy-rsa']
+openvpn::ldap_auth_plugin_location: ~
+openvpn::systemd: false
+
+openvpn::deploy::prepare::etc_directory: "%{alias('openvpn::etc_directory')}"
diff --git a/data/family/Archlinux.yaml b/data/family/Archlinux.yaml
new file mode 100644
index 00000000..2735b275
--- /dev/null
+++ b/data/family/Archlinux.yaml
@@ -0,0 +1,9 @@
+openvpn::default_easyrsa_ver: '3.0'
+openvpn::etc_directory: '/etc'
+openvpn::additional_packages: ['easy-rsa']
+openvpn::easyrsa_source: '/usr/share/easy-rsa/'
+openvpn::group: 'nobody'
+openvpn::ldap_auth_plugin_location: ~
+openvpn::pam_module_path: ~
+openvpn::link_openssl_cnf: true
+openvpn::namespecific_rclink: false
diff --git a/data/family/Debian.yaml b/data/family/Debian.yaml
new file mode 100644
index 00000000..4bf7af38
--- /dev/null
+++ b/data/family/Debian.yaml
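Review bot: `openvpn::systemd: false` in data/defaults.yaml binds to a parameter that no longer exists: the new `class openvpn (` signature in manifests/init.pp has no `$systemd`, and the manifests now read `$facts['service_provider']` instead. Hiera will never look this key up, so it is dead data that invites an operator to set it and expect an effect; drop the line. The Dockerfile and Archlinux.yaml hunks on this line raise nothing.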
@@ -0,0 +1,9 @@
+openvpn::etc_directory: '/etc'
+openvpn::group: 'nogroup'
+openvpn::link_openssl_cnf: true
+openvpn::namespecific_rclink: false
+openvpn::default_easyrsa_ver: '2.0'
+openvpn::additional_packages: ['easy-rsa','openvpn-auth-ldap']
+openvpn::easyrsa_source: '/usr/share/easy-rsa/'
+openvpn::ldap_auth_plugin_location: '/usr/lib/openvpn/openvpn-auth-ldap.so'
+openvpn::pam_module_path: '/usr/lib/openvpn/openvpn-plugin-auth-pam.so'
diff --git a/data/family/FreeBSD.yaml b/data/family/FreeBSD.yaml
new file mode 100644
index 00000000..6a07ce4d
--- /dev/null
+++ b/data/family/FreeBSD.yaml
@@ -0,0 +1,8 @@
+openvpn::etc_directory: '/usr/local/etc'
+openvpn::group: 'nogroup'
+openvpn::link_openssl_cnf: true
+openvpn::pam_module_path: '/usr/local/lib/openvpn/openvpn-auth-pam.so'
+openvpn::additional_packages: ['easy-rsa2']
+openvpn::easyrsa_source: '/usr/local/share/easy-rsa'
+openvpn::default_easyrsa_ver: '2.0'
+openvpn::namespecific_rclink: true
diff --git a/data/family/RedHat.yaml b/data/family/RedHat.yaml
new file mode 100644
index 00000000..45325fe3
--- /dev/null
+++ b/data/family/RedHat.yaml
@@ -0,0 +1,7 @@
+openvpn::etc_directory: '/etc'
+openvpn::group: 'nobody'
+openvpn::link_openssl_cnf: true
+openvpn::pam_module_path: '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
+openvpn::namespecific_rclink: false
+openvpn::default_easyrsa_ver: '3.0'
+openvpn::easyrsa_source: '/usr/share/easy-rsa/3'
diff --git a/data/family/RedHat/6.yaml b/data/family/RedHat/6.yaml
new file mode 100644
index 00000000..85e9ab9c
--- /dev/null
+++ b/data/family/RedHat/6.yaml
@@ -0,0 +1,2 @@
+openvpn::additional_packages: ['easy-rsa','openvpn-auth-ldap']
+openvpn::ldap_auth_plugin_location: '/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so'
diff --git a/data/family/RedHat/7.yaml b/data/family/RedHat/7.yaml
new file mode 100644
index 00000000..293a1e56
--- /dev/null
+++ b/data/family/RedHat/7.yaml
@@ -0,0 +1,2 @@ +openvpn::additional_packages: ['easy-rsa'] +openvpn::ldap_auth_plugin_location: ~ diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 00000000..62db496b --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,16 @@ +--- +version: 5 + +defaults: + datadir: 'data' + data_hash: yaml_data + +hierarchy: + - name: 'OS Major Release Overrides' + path: "family/%{facts.os.family}/%{facts.os.release.major}.yaml" + - name: 'Operating System' + path: "os/%{facts.os.name}.yaml" + - name: 'Operating System Family' + path: "family/%{facts.os.family}.yaml" + - name: 'Defaults' + path: 'defaults.yaml' diff --git a/manifests/ca.pp b/manifests/ca.pp index 083e27cd..b05c7a85 100644 --- a/manifests/ca.pp +++ b/manifests/ca.pp @@ -25,7 +25,7 @@ # # [*group*] # String. User to drop privileges to after startup -# Default: depends on your $::osfamily +# Default: depends on your $facts['os']['family'] # # [*ssl_key_size*] # String. Length of SSL keys (in bits) generated by this module. @@ -109,7 +109,7 @@ include openvpn $group_to_set = $group ? { - undef => $openvpn::params::group, + undef => $openvpn::group, default => $group } @@ -117,7 +117,7 @@ group => $group_to_set, } - $etc_directory = $::openvpn::params::etc_directory + $etc_directory = $openvpn::etc_directory ensure_resource('file', "${etc_directory}/openvpn/${name}", { ensure => directory, @@ -130,7 +130,7 @@ links => 'follow', source_permissions => 'use', group => 0, - source => "file:${openvpn::params::easyrsa_source}", + source => "file:${openvpn::easyrsa_source}", require => File["${etc_directory}/openvpn/${name}"], } @@ -141,7 +141,7 @@ require => File["${etc_directory}/openvpn/${name}/easy-rsa"], } - case $openvpn::params::easyrsa_version { + case $openvpn::easyrsa_version { '2.0': { file { "${etc_directory}/openvpn/${name}/easy-rsa/vars": ensure => file, 
@@ -150,7 +150,7 @@ require => File["${etc_directory}/openvpn/${name}/easy-rsa"], } - if $openvpn::params::link_openssl_cnf == true { + if $openvpn::link_openssl_cnf == true { File["${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf"] { ensure => link, target => "${etc_directory}/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf", @@ -216,7 +216,7 @@ require => File["${etc_directory}/openvpn/${name}/easy-rsa"], } - if $openvpn::params::link_openssl_cnf == true { + if $openvpn::link_openssl_cnf == true { File["${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf"] { ensure => link, target => "${etc_directory}/openvpn/${name}/easy-rsa/openssl-1.0.cnf", @@ -264,7 +264,7 @@ } default: { - fail("unexepected value for EasyRSA version, got '${openvpn::params::easyrsa_version}', expect 2.0 or 3.0.") + fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.") } } diff --git a/manifests/client.pp b/manifests/client.pp index cfe76626..a0da5fe7 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -244,7 +244,7 @@ Openvpn::Ca[$ca_name] -> Openvpn::Client[$name] - $etc_directory = $::openvpn::params::etc_directory + $etc_directory = $openvpn::etc_directory if $expire { if is_integer($expire) { @@ -256,7 +256,7 @@ $env_expire = '' } - case $openvpn::params::easyrsa_version { + case $openvpn::easyrsa_version { '2.0': { exec { "generate certificate for ${name} in context of ${ca_name}": command => ". ./vars && ${env_expire} ./pkitool ${name}", @@ -298,7 +298,7 @@ } } default: { - fail("unexepected value for EasyRSA version, got '${openvpn::params::easyrsa_version}', expect 2.0 or 3.0.") + fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.") } } 
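Review bot: `if $openvpn::link_openssl_cnf == true {` compares a value that is now typed `Boolean` on the `openvpn` class against `true`, so the comparison is redundant in both ca.pp hunks on this line; `if $openvpn::link_openssl_cnf {` reads the same and the parameter type already rejects any non-boolean value. The enclosing `case $openvpn::easyrsa_version` branches start outside these hunks.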
@@ -354,7 +354,7 @@ file { "${etc_directory}/openvpn/${server}/download-configs/${name}/${name}.conf": owner => root, - group => $::openvpn::params::root_group, + group => 0, mode => '0444', content => template('openvpn/client.erb', 'openvpn/client_external_auth.erb'), } diff --git a/manifests/client_specific_config.pp b/manifests/client_specific_config.pp index e5772515..75ff94a5 100644 --- a/manifests/client_specific_config.pp +++ b/manifests/client_specific_config.pp @@ -91,7 +91,7 @@ -> Openvpn::Client[$name] -> Openvpn::Client_specific_config[$name] - file { "${::openvpn::params::etc_directory}/openvpn/${server}/client-configs/${name}": + file { "${openvpn::etc_directory}/openvpn/${server}/client-configs/${name}": ensure => $ensure, content => template('openvpn/client_specific_config.erb'), } diff --git a/manifests/config.pp b/manifests/config.pp index 720fef9b..af98a292 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -29,12 +29,11 @@ # See the License for the specific language governing permissions and # limitations under the License. # -class openvpn::config inherits openvpn::params { - - if $::osfamily == 'Debian' { +class openvpn::config { + if $facts['os']['family'] == 'Debian' { concat { '/etc/default/openvpn': owner => root, - group => $openvpn::params::root_group, + group => 0, mode => '0644', warn => true, } diff --git a/manifests/deploy/client.pp b/manifests/deploy/client.pp index 55802ac5..639c349d 100644 --- a/manifests/deploy/client.pp +++ b/manifests/deploy/client.pp 
@@ -38,15 +38,15 @@ if $manage_etc { file { [ - "${::openvpn::params::etc_directory}/openvpn", - "${::openvpn::params::etc_directory}/openvpn/keys", - "${::openvpn::params::etc_directory}/openvpn/keys/${name}", + "${openvpn::deploy::prepare::etc_directory}/openvpn", + "${openvpn::deploy::prepare::etc_directory}/openvpn/keys", + "${openvpn::deploy::prepare::etc_directory}/openvpn/keys/${name}", ]: ensure => directory, require => Package['openvpn']; } } else { - file { "${::openvpn::params::etc_directory}/openvpn/keys/${name}": + file { "${openvpn::deploy::prepare::etc_directory}/openvpn/keys/${name}": ensure => directory, require => Package['openvpn']; } diff --git a/manifests/deploy/export.pp b/manifests/deploy/export.pp index 40e71962..6a422c01 100644 --- a/manifests/deploy/export.pp +++ b/manifests/deploy/export.pp @@ -40,7 +40,7 @@ @@file { "exported-${server}-${name}-config": ensure => file, - path => "${::openvpn::params::etc_directory}/openvpn/${name}.conf", + path => "${openvpn::etc_directory}/openvpn/${name}.conf", owner => 'root', group => 'root', mode => '0600', @@ -50,7 +50,7 @@ @@file { "exported-${server}-${name}-ca": ensure => file, - path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ca.crt", + path => "${openvpn::etc_directory}/openvpn/keys/${name}/ca.crt", owner => 'root', group => 'root', mode => '0600', @@ -60,7 +60,7 @@ @@file { "exported-${server}-${name}-crt": ensure => file, - path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.crt", + path => "${openvpn::etc_directory}/openvpn/keys/${name}/${name}.crt", owner => 'root', group => 'root', mode => '0600', @@ -70,7 +70,7 @@ @@file { "exported-${server}-${name}-key": ensure => file, - path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.key", + path => "${openvpn::etc_directory}/openvpn/keys/${name}/${name}.key", owner => 'root', group => 'root', mode => '0600', 
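Review bot: `$openvpn::deploy::prepare::etc_directory` is read here without anything in the hunk guaranteeing that `openvpn::deploy::prepare` has been evaluated first; if a node declares `openvpn::deploy::client` before that class, the variable is unknown (an error under strict_variables, otherwise undef) and the interpolation would then manage `/openvpn/keys/<name>` at the filesystem root as a directory. Add `include openvpn::deploy::prepare` at the top of the define, whose head is outside the hunk, unless it is already there. manifests/deploy/export.pp on this same line keeps reading `$openvpn::etc_directory` instead, which is the exporting node's value; if that is deliberate a one-line comment saying so would help the next reader.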
@@ -81,7 +81,7 @@ if $tls_auth { @@file { "exported-${server}-${name}-ta": ensure => file, - path => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ta.key", + path => "${openvpn::etc_directory}/openvpn/keys/${name}/ta.key", owner => 'root', group => 'root', mode => '0600', diff --git a/manifests/deploy/prepare.pp b/manifests/deploy/prepare.pp index 089c4631..fa968565 100644 --- a/manifests/deploy/prepare.pp +++ b/manifests/deploy/prepare.pp @@ -4,7 +4,9 @@ # # === Parameters # -# None +# [*etc_directory*] +# String. Path of the configuration directory. +# Default: /etc # # === Variables # @@ -19,9 +21,9 @@ # Phil Bayfield https://bitbucket.org/Philio/ # -class openvpn::deploy::prepare { - - class { 'openvpn::params': } +class openvpn::deploy::prepare( + String $etc_directory, +) { class { 'openvpn::deploy::install': } ~> class { 'openvpn::deploy::service': } diff --git a/manifests/init.pp b/manifests/init.pp index ad89fe69..b3665460 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
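Review bot: `String $etc_directory,` in manifests/deploy/prepare.pp accepts any string while the sibling `Stdlib::Unixpath $easyrsa_source` on the `openvpn` class uses a path type; `Stdlib::Unixpath $etc_directory,` would reject a relative or empty value before it is interpolated into file paths. The header comment's `Default: /etc` only holds through `openvpn::deploy::prepare::etc_directory: "%{alias('openvpn::etc_directory')}"` in data/defaults.yaml, so the doc could say `Default: follows openvpn::etc_directory (/etc via module data)`.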
@@ -11,6 +11,33 @@ # [*manage_service*] # Boolean. Wether the openvpn service should be managed by puppet. # Default: true +# [*etc_directory*] +# String. Path of the configuration directory. +# Default: /etc +# [*group*] +# String. File group of the generated config files. +# Default: nobody +# [*link_openssl_cnf*] +# Boolean. Link easy-rsa/openssl.cnf to easy-rsa/openssl-1.0.0.cnf +# Default: true +# [*pam_module_path*] +# String. Path to openvpn-auth-pam.so +# Default: undef +# [*namespecific_rclink*] +# Boolean. Enable namespecific rclink's (BSD-style) +# Default: false +# [*default_easyrsa_ver*] +# String. Expected version of easyrsa. +# Default: 2.0 +# [*easyrsa_source*] +# String. Location of easyrsa. +# Default: /usr/share/easy-rsa/ +# [*additional_packages*] +# Array. Additional packages +# Default: ['easy-rsa'] +# [*ldap_auth_plugin_location*] +# String. Path to the ldap auth pam module +# Default: undef # [*client_defaults*] # Hash of defaults for clients passed to openvpn::client defined type. # Default: {} 
@@ -69,35 +96,82 @@ # limitations under the License. # class openvpn ( - Boolean $autostart_all = true, - Boolean $manage_service = true, - Hash $client_defaults = {}, - Hash $clients = {}, - Hash $client_specific_config_defaults = {}, - Hash $client_specific_configs = {}, - Hash $revoke_defaults = {}, - Hash $revokes = {}, - Hash $server_defaults = {}, - Hash $servers = {}, + Boolean $autostart_all, + Boolean $manage_service, + String $etc_directory, + String $group, + Boolean $link_openssl_cnf, + Optional[Stdlib::Unixpath] $pam_module_path, + Boolean $namespecific_rclink, + Pattern[/^[23]\.0$/] $default_easyrsa_ver, + Stdlib::Unixpath $easyrsa_source, + Variant[String, Array] $additional_packages, + Optional[Stdlib::Unixpath] $ldap_auth_plugin_location, + + Hash $client_defaults = {}, + Hash $clients = {}, + Hash $client_specific_config_defaults = {}, + Hash $client_specific_configs = {}, + Hash $revoke_defaults = {}, + Hash $revokes = {}, + Hash $server_defaults = {}, + Hash $servers = {}, ) { + $easyrsa_version = $facts['easyrsa'] ? 
{ + undef => $default_easyrsa_ver, + default => $facts['easyrsa'], + } + + include openvpn::install + include openvpn::config - class { 'openvpn::params': } - -> class { 'openvpn::install': } - -> class { 'openvpn::config': } + Class['openvpn::install'] + -> Class['openvpn::config'] -> Class['openvpn'] - if !$::openvpn::params::systemd { + if $facts['service_provider'] != 'systemd' { class { 'openvpn::service': subscribe => [Class['openvpn::config'], Class['openvpn::install'] ], } + if empty($servers) { Class['openvpn::service'] -> Class['openvpn'] } } - create_resources('openvpn::client', $clients, $client_defaults) - create_resources('openvpn::client_specific_config', $client_specific_configs, $client_specific_config_defaults) - create_resources('openvpn::revoke', $revokes, $revoke_defaults) - create_resources('openvpn::server', $servers, $server_defaults) + $clients.each |$name, $params| { + openvpn::client { + default: + * => $client_defaults; + $name: + * => $params; + } + } + $client_specific_configs.each |$name, $params| { + openvpn::client_specific_config { + default: + * => $client_specific_config_defaults; + $name: + * => $params; + } + } + + $revokes.each |$name, $params| { + openvpn::revoke { + default: + * => $revoke_defaults; + $name: + * => $params; + } + } + + $servers.each |$name, $params| { + openvpn::server { + default: + * => $server_defaults; + $name: + * => $params; + } + } } diff --git a/manifests/install.pp b/manifests/install.pp index 7e8386b3..d64e3384 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
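Review bot: `$easyrsa_version` takes `$facts['easyrsa']` verbatim whenever the fact is set, so the `Pattern[/^[23]\.0$/]` check on `$default_easyrsa_ver` is bypassed by node-supplied data and an unexpected value only surfaces later as the `fail(...)` in ca.pp's `default:` branch. Validate once here, e.g. `$easyrsa_version = assert_type(Pattern[/^[23]\.0$/], $facts['easyrsa'] ? { undef => $default_easyrsa_ver, default => $facts['easyrsa'] })`. Separately, `if $facts['service_provider'] != 'systemd'` treats a missing fact (an older stdlib, or a fact set that does not ship it) as a non-systemd host and silently manages the legacy `openvpn` service; a comment stating that the stdlib fact is required, or a `fail` when it is undef, would make that dependency visible.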
@@ -31,15 +31,17 @@ # See the License for the specific language governing permissions and # limitations under the License. # -class openvpn::install inherits openvpn::params { +class openvpn::install { + + include openvpn ensure_packages(['openvpn']) - if $::openvpn::params::additional_packages != undef { - ensure_packages( any2array($::openvpn::params::additional_packages) ) + if $openvpn::additional_packages != undef { + ensure_packages( any2array($openvpn::additional_packages) ) } file { - [ "${::openvpn::params::etc_directory}/openvpn", "${::openvpn::params::etc_directory}/openvpn/keys", '/var/log/openvpn', ]: + [ "${openvpn::etc_directory}/openvpn", "${openvpn::etc_directory}/openvpn/keys", '/var/log/openvpn', ]: ensure => directory, require => Package['openvpn']; } diff --git a/manifests/params.pp b/manifests/params.pp deleted file mode 100644 index 9c319670..00000000 --- a/manifests/params.pp +++ /dev/null 
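Review bot: `if $openvpn::additional_packages != undef {` can no longer be false: the parameter is typed `Variant[String, Array]` on the `openvpn` class, so undef is rejected at lookup time and the guard is dead. Either drop the condition and keep `ensure_packages( any2array($openvpn::additional_packages) )`, or, if "no extra packages" is meant to be expressible, type the parameter `Optional[Variant[String, Array[String]]]` in manifests/init.pp so the guard has a purpose.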
@@ -1,121 +0,0 @@ -# === License -# -# Copyright 2013 Raffael Schmid, -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -class openvpn::params { - - case $facts['os']['family'] { - 'RedHat': { # RedHat/CentOS - $etc_directory = '/etc' - $root_group = 'root' - $group = 'nobody' - $link_openssl_cnf = true - $pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so' - $namespecific_rclink = false - $default_easyrsa_ver = '3.0' - $easyrsa_source = '/usr/share/easy-rsa/3' - - case $facts['os']['release']['major'] { - '7': { - $additional_packages = ['easy-rsa'] - $ldap_auth_plugin_location = undef - $systemd = true - } - '6': { - $additional_packages = ['easy-rsa','openvpn-auth-ldap'] - $ldap_auth_plugin_location = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so' - $systemd = false - } - default: { - fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") - } - } - } - 'Debian': { # Debian/Ubuntu - $etc_directory = '/etc' - $root_group = 'root' - $group = 'nogroup' - $link_openssl_cnf = true - $namespecific_rclink = false - $default_easyrsa_ver = '2.0' - $additional_packages = ['easy-rsa','openvpn-auth-ldap'] - $easyrsa_source = '/usr/share/easy-rsa/' - $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' - $pam_module_path = '/usr/lib/openvpn/openvpn-plugin-auth-pam.so' - - case $facts['os']['name'] { - 'Debian': { - case $facts['os']['release']['major'] { - '8','9': { - $systemd = true - } - default: { - 
fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") - } - } - } - 'Ubuntu': { - case $facts['os']['release']['major'] { - '16.04': { - $systemd = true - } - '14.04': { - $systemd = false - } - default: { - fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") - } - } - } - default: { - fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") - } - } - } - 'Archlinux': { - $default_easyrsa_ver = '3.0' - $etc_directory = '/etc' - $root_group = 'root' - $additional_packages = ['easy-rsa'] - $easyrsa_source = '/usr/share/easy-rsa/' - $group = 'nobody' - $ldap_auth_plugin_location = undef # unsupported - $pam_module_path = undef - $link_openssl_cnf = true - $systemd = true - $namespecific_rclink = false - } - 'FreeBSD': { - $etc_directory = '/usr/local/etc' - $root_group = 'wheel' - $group = 'nogroup' - $link_openssl_cnf = true - $pam_module_path = '/usr/local/lib/openvpn/openvpn-auth-pam.so' - $additional_packages = ['easy-rsa2'] - $easyrsa_source = '/usr/local/share/easy-rsa' - $default_easyrsa_ver = '2.0' - $namespecific_rclink = true - $systemd = false - } - default: { - fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") - } - } - - $easyrsa_version = $facts['easyrsa'] ? { - undef => $default_easyrsa_ver, - default => $facts['easyrsa'], - } -} diff --git a/manifests/revoke.pp b/manifests/revoke.pp index c0a64def..bc7270c8 100644 --- a/manifests/revoke.pp +++ b/manifests/revoke.pp @@ -57,7 +57,7 @@ Openvpn::Client[$name] -> Openvpn::Revoke[$name] - $etc_directory = $::openvpn::params::etc_directory + $etc_directory = $openvpn::etc_directory exec { "revoke certificate for ${name} in context of ${server}": command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}", diff --git a/manifests/server.pp b/manifests/server.pp index e6ce7ac7..cc7993b2 100644 --- a/manifests/server.pp 
+++ b/manifests/server.pp @@ -54,7 +54,7 @@ # # [*group*] # String. User to drop privileges to after startup -# Default: depends on your $::osfamily +# Default: depends on your $facts['os']['family'] # # [*ipp*] # Boolean. Persist ifconfig information to a file to retain client IP @@ -539,14 +539,14 @@ Class['openvpn::install'] -> Openvpn::Server[$name] - if $::openvpn::params::systemd and $::openvpn::params::namespecific_rclink { + if $facts['service_provider'] == 'systemd' and $openvpn::namespecific_rclink { fail("Using systemd and namespecific rclink's (BSD-style) is not allowed") } - if $::openvpn::manage_service { - if $::openvpn::params::systemd { + if $openvpn::manage_service { + if $facts['service_provider'] == 'systemd' { $lnotify = Service["openvpn@${name}"] - } elsif $::openvpn::params::namespecific_rclink { + } elsif $openvpn::namespecific_rclink { $lnotify = Service["openvpn_${name}"] } else { $lnotify = Service['openvpn'] @@ -572,12 +572,11 @@ } } - $pam_module_path = $::openvpn::params::pam_module_path - $etc_directory = $::openvpn::params::etc_directory - $root_group = $::openvpn::params::root_group + $pam_module_path = $openvpn::pam_module_path + $etc_directory = $openvpn::etc_directory $group_to_set = $group ? { - undef => $openvpn::params::group, + undef => $openvpn::group, default => $group } 
@@ -654,8 +653,8 @@ repeat => $crl_renew_schedule_repeat, } exec { "renew crl.pem on ${name}": - command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${::openvpn::params::etc_directory}/openvpn/${name}/crl.pem -config ${::openvpn::params::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf", - cwd => "${::openvpn::params::etc_directory}/openvpn/${name}/easy-rsa", + command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${openvpn::etc_directory}/openvpn/${name}/crl.pem -config ${openvpn::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf", + cwd => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa", provider => 'shell', schedule => "renew crl.pem schedule on ${name}", } @@ -688,7 +687,7 @@ } } - if $::osfamily == 'Debian' and !$::openvpn::autostart_all and $autostart { + if $facts['os']['family'] == 'Debian' and !$openvpn::autostart_all and $autostart { concat::fragment { "openvpn.default.autostart.${name}": content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", target => '/etc/default/openvpn', @@ -697,10 +696,10 @@ } # template use $_easyrsa_version - $_easyrsa_version = $openvpn::params::easyrsa_version + $_easyrsa_version = $openvpn::easyrsa_version file { "${etc_directory}/openvpn/${name}.conf": owner => root, - group => $root_group, + group => 0, mode => '0440', content => template('openvpn/server.erb'), notify => $lnotify, @@ -730,8 +729,8 @@ } } - if $::openvpn::params::systemd { - if $::openvpn::manage_service { + if $facts['service_provider'] == 'systemd' { + if $openvpn::manage_service { service { "openvpn@${name}": ensure => running, enable => true, @@ -744,7 +743,7 @@ } } - if $::openvpn::params::namespecific_rclink { + if $openvpn::namespecific_rclink { file { "/usr/local/etc/rc.d/openvpn_${name}": ensure => link, target => "${etc_directory}/rc.d/openvpn", 
@@ -752,12 +751,12 @@ file { "/etc/rc.conf.d/openvpn_${name}": owner => root, - group => $root_group, + group => 0, mode => '0644', content => template('openvpn/etc-rc.d-openvpn.erb'), } - if $::openvpn::manage_service { + if $openvpn::manage_service { service { "openvpn_${name}": ensure => running, enable => true, diff --git a/manifests/service.pp b/manifests/service.pp index d873cb71..47aad110 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -30,7 +30,7 @@ # limitations under the License. # class openvpn::service { - if $::openvpn::manage_service and !$::openvpn::params::namespecific_rclink { + if $openvpn::manage_service and !$openvpn::namespecific_rclink { service { 'openvpn': ensure => running, enable => true, diff --git a/metadata.json b/metadata.json index 12bf1a07..c9436178 100644 --- a/metadata.json +++ b/metadata.json @@ -13,7 +13,8 @@ "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "14.04", - "16.04" + "16.04", + "18.04" ] }, { diff --git a/spec/classes/openvpn_init_spec.rb b/spec/classes/openvpn_init_spec.rb index e0d59e2a..e4bd828e 100644 --- a/spec/classes/openvpn_init_spec.rb +++ b/spec/classes/openvpn_init_spec.rb @@ -4,9 +4,6 @@ on_supported_os.each do |os, facts| context "on #{os}" do let(:pre_condition) { 'class { "openvpn" : manage_service => true }' } - let(:facts) do - facts - end it { is_expected.to compile.with_all_deps } 
@@ -14,19 +11,25 @@ os_release = facts[:os]['release']['major'] case "#{os_name}-#{os_release}" when 'Ubuntu-14.04', 'CentOS-6', 'RedHat-6', %r{FreeBSD} + let(:facts) do + facts + end + context 'system without systemd' do it { is_expected.to create_class('openvpn') } it { is_expected.to contain_class('openvpn::service') } end when 'Ubuntu-16.04', 'CentOS-7', 'RedHat-7', 'Debian-8', 'Debian-9', %r{Archlinux} + let(:facts) do + facts.merge( + service_provider: 'systemd' + ) + end + context 'system with systemd' do it { is_expected.to create_class('openvpn') } it { is_expected.not_to contain_class('openvpn::service') } end - else - context 'unsupported systems' do - it { is_expected.to raise_error(%r{unsupported OS}) } - end end end end diff --git a/spec/classes/openvpn_install_spec.rb b/spec/classes/openvpn_install_spec.rb index 95e8eaba..501eecde 100644 --- a/spec/classes/openvpn_install_spec.rb +++ b/spec/classes/openvpn_install_spec.rb @@ -4,7 +4,7 @@ on_supported_os.each do |os, facts| context "on #{os}" do let(:pre_condition) do - 'include openvpn::params' + 'include openvpn' end let(:facts) do facts diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index 3f42fb85..79c0d7ab 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb @@ -59,10 +59,6 @@ ) } end - else - context 'unsupported systems' do - it { is_expected.to raise_error(%r{unsupported OS}) } - end end it { @@ -250,10 +246,6 @@ ) } end - else - context 'unsupported systems' do - it { is_expected.to raise_error(%r{unsupported OS}) } - end end end diff --git a/templates/server.erb b/templates/server.erb index 881d0cca..4f11ea82 100644 --- a/templates/server.erb +++ b/templates/server.erb 
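Review bot: metadata.json now lists Ubuntu 18.04, but the `case "#{os_name}-#{os_release}"` here has no branch for `'Ubuntu-18.04'`, so for that OS only the `compile.with_all_deps` example runs and the systemd expectations are never exercised; add it to the `when 'Ubuntu-16.04', 'CentOS-7', ...` list. The non-systemd branch also relies on `service_provider` being absent from the facterdb facts while the systemd branch sets it explicitly; merging a non-systemd provider value into facts in the first branch as well would make the test independent of that absence.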
@@ -157,7 +157,7 @@ down "<%= @down %>" username-as-common-name <% end -%> <% if @ldap_enabled == true -%> -plugin <%= scope.lookupvar('::openvpn::params::ldap_auth_plugin_location') %> "<%= @etc_directory -%>/openvpn/<%= @name %>/auth/ldap.conf" +plugin <%= scope.lookupvar('::openvpn::ldap_auth_plugin_location') %> "<%= @etc_directory -%>/openvpn/<%= @name %>/auth/ldap.conf" <% end -%> <% if @client_cert_not_required -%> client-cert-not-required
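Review bot: `scope.lookupvar('::openvpn::ldap_auth_plugin_location')` is undef on every platform whose data sets `openvpn::ldap_auth_plugin_location: ~` (defaults.yaml, Archlinux, RedHat 7), so with `@ldap_enabled` the template renders `plugin  "/etc/openvpn/<name>/auth/ldap.conf"` with an empty plugin path and OpenVPN will fail to load that line at start. Nothing in the commit checks this; in manifests/server.pp (outside the hunk), before the `file { "${etc_directory}/openvpn/${name}.conf":` resource, add `if $ldap_enabled and !$openvpn::ldap_auth_plugin_location { fail("ldap_enabled requires openvpn::ldap_auth_plugin_location on ${facts['os']['family']}") }`. Reading the value with `scope['openvpn::ldap_auth_plugin_location']` instead of the older `lookupvar` form would also let Puppet warn when the variable is unknown.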