Mr

manifests/client.pp

@@ -59,6 +59,10 @@
 #   String,  Cipher to use for packet encryption
 #   Default: None
 #
+# [*tls_cipher*]
+#   String, TLS Ciphers to use
+#   Default: None
+#
 # [*resolv_retry*]
 #   Integer/String. How many seconds should the openvpn client try to resolve
 #     the server's hostname
@@ -127,6 +131,16 @@
 # [*custom_options*]
 #   Hash of additional options that you want to append to the configuration file.
 #
+# [*expire*]
+#   Integer. Set a custom expiry time to pass to script. Value is the number of
+#   days the certificate is valid for.
+#   Default: undef
+#
+# [*readme*]
+#   String. Text to place in a README file which is included in download-configs
+#   archive.
+#   Default: undef
+#
 # === Examples
 #
 #   openvpn::client {
@@ -178,6 +192,7 @@
   $verb                 = '3',
   $pam                  = false,
   $cipher               = undef,
+  $tls_cipher           = undef,
   $authuserpass         = false,
   $setenv               = {},
   $setenv_safe          = {},
@@ -189,6 +204,8 @@
   $rcvbuf               = undef,
   $shared_ca            = undef,
   $custom_options       = {},
+  $expire               = undef,
+  $readme               = undef,
 ) {
 
   if $pam {
@@ -202,8 +219,18 @@
   Openvpn::Ca[$ca_name] ->
   Openvpn::Client[$name]
 
+  if $expire {
+    if is_integer($expire){
+      $env_expire = "KEY_EXPIRE=${expire}"
+    } else {
+      warning("Custom expiry time ignored: only integer is accepted but ${expire} is given.")
+    }
+  } else {
+    $env_expire = ''
+  }
+
   exec { "generate certificate for ${name} in context of ${ca_name}":
-    command  => ". ./vars && ./pkitool ${name}",
+    command  => ". ./vars && ${env_expire} ./pkitool ${name}",
     cwd      => "/etc/openvpn/${ca_name}/easy-rsa",
     creates  => "/etc/openvpn/${ca_name}/easy-rsa/keys/${name}.crt",
     provider => 'shell';
@@ -243,6 +270,17 @@
     }
   }
 
+  if $readme {
+    file {"/etc/openvpn/${server}/download-configs/${name}/README":
+      ensure  => file,
+      owner   => root,
+      group   => root,
+      mode    => '0444',
+      content => $readme,
+      notify  => Exec["tar the thing ${server} with ${name}"];
+    }
+  }
+
   file { "/etc/openvpn/${server}/download-configs/${name}/${name}.conf":
     owner   => root,
     group   => root,
@@ -264,9 +302,10 @@
     notify      => Exec["generate ${name}.ovpn in ${server}"],
   }
 
+  $name_escaped = regsubst(regsubst($name, '\.', '\\.', 'G'), '@', '\\@', 'G')
   exec { "generate ${name}.ovpn in ${server}":
     cwd         => "/etc/openvpn/${server}/download-configs/",
-    command     => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name}/ca.crt|){ chomp(\$ca=`cat ${name}/keys/${name}/ca.crt`); print \"<ca>\n\$ca\n</ca>\"} elsif(m|^cert keys/${name}/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}/${name}.crt`); print \"<cert>\n\$crt\n</cert>\"} elsif(m|^key keys/${name}/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}/${name}.key`); print \"<key>\n\$key\n</key>\"} else { print} ' > ${name}.ovpn",
+    command     => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name_escaped}/ca.crt|){ chomp(\$ca=`cat ${name_escaped}/keys/${name_escaped}/ca.crt`); print \"<ca>\n\$ca\n</ca>\"} elsif(m|^cert keys/${name_escaped}/${name_escaped}.crt|) { chomp(\$crt=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.crt`); print \"<cert>\n\$crt\n</cert>\"} elsif(m|^key keys/${name_escaped}/${name_escaped}.key|){ chomp(\$key=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.key`); print \"<key>\n\$key\n</key>\"} elsif(m|^(tls-auth) (keys/${name_escaped}/ta.key)( .+)?|){ chomp(\$tlsauth=`cat ${name_escaped}/keys/${name_escaped}/ta.key`); print \"<tls-auth>\n\$tlsauth\n</tls-auth>\nkey-direction 1\"} else { print} ' > ${name}.ovpn",
     refreshonly => true,
     require     => [
       File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"],

manifests/revoke.pp

@@ -58,7 +58,7 @@
   Openvpn::Revoke[$name]
 
   exec { "revoke certificate for ${name} in context of ${server}":
-    command  => ". ./vars && ./revoke-full ${name} ; test $? -eq 2 && touch revoked/${name}",
+    command  => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
     cwd      => "/etc/openvpn/${server}/easy-rsa",
     creates  => "/etc/openvpn/${server}/easy-rsa/revoked/${name}",
     provider => 'shell',

manifests/server.pp

@@ -237,6 +237,10 @@
 #   String,  Cipher to use for packet encryption
 #   Default: None
 #
+# [*tls_cipher*]
+#   String, TLS Ciphers to use
+#   Default: None
+#
 # [*persist_key*]
 #   Boolean.  Try to retain access to resources that may be unavailable
 #     because of privilege downgrades
@@ -418,6 +422,7 @@
   $key_ou                    = '',
   $verb                      = '',
   $cipher                    = '',
+  $tls_cipher                = undef,
   $persist_key               = false,
   $persist_tun               = false,
   $tls_auth                  = false,

spec/defines/openvpn_client_spec.rb

@@ -75,6 +75,7 @@
       'persist_key'           => false,
       'persist_tun'           => false,
       'cipher'                => 'BF-CBC',
+      'tls_cipher'            => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA',
       'port'                  => '123',
       'proto'                 => 'udp',
       'remote_host'           => 'somewhere',
@@ -87,6 +88,7 @@
       'x509_name'             => 'test_server',
       'sndbuf'                => 393216,
       'rcvbuf'                => 393215,
+      'readme'                => 'readme text',
     } }
     let(:facts) { {
       :fqdn => 'somehost',
@@ -111,10 +113,12 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^setenv\s+CLIENT_CERT\s+0$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^setenv_safe\s+FORWARD_COMPATIBLE\s+1$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cipher\s+BF-CBC$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^tls-client$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verify-x509-name\s+"test_server"\s+name$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^sndbuf\s+393216$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^rcvbuf\s+393215$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/README').with_content(/^readme text$/)}
   end
 
   context "omitting the cipher key" do

spec/defines/openvpn_revoke_spec.rb

@@ -26,6 +26,6 @@
   end
 
   it { should contain_exec('revoke certificate for test_client in context of test_server').with(
-    'command' => '. ./vars && ./revoke-full test_client ; test $? -eq 2 && touch revoked/test_client'
+    'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
   )}
 end

spec/defines/openvpn_server_spec.rb

@@ -142,6 +142,7 @@
       'key_ou'          => 'NSA',
       'verb'            => 'mute',
       'cipher'          => 'DES-CBC',
+      'tls_cipher'      => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA',
       'persist_key'     => true,
       'persist_tun'     => true,
       'duplicate_cn'    => true,
@@ -190,6 +191,7 @@
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^management\s+1.3.3.7 1337$/) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^verb mute$/) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^cipher DES-CBC$/) }
+    it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$/)}
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^persist-key$/) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^persist-tun$/) }
 

templates/client.erb

@@ -22,6 +22,9 @@ persist-tun
 <% if @cipher -%>
 cipher <%= @cipher %>
 <% end -%>
+<% if @tls_cipher -%>
+tls-cipher <%= @tls_cipher %>
+<% end -%>
 <% if @mute_replay_warnings -%>
 mute-replay-warnings
 <% end -%>

templates/server.erb

@@ -93,6 +93,9 @@ verb <%= @verb %>
 <% if @cipher != '' -%>
 cipher <%= @cipher %>
 <% end -%>
+<% if @tls_cipher -%>
+tls-cipher <%= @tls_cipher %>
+<% end -%>
 <% if @c2c -%>
 client-to-client
 <% end -%>