Puppet Class: strongswan

Defined in:
modules/strongswan/manifests/init.pp

Overview

Parameters:

  • puppet_certname (Any) (defaults to: '')
  • hosts (Any) (defaults to: [])
  • mtu_hosts (Any) (defaults to: undef)


# File 'modules/strongswan/manifests/init.pp', line 1

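# @summary Installs strongSwan and manages its configuration and credentials.
#
# The class reuses the Puppet agent's own CA certificate, host certificate
# and private key as the IPsec identity of the host, copying them out of
# /var/lib/puppet/ssl into /etc/ipsec.d (strongSwan does not follow symlinks,
# so plain copies are made). Configuration files are rendered from the
# module's templates; any change to them or to the credentials restarts the
# strongswan service.
#
# @param puppet_certname
#   The Puppet certname of this host. It selects which certificate and
#   private key are copied from /var/lib/puppet/ssl. It must not be empty:
#   an empty value would otherwise produce the nonsensical paths
#   /etc/ipsec.d/certs/.pem and /etc/ipsec.d/private/.pem.
# @param hosts
#   Peer hostnames. When $mtu_hosts is also set, each name is resolved to
#   its IPv4 and IPv6 address and a per-host route with that MTU is created.
# @param mtu_hosts
#   MTU to apply on the per-peer routes for $hosts. When undef, no routes
#   are managed.
class strongswan (
    $puppet_certname = '',
    $hosts           = [],
    $mtu_hosts       = undef,
)
{
    # Fail at catalog compile time rather than at apply time with a
    # confusing "source file .pem not found" error on the credential copies.
    if $puppet_certname == '' {
        fail('strongswan: puppet_certname must be set (it selects the cert and key copied from /var/lib/puppet/ssl)')
    }

    package { 'strongswan':
        ensure => present,
    }

    # Optional per-peer MTU routes. Only the address families that actually
    # resolve get a route; an unresolvable family is silently skipped.
    if $mtu_hosts and $hosts {
        $hosts.each | $dest_host | {
            $dest_ip4 = ipresolve($dest_host,4)
            $dest_ip6 = ipresolve($dest_host,6)
            if $dest_ip4 {
                interface::route { "${dest_ip4}_MTU_${mtu_hosts}":
                    mtu       => $mtu_hosts,
                    address   => $dest_ip4,
                    nexthop   => $facts['default_routes']['ipv4'],
                    ipversion => 4
                }
            }
            if $dest_ip6 {
                interface::route { "${dest_ip6}_MTU_${mtu_hosts}":
                    mtu       => $mtu_hosts,
                    address   => $dest_ip6,
                    interface => $facts['interface_primary'],
                    nexthop   => $facts['default_routes']['ipv6'],
                    ipversion => 6
                }
            }
        }
    }

    # On Debian we need an extra package which is only "recommended"
    # rather than being a strict dependency.
    # If you don't install this, on startup strongswan will say:
    #   loading certificate from 'i-00000894.eqiad.wmflabs.pem' failed
    # and 'pki --verify --in /etc/ipsec.d/certs/i-00000894.eqiad.wmflabs.pem \
    # --ca /etc/ipsec.d/cacerts/ca.pem' will say:
    #  building CRED_CERTIFICATE - X509 failed, tried 3 builders
    #  parsing certificate failed
    package { 'libstrongswan-standard-plugins':
        ensure  => present,
        before  => Service['strongswan'],
        require => Package['strongswan'],
    }

    file { '/etc/strongswan.d/wmf.conf':
        content => template('strongswan/wmf.conf.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Service['strongswan'],
        require => Package['strongswan'],
    }

    # ipsec.secrets references the private key and may carry other secrets;
    # root-only read.
    file { '/etc/ipsec.secrets':
        content => template('strongswan/ipsec.secrets.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0400',
        notify  => Service['strongswan'],
        require => Package['strongswan'],
    }

    file { '/etc/ipsec.conf':
        content => template('strongswan/ipsec.conf.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Service['strongswan'],
        require => Package['strongswan'],
    }

    # For SSL certs, reuse Puppet client's certs.
    # Strongswan won't accept symlinks, so make copies.
    # The CA and host certificates are public material and may stay
    # world-readable.
    file { '/etc/ipsec.d/cacerts/ca.pem':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        source  => '/var/lib/puppet/ssl/certs/ca.pem',
        notify  => Service['strongswan'],
        require => Package['strongswan'],
    }

    file { "/etc/ipsec.d/certs/${puppet_certname}.pem":
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        source  => "/var/lib/puppet/ssl/certs/${puppet_certname}.pem",
        notify  => Service['strongswan'],
        require => Package['strongswan'],
    }

    # This is the host's Puppet agent private key: it authenticates the host
    # both to the Puppet master and to IPsec peers. It was previously copied
    # with mode 0444, i.e. readable by every local user; keep it root-only,
    # matching /etc/ipsec.secrets. strongswan is started as a root service
    # below, so 0400 is sufficient for it.
    file { "/etc/ipsec.d/private/${puppet_certname}.pem":
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0400',
        source  => "/var/lib/puppet/ssl/private_keys/${puppet_certname}.pem",
        notify  => Service['strongswan'],
        require => Package['strongswan'],
    }

    file { '/usr/local/sbin/ipsec-global':
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/strongswan/ipsec-global',
    }

    systemd::service { 'strongswan':
        content => systemd_template('strongswan'),
        restart => true,
        require => Package['strongswan'],
    }
}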