diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..4333d23 --- /dev/null +++ b/Gemfile @@ -0,0 +1,18 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3'] +gem 'metadata-json-lint' +gem 'puppet', puppetversion +gem 'puppetlabs_spec_helper', '>= 1.2.0' +gem 'puppet-lint', '>= 1.0.0' +gem 'facter', '>= 1.7.0' +gem 'rspec-puppet' + +# rspec must be v2 for ruby 1.8.7 +if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9' + gem 'rspec', '~> 2.0' + gem 'rake', '~> 10.0' +else + # rubocop requires ruby >= 1.9 + gem 'rubocop' +end diff --git a/README.md b/README.md index 6005606..7c319ac 100644 --- a/README.md +++ b/README.md @@ -1 +1,89 @@ -# 7u83-ipsec +# ipsec + +#### Table of Contents + +1. [Description](#description) +1. [Setup - The basics of getting started with ipsec](#setup) + * [What ipsec affects](#what-ipsec-affects) + * [Setup requirements](#setup-requirements) + * [Beginning with ipsec](#beginning-with-ipsec) +1. [Usage - Configuration options and additional functionality](#usage) +1. [Reference - An under-the-hood peek at what the module is doing and how](#reference) +1. [Limitations - OS compatibility, etc.](#limitations) +1. [Development - Guide for contributing to the module](#development) + +## Description + +Start with a one- or two-sentence summary of what the module does and/or what +problem it solves. This is your 30-second elevator pitch for your module. +Consider including OS/Puppet version it works with. + +You can give more descriptive information in a second paragraph. This paragraph +should answer the questions: "What does this module *do*?" and "Why would I use +it?" If your module has a range of functionality (installation, configuration, +management, etc.), this is the time to mention it. + +## Setup + +### What ipsec affects **OPTIONAL** + +If it's obvious what your module touches, you can skip this section. For +example, folks can probably figure out that your mysql_instance module affects +their MySQL instances. + +If there's more that they should know about, though, this is the place to mention: + +* A list of files, packages, services, or operations that the module will alter, + impact, or execute. +* Dependencies that your module automatically installs. +* Warnings or other important notices. + +### Setup Requirements **OPTIONAL** + +If your module requires anything extra before setting up (pluginsync enabled, +etc.), mention it here. + +If your most recent release breaks compatibility or requires particular steps +for upgrading, you might want to include an additional "Upgrading" section +here. + +### Beginning with ipsec + +The very basic steps needed for a user to get the module up and running. This +can include setup steps, if necessary, or it can be an example of the most +basic use of the module. + +## Usage + +This section is where you describe how to customize, configure, and do the +fancy stuff with your module here. It's especially helpful if you include usage +examples and code samples for doing things with your module. + +## Reference + +Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section. + +* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation. + +* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include: + + * The data type, if applicable. + * A description of what the element does. + * Valid values, if the data type doesn't make it obvious. + * Default value, if any. + +## Limitations + +This is where you list OS compatibility, version compatibility, etc. If there +are Known Issues, you might want to include them under their own heading here. + +## Development + +Since your module is awesome, other users will want to play with it. Let them +know what the ground rules for contributing are. + +## Release Notes/Contributors/Etc. **Optional** + +If you aren't using changelog, put your release notes here (though you should +consider using changelog). You can also add any additional sections you feel +are necessary or important to include here. Please use the `## ` header. diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..df59df7 --- /dev/null +++ b/Rakefile @@ -0,0 +1,32 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' +require 'metadata-json-lint/rake_task' + +if RUBY_VERSION >= '1.9' + require 'rubocop/rake_task' + RuboCop::RakeTask.new +end + +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.relative = true +PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp'] + +desc 'Validate manifests, templates, and ruby files' +task :validate do + Dir['manifests/**/*.pp'].each do |manifest| + sh "puppet parser validate --noop #{manifest}" + end + Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file| + sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures} + end + Dir['templates/**/*.erb'].each do |template| + sh "erb -P -x -T '-' #{template} | ruby -c" + end +end + +desc 'Run lint, validate, and spec tests.' +task :test do + [:lint, :validate, :spec].each do |test| + Rake::Task[test].invoke + end +end diff --git a/examples/init.pp b/examples/init.pp new file mode 100644 index 0000000..c2a2360 --- /dev/null +++ b/examples/init.pp @@ -0,0 +1,12 @@ +# The baseline for module testing used by Puppet Inc. is that each manifest +# should have a corresponding test manifest that declares that class or defined +# type. +# +# Tests are then run by using puppet apply --noop (to check for compilation +# errors and view a log of events) or by fully applying the test in a virtual +# environment (to compare the resulting system state to the desired state). +# +# Learn more about module testing here: +# https://docs.puppet.com/guides/tests_smoke.html +# +include ::ipsec diff --git a/manifests/init.pp b/manifests/init.pp new file mode 100644 index 0000000..2376602 --- /dev/null +++ b/manifests/init.pp @@ -0,0 +1,126 @@ +# Class: ipsec +# =========================== +# +# Full description of class ipsec here. +# +# Parameters +# ---------- +# +# Document parameters here. +# +# * `sample parameter` +# Explanation of what this parameter affects and what it defaults to. +# e.g. "Specify one or more upstream ntp servers as an array." +# +# Variables +# ---------- +# +# Here you should define a list of variables that this module would require. +# +# * `sample variable` +# Explanation of how this variable affects the function of this class and if +# it has a default. e.g. "The parameter enc_ntp_servers must be set by the +# External Node Classifier as a comma separated list of hostnames." (Note, +# global variables should be avoided in favor of class parameters as +# of Puppet 2.6.) +# +# Examples +# -------- +# +# @example +# class { 'ipsec': +# } +# +# Authors +# ------- +# +# 7u83 <7u83@mail.ru> +# +# Copyright +# --------- +# +# Copyright 2018 7u83@mail.ru +# +class ipsec( + $version = 'latest', + $ikedaemon = undef +){ + + if $ikedaemon == undef { + case $::osfamily { + 'FreeBSD':{ + $ike_daemon = 'racoon' + } + 'OpenBSD':{ + $ike_daemon = 'isakmpd' + } + default: { + $ike_daemon = 'racoon' + } + } + } + else { + $ike_daemon = $ikedaemon + } + + $res = "ipsec::${ike_daemon}" + + class { "$res": + version => $version + } + +} + + +define ipsec::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk, + $hash = 'sha256', + $encryption = 'aes256', + $lifetime = '86400', + $dh_group = 14, + +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon + $res = "ipsec::${ikedaemon}::tunnel" + + Resource[$res] { "$title": + local_ip => $local_ip, + remote_ip => $remote_ip, + nets => $nets, + proto => $proto, + psk => $psk, + lifetime => $lifetime, + hash => $hash, + encryption => $encryption, + dh_group => 14, + } + +} + +define ipsec::transport ( + $local_ip, + $remote_ip, + $proto = "any", + $psk +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon + $res = "ipsec::${ikedaemon}::transport" + + Resource[$res] { "$title": + local_ip => $local_ip, + remote_ip => $remote_ip, + proto => $proto, + psk => $psk + } + +} + + diff --git a/manifests/isakmpd.pp b/manifests/isakmpd.pp new file mode 100644 index 0000000..dd88331 --- /dev/null +++ b/manifests/isakmpd.pp @@ -0,0 +1,61 @@ +## + +class ipsec::isakmpd ( + $version = 'latest' + +) inherits ipsec::isakmpd_params { + + if $pkg_name != false { +# if $pkg_provider_p != false { +# $provider = $pkg_provider_p +# } +# else { +# $provider = $pkg_provider +# } + + package { 'isakmpd': + name => $pkg_name, + provider => $pkg_provider + } + } + + + concat { "$ipsec_conf": + mode => '0600' + + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/isakmpd_ipsec_conf_header.erb'), + + } + + exec { "$setkey_cmd": + subscribe => Concat[ "$ipsec_conf" ], + refreshonly => true + } + + + +} + + +define ipsec::isakmpd::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk + +){ + notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": } + + concat::fragment { "$title": + target => "$::ipsec::isakmpd_params::ipsec_conf", + content => template('ipsec/isakmpd_tunnel.erb') + } + +} + diff --git a/manifests/isakmpd_params.pp b/manifests/isakmpd_params.pp new file mode 100644 index 0000000..5de299d --- /dev/null +++ b/manifests/isakmpd_params.pp @@ -0,0 +1,33 @@ +# + +class ipsec::isakmpd_params { + case $::osfamily { + 'FreeBSD':{ + $pkg_name = "security/isakmpd" + $pkg_provider = "portsng" + $ipsec_conf = '/etc/ipsec.conf' + + $isakmpd_service = 'isakmpd' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + 'OpenBSD':{ + $isakmpd_service = 'isakmpd' + $pkg_name = false + $pkg_provider = undef + $ipsec_conf = '/etc/ipsec.conf' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/racoon-tools.conf' + $racoon_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/manifests/params.pp b/manifests/params.pp new file mode 100644 index 0000000..8a3c100 --- /dev/null +++ b/manifests/params.pp @@ -0,0 +1,42 @@ + +#params + +class ipsec::params { + case $::osfamily { + 'FreeBSD':{ + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + 'OpenBSD':{ + $ikedaemon = 'isakmpd' + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec-tools.conf' + $ipsec_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/manifests/racoon.pp b/manifests/racoon.pp new file mode 100644 index 0000000..29fd4d7 --- /dev/null +++ b/manifests/racoon.pp @@ -0,0 +1,128 @@ +# Racoon IPSec + +class ipsec::racoon ( + $version = 'latest' + +)inherits ipsec::racoon_params{ + + + package {'racoon': + name => "$racoon_pkg", + ensure => "$version", + } + + service {'racoon': + name => "$racoon_service", + ensure => 'running', + require => Concat["$racoon_conf"], #File['racoon_conf'], + subscribe => Concat["$racoon_conf"], + enable => true, + } + + service {'ipsec': + name => "$ipsec_service", + enable => true, + } + + exec { "$setkey_cmd -f $ipsec_conf": + subscribe => Concat[ "$ipsec_conf" ], + refreshonly => true + } + + + concat { "$racoon_conf": + ensure => present + } + + concat::fragment { "$racoon_conf header": + target => "$racoon_conf", + order => '00', + content => template('ipsec/racoon/racoon.conf.header.erb'), + } + + + + concat { "$ipsec_conf": + ensure => present + + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/ipsec_top.erb'), + } + + concat { "$racoon_pskfile": + owner => "$racoon_usr", + group => "$racoon_grp", + mode => '0600', + ensure => present + + } + concat::fragment { "pskfile_header": + target => "$racoon_pskfile", + order => '00', + content => "#racoon psks\n", + } + +} + + + +define ipsec::racoon::tunnel ( + $local_ip, + $remote_ip, + $encryption = 'blowfish', + $hash = 'sha256', + $dh_group = 'modp3072', + $lifetime = '86400 sec', + + $nets, + $proto = "any", + + $psk + +) +{ + concat::fragment { "$title": + target => "$::ipsec::racoon_params::ipsec_conf", + content => template('ipsec/ipsec_tunnel.erb') + } + + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } + + concat::fragment { "racoon_conf_$title": + target => "$::ipsec::racoon_params::racoon_conf", + content => template('ipsec/racoon/racoon.conf.erb') + } + + +} + +define ipsec::racoon::transport ( + $local_ip, + $remote_ip, + $proto = "any", + $encryption = 'blowfish', + $hash = 'sha256', + $dh_group = 'mopd3072', + $psk + +) +{ + concat::fragment { "$title": + target => "$::ipsec::racoon_params::ipsec_conf", + content => template('ipsec/racoon/ipsec.conf.transport.erb') + } + + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } + +} + diff --git a/manifests/racoon_params.pp b/manifests/racoon_params.pp new file mode 100644 index 0000000..2ce6d1d --- /dev/null +++ b/manifests/racoon_params.pp @@ -0,0 +1,39 @@ +class ipsec::racoon_params { + case $::osfamily { + 'FreeBSD':{ + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + 'OpenBSD':{ + $ikedaemon = 'isakmpd' + $racoon_pkg = 'racoon-tools' +# $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' +# $racoon_conf = '/etc/racoon.conf' + $ipsec_service = 'racoon' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec-tools.conf' + $ipsec_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/manifests/strongswan.pp b/manifests/strongswan.pp new file mode 100644 index 0000000..ffa9813 --- /dev/null +++ b/manifests/strongswan.pp @@ -0,0 +1,63 @@ +## + +class ipsec::strongswan ( + $version = 'latest', + $enable = $::ipsec::strongswan_params::service_enable +) inherits ipsec::strongswan_params { + + package { 'strongswan': + name => $pkg_name, + provider => $pkg_provider, + ensure => $version + } + + service { 'strongswan': + ensure => running, + require => Package['strongswan'], + subscribe => Concat[ "$ipsec_conf" ], + enable => $enable + } + + concat { "$secrets_file": + owner => "$secrets_usr", + group => "$secrets_grp", + mode => '0600' + } + concat::fragment { "pskfile_header": + target => "$secrets_file", + order => '00', + content => "#strongswan psks\n", + } + + concat { "$ipsec_conf": + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/strongswan/ipsec.conf.header.erb'), + } +} + + +define ipsec::strongswan::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk + +){ + + concat::fragment { "$title": + target => "$::ipsec::strongswan_params::ipsec_conf", + content => template('ipsec/strongswan/ipsec.conf.tunnel.erb') + } + + concat::fragment { "$title psk": + target => "$::ipsec::strongswan_params::secrets_file", + content => template('ipsec/strongswan/ipsec.secrets.erb') + } + +} + diff --git a/manifests/strongswan_params.pp b/manifests/strongswan_params.pp new file mode 100644 index 0000000..d16eeb1 --- /dev/null +++ b/manifests/strongswan_params.pp @@ -0,0 +1,35 @@ +# + +class ipsec::strongswan_params { + case $::osfamily { + 'FreeBSD':{ + $pkg_name = "strongswan" + $ipsec_conf = '/usr/local/etc/ipsec.conf' + $service_name = 'strongswan' + # strongswan's startup script confuses pupets + # service enable, so we cannot enable the service + $service_enable = undef + $secrets_usr = 'root' + $secrets_grp = 'wheel' + $secrets_file = '/usr/local/etc/ipsec.secrets' + + } + 'OpenBSD':{ + $isakmpd_service = 'isakmpd' + $pkg_name = false + $pkg_provider = undef + $ipsec_conf = '/etc/ipsec.conf' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + default: { + $pkg_name = "strongswan" + $ipsec_conf = '/etc/ipsec.conf' + $service_name = 'strongswan' + $service_enable = true + $secrets_usr = 'root' + $secrets_grp = 'root' + $secrets_file = '/etc/ipsec.secrets' + } + } +} + diff --git a/metadata.json b/metadata.json new file mode 100644 index 0000000..d20788b --- /dev/null +++ b/metadata.json @@ -0,0 +1,23 @@ +{ + "name": "7u83-ipsec", + "version": "0.1.0", + "author": "7u83", + "summary": "IPSec with racoon", + "license": "Apache-2.0", + "source": "", + "project_page": null, + "issues_url": null, + "dependencies": [ + { + "name": "puppetlabs-stdlib", + "version_requirement": ">= 1.0.0" + }, + { + "name": "puppetlabs-concat", + "version_requirement": ">= 1.0.0" + } + + ], + "data_provider": null +} + diff --git a/pkg/7u83-ipsec-0.1.0.tar.gz b/pkg/7u83-ipsec-0.1.0.tar.gz new file mode 100644 index 0000000..e8bf6ba Binary files /dev/null and b/pkg/7u83-ipsec-0.1.0.tar.gz differ diff --git a/pkg/7u83-ipsec-0.1.0/Gemfile b/pkg/7u83-ipsec-0.1.0/Gemfile new file mode 100644 index 0000000..4333d23 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/Gemfile @@ -0,0 +1,18 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3'] +gem 'metadata-json-lint' +gem 'puppet', puppetversion +gem 'puppetlabs_spec_helper', '>= 1.2.0' +gem 'puppet-lint', '>= 1.0.0' +gem 'facter', '>= 1.7.0' +gem 'rspec-puppet' + +# rspec must be v2 for ruby 1.8.7 +if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9' + gem 'rspec', '~> 2.0' + gem 'rake', '~> 10.0' +else + # rubocop requires ruby >= 1.9 + gem 'rubocop' +end diff --git a/pkg/7u83-ipsec-0.1.0/README.md b/pkg/7u83-ipsec-0.1.0/README.md new file mode 100644 index 0000000..7c319ac --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/README.md @@ -0,0 +1,89 @@ +# ipsec + +#### Table of Contents + +1. [Description](#description) +1. [Setup - The basics of getting started with ipsec](#setup) + * [What ipsec affects](#what-ipsec-affects) + * [Setup requirements](#setup-requirements) + * [Beginning with ipsec](#beginning-with-ipsec) +1. [Usage - Configuration options and additional functionality](#usage) +1. [Reference - An under-the-hood peek at what the module is doing and how](#reference) +1. [Limitations - OS compatibility, etc.](#limitations) +1. [Development - Guide for contributing to the module](#development) + +## Description + +Start with a one- or two-sentence summary of what the module does and/or what +problem it solves. This is your 30-second elevator pitch for your module. +Consider including OS/Puppet version it works with. + +You can give more descriptive information in a second paragraph. This paragraph +should answer the questions: "What does this module *do*?" and "Why would I use +it?" If your module has a range of functionality (installation, configuration, +management, etc.), this is the time to mention it. + +## Setup + +### What ipsec affects **OPTIONAL** + +If it's obvious what your module touches, you can skip this section. For +example, folks can probably figure out that your mysql_instance module affects +their MySQL instances. + +If there's more that they should know about, though, this is the place to mention: + +* A list of files, packages, services, or operations that the module will alter, + impact, or execute. +* Dependencies that your module automatically installs. +* Warnings or other important notices. + +### Setup Requirements **OPTIONAL** + +If your module requires anything extra before setting up (pluginsync enabled, +etc.), mention it here. + +If your most recent release breaks compatibility or requires particular steps +for upgrading, you might want to include an additional "Upgrading" section +here. + +### Beginning with ipsec + +The very basic steps needed for a user to get the module up and running. This +can include setup steps, if necessary, or it can be an example of the most +basic use of the module. + +## Usage + +This section is where you describe how to customize, configure, and do the +fancy stuff with your module here. It's especially helpful if you include usage +examples and code samples for doing things with your module. + +## Reference + +Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section. + +* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation. + +* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include: + + * The data type, if applicable. + * A description of what the element does. + * Valid values, if the data type doesn't make it obvious. + * Default value, if any. + +## Limitations + +This is where you list OS compatibility, version compatibility, etc. If there +are Known Issues, you might want to include them under their own heading here. + +## Development + +Since your module is awesome, other users will want to play with it. Let them +know what the ground rules for contributing are. + +## Release Notes/Contributors/Etc. **Optional** + +If you aren't using changelog, put your release notes here (though you should +consider using changelog). You can also add any additional sections you feel +are necessary or important to include here. Please use the `## ` header. diff --git a/pkg/7u83-ipsec-0.1.0/Rakefile b/pkg/7u83-ipsec-0.1.0/Rakefile new file mode 100644 index 0000000..df59df7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/Rakefile @@ -0,0 +1,32 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' +require 'metadata-json-lint/rake_task' + +if RUBY_VERSION >= '1.9' + require 'rubocop/rake_task' + RuboCop::RakeTask.new +end + +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.relative = true +PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp'] + +desc 'Validate manifests, templates, and ruby files' +task :validate do + Dir['manifests/**/*.pp'].each do |manifest| + sh "puppet parser validate --noop #{manifest}" + end + Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file| + sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures} + end + Dir['templates/**/*.erb'].each do |template| + sh "erb -P -x -T '-' #{template} | ruby -c" + end +end + +desc 'Run lint, validate, and spec tests.' +task :test do + [:lint, :validate, :spec].each do |test| + Rake::Task[test].invoke + end +end diff --git a/pkg/7u83-ipsec-0.1.0/checksums.json b/pkg/7u83-ipsec-0.1.0/checksums.json new file mode 100644 index 0000000..0b66030 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/checksums.json @@ -0,0 +1,29 @@ +{ + "Gemfile": "0b0ef34a57239868636b26141342423f", + "README.md": "a5b4536f36ecfaf9b006108e3eef7c19", + "Rakefile": "158b889261acd98356f6e0f2a031b6b9", + "examples/init.pp": "43f2a9901e66401685dfe3d4db835c34", + "manifests/init.pp": "93c3f7d6596d15b3fdfa1c49e4863437", + "manifests/isakmpd.pp": "424a6dae7d294cdb79c71f3f1fe8660d", + "manifests/isakmpd_params.pp": "a75273d0f3577c540a48dc71be0423d9", + "manifests/params.pp": "c4981d62b9ea633cd59a034eb9c846d0", + "manifests/racoon.pp": "0b40af7e75e6481324193c9d86fcd6e7", + "manifests/racoon_params.pp": "5582629736d3cd7d8f4c55a24603f665", + "manifests/strongswan.pp": "9652c2c317e5f910f71559744216daf4", + "manifests/strongswan_params.pp": "39fa38f2249f9f0e26620f5ece60f4df", + "metadata.json": "65900ebf8697e32ecc5c5c8232efab54", + "spec/classes/init_spec.rb": "4bf5fa4da7c89cacc52ee8de94848bc5", + "spec/spec_helper.rb": "0db89c9a486df193c0e40095422e19dc", + "templates/ipsec_top.erb": "e84bf026bd13924bba8606192219162e", + "templates/ipsec_tunnel.erb": "6419c0f349a26aa7d2623b99cd724012", + "templates/isakmpd_ipsec_conf_header.erb": "e13d611da756f7dced378eb6afb12b7f", + "templates/isakmpd_tunnel.erb": "d7155f03563e5d9ff437846d8373cc1f", + "templates/racoon/ipsec.conf.transport.erb": "b65510f46b902b6806b26055bcb474c2", + "templates/racoon/ipsec.conf.tunnel.erb": "6419c0f349a26aa7d2623b99cd724012", + "templates/racoon/racoon.conf.erb": "9f5be0e2ad7abe40c55d9ffb606931a7", + "templates/racoon/racoon.conf.header.erb": "aa534ff37ee53159ade7e952bbb8a155", + "templates/racoon.conf.erb": "2a719ba6af007ca9df04fd86a06381c0", + "templates/strongswan/ipsec.conf.header.erb": "07a651b7d80189be95a8aa81ea4e1cd7", + "templates/strongswan/ipsec.conf.tunnel.erb": "169545c847f3a04711e63b27ef63e849", + "templates/strongswan/ipsec.secrets.erb": "0b76db8372d2083ac0a1abb89aad6ab2" +} \ No newline at end of file diff --git a/pkg/7u83-ipsec-0.1.0/examples/init.pp b/pkg/7u83-ipsec-0.1.0/examples/init.pp new file mode 100644 index 0000000..c2a2360 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/examples/init.pp @@ -0,0 +1,12 @@ +# The baseline for module testing used by Puppet Inc. is that each manifest +# should have a corresponding test manifest that declares that class or defined +# type. +# +# Tests are then run by using puppet apply --noop (to check for compilation +# errors and view a log of events) or by fully applying the test in a virtual +# environment (to compare the resulting system state to the desired state). +# +# Learn more about module testing here: +# https://docs.puppet.com/guides/tests_smoke.html +# +include ::ipsec diff --git a/pkg/7u83-ipsec-0.1.0/manifests/init.pp b/pkg/7u83-ipsec-0.1.0/manifests/init.pp new file mode 100644 index 0000000..2376602 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/init.pp @@ -0,0 +1,126 @@ +# Class: ipsec +# =========================== +# +# Full description of class ipsec here. +# +# Parameters +# ---------- +# +# Document parameters here. +# +# * `sample parameter` +# Explanation of what this parameter affects and what it defaults to. +# e.g. "Specify one or more upstream ntp servers as an array." +# +# Variables +# ---------- +# +# Here you should define a list of variables that this module would require. +# +# * `sample variable` +# Explanation of how this variable affects the function of this class and if +# it has a default. e.g. "The parameter enc_ntp_servers must be set by the +# External Node Classifier as a comma separated list of hostnames." (Note, +# global variables should be avoided in favor of class parameters as +# of Puppet 2.6.) +# +# Examples +# -------- +# +# @example +# class { 'ipsec': +# } +# +# Authors +# ------- +# +# 7u83 <7u83@mail.ru> +# +# Copyright +# --------- +# +# Copyright 2018 7u83@mail.ru +# +class ipsec( + $version = 'latest', + $ikedaemon = undef +){ + + if $ikedaemon == undef { + case $::osfamily { + 'FreeBSD':{ + $ike_daemon = 'racoon' + } + 'OpenBSD':{ + $ike_daemon = 'isakmpd' + } + default: { + $ike_daemon = 'racoon' + } + } + } + else { + $ike_daemon = $ikedaemon + } + + $res = "ipsec::${ike_daemon}" + + class { "$res": + version => $version + } + +} + + +define ipsec::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk, + $hash = 'sha256', + $encryption = 'aes256', + $lifetime = '86400', + $dh_group = 14, + +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon + $res = "ipsec::${ikedaemon}::tunnel" + + Resource[$res] { "$title": + local_ip => $local_ip, + remote_ip => $remote_ip, + nets => $nets, + proto => $proto, + psk => $psk, + lifetime => $lifetime, + hash => $hash, + encryption => $encryption, + dh_group => 14, + } + +} + +define ipsec::transport ( + $local_ip, + $remote_ip, + $proto = "any", + $psk +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon + $res = "ipsec::${ikedaemon}::transport" + + Resource[$res] { "$title": + local_ip => $local_ip, + remote_ip => $remote_ip, + proto => $proto, + psk => $psk + } + +} + + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp new file mode 100644 index 0000000..dd88331 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp @@ -0,0 +1,61 @@ +## + +class ipsec::isakmpd ( + $version = 'latest' + +) inherits ipsec::isakmpd_params { + + if $pkg_name != false { +# if $pkg_provider_p != false { +# $provider = $pkg_provider_p +# } +# else { +# $provider = $pkg_provider +# } + + package { 'isakmpd': + name => $pkg_name, + provider => $pkg_provider + } + } + + + concat { "$ipsec_conf": + mode => '0600' + + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/isakmpd_ipsec_conf_header.erb'), + + } + + exec { "$setkey_cmd": + subscribe => Concat[ "$ipsec_conf" ], + refreshonly => true + } + + + +} + + +define ipsec::isakmpd::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk + +){ + notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": } + + concat::fragment { "$title": + target => "$::ipsec::isakmpd_params::ipsec_conf", + content => template('ipsec/isakmpd_tunnel.erb') + } + +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp new file mode 100644 index 0000000..5de299d --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp @@ -0,0 +1,33 @@ +# + +class ipsec::isakmpd_params { + case $::osfamily { + 'FreeBSD':{ + $pkg_name = "security/isakmpd" + $pkg_provider = "portsng" + $ipsec_conf = '/etc/ipsec.conf' + + $isakmpd_service = 'isakmpd' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + 'OpenBSD':{ + $isakmpd_service = 'isakmpd' + $pkg_name = false + $pkg_provider = undef + $ipsec_conf = '/etc/ipsec.conf' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/racoon-tools.conf' + $racoon_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/params.pp b/pkg/7u83-ipsec-0.1.0/manifests/params.pp new file mode 100644 index 0000000..8a3c100 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/params.pp @@ -0,0 +1,42 @@ + +#params + +class ipsec::params { + case $::osfamily { + 'FreeBSD':{ + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + 'OpenBSD':{ + $ikedaemon = 'isakmpd' + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec-tools.conf' + $ipsec_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp b/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp new file mode 100644 index 0000000..29fd4d7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp @@ -0,0 +1,128 @@ +# Racoon IPSec + +class ipsec::racoon ( + $version = 'latest' + +)inherits ipsec::racoon_params{ + + + package {'racoon': + name => "$racoon_pkg", + ensure => "$version", + } + + service {'racoon': + name => "$racoon_service", + ensure => 'running', + require => Concat["$racoon_conf"], #File['racoon_conf'], + subscribe => Concat["$racoon_conf"], + enable => true, + } + + service {'ipsec': + name => "$ipsec_service", + enable => true, + } + + exec { "$setkey_cmd -f $ipsec_conf": + subscribe => Concat[ "$ipsec_conf" ], + refreshonly => true + } + + + concat { "$racoon_conf": + ensure => present + } + + concat::fragment { "$racoon_conf header": + target => "$racoon_conf", + order => '00', + content => template('ipsec/racoon/racoon.conf.header.erb'), + } + + + + concat { "$ipsec_conf": + ensure => present + + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/ipsec_top.erb'), + } + + concat { "$racoon_pskfile": + owner => "$racoon_usr", + group => "$racoon_grp", + mode => '0600', + ensure => present + + } + concat::fragment { "pskfile_header": + target => "$racoon_pskfile", + order => '00', + content => "#racoon psks\n", + } + +} + + + +define ipsec::racoon::tunnel ( + $local_ip, + $remote_ip, + $encryption = 'blowfish', + $hash = 'sha256', + $dh_group = 'modp3072', + $lifetime = '86400 sec', + + $nets, + $proto = "any", + + $psk + +) +{ + concat::fragment { "$title": + target => "$::ipsec::racoon_params::ipsec_conf", + content => template('ipsec/ipsec_tunnel.erb') + } + + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } + + concat::fragment { "racoon_conf_$title": + target => "$::ipsec::racoon_params::racoon_conf", + content => template('ipsec/racoon/racoon.conf.erb') + } + + +} + +define ipsec::racoon::transport ( + $local_ip, + $remote_ip, + $proto = "any", + $encryption = 'blowfish', + $hash = 'sha256', + $dh_group = 'mopd3072', + $psk + +) +{ + concat::fragment { "$title": + target => "$::ipsec::racoon_params::ipsec_conf", + content => template('ipsec/racoon/ipsec.conf.transport.erb') + } + + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } + +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp b/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp new file mode 100644 index 0000000..2ce6d1d --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp @@ -0,0 +1,39 @@ +class ipsec::racoon_params { + case $::osfamily { + 'FreeBSD':{ + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + 'OpenBSD':{ + $ikedaemon = 'isakmpd' + $racoon_pkg = 'racoon-tools' +# $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' +# $racoon_conf = '/etc/racoon.conf' + $ipsec_service = 'racoon' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec-tools.conf' + $ipsec_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp b/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp new file mode 100644 index 0000000..ffa9813 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp @@ -0,0 +1,63 @@ +## + +class ipsec::strongswan ( + $version = 'latest', + $enable = $::ipsec::strongswan_params::service_enable +) inherits ipsec::strongswan_params { + + package { 'strongswan': + name => $pkg_name, + provider => $pkg_provider, + ensure => $version + } + + service { 'strongswan': + ensure => running, + require => Package['strongswan'], + subscribe => Concat[ "$ipsec_conf" ], + enable => $enable + } + + concat { "$secrets_file": + owner => "$secrets_usr", + group => "$secrets_grp", + mode => '0600' + } + concat::fragment { "pskfile_header": + target => "$secrets_file", + order => '00', + content => "#strongswan psks\n", + } + + concat { "$ipsec_conf": + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/strongswan/ipsec.conf.header.erb'), + } +} + + +define ipsec::strongswan::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk + +){ + + concat::fragment { "$title": + target => "$::ipsec::strongswan_params::ipsec_conf", + content => template('ipsec/strongswan/ipsec.conf.tunnel.erb') + } + + concat::fragment { "$title psk": + target => "$::ipsec::strongswan_params::secrets_file", + content => template('ipsec/strongswan/ipsec.secrets.erb') + } + +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp b/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp new file mode 100644 index 0000000..d16eeb1 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp @@ -0,0 +1,35 @@ +# + +class ipsec::strongswan_params { + case $::osfamily { + 'FreeBSD':{ + $pkg_name = "strongswan" + $ipsec_conf = '/usr/local/etc/ipsec.conf' + $service_name = 'strongswan' + # strongswan's startup script confuses pupets + # service enable, so we cannot enable the service + $service_enable = undef + $secrets_usr = 'root' + $secrets_grp = 'wheel' + $secrets_file = '/usr/local/etc/ipsec.secrets' + + } + 'OpenBSD':{ + $isakmpd_service = 'isakmpd' + $pkg_name = false + $pkg_provider = undef + $ipsec_conf = '/etc/ipsec.conf' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + default: { + $pkg_name = "strongswan" + $ipsec_conf = '/etc/ipsec.conf' + $service_name = 'strongswan' + $service_enable = true + $secrets_usr = 'root' + $secrets_grp = 'root' + $secrets_file = '/etc/ipsec.secrets' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/metadata.json b/pkg/7u83-ipsec-0.1.0/metadata.json new file mode 100644 index 0000000..fdcca38 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/metadata.json @@ -0,0 +1,21 @@ +{ + "name": "7u83-ipsec", + "version": "0.1.0", + "author": "7u83", + "summary": "IPSec with racoon", + "license": "Apache-2.0", + "source": "", + "project_page": null, + "issues_url": null, + "dependencies": [ + { + "name": "puppetlabs-stdlib", + "version_requirement": ">= 1.0.0" + }, + { + "name": "puppetlabs-concat", + "version_requirement": ">= 1.0.0" + } + ], + "data_provider": null +} diff --git a/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb b/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb new file mode 100644 index 0000000..ea5195c --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb @@ -0,0 +1,6 @@ +require 'spec_helper' +describe 'ipsec' do + context 'with default values for all parameters' do + it { should contain_class('ipsec') } + end +end diff --git a/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb b/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb new file mode 100644 index 0000000..2c6f566 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb @@ -0,0 +1 @@ +require 'puppetlabs_spec_helper/module_spec_helper' diff --git a/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb b/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb new file mode 100644 index 0000000..eeb2dd9 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb @@ -0,0 +1,5 @@ +# Managed by puppet +# +flush; +spdflush; + diff --git a/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb new file mode 100644 index 0000000..5176fb7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb @@ -0,0 +1,3 @@ +# +# Managed by Puppet +# diff --git a/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb new file mode 100644 index 0000000..06d42c7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb @@ -0,0 +1,16 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +ike esp from <%= net['local'] %> to <%= net['remote'] %> \ +local <%= @local_ip %> peer <%= @remote_ip %> \ + main auth hmac-md5 enc aes-256 group modp1024 \ + quick auth hmac-md5 enc aes-256 group modp1024 \ + psk "<%= @psk %>" +<% end %> + + + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb new file mode 100644 index 0000000..2897df0 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb @@ -0,0 +1,28 @@ +# +# racoon.conf Managed by Puppet +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +remote anonymous { + exchange_mode main; + proposal { + encryption_algorithm aes_256; + hash_algorithm md5; + authentication_method pre_shared_key; + dh_group modp1024; + } + generate_policy on; +} + +sainfo anonymous{ + pfs_group 2; + encryption_algorithm aes_256; + authentication_algorithm hmac_md5; + compression_algorithm deflate; +} + + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb new file mode 100644 index 0000000..50c0970 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb @@ -0,0 +1,10 @@ +# +# Transport +# Name: <%= @title %> +# + +spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec + esp/transport//require; +spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec + esp/transport//require; + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb new file mode 100644 index 0000000..580a939 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb @@ -0,0 +1,33 @@ +# +# remote $title +# + +remote <%= @remote_ip %> { + exchange_mode main; + proposal { + encryption_algorithm <%= @encryption %>; + hash_algorithm <%= @hash %>; + dh_group <%= @dh_group %>; + lifetime time <%= @lifetime %>; + authentication_method pre_shared_key; + } + # generate_policy on; +} + +<% @nets.each do |net| -%> + <%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %> + <%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %> + <%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %> + <%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %> + + +sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %> +{ + pfs_group <%= @pfs_group %>; + encryption_algorithm <%= @saencryption %>; + authentication_algorithm <%= @p2hash %>; + compression_algorithm deflate; + lifetime time <%= @salifetime %>; +} +<% end -%> + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb new file mode 100644 index 0000000..1b6f400 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb @@ -0,0 +1,29 @@ +# +# racoon.conf Managed by Puppet +# will be overwritten at next puppet run +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +#remote anonymous { +# exchange_mode main; +# proposal { +# encryption_algorithm aes_256; +# hash_algorithm md5; +# authentication_method pre_shared_key; +# dh_group modp1024; +# } +# generate_policy on; +#} + +#sainfo anonymous{ +# pfs_group 2; +# encryption_algorithm aes_256; +# authentication_algorithm hmac_md5; +# compression_algorithm deflate; +#} + + diff --git a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb new file mode 100644 index 0000000..654ce6a --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb @@ -0,0 +1 @@ +#managed by puppet diff --git a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..8ac832a --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb @@ -0,0 +1,14 @@ + +<% @nets.each do |net| -%> +conn <%= @title %> + left=<%= @local_ip %> + leftsubnet=<%= net['local'] %> + right=<%= @remote_ip %> + rightsubnet=<%= net['remote'] %> + ike=aes256-md5-modp1024 + esp=aes256-md5-modp1024! + auto=start + authby=secret + keyexchange=ikev1 +<% end %> + diff --git a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb new file mode 100644 index 0000000..303e6e7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb @@ -0,0 +1,2 @@ +<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>" + diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb new file mode 100644 index 0000000..ea5195c --- /dev/null +++ b/spec/classes/init_spec.rb @@ -0,0 +1,6 @@ +require 'spec_helper' +describe 'ipsec' do + context 'with default values for all parameters' do + it { should contain_class('ipsec') } + end +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 0000000..2c6f566 --- /dev/null +++ b/spec/spec_helper.rb @@ -0,0 +1 @@ +require 'puppetlabs_spec_helper/module_spec_helper' diff --git a/templates/ipsec_top.erb b/templates/ipsec_top.erb new file mode 100644 index 0000000..eeb2dd9 --- /dev/null +++ b/templates/ipsec_top.erb @@ -0,0 +1,5 @@ +# Managed by puppet +# +flush; +spdflush; + diff --git a/templates/ipsec_tunnel.erb b/templates/ipsec_tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/templates/ipsec_tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/templates/isakmpd_ipsec_conf_header.erb b/templates/isakmpd_ipsec_conf_header.erb new file mode 100644 index 0000000..5176fb7 --- /dev/null +++ b/templates/isakmpd_ipsec_conf_header.erb @@ -0,0 +1,3 @@ +# +# Managed by Puppet +# diff --git a/templates/isakmpd_tunnel.erb b/templates/isakmpd_tunnel.erb new file mode 100644 index 0000000..06d42c7 --- /dev/null +++ b/templates/isakmpd_tunnel.erb @@ -0,0 +1,16 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +ike esp from <%= net['local'] %> to <%= net['remote'] %> \ +local <%= @local_ip %> peer <%= @remote_ip %> \ + main auth hmac-md5 enc aes-256 group modp1024 \ + quick auth hmac-md5 enc aes-256 group modp1024 \ + psk "<%= @psk %>" +<% end %> + + + diff --git a/templates/racoon.conf.erb b/templates/racoon.conf.erb new file mode 100644 index 0000000..2897df0 --- /dev/null +++ b/templates/racoon.conf.erb @@ -0,0 +1,28 @@ +# +# racoon.conf Managed by Puppet +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +remote anonymous { + exchange_mode main; + proposal { + encryption_algorithm aes_256; + hash_algorithm md5; + authentication_method pre_shared_key; + dh_group modp1024; + } + generate_policy on; +} + +sainfo anonymous{ + pfs_group 2; + encryption_algorithm aes_256; + authentication_algorithm hmac_md5; + compression_algorithm deflate; +} + + diff --git a/templates/racoon/ipsec.conf.transport.erb b/templates/racoon/ipsec.conf.transport.erb new file mode 100644 index 0000000..50c0970 --- /dev/null +++ b/templates/racoon/ipsec.conf.transport.erb @@ -0,0 +1,10 @@ +# +# Transport +# Name: <%= @title %> +# + +spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec + esp/transport//require; +spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec + esp/transport//require; + diff --git a/templates/racoon/ipsec.conf.tunnel.erb b/templates/racoon/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/templates/racoon/ipsec.conf.tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/templates/racoon/racoon.conf.erb b/templates/racoon/racoon.conf.erb new file mode 100644 index 0000000..580a939 --- /dev/null +++ b/templates/racoon/racoon.conf.erb @@ -0,0 +1,33 @@ +# +# remote $title +# + +remote <%= @remote_ip %> { + exchange_mode main; + proposal { + encryption_algorithm <%= @encryption %>; + hash_algorithm <%= @hash %>; + dh_group <%= @dh_group %>; + lifetime time <%= @lifetime %>; + authentication_method pre_shared_key; + } + # generate_policy on; +} + +<% @nets.each do |net| -%> + <%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %> + <%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %> + <%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %> + <%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %> + + +sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %> +{ + pfs_group <%= @pfs_group %>; + encryption_algorithm <%= @saencryption %>; + authentication_algorithm <%= @p2hash %>; + compression_algorithm deflate; + lifetime time <%= @salifetime %>; +} +<% end -%> + diff --git a/templates/racoon/racoon.conf.header.erb b/templates/racoon/racoon.conf.header.erb new file mode 100644 index 0000000..1b6f400 --- /dev/null +++ b/templates/racoon/racoon.conf.header.erb @@ -0,0 +1,29 @@ +# +# racoon.conf Managed by Puppet +# will be overwritten at next puppet run +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +#remote anonymous { +# exchange_mode main; +# proposal { +# encryption_algorithm aes_256; +# hash_algorithm md5; +# authentication_method pre_shared_key; +# dh_group modp1024; +# } +# generate_policy on; +#} + +#sainfo anonymous{ +# pfs_group 2; +# encryption_algorithm aes_256; +# authentication_algorithm hmac_md5; +# compression_algorithm deflate; +#} + + diff --git a/templates/strongswan/ipsec.conf.header.erb b/templates/strongswan/ipsec.conf.header.erb new file mode 100644 index 0000000..654ce6a --- /dev/null +++ b/templates/strongswan/ipsec.conf.header.erb @@ -0,0 +1 @@ +#managed by puppet diff --git a/templates/strongswan/ipsec.conf.tunnel.erb b/templates/strongswan/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..8ac832a --- /dev/null +++ b/templates/strongswan/ipsec.conf.tunnel.erb @@ -0,0 +1,14 @@ + +<% @nets.each do |net| -%> +conn <%= @title %> + left=<%= @local_ip %> + leftsubnet=<%= net['local'] %> + right=<%= @remote_ip %> + rightsubnet=<%= net['remote'] %> + ike=aes256-md5-modp1024 + esp=aes256-md5-modp1024! + auto=start + authby=secret + keyexchange=ikev1 +<% end %> + diff --git a/templates/strongswan/ipsec.secrets.erb b/templates/strongswan/ipsec.secrets.erb new file mode 100644 index 0000000..303e6e7 --- /dev/null +++ b/templates/strongswan/ipsec.secrets.erb @@ -0,0 +1,2 @@ +<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>" +