| author | alex <alex@pdp7.net> | 2023-09-16 16:05:47 +0200 |
|---|---|---|
| committer | alex <alex@pdp7.net> | 2023-09-16 16:05:47 +0200 |
| commit | 16160b5b4ab9759534bc94cb2d0624f4675db9d3 (patch) | |
| tree | bf3041a6df2c7fc0f6c4f328ebed38baf86836a3 /personal_infra/puppet/modules/ocserv/manifests | |
| parent | d3062de6cf2e74ba6d6945e64e7f316cb4d83c7a (diff) | |
Add support for ocserv
Diffstat (limited to 'personal_infra/puppet/modules/ocserv/manifests')
| -rw-r--r-- | personal_infra/puppet/modules/ocserv/manifests/init.pp | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/personal_infra/puppet/modules/ocserv/manifests/init.pp b/personal_infra/puppet/modules/ocserv/manifests/init.pp
new file mode 100644
index 00000000..b9ead95b
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/manifests/init.pp
@@ -0,0 +1,97 @@
+class ocserv($ocserv_tcp_port,
+ $ocserv_udp_port,
+ $ocserv_default_domain,
+ $ocserv_ipv4_network,
+ $ocserv_dns,
+ $ocserv_split_dns,
+ $ocserv_routes,
+ $firewall = true)
+{
+ $run_as_user = $facts['os']['family'] ? {
+ 'Debian' => 'nobody',
+ 'RedHat' => 'ocserv',
+ }
+
+ $run_as_group = $facts['os']['family'] ? {
+ 'Debian' => 'daemon',
+ 'RedHat' => 'ocserv',
+ }
+
+ $socket_file = $facts['os']['family'] ? {
+ 'Debian' => '/var/run/ocserv-socket',
+ 'RedHat' => 'ocserv.sock',
+ }
+
+ $chroot_dir = $facts['os']['family'] ? {
+ 'Debian' => undef,
+ 'RedHat' => '/var/lib/ocserv',
+ }
+
+ $server_cert = $facts['os']['family']? {
+ 'Debian' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ 'RedHat' => '/etc/pki/ocserv/public/server.crt',
+ }
+
+ $server_key = $facts['os']['family'] ? {
+ 'Debian' => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ 'RedHat' => '/etc/pki/ocserv/private/server.key',
+ }
+
+ package {'ocserv':}
+ ->
+ file {'/etc/ocserv/ocserv.conf':
+ content => epp('ocserv/ocserv.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ 'run_as_user' => $run_as_user,
+ 'run_as_group' => $run_as_group,
+ 'socket_file' => $socket_file,
+ 'chroot_dir' => $chroot_dir,
+ 'server_cert' => $server_cert,
+ 'server_key' => $server_key,
+ 'default_domain' => $ocserv_default_domain,
+ 'ipv4_network' => $ocserv_ipv4_network,
+ 'dns' => $ocserv_dns,
+ 'split_dns' => $ocserv_split_dns,
+ 'routes' => $ocserv_routes,
+ }),
+ }
+ ~>
+ service {'ocserv':
+ enable => true,
+ ensure => running,
+ }
+
+ if ($facts['os']['family'] == 'RedHat' and $firewall) {
+ exec {'add masquerade for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-masquerade',
+ unless => '/usr/bin/firewall-cmd --query-masquerade',
+ notify => Exec['reload firewall for ocserv'],
+ }
+
+ exec {'open firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-port=444/{tcp,udp}',
+ unless => '/usr/bin/firewall-cmd --query-port=444/udp',
+ }
+ ~>
+ exec {'reload firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --reload',
+ refreshonly => true,
+ }
+ }
+
+ if ($facts['os']['family'] == 'Debian') {
+ file {'/etc/systemd/system/ocserv.socket.d/':
+ ensure => directory,
+ }
+ ->
+ file {'/etc/systemd/system/ocserv.socket.d/port.conf':
+ content => epp('ocserv/port.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ }),
+ }
+ ~>
+ exec {'/bin/systemctl daemon-reload && systemctl restart ocserv.socket':
+ refreshonly => true,
+ }
+ }
+}
|
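Review bot: The RedHat firewall exec hard-codes port 444 (`--add-port=444/{tcp,udp}`) while the ports ocserv actually listens on come from `$ocserv_tcp_port`/`$ocserv_udp_port`, so any other port value leaves the VPN unreachable and 444 open for nothing; its `unless` also queries only the UDP rule, so a missing TCP rule is never re-added. Interpolate the parameters and check both protocols, e.g. `command => "/usr/bin/firewall-cmd --permanent --add-port=${ocserv_tcp_port}/tcp --add-port=${ocserv_udp_port}/udp"` with an `unless` that queries both ports, either as two separate exec resources or with `provider => shell` set explicitly — the default posix provider is documented as not passing the command through a shell, which presumably also affects the `{tcp,udp}` expansion here and the `&&` in the Debian `systemctl` exec. On Debian the class also points ocserv at the ssl-cert-snakeoil self-signed pair, which VPN clients cannot validate; exposing `$server_cert`/`$server_key` as class parameters with the current selectors as defaults would let a real certificate be supplied without editing the module. A short class comment stating that `$firewall` only takes effect on RedHat (firewalld) and that both port parameters must match the firewall rule would also help.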
