authoralex <alex@pdp7.net>2023-09-16 16:05:47 +0200
committeralex <alex@pdp7.net>2023-09-16 16:05:47 +0200
commit16160b5b4ab9759534bc94cb2d0624f4675db9d3 (patch)
treebf3041a6df2c7fc0f6c4f328ebed38baf86836a3 /personal_infra/puppet/modules
parentd3062de6cf2e74ba6d6945e64e7f316cb4d83c7a (diff)
Add support for ocserv
Diffstat (limited to 'personal_infra/puppet/modules')
-rw-r--r--personal_infra/puppet/modules/ocserv/manifests/init.pp97
-rw-r--r--personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp57
-rw-r--r--personal_infra/puppet/modules/ocserv/templates/port.conf.epp8
3 files changed, 162 insertions, 0 deletions
diff --git a/personal_infra/puppet/modules/ocserv/manifests/init.pp b/personal_infra/puppet/modules/ocserv/manifests/init.pp
new file mode 100644
index 00000000..b9ead95b
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/manifests/init.pp
@@ -0,0 +1,97 @@
+class ocserv($ocserv_tcp_port,
+ $ocserv_udp_port,
+ $ocserv_default_domain,
+ $ocserv_ipv4_network,
+ $ocserv_dns,
+ $ocserv_split_dns,
+ $ocserv_routes,
+ $firewall = true)
+{
+ $run_as_user = $facts['os']['family'] ? {
+ 'Debian' => 'nobody',
+ 'RedHat' => 'ocserv',
+ }
+
+ $run_as_group = $facts['os']['family'] ? {
+ 'Debian' => 'daemon',
+ 'RedHat' => 'ocserv',
+ }
+
+ $socket_file = $facts['os']['family'] ? {
+ 'Debian' => '/var/run/ocserv-socket',
+ 'RedHat' => 'ocserv.sock',
+ }
+
+ $chroot_dir = $facts['os']['family'] ? {
+ 'Debian' => undef,
+ 'RedHat' => '/var/lib/ocserv',
+ }
+
+ $server_cert = $facts['os']['family']? {
+ 'Debian' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ 'RedHat' => '/etc/pki/ocserv/public/server.crt',
+ }
+
+ $server_key = $facts['os']['family'] ? {
+ 'Debian' => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ 'RedHat' => '/etc/pki/ocserv/private/server.key',
+ }
+
+ package {'ocserv':}
+ ->
+ file {'/etc/ocserv/ocserv.conf':
+ content => epp('ocserv/ocserv.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ 'run_as_user' => $run_as_user,
+ 'run_as_group' => $run_as_group,
+ 'socket_file' => $socket_file,
+ 'chroot_dir' => $chroot_dir,
+ 'server_cert' => $server_cert,
+ 'server_key' => $server_key,
+ 'default_domain' => $ocserv_default_domain,
+ 'ipv4_network' => $ocserv_ipv4_network,
+ 'dns' => $ocserv_dns,
+ 'split_dns' => $ocserv_split_dns,
+ 'routes' => $ocserv_routes,
+ }),
+ }
+ ~>
+ service {'ocserv':
+ enable => true,
+ ensure => running,
+ }
+
+ if ($facts['os']['family'] == 'RedHat' and $firewall) {
+ exec {'add masquerade for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-masquerade',
+ unless => '/usr/bin/firewall-cmd --query-masquerade',
+ notify => Exec['reload firewall for ocserv'],
+ }
+
+ exec {'open firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-port=444/{tcp,udp}',
+ unless => '/usr/bin/firewall-cmd --query-port=444/udp',
+ }
+ ~>
+ exec {'reload firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --reload',
+ refreshonly => true,
+ }
+ }
+
+ if ($facts['os']['family'] == 'Debian') {
+ file {'/etc/systemd/system/ocserv.socket.d/':
+ ensure => directory,
+ }
+ ->
+ file {'/etc/systemd/system/ocserv.socket.d/port.conf':
+ content => epp('ocserv/port.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ }),
+ }
+ ~>
+ exec {'/bin/systemctl daemon-reload && systemctl restart ocserv.socket':
+ refreshonly => true,
+ }
+ }
+}
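Review bot: The firewall exec `open firewall for ocserv` hard-codes port 444 while the class takes `$ocserv_tcp_port` and `$ocserv_udp_port`, so a host configured with any other port gets the wrong hole opened and the real VPN port stays blocked; the `unless` also checks only the udp port, so a half-applied state is never repaired. Separately, `--add-port=444/{tcp,udp}` relies on shell brace expansion and the Debian exec title `/bin/systemctl daemon-reload && systemctl restart ocserv.socket` relies on `&&`, but Puppet's default `posix` exec provider runs the command directly without a shell, so as far as I can tell firewall-cmd receives the literal string `444/{tcp,udp}` and systemctl receives `&&` as an argument; both execs need `provider => shell` (or the commands split into one resource per port). Both changed execs are in this hunk; the rewritten RedHat one is below.
```puppet
exec {'open firewall for ocserv':
  command  => "/usr/bin/firewall-cmd --permanent --add-port=${ocserv_tcp_port}/tcp --add-port=${ocserv_udp_port}/udp",
  unless   => "/usr/bin/firewall-cmd --query-port=${ocserv_tcp_port}/tcp && /usr/bin/firewall-cmd --query-port=${ocserv_udp_port}/udp",
  provider => shell,
}
# … unchanged: reload exec and Debian socket branch (add provider => shell to the daemon-reload exec) …
```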
diff --git a/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp b/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp
new file mode 100644
index 00000000..b4ca12e7
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp
@@ -0,0 +1,57 @@
+<%- | $tcp_port,
+ $udp_port,
+ $run_as_user,
+ $run_as_group,
+ $socket_file,
+ $chroot_dir,
+ $server_cert,
+ $server_key,
+ $default_domain,
+ $ipv4_network,
+ $dns,
+ $split_dns,
+ $routes,
+| -%>
+auth = "pam"
+listen-host-is-dyndns = true
+# note, those are not used on Debian
+tcp-port = <%= $tcp_port %>
+udp-port = <%= $udp_port %>
+run-as-user = <%= $run_as_user %>
+run-as-group = <%= $run_as_group %>
+socket-file = <%= $socket_file %>
+<% if $chroot_dir { -%>
+chroot-dir = <%= $chroot_dir %>
+<% } -%>
+server-cert = <%= $server_cert %>
+server-key = <%= $server_key %>
+isolate-workers = true
+keepalive = 32400
+dpd = 90
+mobile-dpd = 1800
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+compression = true
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+auth-timeout = 240
+min-reauth-time = 3
+cookie-timeout = 300
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+use-utmp = true
+pid-file = /var/run/ocserv.pid
+device = vpns
+predictable-ips = true
+default-domain = <%= $default_domain %>
+ipv4-network = <%= $ipv4_network %>
+#tunnel-all-dns = true
+dns = <%= $dns %>
+split-dns = <%= $split_dns %>
+ping-leases = true
+cisco-client-compat = true
+dtls-psk = false
+dtls-legacy = true
+<% $routes.each | $route | { -%>
+route = <%= $route %>
+<% } %>
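Review bot: The template's parameter list carries no types or documentation although the body depends on specific shapes: `$routes` must be iterable (`$routes.each` on the last lines) and `$chroot_dir` is expected to be `undef` on Debian (the `if $chroot_dir` guard), while every other value is interpolated verbatim into the daemon config. Declaring them as `Array[String] $routes` and `Optional[String] $chroot_dir` in the `<%- | … | -%>` header would make a wrong value fail at catalog compile time instead of producing a broken ocserv.conf. The TLS choices are also unexplained — `%COMPAT` in `tls-priorities`, `dtls-legacy = true`, `dtls-psk = false`, `compression = true` — and a one-line comment above that group naming the client versions that require each relaxation would let a later maintainer tighten them safely; e.g. `# legacy DTLS/%COMPAT kept for <client and version>; remove once those clients are gone`.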
diff --git a/personal_infra/puppet/modules/ocserv/templates/port.conf.epp b/personal_infra/puppet/modules/ocserv/templates/port.conf.epp
new file mode 100644
index 00000000..223c9961
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/templates/port.conf.epp
@@ -0,0 +1,8 @@
+<%- | $tcp_port,
+ $udp_port,
+| -%>
+[Socket]
+ListenStream=
+ListenDatagram=
+ListenStream=<%= $tcp_port %>
+ListenDatagram=<%= $udp_port %>
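Review bot: The two empty `ListenStream=` / `ListenDatagram=` assignments are the load-bearing part of this drop-in — an empty assignment clears the listeners declared by the distribution's `ocserv.socket` so only the configured ports remain — but nothing says so, and a reader could reasonably delete them as redundant. A comment above them would prevent that: `# empty assignments reset the packaged unit's listeners; only our ports below remain`. Note also that the unit then listens on all addresses; if the VPN should only be reachable on one interface, the port values could be given as `addr:port` by the caller.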