From 16160b5b4ab9759534bc94cb2d0624f4675db9d3 Mon Sep 17 00:00:00 2001
From: alex
Date: Sat, 16 Sep 2023 16:05:47 +0200
Subject: Add support for ocserv
---
 .../puppet/modules/ocserv/manifests/init.pp | 97 ++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 personal_infra/puppet/modules/ocserv/manifests/init.pp
(limited to 'personal_infra/puppet/modules/ocserv/manifests')
diff --git a/personal_infra/puppet/modules/ocserv/manifests/init.pp b/personal_infra/puppet/modules/ocserv/manifests/init.pp
new file mode 100644
index 00000000..b9ead95b
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/manifests/init.pp
@@ -0,0 +1,97 @@
+class ocserv($ocserv_tcp_port,
+ $ocserv_udp_port,
+ $ocserv_default_domain,
+ $ocserv_ipv4_network,
+ $ocserv_dns,
+ $ocserv_split_dns,
+ $ocserv_routes,
+ $firewall = true)
+{
+ $run_as_user = $facts['os']['family'] ? {
+ 'Debian' => 'nobody',
+ 'RedHat' => 'ocserv',
+ }
+
+ $run_as_group = $facts['os']['family'] ? {
+ 'Debian' => 'daemon',
+ 'RedHat' => 'ocserv',
+ }
+
+ $socket_file = $facts['os']['family'] ? {
+ 'Debian' => '/var/run/ocserv-socket',
+ 'RedHat' => 'ocserv.sock',
+ }
+
+ $chroot_dir = $facts['os']['family'] ? {
+ 'Debian' => undef,
+ 'RedHat' => '/var/lib/ocserv',
+ }
+
+ $server_cert = $facts['os']['family']? {
+ 'Debian' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ 'RedHat' => '/etc/pki/ocserv/public/server.crt',
+ }
+
+ $server_key = $facts['os']['family'] ? {
+ 'Debian' => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ 'RedHat' => '/etc/pki/ocserv/private/server.key',
+ }
+
+ package {'ocserv':}
+ ->
+ file {'/etc/ocserv/ocserv.conf':
+ content => epp('ocserv/ocserv.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ 'run_as_user' => $run_as_user,
+ 'run_as_group' => $run_as_group,
+ 'socket_file' => $socket_file,
+ 'chroot_dir' => $chroot_dir,
+ 'server_cert' => $server_cert,
+ 'server_key' => $server_key,
+ 'default_domain' => $ocserv_default_domain,
+ 'ipv4_network' => $ocserv_ipv4_network,
+ 'dns' => $ocserv_dns,
+ 'split_dns' => $ocserv_split_dns,
+ 'routes' => $ocserv_routes,
+ }),
+ }
+ ~>
+ service {'ocserv':
+ enable => true,
+ ensure => running,
+ }
+
+ if ($facts['os']['family'] == 'RedHat' and $firewall) {
+ exec {'add masquerade for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-masquerade',
+ unless => '/usr/bin/firewall-cmd --query-masquerade',
+ notify => Exec['reload firewall for ocserv'],
+ }
+
+ exec {'open firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-port=444/{tcp,udp}',
+ unless => '/usr/bin/firewall-cmd --query-port=444/udp',
+ }
+ ~>
+ exec {'reload firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --reload',
+ refreshonly => true,
+ }
+ }
+
+ if ($facts['os']['family'] == 'Debian') {
+ file {'/etc/systemd/system/ocserv.socket.d/':
+ ensure => directory,
+ }
+ ->
+ file {'/etc/systemd/system/ocserv.socket.d/port.conf':
+ content => epp('ocserv/port.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ }),
+ }
+ ~>
+ exec {'/bin/systemctl daemon-reload && systemctl restart ocserv.socket':
+ refreshonly => true,
+ }
+ }
+}
-- cgit v1.2.3
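Review bot: The 'open firewall for ocserv' exec hard-codes port 444 in both `command` and `unless`, so when the class is given `$ocserv_tcp_port`/`$ocserv_udp_port` other than 444 the configured listener ports stay closed while an unrelated one is opened. Puppet's exec runs the command without a shell under the default provider, so `{tcp,udp}` is not brace-expanded and reaches firewall-cmd literally; I would write `command => "/usr/bin/firewall-cmd --permanent --add-port=${ocserv_tcp_port}/tcp --add-port=${ocserv_udp_port}/udp",` and `unless => "/usr/bin/firewall-cmd --permanent --query-port=${ocserv_udp_port}/udp",` so the guard checks the same permanent configuration the command writes instead of the runtime set that only changes after the reload. Separately, on the Debian branch `$server_cert`/`$server_key` point at the ssl-cert-snakeoil pair, which is a self-signed placeholder that VPN clients cannot validate; that default deserves a comment such as `# Debian: placeholder self-signed cert, override with a CA-issued pair before exposing the service`.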