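# Installs and configures the ocserv (OpenConnect) VPN server.
#
# Parameters:
#   $ocserv_tcp_port       - TCP port ocserv listens on
#   $ocserv_udp_port       - UDP (DTLS) port ocserv listens on
#   $ocserv_default_domain, $ocserv_ipv4_network, $ocserv_dns,
#   $ocserv_split_dns, $ocserv_routes
#                          - handed straight through to the ocserv.conf template
#   $firewall              - on RedHat, also open the ports and enable
#                            masquerading with firewall-cmd (default: true)
#
# OS-family specifics (run-as user/group, control socket, chroot, certificate
# paths) are resolved by selectors on $facts['os']['family'].  The selectors
# have no default branch on purpose: an unsupported family fails catalog
# compilation instead of producing a half-configured daemon.
class ocserv($ocserv_tcp_port,
             $ocserv_udp_port,
             $ocserv_default_domain,
             $ocserv_ipv4_network,
             $ocserv_dns,
             $ocserv_split_dns,
             $ocserv_routes,
             $firewall = true)
{
  # Unprivileged identity the worker processes drop to after start-up
  # (presumably the distribution packages' own defaults -- confirm).
  $run_as_user =  $facts['os']['family'] ? {
    'Debian' => 'nobody',
    'RedHat' => 'ocserv',
  }

  $run_as_group = $facts['os']['family'] ? {
    'Debian' => 'daemon',
    'RedHat' => 'ocserv',
  }

  # Control socket between occtl and the daemon.  The RedHat value is
  # relative, presumably resolved inside $chroot_dir -- confirm.
  $socket_file = $facts['os']['family'] ? {
    'Debian' => '/var/run/ocserv-socket',
    'RedHat' => 'ocserv.sock',
  }

  # undef on Debian means the template leaves the chroot directive unset.
  $chroot_dir = $facts['os']['family'] ? {
    'Debian' => undef,
    'RedHat' => '/var/lib/ocserv',
  }

  # NOTE(review): the Debian paths point at the ssl-cert package's
  # self-signed "snakeoil" pair, which clients cannot validate; a real
  # deployment is expected to replace these with a CA-issued certificate.
  $server_cert = $facts['os']['family']? {
    'Debian' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
    'RedHat' => '/etc/pki/ocserv/public/server.crt',
  }

  $server_key = $facts['os']['family'] ? {
    'Debian' => '/etc/ssl/private/ssl-cert-snakeoil.key',
    'RedHat' => '/etc/pki/ocserv/private/server.key',
  }

  # package -> config file ~> service: the config is only written once the
  # package exists, and any change to it restarts the daemon.
  package {'ocserv':}
  ->
  file {'/etc/ocserv/ocserv.conf':
    content => epp('ocserv/ocserv.conf', {'tcp_port' => $ocserv_tcp_port,
                                          'udp_port' => $ocserv_udp_port,
                                          'run_as_user' => $run_as_user,
                                          'run_as_group' => $run_as_group,
                                          'socket_file' => $socket_file,
                                          'chroot_dir' => $chroot_dir,
                                          'server_cert' => $server_cert,
                                          'server_key' => $server_key,
                                          'default_domain' => $ocserv_default_domain,
                                          'ipv4_network' => $ocserv_ipv4_network,
                                          'dns' => $ocserv_dns,
                                          'split_dns' => $ocserv_split_dns,
                                          'routes' => $ocserv_routes,
                                         }),
  }
  ~>
  service {'ocserv':
    enable => true,
    ensure => running,
  }

  if ($facts['os']['family'] == 'RedHat' and $firewall) {
    # --permanent changes only the stored config, so a reload is notified
    # to make masquerading active in the running firewall as well.
    exec {'add masquerade for ocserv':
      command => '/usr/bin/firewall-cmd --permanent --add-masquerade',
      unless  => '/usr/bin/firewall-cmd --query-masquerade',
      notify  => Exec['reload firewall for ocserv'],
    }

    # Open exactly the ports handed to the config template instead of a
    # hard-coded 444, so changing the port parameters cannot leave the
    # firewall out of step with ocserv.conf.  Each port/protocol is its own
    # --add-port argument (no shell brace expansion involved), and the guard
    # checks both so a partially applied rule is completed on the next run.
    # The guard chains two commands with '&&', which is shell syntax, hence
    # the explicit shell provider.
    exec {'open firewall for ocserv':
      command  => "/usr/bin/firewall-cmd --permanent --add-port=${ocserv_tcp_port}/tcp --add-port=${ocserv_udp_port}/udp",
      unless   => "/usr/bin/firewall-cmd --query-port=${ocserv_tcp_port}/tcp && /usr/bin/firewall-cmd --query-port=${ocserv_udp_port}/udp",
      provider => shell,
    }
    ~>
    exec {'reload firewall for ocserv':
      command     => '/usr/bin/firewall-cmd --reload',
      refreshonly => true,
    }
  }

  if ($facts['os']['family'] == 'Debian') {
    # Debian's unit is socket-activated, so the listening ports live in a
    # systemd drop-in rather than (only) in ocserv.conf; a changed drop-in
    # needs a daemon-reload plus a restart of the socket unit to take effect.
    file {'/etc/systemd/system/ocserv.socket.d/':
      ensure => directory,
    }
    ->
    file {'/etc/systemd/system/ocserv.socket.d/port.conf':
      content => epp('ocserv/port.conf', {'tcp_port' => $ocserv_tcp_port,
                                          'udp_port' => $ocserv_udp_port,
                                         }),
    }
    ~>
    # '&&' is shell syntax; run it through /bin/sh explicitly rather than
    # relying on the default provider happening to hand it to a shell.
    exec {'/bin/systemctl daemon-reload && systemctl restart ocserv.socket':
      refreshonly => true,
      provider    => shell,
    }
  }
}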