Add support for ocserv
authoralex <alex@pdp7.net>
Sat, 16 Sep 2023 14:05:47 +0000 (16:05 +0200)
committeralex <alex@pdp7.net>
Sat, 16 Sep 2023 14:05:47 +0000 (16:05 +0200)
personal_infra/puppet/modules/ocserv/manifests/init.pp [new file with mode: 0644]
personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp [new file with mode: 0644]
personal_infra/puppet/modules/ocserv/templates/port.conf.epp [new file with mode: 0644]
personal_infra/puppet/site/01-tinc.pp

diff --git a/personal_infra/puppet/modules/ocserv/manifests/init.pp b/personal_infra/puppet/modules/ocserv/manifests/init.pp
new file mode 100644 (file)
index 0000000..b9ead95
--- /dev/null
@@ -0,0 +1,97 @@
+class ocserv($ocserv_tcp_port,
+             $ocserv_udp_port,
+             $ocserv_default_domain,
+             $ocserv_ipv4_network,
+             $ocserv_dns,
+             $ocserv_split_dns,
+             $ocserv_routes,
+             $firewall = true)
+{
+  $run_as_user =  $facts['os']['family'] ? {
+    'Debian' => 'nobody',
+    'RedHat' => 'ocserv',
+  }
+
+  $run_as_group = $facts['os']['family'] ? {
+    'Debian' => 'daemon',
+    'RedHat' => 'ocserv',
+  }
+
+  $socket_file = $facts['os']['family'] ? {
+    'Debian' => '/var/run/ocserv-socket',
+    'RedHat' => 'ocserv.sock',
+  }
+
+  $chroot_dir = $facts['os']['family'] ? {
+    'Debian' => undef,
+    'RedHat' => '/var/lib/ocserv',
+  }
+
+  $server_cert = $facts['os']['family']? {
+    'Debian' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+    'RedHat' => '/etc/pki/ocserv/public/server.crt',
+  }
+
+  $server_key = $facts['os']['family'] ? {
+    'Debian' => '/etc/ssl/private/ssl-cert-snakeoil.key',
+    'RedHat' => '/etc/pki/ocserv/private/server.key',
+  }
+
+  package {'ocserv':}
+  ->
+  file {'/etc/ocserv/ocserv.conf':
+    content => epp('ocserv/ocserv.conf', {'tcp_port' => $ocserv_tcp_port,
+                                          'udp_port' => $ocserv_udp_port,
+                                          'run_as_user' => $run_as_user,
+                                          'run_as_group' => $run_as_group,
+                                          'socket_file' => $socket_file,
+                                          'chroot_dir' => $chroot_dir,
+                                          'server_cert' => $server_cert,
+                                          'server_key' => $server_key,
+                                          'default_domain' => $ocserv_default_domain,
+                                          'ipv4_network' => $ocserv_ipv4_network,
+                                          'dns' => $ocserv_dns,
+                                          'split_dns' => $ocserv_split_dns,
+                                          'routes' => $ocserv_routes,
+                                         }),
+  }
+  ~>
+  service {'ocserv':
+    enable => true,
+    ensure => running,
+  }
+
+  if ($facts['os']['family'] == 'RedHat' and $firewall) {
+    exec {'add masquerade for ocserv':
+      command => '/usr/bin/firewall-cmd --permanent --add-masquerade',
+      unless => '/usr/bin/firewall-cmd --query-masquerade',
+      notify => Exec['reload firewall for ocserv'],
+    }
+
+    exec {'open firewall for ocserv':
+      command => '/usr/bin/firewall-cmd --permanent --add-port=444/{tcp,udp}',
+      unless => '/usr/bin/firewall-cmd --query-port=444/udp',
+    }
+    ~>
+    exec {'reload firewall for ocserv':
+      command => '/usr/bin/firewall-cmd --reload',
+      refreshonly => true,
+    }
+  }
+
+  if ($facts['os']['family'] == 'Debian') {
+    file {'/etc/systemd/system/ocserv.socket.d/':
+      ensure => directory,
+    }
+    ->
+    file {'/etc/systemd/system/ocserv.socket.d/port.conf':
+      content => epp('ocserv/port.conf', {'tcp_port' => $ocserv_tcp_port,
+                                          'udp_port' => $ocserv_udp_port,
+                                         }),
+    }
+    ~>
+    exec {'/bin/systemctl daemon-reload && systemctl restart ocserv.socket':
+      refreshonly => true,
+    }
+  }
+}
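Review bot: The `open firewall for ocserv` exec hard-codes port 444 and relies on `{tcp,udp}` brace expansion, while the class receives `$ocserv_tcp_port`/`$ocserv_udp_port` as parameters; a caller that changes the ports would leave the firewall opened on the wrong one, and brace expansion only happens when the command goes through a shell, which the default posix exec provider is documented not to do. Spelling both ports out removes both problems: `command => "/usr/bin/firewall-cmd --permanent --add-port=${ocserv_tcp_port}/tcp --add-port=${ocserv_udp_port}/udp",` with `unless => "/usr/bin/firewall-cmd --query-port=${ocserv_udp_port}/udp",` (the `unless` should ideally check the tcp port too). The `daemon-reload && systemctl restart ocserv.socket` exec at the end of the Debian branch has the same shell dependency plus an unqualified second `systemctl`; `provider => shell` on it, or two chained execs with full paths, makes the intent explicit. The Debian defaults for `$server_cert`/`$server_key` point at the distribution's self-signed snakeoil pair, which VPN clients cannot validate; a comment such as `# Debian default is the self-signed snakeoil pair; override with a real certificate before exposing this endpoint` would flag that for the next maintainer.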
diff --git a/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp b/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp
new file mode 100644 (file)
index 0000000..b4ca12e
--- /dev/null
@@ -0,0 +1,57 @@
+<%- | $tcp_port,
+      $udp_port,
+      $run_as_user,
+      $run_as_group,
+      $socket_file,
+      $chroot_dir,
+      $server_cert,
+      $server_key,
+      $default_domain,
+      $ipv4_network,
+      $dns,
+      $split_dns,
+      $routes,
+| -%>
+auth = "pam"
+listen-host-is-dyndns = true
+# note, those are not used on Debian
+tcp-port = <%= $tcp_port %>
+udp-port = <%= $udp_port %>
+run-as-user = <%= $run_as_user %>
+run-as-group = <%= $run_as_group %>
+socket-file = <%= $socket_file %>
+<% if $chroot_dir { -%>
+chroot-dir = <%= $chroot_dir %>
+<% } -%>
+server-cert = <%= $server_cert %>
+server-key = <%= $server_key %>
+isolate-workers = true
+keepalive = 32400
+dpd = 90
+mobile-dpd = 1800
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+compression = true
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+auth-timeout = 240
+min-reauth-time = 3
+cookie-timeout = 300
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+use-utmp = true
+pid-file = /var/run/ocserv.pid
+device = vpns
+predictable-ips = true
+default-domain = <%= $default_domain %>
+ipv4-network = <%= $ipv4_network %>
+#tunnel-all-dns = true
+dns = <%= $dns %>
+split-dns = <%= $split_dns %>
+ping-leases = true
+cisco-client-compat = true
+dtls-psk = false
+dtls-legacy = true
+<% $routes.each | $route | { -%>
+route = <%= $route %>
+<% } %>
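Review bot: The comment `# note, those are not used on Debian` above `tcp-port`/`udp-port` does not say why; since this commit supplies the Debian ports through the ocserv.socket drop-in in port.conf.epp, `# On Debian ocserv is socket-activated and listens on the ports from the ocserv.socket drop-in (port.conf.epp); these two values are ignored there` would make the coupling findable. `tls-priorities` keeps `%COMPAT`, and `dtls-legacy = true` and `cisco-client-compat = true` are both enabled; a one-line comment naming which clients need these compatibility settings would let a later reviewer drop them once those clients are gone. The `<% } %>` closing the route loop lacks the `-%>` trim the other tags use, so each rendered `route =` line is followed by an empty line.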
diff --git a/personal_infra/puppet/modules/ocserv/templates/port.conf.epp b/personal_infra/puppet/modules/ocserv/templates/port.conf.epp
new file mode 100644 (file)
index 0000000..223c996
--- /dev/null
@@ -0,0 +1,8 @@
+<%- | $tcp_port,
+      $udp_port,
+| -%>
+[Socket]
+ListenStream=
+ListenDatagram=
+ListenStream=<%= $tcp_port %>
+ListenDatagram=<%= $udp_port %>
index a883e8919c4f2bb7c1c6b3e2022987193311d3c8..6acbbd2e9f7c7b4c62dab5831fd075b94af77816 100644 (file)
@@ -12,6 +12,7 @@ $tinc_locations = Hash($tinc_hosts.map |$host_name| { [
 $tinc_connect_to = $tinc_other_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.tinc.location") }
 
 $tinc_other_networks = $tinc_other_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.self_internal_network") }
+$ocserv_networks = $tinc_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.self_internal_network") }
 
 if 'tinc' in lookup("group_names") {
   class {'tinc':
@@ -24,4 +25,15 @@ if 'tinc' in lookup("group_names") {
     tinc_other_networks => $tinc_other_networks,
     firewall            => !lookup({"name" => "network.disable_firewall", "default_value" => false}),
   }
+
+  class {'ocserv':
+    ocserv_tcp_port       => 444,
+    ocserv_udp_port       => 444,
+    ocserv_default_domain => "int.pdp7.net",
+    ocserv_ipv4_network   => lookup("network.ocserv.network"),
+    ocserv_dns            => lookup("network.self_internal_ip"),
+    ocserv_split_dns      => lookup("tinc_global.ocserv_domain"),
+    ocserv_routes         => $ocserv_networks,
+    firewall              => !lookup({"name" => "network.disable_firewall", "default_value" => false}),
+  }
 }
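Review bot: `ocserv_tcp_port`/`ocserv_udp_port` are fixed to 444 here while the `open firewall for ocserv` exec in init.pp hard-codes 444 independently, so the two must be changed together by hand; sourcing them from hiera like the neighbouring arguments, e.g. `ocserv_tcp_port => lookup({"name" => "network.ocserv.tcp_port", "default_value" => 444}),` (key name constructed to sit beside the existing `network.ocserv.network`), keeps a single source of truth. `ocserv_default_domain => "int.pdp7.net"` is the only literal among lookup()-sourced values; if it is the same domain as `tinc_global.ocserv_domain`, reuse that lookup rather than duplicating the string. Declaring `class {'ocserv': ...}` inside the `'tinc' in lookup("group_names")` guard, which begins in the previous hunk, makes every tinc member a VPN endpoint; if only some hosts should be, a dedicated group check would scope it.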