From: alex
Date: Sat, 16 Sep 2023 14:05:47 +0000 (+0200)
Subject: Add support for ocserv
X-Git-Tag: 20240214-emacs~276
X-Git-Url: https://xn--ix-yja.es/gitweb/?a=commitdiff_plain;h=16160b5b4ab9759534bc94cb2d0624f4675db9d3;p=alex.git
Add support for ocserv
---
diff --git a/personal_infra/puppet/modules/ocserv/manifests/init.pp b/personal_infra/puppet/modules/ocserv/manifests/init.pp
new file mode 100644
index 0000000..b9ead95
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/manifests/init.pp
@@ -0,0 +1,97 @@
+class ocserv($ocserv_tcp_port,
+ $ocserv_udp_port,
+ $ocserv_default_domain,
+ $ocserv_ipv4_network,
+ $ocserv_dns,
+ $ocserv_split_dns,
+ $ocserv_routes,
+ $firewall = true)
+{
+ $run_as_user = $facts['os']['family'] ? {
+ 'Debian' => 'nobody',
+ 'RedHat' => 'ocserv',
+ }
+
+ $run_as_group = $facts['os']['family'] ? {
+ 'Debian' => 'daemon',
+ 'RedHat' => 'ocserv',
+ }
+
+ $socket_file = $facts['os']['family'] ? {
+ 'Debian' => '/var/run/ocserv-socket',
+ 'RedHat' => 'ocserv.sock',
+ }
+
+ $chroot_dir = $facts['os']['family'] ? {
+ 'Debian' => undef,
+ 'RedHat' => '/var/lib/ocserv',
+ }
+
+ $server_cert = $facts['os']['family']? {
+ 'Debian' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ 'RedHat' => '/etc/pki/ocserv/public/server.crt',
+ }
+
+ $server_key = $facts['os']['family'] ? {
+ 'Debian' => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ 'RedHat' => '/etc/pki/ocserv/private/server.key',
+ }
+
+ package {'ocserv':}
+ ->
+ file {'/etc/ocserv/ocserv.conf':
+ content => epp('ocserv/ocserv.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ 'run_as_user' => $run_as_user,
+ 'run_as_group' => $run_as_group,
+ 'socket_file' => $socket_file,
+ 'chroot_dir' => $chroot_dir,
+ 'server_cert' => $server_cert,
+ 'server_key' => $server_key,
+ 'default_domain' => $ocserv_default_domain,
+ 'ipv4_network' => $ocserv_ipv4_network,
+ 'dns' => $ocserv_dns,
+ 'split_dns' => $ocserv_split_dns,
+ 'routes' => $ocserv_routes,
+ }),
+ }
+ ~>
+ service {'ocserv':
+ enable => true,
+ ensure => running,
+ }
+
+ if ($facts['os']['family'] == 'RedHat' and $firewall) {
+ exec {'add masquerade for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-masquerade',
+ unless => '/usr/bin/firewall-cmd --query-masquerade',
+ notify => Exec['reload firewall for ocserv'],
+ }
+
+ exec {'open firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --permanent --add-port=444/{tcp,udp}',
+ unless => '/usr/bin/firewall-cmd --query-port=444/udp',
+ }
+ ~>
+ exec {'reload firewall for ocserv':
+ command => '/usr/bin/firewall-cmd --reload',
+ refreshonly => true,
+ }
+ }
+
+ if ($facts['os']['family'] == 'Debian') {
+ file {'/etc/systemd/system/ocserv.socket.d/':
+ ensure => directory,
+ }
+ ->
+ file {'/etc/systemd/system/ocserv.socket.d/port.conf':
+ content => epp('ocserv/port.conf', {'tcp_port' => $ocserv_tcp_port,
+ 'udp_port' => $ocserv_udp_port,
+ }),
+ }
+ ~>
+ exec {'/bin/systemctl daemon-reload && systemctl restart ocserv.socket':
+ refreshonly => true,
+ }
+ }
+}
diff --git a/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp b/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp
new file mode 100644
index 0000000..b4ca12e
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/templates/ocserv.conf.epp
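Review bot: The 'open firewall for ocserv' exec hard-codes `444/{tcp,udp}` although the class already receives `$ocserv_tcp_port` and `$ocserv_udp_port`, so changing the parameters leaves the firewalld hole on 444, and the brace expansion relies on shell behaviour that the exec's default provider does not promise (no `provider => shell` is set). Passing each port as its own option avoids both: `command => "/usr/bin/firewall-cmd --permanent --add-port=${ocserv_tcp_port}/tcp --add-port=${ocserv_udp_port}/udp",` with `unless => "/usr/bin/firewall-cmd --query-port=${ocserv_tcp_port}/tcp",` (the current `unless` only queries udp, so a half-applied rule is never repaired either way; checking both needs `provider => shell` and `&&`). Separately, the Debian branch serves the VPN with `ssl-cert-snakeoil.pem`, the distro's self-signed placeholder, which clients can only trust by fingerprint; a comment such as `# Debian: the snakeoil cert is a placeholder, clients must pin its fingerprint until a real certificate replaces it` would make that explicit. The `$facts['os']['family']` selectors have no default case, so on any other family the class fails to compile rather than reporting a clear message.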
@@ -0,0 +1,57 @@
+<%- | $tcp_port,
+ $udp_port,
+ $run_as_user,
+ $run_as_group,
+ $socket_file,
+ $chroot_dir,
+ $server_cert,
+ $server_key,
+ $default_domain,
+ $ipv4_network,
+ $dns,
+ $split_dns,
+ $routes,
+| -%>
+auth = "pam"
+listen-host-is-dyndns = true
+# note, those are not used on Debian
+tcp-port = <%= $tcp_port %>
+udp-port = <%= $udp_port %>
+run-as-user = <%= $run_as_user %>
+run-as-group = <%= $run_as_group %>
+socket-file = <%= $socket_file %>
+<% if $chroot_dir { -%>
+chroot-dir = <%= $chroot_dir %>
+<% } -%>
+server-cert = <%= $server_cert %>
+server-key = <%= $server_key %>
+isolate-workers = true
+keepalive = 32400
+dpd = 90
+mobile-dpd = 1800
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+compression = true
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+auth-timeout = 240
+min-reauth-time = 3
+cookie-timeout = 300
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+use-utmp = true
+pid-file = /var/run/ocserv.pid
+device = vpns
+predictable-ips = true
+default-domain = <%= $default_domain %>
+ipv4-network = <%= $ipv4_network %>
+#tunnel-all-dns = true
+dns = <%= $dns %>
+split-dns = <%= $split_dns %>
+ping-leases = true
+cisco-client-compat = true
+dtls-psk = false
+dtls-legacy = true
+<% $routes.each | $route | { -%>
+route = <%= $route %>
+<% } %>
diff --git a/personal_infra/puppet/modules/ocserv/templates/port.conf.epp b/personal_infra/puppet/modules/ocserv/templates/port.conf.epp
new file mode 100644
index 0000000..223c996
--- /dev/null
+++ b/personal_infra/puppet/modules/ocserv/templates/port.conf.epp
@@ -0,0 +1,8 @@
+<%- | $tcp_port,
+ $udp_port,
+| -%>
+[Socket]
+ListenStream=
+ListenDatagram=
+ListenStream=<%= $tcp_port %>
+ListenDatagram=<%= $udp_port %>
diff --git a/personal_infra/puppet/site/01-tinc.pp b/personal_infra/puppet/site/01-tinc.pp
index a883e89..6acbbd2 100644
--- a/personal_infra/puppet/site/01-tinc.pp
+++ b/personal_infra/puppet/site/01-tinc.pp
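Review bot: `tls-priorities` is fixed to `NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128`, which only excludes SSL 3.0 and RC4; on GnuTLS builds whose system-wide policy does not already do so, NORMAL still admits TLS 1.0 and 1.1, and `%COMPAT` relaxes strict protocol handling for old clients. For an endpoint reached by public name (`listen-host-is-dyndns = true`) appending `:-VERS-TLS1.0:-VERS-TLS1.1` is cheap, and a comment such as `# %COMPAT and dtls-legacy are presumably kept for older clients; drop them once none remain` would record why `%COMPAT` and `dtls-legacy = true` are on. `min-reauth-time = 3` together with `auth = "pam"` lets a rejected password be retried every three seconds, and no `max-ban-score`/`ban-reset-time` is set, so throttling is left entirely to the PAM stack; a higher min-reauth-time or ocserv's ban options deserve a line here. The comment `# note, those are not used on Debian` would read better as `# tcp-port/udp-port are ignored on Debian, where ocserv.socket supplies the listeners`.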
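Review bot: The two empty assignments `ListenStream=` and `ListenDatagram=` are what make this drop-in replace rather than extend the ports of the packaged socket unit, which is the non-obvious part of the file; a comment above them, `# empty assignments clear the ports from the packaged ocserv.socket before setting ours`, would save the next reader a trip to systemd.socket(5). It would also help to note that this file is only installed by init.pp's Debian branch.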
@@ -12,6 +12,7 @@ $tinc_locations = Hash($tinc_hosts.map |$host_name| { [ $tinc_connect_to = $tinc_other_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.tinc.location") } $tinc_other_networks = $tinc_other_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.self_internal_network") } +$ocserv_networks = $tinc_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.self_internal_network") } if 'tinc' in lookup("group_names") { class {'tinc': @@ -24,4 +25,15 @@ if 'tinc' in lookup("group_names") { tinc_other_networks => $tinc_other_networks, firewall => !lookup({"name" => "network.disable_firewall", "default_value" => false}), } + + class {'ocserv': + ocserv_tcp_port => 444, + ocserv_udp_port => 444, + ocserv_default_domain => "int.pdp7.net", + ocserv_ipv4_network => lookup("network.ocserv.network"), + ocserv_dns => lookup("network.self_internal_ip"), + ocserv_split_dns => lookup("tinc_global.ocserv_domain"), + ocserv_routes => $ocserv_networks, + firewall => !lookup({"name" => "network.disable_firewall", "default_value" => false}), + } }
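Review bot: In the new `class {'ocserv': ...}` declaration `ocserv_default_domain` is the literal `"int.pdp7.net"` while the neighbouring `ocserv_ipv4_network`, `ocserv_dns` and `ocserv_split_dns` come from `lookup(...)`, so the domain is the one per-site value that cannot be overridden from hiera; `ocserv_default_domain => lookup("tinc_global.ocserv_domain"),` would be consistent if that key holds the same domain (presumably it does, to be confirmed), otherwise a dedicated key. The declaration sits inside `if 'tinc' in lookup("group_names")`, so every tinc member starts a password-authenticated VPN listener on 444; if that is not intended for all of them, gate it on its own group. The port 444 is also hard-coded in init.pp's firewall exec, so the two places must be changed together.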