authorJulien Dessaux2018-03-15 12:57:15 +0100
committerJulien Dessaux2018-03-15 18:11:22 +0100
commitf6e0c851b219885e1e829514f214510a31e19a52 (patch)
treec02b35fc864c0fbdf276d364eb448255a5a04240
parentFixed update.cf problem no copying all template files (diff)
Added openvpn management policy
-rw-r--r--cmdb/hosts/andromeda.yaml16
-rw-r--r--cmdb/hosts/collab-jde.yaml8
-rw-r--r--cmdb/hosts/legend.yaml9
-rw-r--r--promises.cf1
-rw-r--r--services/applications.cf1
-rw-r--r--services/applications/openvpn.cf57
-rw-r--r--services/main.cf12
-rw-r--r--templates/openvpn/common.key.cftpl21
-rw-r--r--templates/openvpn/tunnel.conf.cftpl28
9 files changed, 153 insertions, 0 deletions
diff --git a/cmdb/hosts/andromeda.yaml b/cmdb/hosts/andromeda.yaml
new file mode 100644
index 0000000..52bce5d
--- /dev/null
+++ b/cmdb/hosts/andromeda.yaml
@@ -0,0 +1,16 @@
+host_interface: dummy0
+host_ip: "10.1.0.255"
+
+tunnels:
+ collab:
+ port: 1195
+ ip: "10.1.0.15"
+ peer: "10.1.0.14"
+ remote_host: collab-jde.nexen.net
+ remote_port: 1199
+ legend:
+ port: 1194
+ ip: "10.1.0.3"
+ peer: "10.1.0.2"
+ remote_host: legend.adyxax.org
+ remote_port: 1195
diff --git a/cmdb/hosts/collab-jde.yaml b/cmdb/hosts/collab-jde.yaml
new file mode 100644
index 0000000..3d8064a
--- /dev/null
+++ b/cmdb/hosts/collab-jde.yaml
@@ -0,0 +1,8 @@
+host_interface: dummy0
+host_ip: "10.1.0.253"
+
+tunnels:
+ andromeda:
+ port: 1199
+ ip: "10.1.0.14"
+ peer: "10.1.0.15"
diff --git a/cmdb/hosts/legend.yaml b/cmdb/hosts/legend.yaml
new file mode 100644
index 0000000..a94400d
--- /dev/null
+++ b/cmdb/hosts/legend.yaml
@@ -0,0 +1,9 @@
+host_interface: dummy0
+host_ip: "10.1.0.254"
+
+tunnels:
+ andromeda:
+ port: 1195
+ ip: "10.1.0.2"
+ peer: "10.1.0.3"
+
diff --git a/promises.cf b/promises.cf
index 3da719c..fab3431 100644
--- a/promises.cf
+++ b/promises.cf
@@ -7,6 +7,7 @@ body common control
core_policies,
@(core_policies.bundles),
classify,
+ g,
@(classify.bundles),
main,
};
diff --git a/services/applications.cf b/services/applications.cf
index a9910b9..84b1938 100644
--- a/services/applications.cf
+++ b/services/applications.cf
@@ -7,6 +7,7 @@ body file control
"services/applications/nagios.cf",
"services/applications/nginx.cf",
"services/applications/nrpe.cf",
+ "services/applications/openvpn.cf",
"services/applications/php56.cf",
"services/applications/sshd.cf",
};
diff --git a/services/applications/openvpn.cf b/services/applications/openvpn.cf
new file mode 100644
index 0000000..597318f
--- /dev/null
+++ b/services/applications/openvpn.cf
@@ -0,0 +1,57 @@
+bundle agent openvpn
+{
+ vars:
+ any::
+ "tunnels" slist => getindices("g.host_data[tunnels]");
+ classes:
+ any::
+ "$(tunnels)_needs_restart" or => { "openvpn_common_key_repaired", "linux.openvpn_$(tunnels)_conf_repaired" };
+ files:
+ any::
+ "/etc/openvpn/common.key"
+ create => "true",
+ edit_defaults => empty,
+ perms => system_owned("440"),
+ edit_template => "$(sys.inputdir)/templates/openvpn/common.key.cftpl",
+ classes => if_repaired("openvpn_common_key_repaired");
+ methods:
+ any::
+ "any" usebundle => install_package("$(this.bundle)", "openvpn");
+ "any" usebundle => openvpn_tunnel("$(tunnels)");
+ services:
+ linux::
+ "openvpn@$(tunnels)"
+ service_policy => "start",
+ classes => if_repaired("tunnel_$(tunnels)_service_repaired");
+ commands:
+ any::
+ "/usr/sbin/service openvpn@$(tunnels) restart" classes => if_repaired("tunnel_$(tunnels)_service_repaired"), ifvarclass => "$(tunnels)_needs_restart";
+ reports:
+ any::
+ "$(this.bundle): common.key repaired" ifvarclass => "openvpn_common_key_repaired";
+ "$(this.bundle): $(tunnels) service repaired" ifvarclass => "tunnel_$(tunnels)_service_repaired";
+}
+
+bundle agent openvpn_tunnel(tunnel)
+{
+ classes:
+ any::
+ "$(tunnel)_needs_restart" or => { "openvpn_common_key_repaired", "linux.openvpn_$(tunnel)_conf_repaired" };
+ "has_remote" and => { isvariable("g.host_data[tunnels][$(tunnel)][remote_host]"), isvariable("g.host_data[tunnels][$(tunnel)][remote_port]") };
+ files:
+ any::
+ "/etc/openvpn/$(tunnel).conf"
+ create => "true",
+ edit_defaults => empty,
+ perms => system_owned("440"),
+ edit_template => "$(sys.inputdir)/templates/openvpn/tunnel.conf.cftpl",
+ template_method => "cfengine",
+ classes => if_repaired("openvpn_$(tunnel)_conf_repaired");
+ commands:
+ any::
+ "/usr/sbin/service openvpn@$(tunnel) restart" classes => if_repaired("tunnel_$(tunnel)_service_repaired"), ifvarclass => "$(tunnel)_needs_restart";
+ reports:
+ any::
+ "$(this.bundle): $(tunnel).conf repaired" ifvarclass => "openvpn_$(tunnel)_conf_repaired";
+ "$(this.bundle): $(tunnel) service repaired" ifvarclass => "tunnel_$(tunnel)_service_repaired";
+}
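Review bot: The restart is promised twice for the same condition: the `commands:` promise at the end of `openvpn` and the one in `openvpn_tunnel` both run `/usr/sbin/service openvpn@<tunnel> restart` guarded by `<tunnel>_needs_restart`, so one repaired config can bounce a tunnel two times in a single agent run. Since `openvpn_<tunnel>_conf_repaired` is only ever set inside `openvpn_tunnel`, the copy in `openvpn` (its `_needs_restart` classes line plus the whole `commands:` section) looks redundant and I would drop it, or add a comment saying why both are kept. Note that `$(tunnel)_needs_restart` is set with a plain classes promise, which in recent CFEngine releases is bundle-scoped inside agent bundles, whereas `if_repaired` classes are namespace-scoped, so the intended visibility between the two bundles is worth confirming. The operand `linux.openvpn_$(tunnel)_conf_repaired` also reads oddly, since `linux` has nothing to do with whether the file was repaired; a separate `linux::` guard would be clearer.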
diff --git a/services/main.cf b/services/main.cf
index 786524e..51a1fcb 100644
--- a/services/main.cf
+++ b/services/main.cf
@@ -45,9 +45,21 @@ bundle common classify
};
}
+bundle common g
+{
+ vars:
+ has_host_data::
+ "host_data" data => readyaml("$(sys.inputdir)/cmdb/hosts/$(sys.host).yaml", 100k);
+ classes:
+ any::
+ "has_host_data" expression => fileexists("$(sys.inputdir)/cmdb/hosts/$(sys.host).yaml");
+}
+
bundle agent main
{
methods:
+ andromeda|collab_jde::
+ "andromeda" usebundle => openvpn;
nagios::
"nagios" usebundle => nagios;
}
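Review bot: `legend` receives a cmdb file with an `andromeda` tunnel in this commit but is not part of the `andromeda|collab_jde::` guard, so `openvpn` will never be called there unless it is wired up somewhere outside this diff; either extend the guard (`andromeda|collab_jde|legend::`) or hold back `cmdb/hosts/legend.yaml` until it is used. The `g` bundle also deserves a one-line comment above it, e.g. `# g: per-host CMDB data read from cmdb/hosts/<host>.yaml when that file exists`, because the single-letter name tells the next reader nothing. Note that `readyaml` runs on whatever file matches `$(sys.host)`, so the policy trusts the repository contents completely; that is fine as long as write access to `cmdb/` is as restricted as write access to the rest of masterfiles.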
diff --git a/templates/openvpn/common.key.cftpl b/templates/openvpn/common.key.cftpl
new file mode 100644
index 0000000..b86a052
--- /dev/null
+++ b/templates/openvpn/common.key.cftpl
@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+c721f5790fb7f13df8f3bee5757642dc
+63a951123fc5e5fe3af4eea134dc46cb
+58d690985a952378537a76935314685d
+efd76938f6e799ddb19a6140ae5c8ac7
+3f3a9d48c4ff02cb46a5b412caae1723
+85172ffd29d54316f4143d994a85e1d5
+d188e062022b5f4f8867f10bc9fa50c4
+82a4b1ac9cfb2e63b380ae51fe1a1b95
+09641f1997ede00852aa4f744c418be9
+3b7ffe378ad51777425be73f4486f8fd
+04caffddef32e6524f282cc7f81e4df7
+0cedf82774e43ff96463a480a673ff6d
+600f59f0783d79079161a88d37221fb8
+ce065cee088aadb0d2426591a4d4c885
+64222847a09c69794a6a81b37175bfd8
+443398ac5c7d90df6d79ff41e2ce9125
+-----END OpenVPN Static key V1-----
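Review bot: This commits the OpenVPN static key itself, in clear, into the policy repository, where it stays in history for good; anyone with read access to the repo, a clone, a backup, or the web front end serving this page now holds the secret for every tunnel, because `secret /etc/openvpn/common.key` in the tunnel template points all peers at this single key. A pre-shared static key also provides no forward secrecy, so any captured tunnel traffic becomes decryptable once the key leaks. I would treat this key as compromised and regenerate it, keep the replacement out of git (for example copied from a protected location at agent run time instead of rendered from a template), and preferably use one key per tunnel so that compromising one peer does not expose the others. Because the file sits under `templates/` in `$(sys.inputdir)`, it appears to be distributed to every managed host by `update.cf` (the parent commit mentions copying all template files), not only to the VPN endpoints; worth confirming and restricting.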
diff --git a/templates/openvpn/tunnel.conf.cftpl b/templates/openvpn/tunnel.conf.cftpl
new file mode 100644
index 0000000..8c718f1
--- /dev/null
+++ b/templates/openvpn/tunnel.conf.cftpl
@@ -0,0 +1,28 @@
+[%CFEngine BEGIN %]
+proto udp
+port $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][port])
+dev-type tun
+dev tun_$(openvpn_tunnel.tunnel)
+comp-lzo
+script-security 2
+
+ping 10
+ping-restart 20
+ping-timer-rem
+persist-tun
+persist-key
+
+cipher AES-128-CBC
+
+secret /etc/openvpn/common.key
+ifconfig $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][ip]) $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][peer])
+
+user nobody
+[%CFEngine centos:: %]
+group nobody
+[%CFEngine ubuntu:: %]
+group nogroup
+
+[%CFEngine has_remote:: %]
+remote $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][remote_host]) $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][remote_port])
+[%CFEngine END %]
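Review bot: `script-security 2` lets OpenVPN execute user-defined scripts, yet no `up`, `down` or `route-*` hook is configured anywhere in this template, so the line grants more than the tunnel needs; drop it (the default is 1) or add a comment naming the script it is meant to enable. With a static `secret`, packet integrity rests on the `auth` HMAC, which is left at the OpenVPN default (SHA1 in the 2.x releases I am aware of); pin it explicitly, e.g. `auth SHA256`, and reconsider `comp-lzo`, since compressing attacker-influenced plaintext inside a tunnel is a known information-leak vector. When `has_remote` is not set the host is the listening side, and without a `local` directive it binds UDP `port` on all interfaces; if these hosts have public addresses, a `local` line or a firewall rule restricting the port to the peer would reduce exposure.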