diff options
author | Julien Dessaux | 2018-03-15 12:57:15 +0100 |
---|---|---|
committer | Julien Dessaux | 2018-03-15 18:11:22 +0100 |
commit | f6e0c851b219885e1e829514f214510a31e19a52 (patch) | |
tree | c02b35fc864c0fbdf276d364eb448255a5a04240 | |
parent | Fixed update.cf problem no copying all template files (diff) | |
download | masterfiles-f6e0c851b219885e1e829514f214510a31e19a52.tar.gz masterfiles-f6e0c851b219885e1e829514f214510a31e19a52.tar.bz2 masterfiles-f6e0c851b219885e1e829514f214510a31e19a52.zip |
Added openvpn management policy
-rw-r--r-- | cmdb/hosts/andromeda.yaml | 16 | ||||
-rw-r--r-- | cmdb/hosts/collab-jde.yaml | 8 | ||||
-rw-r--r-- | cmdb/hosts/legend.yaml | 9 | ||||
-rw-r--r-- | promises.cf | 1 | ||||
-rw-r--r-- | services/applications.cf | 1 | ||||
-rw-r--r-- | services/applications/openvpn.cf | 57 | ||||
-rw-r--r-- | services/main.cf | 12 | ||||
-rw-r--r-- | templates/openvpn/common.key.cftpl | 21 | ||||
-rw-r--r-- | templates/openvpn/tunnel.conf.cftpl | 28 |
9 files changed, 153 insertions, 0 deletions
diff --git a/cmdb/hosts/andromeda.yaml b/cmdb/hosts/andromeda.yaml new file mode 100644 index 0000000..52bce5d --- /dev/null +++ b/cmdb/hosts/andromeda.yaml @@ -0,0 +1,16 @@ +host_interface: dummy0 +host_ip: "10.1.0.255" + +tunnels: + collab: + port: 1195 + ip: "10.1.0.15" + peer: "10.1.0.14" + remote_host: collab-jde.nexen.net + remote_port: 1199 + legend: + port: 1194 + ip: "10.1.0.3" + peer: "10.1.0.2" + remote_host: legend.adyxax.org + remote_port: 1195 diff --git a/cmdb/hosts/collab-jde.yaml b/cmdb/hosts/collab-jde.yaml new file mode 100644 index 0000000..3d8064a --- /dev/null +++ b/cmdb/hosts/collab-jde.yaml @@ -0,0 +1,8 @@ +host_interface: dummy0 +host_ip: "10.1.0.253" + +tunnels: + andromeda: + port: 1199 + ip: "10.1.0.14" + peer: "10.1.0.15" diff --git a/cmdb/hosts/legend.yaml b/cmdb/hosts/legend.yaml new file mode 100644 index 0000000..a94400d --- /dev/null +++ b/cmdb/hosts/legend.yaml @@ -0,0 +1,9 @@ +host_interface: dummy0 +host_ip: "10.1.0.254" + +tunnels: + andromeda: + port: 1195 + ip: "10.1.0.2" + peer: "10.1.0.3" + diff --git a/promises.cf b/promises.cf index 3da719c..fab3431 100644 --- a/promises.cf +++ b/promises.cf @@ -7,6 +7,7 @@ body common control core_policies, @(core_policies.bundles), classify, + g, @(classify.bundles), main, }; diff --git a/services/applications.cf b/services/applications.cf index a9910b9..84b1938 100644 --- a/services/applications.cf +++ b/services/applications.cf @@ -7,6 +7,7 @@ body file control "services/applications/nagios.cf", "services/applications/nginx.cf", "services/applications/nrpe.cf", + "services/applications/openvpn.cf", "services/applications/php56.cf", "services/applications/sshd.cf", }; diff --git a/services/applications/openvpn.cf b/services/applications/openvpn.cf new file mode 100644 index 0000000..597318f --- /dev/null +++ b/services/applications/openvpn.cf @@ -0,0 +1,57 @@ +bundle agent openvpn +{ + vars: + any:: + "tunnels" slist => getindices("g.host_data[tunnels]"); + classes: + any:: + "$(tunnels)_needs_restart" or => { "openvpn_common_key_repaired", "linux.openvpn_$(tunnels)_conf_repaired" }; + files: + any:: + "/etc/openvpn/common.key" + create => "true", + edit_defaults => empty, + perms => system_owned("440"), + edit_template => "$(sys.inputdir)/templates/openvpn/common.key.cftpl", + classes => if_repaired("openvpn_common_key_repaired"); + methods: + any:: + "any" usebundle => install_package("$(this.bundle)", "openvpn"); + "any" usebundle => openvpn_tunnel("$(tunnels)"); + services: + linux:: + "openvpn@$(tunnels)" + service_policy => "start", + classes => if_repaired("tunnel_$(tunnels)_service_repaired"); + commands: + any:: + "/usr/sbin/service openvpn@$(tunnels) restart" classes => if_repaired("tunnel_$(tunnels)_service_repaired"), ifvarclass => "$(tunnels)_needs_restart"; + reports: + any:: + "$(this.bundle): common.key repaired" ifvarclass => "openvpn_common_key_repaired"; + "$(this.bundle): $(tunnels) service repaired" ifvarclass => "tunnel_$(tunnels)_service_repaired"; +} + +bundle agent openvpn_tunnel(tunnel) +{ + classes: + any:: + "$(tunnel)_needs_restart" or => { "openvpn_common_key_repaired", "linux.openvpn_$(tunnel)_conf_repaired" }; + "has_remote" and => { isvariable("g.host_data[tunnels][$(tunnel)][remote_host]"), isvariable("g.host_data[tunnels][$(tunnel)][remote_port]") }; + files: + any:: + "/etc/openvpn/$(tunnel).conf" + create => "true", + edit_defaults => empty, + perms => system_owned("440"), + edit_template => "$(sys.inputdir)/templates/openvpn/tunnel.conf.cftpl", + template_method => "cfengine", + classes => if_repaired("openvpn_$(tunnel)_conf_repaired"); + commands: + any:: + "/usr/sbin/service openvpn@$(tunnel) restart" classes => if_repaired("tunnel_$(tunnel)_service_repaired"), ifvarclass => "$(tunnel)_needs_restart"; + reports: + any:: + "$(this.bundle): $(tunnel).conf repaired" ifvarclass => "openvpn_$(tunnel)_conf_repaired"; + "$(this.bundle): $(tunnel) service repaired" ifvarclass => "tunnel_$(tunnel)_service_repaired"; +} diff --git a/services/main.cf b/services/main.cf index 786524e..51a1fcb 100644 --- a/services/main.cf +++ b/services/main.cf @@ -45,9 +45,21 @@ bundle common classify }; } +bundle common g +{ + vars: + has_host_data:: + "host_data" data => readyaml("$(sys.inputdir)/cmdb/hosts/$(sys.host).yaml", 100k); + classes: + any:: + "has_host_data" expression => fileexists("$(sys.inputdir)/cmdb/hosts/$(sys.host).yaml"); +} + bundle agent main { methods: + andromeda|collab_jde:: + "andromeda" usebundle => openvpn; nagios:: "nagios" usebundle => nagios; } diff --git a/templates/openvpn/common.key.cftpl b/templates/openvpn/common.key.cftpl new file mode 100644 index 0000000..b86a052 --- /dev/null +++ b/templates/openvpn/common.key.cftpl @@ -0,0 +1,21 @@ +# +# 2048 bit OpenVPN static key +# +-----BEGIN OpenVPN Static key V1----- +c721f5790fb7f13df8f3bee5757642dc +63a951123fc5e5fe3af4eea134dc46cb +58d690985a952378537a76935314685d +efd76938f6e799ddb19a6140ae5c8ac7 +3f3a9d48c4ff02cb46a5b412caae1723 +85172ffd29d54316f4143d994a85e1d5 +d188e062022b5f4f8867f10bc9fa50c4 +82a4b1ac9cfb2e63b380ae51fe1a1b95 +09641f1997ede00852aa4f744c418be9 +3b7ffe378ad51777425be73f4486f8fd +04caffddef32e6524f282cc7f81e4df7 +0cedf82774e43ff96463a480a673ff6d +600f59f0783d79079161a88d37221fb8 +ce065cee088aadb0d2426591a4d4c885 +64222847a09c69794a6a81b37175bfd8 +443398ac5c7d90df6d79ff41e2ce9125 +-----END OpenVPN Static key V1----- diff --git a/templates/openvpn/tunnel.conf.cftpl b/templates/openvpn/tunnel.conf.cftpl new file mode 100644 index 0000000..8c718f1 --- /dev/null +++ b/templates/openvpn/tunnel.conf.cftpl @@ -0,0 +1,28 @@ +[%CFEngine BEGIN %] +proto udp +port $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][port]) +dev-type tun +dev tun_$(openvpn_tunnel.tunnel) +comp-lzo +script-security 2 + +ping 10 +ping-restart 20 +ping-timer-rem +persist-tun +persist-key + +cipher AES-128-CBC + +secret /etc/openvpn/common.key +ifconfig $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][ip]) $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][peer]) + +user nobody +[%CFEngine centos:: %] +group nobody +[%CFEngine ubuntu:: %] +group nogroup + +[%CFEngine has_remote:: %] +remote $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][remote_host]) $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][remote_port]) +[%CFEngine END %] |