-rw-r--r-- | cmdb/hosts/andromeda.yaml | 16 | ||||
-rw-r--r-- | cmdb/hosts/collab-jde.yaml | 8 | ||||
-rw-r--r-- | cmdb/hosts/legend.yaml | 9 | ||||
-rw-r--r-- | promises.cf | 1 | ||||
-rw-r--r-- | services/applications.cf | 1 | ||||
-rw-r--r-- | services/applications/openvpn.cf | 57 | ||||
-rw-r--r-- | services/main.cf | 12 | ||||
-rw-r--r-- | templates/openvpn/common.key.cftpl | 21 | ||||
-rw-r--r-- | templates/openvpn/tunnel.conf.cftpl | 28 |
9 files changed, 153 insertions, 0 deletions
diff --git a/cmdb/hosts/andromeda.yaml b/cmdb/hosts/andromeda.yaml
new file mode 100644
index 0000000..52bce5d
--- /dev/null
+++ b/cmdb/hosts/andromeda.yaml
@@ -0,0 +1,16 @@
+host_interface: dummy0
+host_ip: "10.1.0.255"
+
+tunnels:
+ collab:
+ port: 1195
+ ip: "10.1.0.15"
+ peer: "10.1.0.14"
+ remote_host: collab-jde.nexen.net
+ remote_port: 1199
+ legend:
+ port: 1194
+ ip: "10.1.0.3"
+ peer: "10.1.0.2"
+ remote_host: legend.adyxax.org
+ remote_port: 1195
diff --git a/cmdb/hosts/collab-jde.yaml b/cmdb/hosts/collab-jde.yaml
new file mode 100644
index 0000000..3d8064a
--- /dev/null
+++ b/cmdb/hosts/collab-jde.yaml
@@ -0,0 +1,8 @@
+host_interface: dummy0
+host_ip: "10.1.0.253"
+
+tunnels:
+ andromeda:
+ port: 1199
+ ip: "10.1.0.14"
+ peer: "10.1.0.15"
diff --git a/cmdb/hosts/legend.yaml b/cmdb/hosts/legend.yaml
new file mode 100644
index 0000000..a94400d
--- /dev/null
+++ b/cmdb/hosts/legend.yaml
@@ -0,0 +1,9 @@
+host_interface: dummy0
+host_ip: "10.1.0.254"
+
+tunnels:
+ andromeda:
+ port: 1195
+ ip: "10.1.0.2"
+ peer: "10.1.0.3"
+
diff --git a/promises.cf b/promises.cf
index 3da719c..fab3431 100644
--- a/promises.cf
+++ b/promises.cf
@@ -7,6 +7,7 @@ body common control
 core_policies,
 @(core_policies.bundles),
 classify,
+ g,
 @(classify.bundles),
 main,
 };
diff --git a/services/applications.cf b/services/applications.cf
index a9910b9..84b1938 100644
--- a/services/applications.cf
+++ b/services/applications.cf
@@ -7,6 +7,7 @@ body file control
 "services/applications/nagios.cf",
 "services/applications/nginx.cf",
 "services/applications/nrpe.cf",
+ "services/applications/openvpn.cf",
 "services/applications/php56.cf",
 "services/applications/sshd.cf",
 };
diff --git a/services/applications/openvpn.cf b/services/applications/openvpn.cf
new file mode 100644
index 0000000..597318f
--- /dev/null
+++ b/services/applications/openvpn.cf
@@ -0,0 +1,57 @@
+bundle agent openvpn
+{
+ vars:
+ any::
+ "tunnels" slist => getindices("g.host_data[tunnels]");
+ classes:
+ any::
+ "$(tunnels)_needs_restart" or => { "openvpn_common_key_repaired", "linux.openvpn_$(tunnels)_conf_repaired" };
+ files:
+ any::
+ "/etc/openvpn/common.key"
+ create => "true",
+ edit_defaults => empty,
+ perms => system_owned("440"),
+ edit_template => "$(sys.inputdir)/templates/openvpn/common.key.cftpl",
+ classes => if_repaired("openvpn_common_key_repaired");
+ methods:
+ any::
+ "any" usebundle => install_package("$(this.bundle)", "openvpn");
+ "any" usebundle => openvpn_tunnel("$(tunnels)");
+ services:
+ linux::
+ "openvpn@$(tunnels)"
+ service_policy => "start",
+ classes => if_repaired("tunnel_$(tunnels)_service_repaired");
+ commands:
+ any::
+ "/usr/sbin/service openvpn@$(tunnels) restart" classes => if_repaired("tunnel_$(tunnels)_service_repaired"), ifvarclass => "$(tunnels)_needs_restart";
+ reports:
+ any::
+ "$(this.bundle): common.key repaired" ifvarclass => "openvpn_common_key_repaired";
+ "$(this.bundle): $(tunnels) service repaired" ifvarclass => "tunnel_$(tunnels)_service_repaired";
+}
+
+bundle agent openvpn_tunnel(tunnel)
+{
+ classes:
+ any::
+ "$(tunnel)_needs_restart" or => { "openvpn_common_key_repaired", "linux.openvpn_$(tunnel)_conf_repaired" };
+ "has_remote" and => { isvariable("g.host_data[tunnels][$(tunnel)][remote_host]"), isvariable("g.host_data[tunnels][$(tunnel)][remote_port]") };
+ files:
+ any::
+ "/etc/openvpn/$(tunnel).conf"
+ create => "true",
+ edit_defaults => empty,
+ perms => system_owned("440"),
+ edit_template => "$(sys.inputdir)/templates/openvpn/tunnel.conf.cftpl",
+ template_method => "cfengine",
+ classes => if_repaired("openvpn_$(tunnel)_conf_repaired");
+ commands:
+ any::
+ "/usr/sbin/service openvpn@$(tunnel) restart" classes => if_repaired("tunnel_$(tunnel)_service_repaired"), ifvarclass => "$(tunnel)_needs_restart";
+ reports:
+ any::
+ "$(this.bundle): $(tunnel).conf repaired" ifvarclass => "openvpn_$(tunnel)_conf_repaired";
+ "$(this.bundle): $(tunnel) service repaired" ifvarclass => "tunnel_$(tunnel)_service_repaired";
+}
diff --git a/services/main.cf b/services/main.cf
index 786524e..51a1fcb 100644
--- a/services/main.cf
+++ b/services/main.cf
@@ -45,9 +45,21 @@ bundle common classify
 };
 }
+bundle common g
+{
+ vars:
+ has_host_data::
+ "host_data" data => readyaml("$(sys.inputdir)/cmdb/hosts/$(sys.host).yaml", 100k);
+ classes:
+ any::
+ "has_host_data" expression => fileexists("$(sys.inputdir)/cmdb/hosts/$(sys.host).yaml");
+}
+
 bundle agent main
 {
 methods:
+ andromeda|collab_jde::
+ "andromeda" usebundle => openvpn;
 nagios::
 "nagios" usebundle => nagios;
 }
diff --git a/templates/openvpn/common.key.cftpl b/templates/openvpn/common.key.cftpl
new file mode 100644
index 0000000..b86a052
--- /dev/null
+++ b/templates/openvpn/common.key.cftpl
@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+c721f5790fb7f13df8f3bee5757642dc
+63a951123fc5e5fe3af4eea134dc46cb
+58d690985a952378537a76935314685d
+efd76938f6e799ddb19a6140ae5c8ac7
+3f3a9d48c4ff02cb46a5b412caae1723
+85172ffd29d54316f4143d994a85e1d5
+d188e062022b5f4f8867f10bc9fa50c4
+82a4b1ac9cfb2e63b380ae51fe1a1b95
+09641f1997ede00852aa4f744c418be9
+3b7ffe378ad51777425be73f4486f8fd
+04caffddef32e6524f282cc7f81e4df7
+0cedf82774e43ff96463a480a673ff6d
+600f59f0783d79079161a88d37221fb8
+ce065cee088aadb0d2426591a4d4c885
+64222847a09c69794a6a81b37175bfd8
+443398ac5c7d90df6d79ff41e2ce9125
+-----END OpenVPN Static key V1-----
diff --git a/templates/openvpn/tunnel.conf.cftpl b/templates/openvpn/tunnel.conf.cftpl
new file mode 100644
index 0000000..8c718f1
--- /dev/null
+++ b/templates/openvpn/tunnel.conf.cftpl
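Review bot: The restart logic in `openvpn` duplicates what `openvpn_tunnel` already does: both bundles derive `$(tunnels)_needs_restart` / `$(tunnel)_needs_restart` from the same two classes and both run `/usr/sbin/service openvpn@... restart` under it, so a repaired `common.key` or `.conf` restarts every tunnel twice per agent run, once from each bundle. Keeping the `classes:` and `commands:` restart promises only in `openvpn_tunnel` and dropping them from `openvpn` avoids that; the `services:` promise in `openvpn` additionally raises the same `tunnel_$(tunnels)_service_repaired` class on a plain start, so the "service repaired" report cannot tell a start from a restart. The hard-coded `/usr/sbin/service` path may not exist on every distribution this policy targets (the template branches on `centos::` and `ubuntu::`), which is worth confirming on both.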
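Review bot: The class expression `andromeda|collab_jde::` that gates `usebundle => openvpn` omits `legend`, although `cmdb/hosts/legend.yaml` with tunnel data is added in this same commit, so the legend end of the andromeda–legend tunnel is never configured. Since `bundle common g` already defines `has_host_data`, gating on that instead of a hand-maintained host list keeps the two in step: `has_host_data::` followed by `"openvpn" usebundle => openvpn;`. The promiser name `"andromeda"` is also misleading for a method that applies to several hosts. The lookup file name uses `$(sys.host)`; if a host reports a fully qualified name there, it would not match `cmdb/hosts/<name>.yaml`, so `$(sys.uqhost)` may be the intended variable — worth confirming.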
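Review bot: The OpenVPN static key in `common.key.cftpl` is committed in clear text to the policy repository, and because the template is rendered from `$(sys.inputdir)` it is distributed to every host that receives this policy, not only to the tunnel endpoints; the `system_owned("440")` permissions on `/etc/openvpn/common.key` do not help once the secret is in git history. The key should be treated as exposed and regenerated, and the replacement kept out of the repository (or held only on the policy hub and restricted to the hosts that actually use it). A comment at the top of the template stating where the key material comes from and how it is rotated would also help the next maintainer.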
@@ -0,0 +1,28 @@
+[%CFEngine BEGIN %]
+proto udp
+port $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][port])
+dev-type tun
+dev tun_$(openvpn_tunnel.tunnel)
+comp-lzo
+script-security 2
+
+ping 10
+ping-restart 20
+ping-timer-rem
+persist-tun
+persist-key
+
+cipher AES-128-CBC
+
+secret /etc/openvpn/common.key
+ifconfig $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][ip]) $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][peer])
+
+user nobody
+[%CFEngine centos:: %]
+group nobody
+[%CFEngine ubuntu:: %]
+group nogroup
+
+[%CFEngine has_remote:: %]
+remote $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][remote_host]) $(g.host_data[tunnels][$(openvpn_tunnel.tunnel)][remote_port])
+[%CFEngine END %] |
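Review bot: `script-security 2` is set although the template defines no `up`, `down` or `route-up` script, so it only widens what a tampered configuration could execute; drop it, or add a comment stating which script needs it. `comp-lzo` compresses the plaintext before encryption, a combination OpenVPN itself now discourages, so it should be removed unless the link measurably needs it. The `group` line is only emitted under `centos::` or `ubuntu::`, so on any other distribution the daemon keeps its original group after `user nobody` — a default branch would make that explicit.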