init.sls 5.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
  1. #
  2. # OpenVPN
  3. #
  4. include:
  5. - certs
  6. - network
  7. openvpn:
  8. pkg.installed:
  9. - name: openvpn
  10. - require:
  11. - file: /etc/network/interfaces
  12. service.running:
  13. - enable: True
  14. - reload: True
  15. /etc/systemd/system/openvpn@.service:
  16. file.managed:
  17. - source: salt://openvpn/openvpn@.service
  18. - require:
  19. - pkg: openvpn
  20. /etc/openvpn/ifup:
  21. file.managed:
  22. - source: salt://openvpn/ifup
  23. - user: root
  24. - group: root
  25. - mode: 755
  26. - require:
  27. - pkg: openvpn
  28. /etc/openvpn/ifup_real:
  29. file.managed:
  30. - source: salt://openvpn/ifup_real
  31. - user: root
  32. - group: root
  33. - mode: 755
  34. - require:
  35. - pkg: openvpn
  36. /etc/openvpn/ifdown:
  37. file.managed:
  38. - source: salt://openvpn/ifdown
  39. - user: root
  40. - group: root
  41. - mode: 755
  42. - require:
  43. - pkg: openvpn
  44. # Create log directory for status log
  45. /var/log/openvpn:
  46. file.directory:
  47. - user: root
  48. - group: root
  49. - mode: 755
  50. - makedirs: True
  51. # Set up configuration for each and every network configured for this node
  52. {% for netname, network in salt['pillar.get']('ovpn', {}).items () %}
  53. {% if grains['id'] in network %}
  54. {% set network_config = network.get ('config') %}
  55. {% set host_stanza = network.get (grains['id'], {}) %}
  56. {% set host_config = host_stanza.get ('config', {}) %}
  57. {# Merge network_config and host_config with host_config inheriting network_config an overwriting options #}
  58. {% set config = {} %}
  59. {% for keyword, net_argument in network_config.items () if keyword[0] != '_' %}
  60. {% do config.update ({ keyword : net_argument }) %}
  61. {% endfor %}
  62. {#- If there's a "config:" entry in host YAML without any content it will
  63. # wind up as an empty string here. Be kind and silenty handle that. #}
  64. {% if host_config is not string or host_config != "" %}
  65. {% for keyword, host_argument in host_config.items () %}
  66. {% do config.update ({ keyword : host_argument }) %}
  67. {% endfor %}
  68. {% endif %}
  69. {# END merge #}
  70. # Create systemd start link
  71. openvpn@{{ netname }}:
  72. service.running:
  73. - enable: True
  74. - reload: True
  75. - require:
  76. - file: /etc/systemd/system/openvpn@.service
  77. {% if config.get ('mode', '') == "server" %}
  78. - file: Cleanup /etc/openvpn/{{ netname }}
  79. {% endif %}
  80. /etc/openvpn/{{ netname }}.conf:
  81. file.managed:
  82. - source: salt://openvpn/openvpn.conf.tmpl
  83. - template: jinja
  84. - context:
  85. netname : {{ netname }}
  86. network_config: {{ network_config }}
  87. host_config: {{ host_config }}
  88. config: {{ config }}
  89. - require:
  90. - pkg: openvpn
  91. - watch_in:
  92. - service: openvpn@{{ netname }}
  93. {% if config.get ('mode', '') == "server" %}
  94. # Create config dir
  95. Create /etc/openvpn/{{ netname }}:
  96. file.directory:
  97. - name: /etc/openvpn/{{ netname }}
  98. - user: root
  99. - group: root
  100. - mode: 755
  101. - makedirs: True
  102. - require:
  103. - pkg: openvpn
  104. Cleanup /etc/openvpn/{{ netname }}:
  105. file.directory:
  106. - name: /etc/openvpn/{{ netname }}
  107. - clean: true
  108. {% for host, host_stanza in network.items () if not host == 'config' and host != grains['id'] %}
  109. /etc/openvpn/{{ netname }}/{{ host }}:
  110. file.managed:
  111. - source: salt://openvpn/ccd.tmpl
  112. - template: jinja
  113. - context:
  114. host_stanza: {{ host_stanza }}
  115. network_config: {{ network_config }}
  116. - require:
  117. - file: Create /etc/openvpn/{{ netname }}
  118. - require_in:
  119. - file: Cleanup /etc/openvpn/{{ netname }}
  120. {% endfor %}
  121. {% endif %}
  122. {% endif %}
  123. {% endfor %}
  124. #
  125. # OPS VPN?
  126. #
  127. {% if 'ops-vpn' in salt['pillar.get']('node:roles', []) %}
  128. libpam-ldap:
  129. pkg.installed
  130. /etc/pam.d/openvpn:
  131. file.managed:
  132. - source: salt://openvpn/ldap-auth/openvpn.pam.d
  133. /etc/ldap/ldap.conf:
  134. file.managed:
  135. - source: salt://openvpn/ldap-auth/ldap.conf.tmpl
  136. - template: jinja
  137. - context:
  138. server_uri: {{ salt['pillar.get']('ldap:global:server_uri') }}
  139. base_dn: {{ salt['pillar.get']('ldap:global:base_dn') }}
  140. /etc/pam_ldap.conf:
  141. file.managed:
  142. - source: salt://openvpn/ldap-auth/pam_ldap.conf.tmpl
  143. - template: jinja
  144. - context:
  145. server_uri: {{ salt['pillar.get']('ldap:global:server_uri') }}
  146. base_dn: {{ salt['pillar.get']('ldap:global:base_dn') }}
  147. bind_dn: {{ salt['pillar.get']('ldap:openvpn:bind_dn') }}
  148. bind_pw: {{ salt['pillar.get']('ldap:openvpn:bind_pw') }}
  149. /etc/openvpn/ops.conf:
  150. file.managed:
  151. - source: salt://openvpn/ops.conf.tmpl
  152. - template: jinja
  153. - context:
  154. config: {{ salt['pillar.get']('ops:openvpn') }}
  155. - require:
  156. - pkg: libpam-ldap
  157. - file: /etc/pam.d/openvpn
  158. - file: /etc/pam_ldap.conf
  159. - file: /etc/ldap/ldap.conf
  160. - watch_in:
  161. - service: openvpn@ops
  162. openvpn@ops:
  163. service.running:
  164. - enable: True
  165. - reload: True
  166. - require:
  167. - file: /etc/systemd/system/openvpn@.service
  168. - file: /etc/openvpn/ops.conf
  169. {% else %}
  170. /etc/pam.d/openvpn:
  171. file.absent
  172. /etc/ldap/ldap.conf:
  173. file.absent
  174. /etc/pam_ldap.conf:
  175. file.absent
  176. {% endif %}