init.sls 4.4 KB

  1. #
  2. # OpenVPN
  3. #
  4. include:
  5. - certs
  6. - network.interfaces
  7. openvpn:
  8. pkg.installed:
  9. - name: openvpn
  10. - require:
  11. - file: /etc/network/interfaces
  12. service.running:
  13. - enable: True
  14. - reload: True
  15. /etc/systemd/system/openvpn@.service:
  16. file.managed:
  17. - source: salt://openvpn/openvpn@.service
  18. - require:
  19. - pkg: openvpn
  20. /etc/openvpn/ifup:
  21. file.managed:
  22. - source: salt://openvpn/ifup
  23. - user: root
  24. - group: root
  25. - mode: 755
  26. - require:
  27. - pkg: openvpn
  28. /etc/openvpn/ifup_real:
  29. file.managed:
  30. - source: salt://openvpn/ifup_real
  31. - user: root
  32. - group: root
  33. - mode: 755
  34. - require:
  35. - pkg: openvpn
  36. /etc/openvpn/ifdown:
  37. file.managed:
  38. - source: salt://openvpn/ifdown
  39. - user: root
  40. - group: root
  41. - mode: 755
  42. - require:
  43. - pkg: openvpn
  44. # Create 1024 bit DH params, if not present already
  45. /etc/openvpn/dh1024.pem:
  46. cmd.run:
  47. - name: openssl dhparam -out /etc/openvpn/dh1024.pem 1024
  48. # - creates: /etc/openvpn/dh1024.pem
  49. - unless: ls /etc/openvpn/dh1024.pem
  50. # Create log directory for status log
  51. /var/log/openvpn:
  52. file.directory:
  53. - user: root
  54. - group: root
  55. - mode: 755
  56. - makedirs: True
  57. # Set up configuration for each and every network configured for this node
  58. {% for netname, network in salt['pillar.get']('ovpn', {}).items () %}
  59. {% if grains['id'] in network %}
  60. {% set network_config = network.get ('config') %}
  61. {% set host_stanza = network.get (grains['id'], {}) %}
  62. {% set host_config = host_stanza.get ('config', {}) %}
  63. {# Merge network_config and host_config with host_config inheriting network_config an overwriting options #}
  64. {% set config = {} %}
  65. {% for keyword, net_argument in network_config.items () if keyword[0] != '_' %}
  66. {% do config.update ({ keyword : net_argument }) %}
  67. {% endfor %}
  68. {#- If there's a "config:" entry in host YAML without any content it will
  69. # wind up as an empty string here. Be kind and silenty handle that. #}
  70. {% if host_config is not string or host_config != "" %}
  71. {% for keyword, host_argument in host_config.items () %}
  72. {% do config.update ({ keyword : host_argument }) %}
  73. {% endfor %}
  74. {% endif %}
  75. {# END merge #}
  76. # Create systemd start link
  77. openvpn@{{ netname }}:
  78. service.running:
  79. - enable: True
  80. - reload: True
  81. - require:
  82. - file: /etc/systemd/system/openvpn@.service
  83. {% if config.get ('mode', '') == "server" %}
  84. - file: Cleanup /etc/openvpn/{{ netname }}
  85. {% endif %}
  86. /etc/openvpn/{{ netname }}.conf:
  87. file.managed:
  88. - source: salt://openvpn/openvpn.conf.tmpl
  89. - template: jinja
  90. - context:
  91. netname : {{ netname }}
  92. network_config: {{ network_config }}
  93. host_config: {{ host_config }}
  94. config: {{ config }}
  95. - require:
  96. - pkg: openvpn
  97. - watch_in:
  98. - service: openvpn@{{ netname }}
  99. {% if config.get ('mode', '') == "server" %}
  100. # Create config dir
  101. Create /etc/openvpn/{{ netname }}:
  102. file.directory:
  103. - name: /etc/openvpn/{{ netname }}
  104. - user: root
  105. - group: root
  106. - mode: 755
  107. - makedirs: True
  108. - require:
  109. - pkg: openvpn
  110. Cleanup /etc/openvpn/{{ netname }}:
  111. file.directory:
  112. - name: /etc/openvpn/{{ netname }}
  113. - clean: true
  114. {% for host, host_stanza in network.items () if not host == 'config' and host != grains['id'] %}
  115. /etc/openvpn/{{ netname }}/{{ host }}:
  116. file.managed:
  117. - source: salt://openvpn/ccd.tmpl
  118. - template: jinja
  119. - context:
  120. host_stanza: {{ host_stanza }}
  121. network_config: {{ network_config }}
  122. - require:
  123. - file: Create /etc/openvpn/{{ netname }}
  124. - require_in:
  125. - file: Cleanup /etc/openvpn/{{ netname }}
  126. {% endfor %}
  127. {% endif %}
  128. {% endif %}
  129. {% endfor %}
  130. #
  131. # OPS VPN?
  132. #
  133. {% if 'ops-vpn' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
  134. /etc/pam.d/openvpn:
  135. file.managed:
  136. - source: salt://openvpn/ldap-auth/openvpn.pam.d
  137. /etc/ldap/ldap.conf:
  138. file.managed:
  139. - source: salt://openvpn/ldap-auth/ldap.conf.tmpl
  140. - template: jinja
  141. - context:
  142. server_uri: {{ salt['pillar.get']('ldap:global:server_uri') }}
  143. base_dn: {{ salt['pillar.get']('ldap:global:base_dn') }}
  144. bind_dn: {{ salt['pillar.get']('ldap:openvpn:bind_dn') }}
  145. bind_pw: {{ salt['pillar.get']('ldap:openvpn:bind_pw') }}
  146. {% else %}
  147. /etc/pam.d/openvpn:
  148. file.absent
  149. /etc/ldap/ldap.conf:
  150. file.absent
  151. {% endif %}