(openvpn) openvpn install with lets encrypt

hieradata/node/vpn01.cp.lsst.org.yaml

@@ -0,0 +1,44 @@
+---
+nm::connections:
+  enp65s0f0:
+    content:
+      connection:
+        id: "enp65s0f0"
+        uuid: "682a815d-eedf-a30b-774c-aae04c2d5ccb"
+        type: "ethernet"
+        interface-name: "enp65s0f0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.160.82/24,139.229.160.254"
+        dns: "139.229.160.53;139.229.160.54;139.229.160.55;"
+        dns-search: "cp.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
+  enp65s0f1:
+    content:
+      connection:
+        id: "enp65s0f1"
+        uuid: "de9904c8-9577-1a17-36b1-34b94132f06a"
+        type: "ethernet"
+        autoconnect: "false"
+        interface-name: "enp65s0f1"
+      ethernet: {}
+      ipv4:
+        method: "disabled"
+      ipv6:
+        method: "disabled"
+  enp12s0f4u1u2c2:
+    content:
+      connection:
+        id: "enp12s0f4u1u2c2"
+        uuid: "de9904c8-9577-1a17-36b1-34b94132f06a"
+        type: "ethernet"
+        autoconnect: "false"
+        interface-name: "enp12s0f4u1u2c2"
+      ethernet: {}
+      ipv4:
+        method: "disabled"
+      ipv6:
+        method: "disabled"

hieradata/node/vpn01.dev.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  ens192:
+    content:
+      connection:
+        id: "ens192"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "ens192"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.134.64/24,139.229.134.254"
+        dns: "139.229.134.53;139.229.134.54;139.229.134.55;"
+        dns-search: "dev.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}

hieradata/node/vpn01.ls.lsst.org.yaml

@@ -0,0 +1,70 @@
+---
+nm::connections:
+  enp129s0f1:
+    content:
+      connection:
+        id: "enp129s0f1"
+        uuid: "46d19ce1-bcab-7e77-6fc7-b730b26c54b1"
+        type: "ethernet"
+        interface-name: "enp129s0f1"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.138.20/24,139.229.138.254"
+        dns: "139.229.135.53;139.229.135.54;139.229.135.55;"
+        dns-search: "ls.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
+  enp129s0f0:
+    content:
+      connection:
+        id: "enp129s0f0"
+        uuid: "de9904c8-9577-1a17-36b1-34b94132f06a"
+        type: "ethernet"
+        autoconnect: "false"
+        interface-name: "enp129s0f0"
+      ethernet: {}
+      ipv4:
+        method: "disabled"
+      ipv6:
+        method: "disabled"
+  eno1np0:
+    content:
+      connection:
+        id: "eno1np0"
+        uuid: "de9904c8-9577-1a17-36b1-34b94132f06a"
+        type: "ethernet"
+        autoconnect: "false"
+        interface-name: "eno1np0"
+      ethernet: {}
+      ipv4:
+        method: "disabled"
+      ipv6:
+        method: "disabled"
+  eno1np1:
+    content:
+      connection:
+        id: "eno1np1"
+        uuid: "de9904c8-9577-1a17-36b1-34b94132f06a"
+        type: "ethernet"
+        autoconnect: "false"
+        interface-name: "eno1np1"
+      ethernet: {}
+      ipv4:
+        method: "disabled"
+      ipv6:
+        method: "disabled"
+  enp4s0f3u2u2c2:
+    content:
+      connection:
+        id: "enp4s0f3u2u2c2"
+        uuid: "de9904c8-9577-1a17-36b1-34b94132f06a"
+        type: "ethernet"
+        autoconnect: "false"
+        interface-name: "enp4s0f3u2u2c2"
+      ethernet: {}
+      ipv4:
+        method: "disabled"
+      ipv6:
+        method: "disabled"

hieradata/node/vpn02.cp.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  ens192:
+    content:
+      connection:
+        id: "ens192"
+        uuid: "51e4ccf4-1dd1-3081-9b28-0aa1291b79ac"
+        type: "ethernet"
+        interface-name: "ens192"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.160.83/24,139.229.160.254"
+        dns: "139.229.160.53;139.229.160.54;139.229.160.55;"
+        dns-search: "cp.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}

hieradata/node/vpn02.dev.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  ens192:
+    content:
+      connection:
+        id: "ens192"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "ens192"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.134.99/24,139.229.134.254"
+        dns: "139.229.134.53;139.229.134.54;139.229.134.55;"
+        dns-search: "dev.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}

hieradata/node/vpn02.ls.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  ens192:
+    content:
+      connection:
+        id: "ens192"
+        uuid: "36e2d4c8-3d89-49c8-95f0-048af8c5fe28"
+        type: "ethernet"
+        interface-name: "ens192"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.138.21/24,139.229.138.254"
+        dns: "139.229.135.53;139.229.135.54;139.229.135.55;"
+        dns-search: "ls.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}

hieradata/role/openvpn.yaml

@@ -0,0 +1,7 @@
+---
+classes:
+  - "profile::core::common"
+  - "profile::core::openvpn"
+
+profile::core::openvpn::version: "3.0.0_2b84043e"
+profile::core::openvpn::cluster: "vpn.%{::site}.lsst.org"

site/profile/manifests/core/openvpn.pp

@@ -0,0 +1,86 @@
+# @summary
+#   Installs openvpn connect server.
+#
+# @param version
+#   Sets version lock for openvpn package.
+#
+# @param cluster
+#   Generates an additional certificate for vpn round robin setup.
+#
+class profile::core::openvpn (
+  String[1] $version,
+  String[1] $cluster,
+) {
+  include yum::plugin::versionlock
+  include profile::core::letsencrypt
+
+  yumrepo { 'as-repo-rhel9':
+    ensure   => 'present',
+    name     => 'openvpn-access-server',
+    descr    => 'OpenVPN Access Server',
+    baseurl  => 'http://as-repository.openvpn.net/as/yum/rhel9/',
+    gpgkey   => 'https://as-repository.openvpn.net/as-repo-public.gpg',
+    gpgcheck => '1',
+    enabled  => '1',
+  }
+
+  package { 'openvpn-as':
+    ensure  => $version,
+    require => Yumrepo['as-repo-rhel9'],
+    notify  => Yum::Versionlock['openvpn-as'],
+  }
+
+  yum::versionlock { 'openvpn-as':
+    ensure  => 'present',
+    version => $version,
+    release => '1.el9',
+    arch    => 'x86_64',
+  }
+
+  # Host FQDN
+  $fqdn = fact('networking.fqdn')
+
+  # Signed Certificate Location
+  $le_root = "/etc/letsencrypt/live/${fqdn}"
+
+  # Generate and sign certificate
+  letsencrypt::certonly { $fqdn:
+    plugin      => 'dns-route53',
+    manage_cron => true,
+  }
+
+  # Generate an additional certificate for round robin setup.
+  letsencrypt::certonly { $cluster:
+    plugin      => 'dns-route53',
+    manage_cron => true,
+  }
+
+  # Create symbolic links for certificates
+  file { '/usr/local/openvpn_as/etc/web-ssl/server.crt':
+    ensure  => 'link',
+    target  => "${le_root}/cert.pem",
+    force   => true,
+    require => Letsencrypt::Certonly[$fqdn],
+  }
+
+  file { '/usr/local/openvpn_as/etc/web-ssl/server.key':
+    ensure  => 'link',
+    target  => "${le_root}/privkey.pem",
+    force   => true,
+    require => Letsencrypt::Certonly[$fqdn],
+  }
+
+  file { '/usr/local/openvpn_as/etc/web-ssl/ca.crt':
+    ensure  => 'link',
+    target  => "${le_root}/fullchain.pem",
+    force   => true,
+    require => Letsencrypt::Certonly[$fqdn],
+  }
+
+  # Manage OpenVPN Access Server service
+  service { 'openvpnas':
+    ensure  => 'running',
+    enable  => true,
+    require => Package['openvpn-as'],
+  }
+}

spec/classes/core/openvpn_spec.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'profile::core::openvpn' do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      context 'with default parameters' do
+        let(:params) do
+          {
+            version: '3.0.0_2b84043e',
+            cluster: 'vpn.%{::site}.lsst.org',
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it { is_expected.to contain_class('profile::core::letsencrypt') }
+
+        it do
+          is_expected.to contain_package('openvpn-as').with(
+            ensure: '3.0.0_2b84043e',
+            require: 'Yumrepo[as-repo-rhel9]'
+          )
+        end
+
+        it do
+          is_expected.to contain_letsencrypt__certonly('vpn.%{::site}.lsst.org').with(
+            plugin: 'dns-route53',
+            manage_cron: true
+          )
+        end
+
+        it do
+          is_expected.to contain_yumrepo('as-repo-rhel9').with(
+            ensure: 'present',
+            name: 'openvpn-access-server',
+            descr: 'OpenVPN Access Server',
+            baseurl: 'http://as-repository.openvpn.net/as/yum/rhel9/',
+            gpgkey: 'https://as-repository.openvpn.net/as-repo-public.gpg',
+            gpgcheck: '1',
+            enabled: '1'
+          )
+        end
+
+        it do
+          is_expected.to contain_file('/usr/local/openvpn_as/etc/web-ssl/server.crt').with(
+            ensure: 'link'
+          )
+        end
+
+        it do
+          is_expected.to contain_file('/usr/local/openvpn_as/etc/web-ssl/server.key').with(
+            ensure: 'link'
+          )
+        end
+
+        it do
+          is_expected.to contain_file('/usr/local/openvpn_as/etc/web-ssl/ca.crt').with(
+            ensure: 'link'
+          )
+        end
+
+        it do
+          is_expected.to contain_service('openvpnas').with(
+            ensure: 'running',
+            enable: true,
+            require: 'Package[openvpn-as]'
+          )
+        end
+      end
+    end
+  end
+end