
Commit b550a6a

authored
Merge pull request #292 from Dan33l/add-easyrsa-3
use new fact easyrsa to configure easyrsa 2 or 3
2 parents b6b6e24 + e2fb1f8 commit b550a6a


12 files changed

+507
-117
lines changed


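--- a/.travis.yml
+++ b/.travis.yml
@@ -25,6 +25,42 @@ matrix:
 - rvm: 2.5.1
 bundler_args: --without system_tests development release
 env: PUPPET_VERSION="~> 5.0" CHECK=build DEPLOY_TO_FORGE=yes
+- rvm: 2.5.1
+bundler_args: --without development release
+dist: trusty
+env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1604-64{hypervisor=docker} CHECK=beaker
+services: docker
+sudo: required
+- rvm: 2.5.1
+bundler_args: --without development release
+dist: trusty
+env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1404-64{hypervisor=docker} CHECK=beaker
+services: docker
+sudo: required
+- rvm: 2.5.1
+bundler_args: --without development release
+dist: trusty
+env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker} CHECK=beaker
+services: docker
+sudo: required
+- rvm: 2.5.1
+bundler_args: --without development release
+dist: trusty
+env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker} CHECK=beaker
+services: docker
+sudo: required
+- rvm: 2.5.1
+bundler_args: --without development release
+dist: trusty
+env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian9-64{hypervisor=docker} CHECK=beaker
+services: docker
+sudo: required
+- rvm: 2.5.1
+bundler_args: --without development release
+dist: trusty
+env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian8-64{hypervisor=docker} CHECK=beaker
+services: docker
+sudo: required
 branches:
 only:
 - master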

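--- a/lib/facter/easyrsa.rb
+++ b/lib/facter/easyrsa.rb
@@ -0,0 +1,49 @@
+Facter.add(:easyrsa) do
+confine kernel: 'Linux'
+setcode do
+binaryv2 = ''
+binaryv3 = ''
+operatingsystem = Facter.value(:operatingsystem)
+operatingsystemrelease = Facter.value(:operatingsystemrelease)
+
+case operatingsystem
+when %r{RedHat|CentOS}
+binaryv2 = '/usr/share/easy-rsa/2.0/pkitool'
+binaryv3 = '/usr/share/easy-rsa/3/easyrsa'
+when %r{Ubuntu|Debian}
+case operatingsystemrelease
+when %r{8|9|16.04|18.04}
+binaryv2 = '/usr/share/easy-rsa/pkitool'
+binaryv3 = '/usr/share/easy-rsa/easyrsa'
+else
+binaryv2 = '/usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool'
+binaryv3 = '/usr/share/doc/openvpn/examples/easy-rsa/3.0/easyrsa'
+end
+when %r{Amazon}
+binaryv2 = '/usr/share/easy-rsa/2.0/pkitool'
+binaryv3 = '/usr/share/easy-rsa/3/easyrsa'
+when %r{FreeBSD}
+binaryv2 = '/usr/local/share/easy-rsa/pkitool'
+binaryv3 = '/usr/local/share/easy-rsa/easyrsa'
+end
+
+if File.exist? binaryv3
+data = Facter::Core::Execution.execute("#{binaryv3} --help")
+version = '3.0' if data.gsub!(%r{Easy-RSA 3 usage}, '')
+elsif File.exist? binaryv2
+data = Facter::Core::Execution.execute("#{binaryv2} --help")
+version = '2.0' if data.gsub!(%r{pkitool 2.0}, '')
+elsif Facter::Util::Resolution.which('pkitool')
+data = Facter::Core::Execution.execute('pkitool --help')
+version = '2.0' if data.gsub!(%r{pkitool 2.0}, '')
+elsif Facter::Util::Resolution.which('easyrsa')
+data = Facter::Core::Execution.execute('easyrsa --help')
+version = '3.0' if data.gsub!(%r{Easy-RSA 3 usage}, '')
+end
+if !version.nil?
+else
+version = nil
+end
+version
+end
+end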
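Review bot: The `if !version.nil? else version = nil end` block before the trailing `version` (new lines 43–46) is a no-op: every assignment to `version` sits inside this `setcode` block, so Ruby already defines it as `nil` when no `if`/`elsif` branch ran, and the `if` arm is empty; drop those four lines and return `version` directly. The `when %r{FreeBSD}` branch can never execute under `confine kernel: 'Linux'` (new line 2), so either the confine or that branch is wrong. The release regex `%r{8|9|16.04|18.04}` is unanchored with unescaped dots, so releases such as '18.10' or '19.04' also match through the bare `8`/`9`; `%r{\A(8|9|16\.04|18\.04)}` pins what appears intended. Using `gsub!` only to test for a match needlessly mutates `data`; `data.include?('Easy-RSA 3 usage')` and `data.include?('pkitool 2.0')` express the version probe directly.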

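--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -100,14 +100,14 @@
 Integer $ssl_key_size = 2048,
 Integer $ca_expire = 3650,
 Integer $key_expire = 3650,
+Integer $crl_days = 30,
 String $key_cn = '',
 String $key_name = '',
 String $key_ou = '',
 Boolean $tls_auth = false,
 ) {
 
 include openvpn
-
 $group_to_set = $group ? {
 undef => $openvpn::params::group,
 default => $group
@@ -124,90 +124,163 @@
 mode => '0750'
 })
 
-exec { "copy easy-rsa to openvpn config folder ${name}":
-command => "/bin/cp -r ${openvpn::params::easyrsa_source} ${etc_directory}/openvpn/${name}/easy-rsa",
-creates => "${etc_directory}/openvpn/${name}/easy-rsa",
-require => File["${etc_directory}/openvpn/${name}"],
-}
-
-file { [
-"${etc_directory}/openvpn/${name}/easy-rsa/clean-all",
-"${etc_directory}/openvpn/${name}/easy-rsa/build-dh",
-"${etc_directory}/openvpn/${name}/easy-rsa/pkitool",
-]:
-ensure => file,
-mode => '0550',
-require => Exec["copy easy-rsa to openvpn config folder ${name}"],
+file { "${etc_directory}/openvpn/${name}/easy-rsa" :
+ensure => directory,
+recurse => true,
+links => 'follow',
+source_permissions => 'use',
+group => 0,
+source => "file:${openvpn::params::easyrsa_source}",
+require => File["${etc_directory}/openvpn/${name}"],
 }
 
 file { "${etc_directory}/openvpn/${name}/easy-rsa/revoked":
 ensure => directory,
 mode => '0750',
 recurse => true,
-require => Exec["copy easy-rsa to openvpn config folder ${name}"],
+require => File["${etc_directory}/openvpn/${name}/easy-rsa"],
 }
 
-file { "${etc_directory}/openvpn/${name}/easy-rsa/vars":
-ensure => file,
-mode => '0550',
-content => template('openvpn/vars.erb'),
-require => Exec["copy easy-rsa to openvpn config folder ${name}"],
-}
+case $openvpn::params::easyrsa_version {
+'2.0': {
+file { "${etc_directory}/openvpn/${name}/easy-rsa/vars":
+ensure => file,
+mode => '0550',
+content => template('openvpn/vars.erb'),
+require => File["${etc_directory}/openvpn/${name}/easy-rsa"],
+}
 
-file { "${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf":
-require => Exec["copy easy-rsa to openvpn config folder ${name}"],
-}
+if $openvpn::params::link_openssl_cnf == true {
+File["${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf"] {
+ensure => link,
+target => "${etc_directory}/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf",
+before => Exec["initca ${name}"],
+}
+}
+
+exec { "generate dh param ${name}":
+command => '. ./vars && ./clean-all && ./build-dh',
+timeout => 1800,
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/dh${ssl_key_size}.pem",
+provider => 'shell',
+require => File["${etc_directory}/openvpn/${name}/easy-rsa/vars"],
+}
+
+exec { "initca ${name}":
+command => '. ./vars && ./pkitool --initca',
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/ca.key",
+provider => 'shell',
+require => Exec["generate dh param ${name}"],
+}
+
+exec { "generate server cert ${name}":
+command => ". ./vars && ./pkitool --server ${common_name}",
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/${common_name}.key",
+provider => 'shell',
+require => Exec["initca ${name}"],
+}
+
+exec { "create crl.pem on ${name}":
+command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${etc_directory}/openvpn/${name}/crl.pem -config ${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/crl.pem",
+provider => 'shell',
+require => Exec["generate server cert ${name}"],
+}
 
-if $openvpn::params::link_openssl_cnf == true {
-File["${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf"] {
-ensure => link,
-target => "${etc_directory}/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf",
-before => Exec["initca ${name}"],
 }
-}
+'3.0': {
+file { "${etc_directory}/openvpn/${name}/easy-rsa/vars":
+ensure => file,
+mode => '0550',
+content => epp('openvpn/vars-30.epp',
+{
+'etc_directory' => $etc_directory,
+'openvpn_server' => $name,
+'ssl_key_size' => $ssl_key_size,
+'ca_expire' => $ca_expire,
+'key_expire' => $key_expire,
+'crl_days' => $crl_days,
+'country' => $country,
+'province' => $province,
+'city' => $city,
+'organization' => $organization,
+'email' => $email,
+'key_cn' => $key_cn,
+'key_ou' => $key_ou,
+}
+),
+require => File["${etc_directory}/openvpn/${name}/easy-rsa"],
+}
 
-exec { "generate dh param ${name}":
-command => '. ./vars && ./clean-all && ./build-dh',
-timeout => 1800,
-cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
-creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/dh${ssl_key_size}.pem",
-provider => 'shell',
-require => File["${etc_directory}/openvpn/${name}/easy-rsa/vars"],
-}
+if $openvpn::params::link_openssl_cnf == true {
+File["${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf"] {
+ensure => link,
+target => "${etc_directory}/openvpn/${name}/easy-rsa/openssl-1.0.cnf",
+before => Exec["initca ${name}"],
+}
+}
 
-exec { "initca ${name}":
-command => '. ./vars && ./pkitool --initca',
-cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
-creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/ca.key",
-provider => 'shell',
-require => Exec["generate dh param ${name}"],
+exec { "initca ${name}":
+command => './easyrsa --batch init-pki && ./easyrsa --batch build-ca nopass',
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/ca.crt",
+provider => 'shell',
+require => File["${etc_directory}/openvpn/${name}/easy-rsa/vars"],
+}
+
+exec { "generate dh param ${name}":
+command => './easyrsa --batch gen-dh',
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/dh.pem",
+provider => 'shell',
+require => Exec["generate server cert ${name}"],
+}
+
+exec { "generate server cert ${name}":
+command => "./easyrsa build-server-full ${common_name} nopass",
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/private/${common_name}.key",
+provider => 'shell',
+require => Exec["initca ${name}"],
+}
+
+file { "${etc_directory}/openvpn/${name}/easy-rsa/keys/ca.crt":
+mode => '0640',
+require => Exec["initca ${name}"],
+}
+
+exec { "create crl.pem on ${name}":
+command => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${etc_directory}/openvpn/${name}/crl.pem -config ${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
+creates => "${etc_directory}/openvpn/${name}/crl.pem",
+group => $group_to_set,
+provider => 'shell',
+require => Exec["generate server cert ${name}"],
+}
+
+}
+default: {
+fail("unexepected value for EasyRSA version, got '${openvpn::params::easyrsa_version}', expect 2.0 or 3.0.")
+}
 }
 
-exec { "generate server cert ${name}":
-command => ". ./vars && ./pkitool --server ${common_name}",
-cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
-creates => "${etc_directory}/openvpn/${name}/easy-rsa/keys/${common_name}.key",
-provider => 'shell',
-require => Exec["initca ${name}"],
+file { "${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf":
+require => File["${etc_directory}/openvpn/${name}/easy-rsa"],
 }
 
 file { "${etc_directory}/openvpn/${name}/keys":
 ensure => link,
 target => "${etc_directory}/openvpn/${name}/easy-rsa/keys",
-require => Exec["copy easy-rsa to openvpn config folder ${name}"],
-}
-
-exec { "create crl.pem on ${name}":
-command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${etc_directory}/openvpn/${name}/crl.pem -config ${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
-cwd => "${etc_directory}/openvpn/${name}/easy-rsa",
-creates => "${etc_directory}/openvpn/${name}/crl.pem",
-provider => 'shell',
-require => Exec["generate server cert ${name}"],
+mode => '0640',
+require => File["${etc_directory}/openvpn/${name}/easy-rsa"],
 }
 
 file { "${etc_directory}/openvpn/${name}/crl.pem":
 mode => '0640',
-group => $group_to_set,
 require => Exec["create crl.pem on ${name}"],
 }
 
@@ -226,5 +299,4 @@
 target => "${etc_directory}/openvpn/${name}/crl.pem",
 require => Exec["create crl.pem on ${name}"],
 }
-
 }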
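Review bot: The `crl.pem` file resource drops `group => $group_to_set` (old line 210) while only the '3.0' `create crl.pem` exec gains `group => $group_to_set` (new line 260), so on the '2.0' path the CRL is now created and managed with no group at all, and with the surviving `mode => '0640'` it is presumably unreadable to the unprivileged group that `$group_to_set` was granting access to; keep `group => $group_to_set,` on the `file { "${etc_directory}/openvpn/${name}/crl.pem": ... }` resource so both versions behave the same. In the '3.0' branch, `build-server-full ${common_name} nopass` (new line 244) is the only easyrsa invocation without `--batch`; unless vars-30.epp exports EASYRSA_BATCH, easyrsa 3 waits for its confirmation prompt and the exec fails under Puppet, so it should read `command => "./easyrsa --batch build-server-full ${common_name} nopass",`. The `default:` branch message has a typo: `fail("unexpected value for EasyRSA version, got '${openvpn::params::easyrsa_version}', expect 2.0 or 3.0.")`. The enclosing define starts before and ends after this hunk.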
