voxpupuli
diff --git a/‎REFERENCE.md‎
Lines changed: 120 additions & 20 deletions b/‎REFERENCE.md‎
Lines changed: 120 additions & 20 deletions
diff --git a/‎manifests/server.pp‎
Lines changed: 40 additions & 4 deletions b/‎manifests/server.pp‎
Lines changed: 40 additions & 4 deletions
@@ -339,6 +339,14 @@ Determins if a tls key is generated
 
 Default value: `false`
 
+##### `tls_static_key`
+
+Data type: `Boolean`
+
+Determins if a tls key is generated
+
+Default value: `false`
+
 ##### `crl_days`
 
 Data type: `Integer`
@@ -375,7 +383,7 @@ Name of the corresponding openvpn endpoint
 
 ##### `compression`
 
-Data type: `Enum['comp-lzo', '']`
+Data type: `String`
 
 Which compression algorithim to use
 
@@ -517,6 +525,14 @@ Activates tls-auth to Add an additional layer of HMAC authentication on top of t
 
 Default value: `false`
 
+##### `tls_crypt`
+
+Data type: `Boolean`
+
+Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
+
+Default value: `false`
+
 ##### `x509_name`
 
 Data type: `Optional[String]`
@@ -662,45 +678,53 @@ The following parameters are available in the `openvpn::client_specific_config`
 
 ##### `server`
 
-Data type: `String`
+Data type: `String[1]`
 
 Name of the corresponding openvpn endpoint
 
 ##### `iroute`
 
-Data type: `Array[String]`
+Data type: `Array[String[1]]`
 
 Array of iroute combinations.
 
 Default value: []
 
 ##### `iroute_ipv6`
 
-Data type: `Array[String]`
+Data type: `Array[String[1]]`
 
 Array of IPv6 iroute combinations.
 
 Default value: []
 
 ##### `route`
 
-Data type: `Array[String]`
+Data type: `Array[String[1]]`
 
 Array of route combinations pushed to client.
 
 Default value: []
 
 ##### `ifconfig`
 
-Data type: `Variant[Boolean, String]`
+Data type: `Optional[String[1]]`
 
 IP configuration to push to the client.
 
-Default value: `false`
+Default value: `undef`
+
+##### `ifconfig_ipv6`
+
+Data type: `Optional[String[1]]`
+
+IPv6 configuration to push to the client.
+
+Default value: `undef`
 
 ##### `dhcp_options`
 
-Data type: `Array[String]`
+Data type: `Array[String[1]]`
 
 DHCP options to push to the client.
 
@@ -716,12 +740,20 @@ Default value: `false`
 
 ##### `ensure`
 
-Data type: `Enum[present, absent]`
+Data type: `Enum['present', 'absent']`
 
 Sets the client specific configuration file status (present or absent)
 
 Default value: present
 
+##### `manage_client_configs`
+
+Data type: `Boolean`
+
+Manage dependencies on Openvpn::Client ressources
+
+Default value: `true`
+
 ### openvpn::deploy::client
 
 Collect the exported configs for an Host and ensure a running Openvpn Service
@@ -982,6 +1014,30 @@ Logfile for this openvpn server
 
 Default value: `false`
 
+##### `manage_logfile_directory`
+
+Data type: `Boolean`
+
+Manage the directory that the logfile is located in
+
+Default value: `false`
+
+##### `logdirectory_user`
+
+Data type: `String[1]`
+
+The owner user of the logfile directory
+
+Default value: 'nobody'
+
+##### `logdirectory_group`
+
+Data type: `String[1]`
+
+The owner group of the logfile directory
+
+Default value: 'nobody'
+
 ##### `port`
 
 Data type: `String`
@@ -1000,7 +1056,7 @@ Default value: `undef`
 
 ##### `proto`
 
-Data type: `Enum['tcp', 'udp']`
+Data type: `Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']`
 
 What IP protocol is being used.
 
@@ -1160,19 +1216,35 @@ Default value: 7505
 
 ##### `up`
 
-Data type: `String`
+Data type: `Optional[String[1]]`
 
-Script which we want to run when openvpn server starts
+Script which we want to run when openvpn server starts. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
 
-Default value: ''
+Default value: `undef`
 
 ##### `down`
 
-Data type: `String`
+Data type: `Optional[String[1]]`
 
-Script which we want to run when openvpn server stops
+Script which we want to run when openvpn server stops. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
 
-Default value: ''
+Default value: `undef`
+
+##### `client_connect`
+
+Data type: `Optional[String[1]]`
+
+Script which we want to run when a client connects. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
+
+Default value: `undef`
+
+##### `client_disconnect`
+
+Data type: `Optional[String[1]]`
+
+Script which we want to run when a client disconnects. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
+
+Default value: `undef`
 
 ##### `username_as_common_name`
 
@@ -1296,19 +1368,19 @@ Default value: ''
 
 ##### `ldap_tls_client_cert_file`
 
-Data type: `String`
+Data type: `Optional[Stdlib::Absolutepath]`
 
 LDAP TLS authentication: path to the tls client certificate
 
-Default value: ''
+Default value: `undef`
 
 ##### `ldap_tls_client_key_file`
 
-Data type: `String`
+Data type: `Optional[Stdlib::Absolutepath]`
 
 LDAP TLS authentication: path to the tls client key
 
-Default value: ''
+Default value: `undef`
 
 ##### `verb`
 
@@ -1398,6 +1470,14 @@ Activates tls-auth to Add an additional layer of HMAC authentication on top of t
 
 Default value: `false`
 
+##### `tls_crypt`
+
+Data type: `Boolean`
+
+Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
+
+Default value: `false`
+
 ##### `tls_server`
 
 Data type: `Boolean`
@@ -1582,6 +1662,26 @@ A pre-shared static key.
 
 Default value: `undef`
 
+##### `scripts`
+
+Data type: `Hash[String, Hash]`
+
+Hash of scripts to copy with this instance.
+For example, to put a script in `/etc/openvpn/test-site/scripts/add-tap-to-bridge.sh` and use it as an `up` script
+``` puppet
+openvpn::server { 'test-site':
+  ....
+  up => 'add-tap-to-bridge.sh',
+  scripts => {
+    "add-tap-to-bridge.sh" => {
+      source => 'puppet:///path/to/add-tap-to-bridge.sh',
+    },
+  },
+}
+```
+
+Default value: {}
+
 ##### `custom_options`
 
 Data type: `Hash`
 
@@ -41,8 +41,10 @@
 # @param management Enable management interface
 # @param management_ip  IP address where the management interface will listen
 # @param management_port Port where the management interface will listen
-# @param up Script which we want to run when openvpn server starts
-# @param down  Script which we want to run when openvpn server stops
+# @param up Script which we want to run when openvpn server starts. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
+# @param down  Script which we want to run when openvpn server stops. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
+# @param client_connect  Script which we want to run when a client connects. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
+# @param client_disconnect  Script which we want to run when a client disconnects. If the path to the scirpt does not contain a slash, it will be assumed to be in `openvpn/${name}/scripts` directory.
 # @param username_as_common_name If true then set username-as-common-name
 # @param client_cert_not_required If true then set client-cert-not-required
 # @param ldap_enabled If ldap is enabled, do stuff
@@ -95,6 +97,20 @@
 # @param remote_cert_tls Enable or disable use of remote-cert-tls for the session. Generally used with client configuration
 # @param nobind Whether or not to bind to a specific port number.#
 # @param secret A pre-shared static key.
+# @param scripts Hash of scripts to copy with this instance.
+#  For example, to put a script in `/etc/openvpn/test-site/scripts/add-tap-to-bridge.sh` and use it as an `up` script
+#  ``` puppet
+#  openvpn::server { 'test-site':
+#    ....
+#    up => 'add-tap-to-bridge.sh',
+#    scripts => {
+#      "add-tap-to-bridge.sh" => {
+#        source => 'puppet:///path/to/add-tap-to-bridge.sh',
+#      },
+#    },
+#  }
+#  ```
+#
 # @param custom_options Hash of additional options to append to the configuration file.
 #
 # @example install
@@ -106,6 +122,7 @@
 #       email        => '[email protected]',
 #       server       => '10.200.200.0 255.255.255.0',
 #   }
+#
 # @example a server in client mode
 #   file {
 #     '/etc/openvpn/zurich/keys/ca.crt':
@@ -164,8 +181,10 @@
   Boolean $management                                               = false,
   String $management_ip                                             = 'localhost',
   Variant[Stdlib::Port::Unprivileged,Enum['unix']] $management_port = 7505,
-  String $up                                                        = '',
-  String $down                                                      = '',
+  Optional[String[1]] $up                                           = undef,
+  Optional[String[1]] $down                                         = undef,
+  Optional[String[1]] $client_connect                               = undef,
+  Optional[String[1]] $client_disconnect                            = undef,
   Boolean $username_as_common_name                                  = false,
   Boolean $client_cert_not_required                                 = false,
   Boolean $ldap_enabled                                             = false,
@@ -218,6 +237,7 @@
   Boolean $remote_cert_tls                                          = false,
   Boolean $nobind                                                   = false,
   Optional[String] $secret                                          = undef,
+  Hash[String, Hash] $scripts                                       = {},
   Hash $custom_options                                              = {},
 ) {
 
@@ -294,6 +314,12 @@
     mode   => '0750',
     notify => $lnotify,
   }
+  file {
+    [ "${etc_directory}/openvpn/${name}/scripts", ]:
+      ensure  => directory,
+      mode    => '0750',
+      recurse => true,
+  }
   if $shared_ca {
     ensure_resource(file, "${etc_directory}/openvpn/${ca_name}", {
       ensure => directory,
@@ -411,6 +437,10 @@
 
   # template use $_easyrsa_version
   $_easyrsa_version = $openvpn::easyrsa_version
+
+  # Template might need script directory
+  $_script_dir = "${etc_directory}/openvpn/${name}/scripts"
+
   file { "${etc_directory}/openvpn/${name}.conf":
     owner   => root,
     group   => 0,
@@ -432,6 +462,12 @@
     notify  => $lnotify,
   }
 
+  $scripts.each |String $scriptname, Hash $properties| {
+    file { "${_script_dir}/${scriptname}":
+      * => $properties,
+    }
+  }
+
   if $ldap_enabled == true {
     file {
       "${etc_directory}/openvpn/${name}/auth/ldap.conf":