# This defined type manages a Tails VPN installation using tinc in `switch`
# mode.
#
# By default it needs only two parameters:
#
# * vpn_address: the VPN internal IP address, used to configure the VPN
#   interface. Must be in CIDR format, e.g. 192.168.0.2/24.
#
# * vpn_subnet: the VPN internal subnet, which is used to
#   configure the routing. Must be in the form subnet/netmask, e.g.
#   192.168.0.0/255.255.255.0.
#
# Note that this manifest does not check that you pass consistent
# values for the $vpn_address CIDR prefix and the $vpn_subnet netmask.
# Obviously you should. Take care to do so!
#
# It's also possible to define the IP address tinc will listen on with
# the ip_address parameter. Useful if you have several interfaces.

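define tails::vpn::instance (
  # This node's VPN-internal address in CIDR form, e.g. 192.168.0.2/24.
  # Only the address half is used (handed to tinc-up.epp as vpn_ip).
  Stdlib::IP::Address::V4::CIDR $vpn_address,
  # VPN-internal subnet as subnet/netmask, e.g. 192.168.0.0/255.255.255.0.
  # Both halves are handed to tinc-up.epp (vpn_net / vpn_netmask).
  Pattern[/\A([0-9]{1,3}\.){3}[0-9]{1,3}\/([0-9]{1,3}\.){3}[0-9]{1,3}\z/] $vpn_subnet,
  # Peer names handed to tinc.conf.epp as connect_to.
  Array[String] $connect_to                             = [],
  # NOTE(review): $ip_address is never referenced in this body and is not
  # passed to tinc.conf.epp. An EPP template cannot read a define's local
  # variables, so as written this parameter appears to have no effect on the
  # generated tinc.conf — confirm against the template before relying on it.
  Stdlib::IP::Address::V4 $ip_address                   = $::ipaddress,
  # Additional routes for tinc-up.epp; each entry is a pair of IPv4 addresses
  # (presumably network and netmask — check tinc-up.epp for the exact meaning).
  Array[Array[Stdlib::IP::Address::V4, 2, 2]] $routes   = [],
  # 'absent' removes the whole /etc/tinc/<vpn_name> tree and the generated files.
  Enum['present', 'absent'] $ensure                     = present,
  # Optional proxy setting handed to tinc.conf.epp as proxy.
  Optional[String] $proxy                               = undef,
  # Which exported tinc-up/tinc-down fragments to collect into this instance's
  # scripts: true collects from every other node, an Array collects only from
  # the listed sources (matched against the fragment tag), false collects none.
  Variant[Boolean, Array[String]] $collect_routes       = true,
){

  # Only the address part of the CIDR is needed by the tinc-up template.
  $vpn_spaddress = split($vpn_address, '/')
  $vpn_ip = $vpn_spaddress[0]

  # Network and netmask halves of "subnet/netmask"; the Pattern on
  # $vpn_subnet guarantees both halves are present.
  $vpn_spsubnet = split($vpn_subnet, '/')
  $vpn_net = $vpn_spsubnet[0]
  $vpn_netmask = $vpn_spsubnet[1]

  # The resource title is "<hostname>@<vpn_name>". Require exactly one '@'
  # with non-empty halves, so that a title such as "a@b@c" cannot have its
  # tail silently dropped by the split below.
  assert_type(Pattern[/\A[^@]+@[^@]+\z/], $name)
  $sp_name = split($name, '@')
  $hostname = $sp_name[0]
  $vpn_name = $sp_name[1]
  # The tinc network name doubles as the name of the VPN interface.
  $interface = $vpn_name

  # $vpn_name becomes a path component under /etc/tinc (and a line in
  # nets.boot); refuse anything that could name a different directory.
  assert_type(Pattern[/\A[^\/]+\z/], $vpn_name)
  if $vpn_name in ['.', '..'] {
    fail("tails::vpn::instance: invalid VPN name '${vpn_name}' in title '${name}'")
  }

  # Directories use 'directory' rather than 'present' when ensuring.
  $directory_ensure = $ensure ? {
    absent  => absent,
    default => directory,
  }

  include tails::vpn

  file {
    # Per-network tinc directory; root-only since it holds the private key.
    "/etc/tinc/${vpn_name}":
      ensure  => $directory_ensure,
      recurse => true,
      owner   => 'root',
      group   => 'root',
      mode    => '0700',
      require => Package['tinc'];
    # purge => true removes host files that are not managed by Puppet, so a
    # stale or hand-added peer cannot linger in this directory.
    "/etc/tinc/${vpn_name}/hosts":
      ensure  => $directory_ensure,
      purge   => true,
      recurse => true,
      owner   => 'root',
      group   => 'root',
      mode    => '0700';
    "/etc/tinc/${vpn_name}/tinc.conf":
      ensure  => $ensure,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => epp('tails/vpn/tinc.conf.epp', {
        hostname   => $hostname,
        connect_to => $connect_to,
        proxy      => $proxy,
      });
    # Only ownership and mode of the private key are managed here; no
    # content or source is given, so the key itself has to be provisioned
    # out of band (Puppet would create an empty file if it is missing).
    "/etc/tinc/${vpn_name}/rsa_key.priv":
      ensure => $ensure,
      owner  => 'root',
      group  => 'root',
      mode   => '0600',
  }

  # Build the tinc-up/down files. They are assembled with concat so that
  # other nodes can contribute route fragments (see $collect_routes).
  concat {
    "/etc/tinc/${vpn_name}/tinc-up":
      ensure  => $ensure,
      owner   => 'root',
      group   => 'root',
      mode    => '0700',
      require => File["/etc/tinc/${vpn_name}"];
    "/etc/tinc/${vpn_name}/tinc-down":
      ensure  => $ensure,
      owner   => 'root',
      group   => 'root',
      mode    => '0700',
      require => File["/etc/tinc/${vpn_name}"];
  }

  # Local head of each script; order 0 puts it before any collected fragment.
  concat::fragment {
    "${vpn_name}_tinc-up":
      target  => "/etc/tinc/${vpn_name}/tinc-up",
      content => epp('tails/vpn/tinc-up.epp', {
        interface   => $interface,
        vpn_ip      => $vpn_ip,
        vpn_net     => $vpn_net,
        vpn_netmask => $vpn_netmask,
        routes      => $routes,
      }),
      order   => 0;
    "${vpn_name}_tinc-down":
      target  => "/etc/tinc/${vpn_name}/tinc-down",
      content => epp('tails/vpn/tinc-down.epp', {
        interface => $interface
      }),
      order   => 0;
  }

  # Collected fragments end up inside root-owned scripts that tinc executes,
  # so whoever can export a fragment for these targets can add commands to
  # them. With `true` that is every node in the Puppet infrastructure other
  # than this one (tag != certname); the Array form narrows it to the listed
  # sources and is the safer choice when the set of peers is known.
  case $collect_routes {
    true: {
      Concat::Fragment <<| target == "/etc/tinc/${vpn_name}/tinc-up" and tag != $trusted['certname'] |>>
      Concat::Fragment <<| target == "/etc/tinc/${vpn_name}/tinc-down" and tag != $trusted['certname'] |>>
    }
    Array: {
      $collect_routes.each | String $source | {
        Concat::Fragment <<| target == "/etc/tinc/${vpn_name}/tinc-up" and tag == $source |>>
        Concat::Fragment <<| target == "/etc/tinc/${vpn_name}/tinc-down" and tag == $source |>>
      }
    }
    # false: collect nothing.
    default: {}
  }

  # Start this instance on Tinc service start: nets.boot lists one network
  # name per line. This fragment is added unconditionally (not tied to
  # $ensure); when ensuring 'absent' the directory is removed but the name
  # stays listed — presumably acceptable, but worth confirming.
  concat::fragment { "nets_boot_${vpn_name}":
    target  => '/etc/tinc/nets.boot',
    content => "${vpn_name}\n",
    notify  => Service['tinc'],
  }

}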