Allow to share the CA between servers

voxpupuli · Nov 23, 2014 · 580d5c0 · 580d5c0
1 parent 7c1cd80
commit 580d5c0
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 37 deletions.
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -112,6 +112,12 @@
     group   => $group_to_set,
   }
 
+  # directory shared with openvpn::server
+  ensure_resource(file, "/etc/openvpn/${name}", {
+    ensure  => directory,
+    mode    => '0750',
+  })
+
   exec { "copy easy-rsa to openvpn config folder ${name}":
     command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa",
     creates => "/etc/openvpn/${name}/easy-rsa",

diff --git a/manifests/client.pp b/manifests/client.pp
@@ -101,6 +101,9 @@
 # [*down*]
 #   String,  Script which we want to run when openvpn client is disconneting
 #
+# [*shared_ca*]
+#   String,  The name of an openssl::ca resource to use.
+#
 # === Examples
 #
 #   openvpn::client {
@@ -157,6 +160,7 @@
   $setenv_safe = {},
   $up = '',
   $down = '',
+  $shared_ca = undef,
 ) {
 
   if $pam {
@@ -166,11 +170,15 @@
   Openvpn::Server[$server] ->
   Openvpn::Client[$name]
 
+  $ca_name = pick($shared_ca, $server)
+  Openvpn::Ca[$ca_name] ->
+  Openvpn::Client[$name]
+
   exec {
-    "generate certificate for ${name} in context of ${server}":
+    "generate certificate for ${name} in context of ${ca_name}":
       command  => ". ./vars && ./pkitool ${name}",
-      cwd      => "/etc/openvpn/${server}/easy-rsa",
-      creates  => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
+      cwd      => "/etc/openvpn/${ca_name}/easy-rsa",
+      creates  => "/etc/openvpn/${ca_name}/easy-rsa/keys/${name}.crt",
       provider => 'shell';
   }
 
@@ -182,20 +190,20 @@
 
   file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt":
     ensure  => link,
-    target  => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
-    require => Exec["generate certificate for ${name} in context of ${server}"],
+    target  => "/etc/openvpn/${ca_name}/easy-rsa/keys/${name}.crt",
+    require => Exec["generate certificate for ${name} in context of ${ca_name}"],
   }
 
   file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key":
     ensure  => link,
-    target  => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key",
-    require => Exec["generate certificate for ${name} in context of ${server}"],
+    target  => "/etc/openvpn/${ca_name}/easy-rsa/keys/${name}.key",
+    require => Exec["generate certificate for ${name} in context of ${ca_name}"],
   }
 
   file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt":
     ensure  => link,
-    target  => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
-    require => Exec["generate certificate for ${name} in context of ${server}"],
+    target  => "/etc/openvpn/${ca_name}/easy-rsa/keys/ca.crt",
+    require => Exec["generate certificate for ${name} in context of ${ca_name}"],
   }
 
   file { "/etc/openvpn/${server}/download-configs/${name}/${name}.conf":

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -273,6 +273,11 @@
 #   Boolean. Do not start clocking timeouts until a remote peer connects.
 #   Default: false
 #
+# [*shared_ca*]
+#   String.  Name of a openssl::ca resource to use
+#     config with
+#   Default: undef
+#
 # === Examples
 #
 #   openvpn::client {
@@ -372,6 +377,7 @@
   $persist_tun = false,
   $server_poll_timeout = undef,
   $ping_timer_rem = false,
+  $shared_ca = undef
 ) {
 
   include openvpn
@@ -393,18 +399,43 @@
     group   => $group_to_set,
   }
 
-  file { "/etc/openvpn/${name}":
+  # directory shared with openvpn::ca
+  ensure_resource(file, "/etc/openvpn/${name}", {
     ensure  => directory,
     mode    => '0750',
-  }
+  })
 
   if $remote == undef {
-    # VPN Server Mode
-    if $country == undef { fail("country has to be specified in server mode") }
-    if $province == undef { fail("province has to be specified in server mode") }
-    if $city == undef { fail("city has to be specified in server mode") }
-    if $organization == undef { fail("organization has to be specified in server mode") }
-    if $email == undef { fail("email has to be specified in server mode") }
+    if $shared_ca == undef {
+      # VPN Server Mode
+      if $country == undef { fail("country has to be specified in server mode") }
+      if $province == undef { fail("province has to be specified in server mode") }
+      if $city == undef { fail("city has to be specified in server mode") }
+      if $organization == undef { fail("organization has to be specified in server mode") }
+      if $email == undef { fail("email has to be specified in server mode") }
+
+      $ca_name = $name
+      $ca_common_name = $common_name
+      ::openvpn::ca { $name:
+        country      => $country,
+        province     => $province,
+        city         => $city,
+        organization => $organization,
+        email        => $email,
+        common_name  => $common_name,
+        group        => $group,
+        ssl_key_size => $ssl_key_size,
+        ca_expire    => $ca_expire,
+        key_expire   => $key_expire,
+        key_cn       => $key_cn,
+        key_name     => $key_name,
+        key_ou       => $key_ou,
+      }
+    } else {
+      $ca_name = $shared_ca
+      $ca_common_name = getparam(Openvpn::Ca[$ca_name], 'common_name')
+      Openvpn::Ca[$shared_ca] -> Openvpn::Server[$name]
+    }
 
     file {
       [ "/etc/openvpn/${name}/auth",
@@ -415,21 +446,6 @@
         recurse => true,
     }
 
-    ::openvpn::ca { $name:
-      country      => $country,
-      province     => $province,
-      city         => $city,
-      organization => $organization,
-      email        => $email,
-      common_name  => $common_name,
-      group        => $group,
-      ssl_key_size => $ssl_key_size,
-      ca_expire    => $ca_expire,
-      key_expire   => $key_expire,
-      key_cn       => $key_cn,
-      key_name     => $key_name,
-      key_ou       => $key_ou,
-    }
   } else {
     # VPN Client Mode
 

diff --git a/templates/server.erb b/templates/server.erb
@@ -11,14 +11,14 @@ remote <%= rem %>
 server-poll-timeout <%= @server_poll_timeout %>
 <% end -%>
 <% end -%>
-ca /etc/openvpn/<%= @name %>/keys/ca.crt
-cert /etc/openvpn/<%= @name %>/keys/<%= @common_name %>.crt
-key /etc/openvpn/<%= @name %>/keys/<%= @common_name %>.key
+ca /etc/openvpn/<%= @ca_name %>/keys/ca.crt
+cert /etc/openvpn/<%= @ca_name %>/keys/<%= @ca_common_name %>.crt
+key /etc/openvpn/<%= @ca_name %>/keys/<%= @ca_common_name %>.key
 <% unless @remote -%>
-dh /etc/openvpn/<%= @name %>/keys/dh<%= @ssl_key_size %>.pem
+dh /etc/openvpn/<%= @ca_name %>/keys/dh<%= @ssl_key_size %>.pem
 <% end -%>
 <% unless @remote -%>
-crl-verify /etc/openvpn/<%= @name %>/crl.pem
+crl-verify /etc/openvpn/<%= @ca_name %>/crl.pem
 <% end -%>
 <% if @proto == 'tcp' -%>
 proto <%= @proto %>-server