D3988.id10353.diff
diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -301,6 +301,15 @@
for _, vault_path in get_duid_credential_paths(node).items():
rules.append(_get_read_rule(vault_path))
+ rules.append(
+ _join_document_fragments(
+ [
+ _get_read_rule(vault_path)
+ for vault_path in __pillar__["vault_secrets_ubiquity"]
+ ]
+ )
+ )
+
policy = _join_document_fragments(rules)
if not policy:
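Review bot: `__pillar__["vault_secrets_ubiquity"]` is a hard subscript, so once this module is deployed any node whose pillar does not define the new key raises KeyError and gets no policy at all; use `__pillar__.get("vault_secrets_ubiquity", [])`. Wrapping the comprehension in `_join_document_fragments` and then joining `rules` again on the next line is redundant — `rules.extend(_get_read_rule(p) for p in __pillar__.get("vault_secrets_ubiquity", []))` yields the same policy with a single join and avoids reusing the name `vault_path` from the `for` loop just above. Because these paths are appended to every node's policy, anything listed there (the IPsec PSK, per the vault.sls change in this diff) becomes readable from any compromised minion; a one-line comment stating that intent here, `# Paths every node may read, regardless of role — keep this list minimal`, would stop it growing by accident. The enclosing function starts before this hunk.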
diff --git a/pillar/core/network.sls b/pillar/core/network.sls
--- a/pillar/core/network.sls
+++ b/pillar/core/network.sls
@@ -53,3 +53,46 @@
addr: 172.27.27.254
node:
addr: 172.27.27.35
+
+
+# IPsec configuration for strongswan
+
+drake_IPsec_tunnels:
+ router-002:
+ local_ip: 172.27.27.11
+ remote_ip: 172.27.27.12
+ local_ts: 172.27.27.11/28
+ remote_ts: 172.27.27.12/28
+
+ router-003:
+ local_ip: 172.27.27.12
+ remote_ip: 172.27.27.11
+ local_ts: 172.27.27.12/28
+ remote_ts: 172.27.27.11/28
+
+#drake_IPsec_tunnels:
+# router-002:
+# tunnels:
+# to_router003:
+# remote_ip: "172.27.27.12"
+# local_ts: "172.27.27.11/32"
+# remote_ts: "172.27.27.12/32"
+# to_windriver:
+# remote_ip: "172.27.27.35"
+# local_ts: "172.27.27.11/32"
+# remote_ts: "172.27.27.35/32"
+# to_ysul:
+# remote_ip: "172.27.27.X"
+# local_ts: "172.27.27.11/32"
+# remote_ts: "172.27.27.X/32"
+# local_ip: "172.27.27.11"
+
+
+
+
+# IPsec configuration IKE + ESP
+
+drake_IPsec_config:
+ router:
+ ike_proposals: "aes256-sha256-modp2048"
+ esp_proposals: "aes256-sha256"
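Review bot: `esp_proposals: "aes256-sha256"` carries no DH group, so strongSwan rekeys the CHILD_SA without perfect forward secrecy; append a group to match the IKE proposal, e.g. `esp_proposals: "aes256-sha256-modp2048"`. The traffic selectors in `drake_IPsec_tunnels` are the same /28 (172.27.27.0/28) on both the local and remote side of each router, which looks inconsistent with the transport-mode GRE child that config.sls renders from them — the commented-out draft below used /32 host selectors, which is presumably what was meant. That commented-out block also still carries an `172.27.27.X` placeholder and should be dropped rather than kept as dead configuration in a pillar.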
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -305,3 +305,9 @@
# Main MariaDB cluster - Alkane PaaS, ViperServ
B:
- ops/secrets/dbserver/cluster-B/users/*
+
+vault_secrets_ubiquity:
+
+ # IPsec tunnels
+
+ - ops/secrets/network/ipsec/key
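Review bot: Listing `ops/secrets/network/ipsec/key` under `vault_secrets_ubiquity` grants a single IPsec PSK to every node's Vault policy, while only the two routers in `drake_IPsec_tunnels` use it; a compromise of any other minion then yields the key for every tunnel. Prefer scoping it the way the cluster-B database users above are scoped (a per-role list) and keying per peer pair, e.g. `ops/secrets/network/ipsec/router-002-router-003`, so a leaked or rotated key affects one tunnel only. If ubiquity is intentional, the comment should say why: `# IPsec tunnels — shared PSK, deliberately readable by every node because …`.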
diff --git a/roles/core/strongswan/config.sls b/roles/core/strongswan/config.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/config.sls
@@ -0,0 +1,35 @@
+# -------------------------------------------------------------
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% from "map.jinja" import dirs with context %}
+
+# -------------------------------------------------------------
+# Strongswan(IPsec) configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/swanctl/swanctl.conf:
+ file.managed:
+ - source: salt://roles/core/network/files/swanctl.conf
+ - user: root
+ - group: wheel
+ - mode: 600
+ - template: jinja
+ - context:
+ tunnel_name: "IPsec"
+ ike_proposals: {{ pillar.drake_IPsec_config('ike_proposals') }}
+ local_ip: {{ pillar.drake_IPsec_tunnels['router-002']['local_ip'] }}
+ remote_ip: {{ pillar.drake_IPsec_tunnels['router-003']['local_ip'] }}
+ child_name: "gre"
+ child_mode: "transport"
+ esp_proposals: {{ pillar.drake_IPsec_config('esp_proposals') }}
+ local_ts: {{ pillar.drake_IPsec_tunnels['router-002']['local_ts'] }}
+ remote_ts: {{ pillar.drake_IPsec_tunnels['router-003']['remote_ts'] }}
+ psk_secret: {{ salt["credentials.get_password"]( 'network/ipsec/key') }}
+
+strongswan_reload:
+ cmd.run:
+ - name: swanctl --load-all
+ - onchanges:
+ - file: {{ dirs.etc }}/swanctl/swanctl.conf
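Review bot: This state cannot render as written: `source` points at `salt://roles/core/network/files/swanctl.conf` while the template is added under `roles/core/strongswan/files/`, and `pillar.drake_IPsec_config('ike_proposals')` calls a dict and skips the `router` level defined in network.sls. The peer is also hard-wired — `local_ip`/`local_ts` always come from `router-002` and `remote_ts` from `router-003`'s remote side, which is router-002's own subnet — so on router-003 the file would describe the wrong endpoint; selecting the entry by minion id (presumably the pillar keys match `grains['id']`, please confirm) fixes both. Since the rendered file holds the PSK, add `show_changes: False` so the secret does not appear in highstate diffs and job returns, and quote `psk_secret` so a value with YAML-significant characters cannot break the state. The `strongswan_reload` state is fine and is left out below.

```yaml
{% set tunnel = pillar['drake_IPsec_tunnels'][grains['id']] %}
{% set ipsec = pillar['drake_IPsec_config']['router'] %}

{{ dirs.etc }}/swanctl/swanctl.conf:
  file.managed:
    - source: salt://roles/core/strongswan/files/swanctl.conf
    - user: root
    - group: wheel
    - mode: 600
    - show_changes: False
    - template: jinja
    - context:
        tunnel_name: "IPsec"
        ike_proposals: "{{ ipsec['ike_proposals'] }}"
        local_ip: {{ tunnel['local_ip'] }}
        remote_ip: {{ tunnel['remote_ip'] }}
        child_name: "gre"
        child_mode: "transport"
        esp_proposals: "{{ ipsec['esp_proposals'] }}"
        local_ts: {{ tunnel['local_ts'] }}
        remote_ts: {{ tunnel['remote_ts'] }}
        psk_secret: "{{ salt['credentials.get_password']('network/ipsec/key') }}"

# … unchanged: strongswan_reload …
```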
diff --git a/roles/core/strongswan/files/rc/strongswan.conf b/roles/core/strongswan/files/rc/strongswan.conf
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/files/rc/strongswan.conf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# strongswan — rc configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/strongswan/files/rc/strongswan.conf
+
+
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+strongswan_enable="YES"
+strongswan_config= {{ dirs.etc }}/swanctl/swanctl.conf
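Review bot: `strongswan_config= {{ dirs.etc }}/swanctl/swanctl.conf` has a space after `=`, so when rc sources this file the shell sets `strongswan_config` to the empty string and then tries to execute the path as a command; write `strongswan_config="{{ dirs.etc }}/swanctl/swanctl.conf"`. The `{{ dirs.etc }}` expression also only expands if the state that installs this file renders it with `template: jinja` and provides `dirs` — the service.sls in this diff does neither, so the literal braces would land in /etc/rc.conf.d/strongswan. Whether the FreeBSD rc script honours a `strongswan_config` variable is not something this diff shows; a comment citing the rc script that reads it would help the next reader.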
diff --git a/roles/core/strongswan/files/swanctl.conf b/roles/core/strongswan/files/swanctl.conf
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/files/swanctl.conf
@@ -0,0 +1,38 @@
+
+connections {
+ {{ tunnel_name }} {
+ version = 2
+ proposals = {{ ike_proposals }}
+
+ local_addrs = {{ local_ip }}
+ remote_addrs = {{ remote_ip }}
+
+ local {
+ auth = psk
+ id = {{ local_ip }}
+ }
+
+ remote {
+ auth = psk
+ id = {{ remote_ip }}
+ }
+
+ children {
+ {{ child_name }} {
+ mode = {{ child_mode }}
+ esp_proposals = {{ esp_proposals }}
+ local_ts = {{ local_ts }}
+ remote_ts = {{ remote_ts }}
+ start_action = start
+ }
+ }
+ }
+}
+
+secrets {
+ ike-psk {
+ id-1 = {{ local_ip }}
+ id-2 = {{ remote_ip }}
+ secret = "{{ psk_secret }}"
+ }
+}
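Review bot: `secret = "{{ psk_secret }}"` injects the Vault value verbatim, so a key containing `"` or `\` would be truncated or break swanctl's parser silently at `--load-all`. Either generate and store the PSK as hex or base64 and use swanctl's prefixed forms (`secret = 0x…` / `secret = 0s…`), or document the constraint at the Vault path; a comment above the `secrets` block, `# PSK comes from Vault (ops/secrets/network/ipsec/key); must not contain quotes or backslashes`, makes the assumption visible.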
diff --git a/roles/core/strongswan/init.sls b/roles/core/strongswan/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/init.sls
@@ -0,0 +1,4 @@
+include:
+ - .config
+ - .service
+ - .strongswan
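Review bot: The include lists `.strongswan`, but this diff adds no `roles/core/strongswan/strongswan.sls`; unless that file already exists in the repository, the highstate fails to compile for every target of this role. Either drop the line or add the state it refers to in the same change, and say in a comment what it is meant to provision (presumably the package).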
diff --git a/roles/core/strongswan/service.sls b/roles/core/strongswan/service.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/service.sls
@@ -0,0 +1,24 @@
+# -------------------------------------------------------------
+# Salt — Provision strongswan
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import services with context %}
+
+# -------------------------------------------------------------
+# strongswan service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if services.manager == "rc" %}
+
+/etc/rc.conf.d/strongswan:
+ file.managed:
+ - source: salt://roles/core/strongswan/files/rc/strongswan.conf
+
+strongswan_running:
+ service.running:
+ - name: strongswan
+
+{% endif %}
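Review bot: `/etc/rc.conf.d/strongswan` is managed without `template: jinja`, yet its source uses `{{ dirs.etc }}`, so the braces are written literally and the rc variable never points at the real swanctl.conf. `strongswan_running` also has no `require`/`watch` on that file or on the swanctl configuration, so the service can start before its configuration exists. Rendering the rc file as a template with the `dirs` import and ordering the service after it fixes both; the rest of the state is unchanged.

```yaml
{% from "map.jinja" import dirs, services with context %}

# … unchanged: header comments …

{% if services.manager == "rc" %}

/etc/rc.conf.d/strongswan:
  file.managed:
    - source: salt://roles/core/strongswan/files/rc/strongswan.conf
    - template: jinja
    - context:
        dirs: {{ dirs | tojson }}

strongswan_running:
  service.running:
    - name: strongswan
    - require:
      - file: /etc/rc.conf.d/strongswan
    - watch:
      - file: /etc/rc.conf.d/strongswan

{% endif %}
```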
