diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -301,6 +301,15 @@
for _, vault_path in get_duid_credential_paths(node).items():
rules.append(_get_read_rule(vault_path))
+ rules.append(
+ _join_document_fragments(
+ [
+ _get_read_rule(vault_path)
+ for vault_path in __pillar__["vault_secrets_ubiquity"]
+ ]
+ )
+ )
+
policy = _join_document_fragments(rules)
if not policy:
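Review bot: `__pillar__["vault_secrets_ubiquity"]` in the new append raises KeyError for any minion whose pillar does not carry the key (mis-targeted or older pillar), which aborts policy generation for that node instead of just skipping the shared paths; use `__pillar__.get("vault_secrets_ubiquity", [])`. The `_join_document_fragments` wrapped inside `rules.append` is also redundant, since `rules` is joined again two lines later — `rules.extend(_get_read_rule(p) for p in __pillar__.get("vault_secrets_ubiquity", []))` does the same in one step and keeps `rules` a flat list of single rules. Note that every node's policy now grants read on these paths, so anything listed there is readable with any minion's Vault token; a short comment stating that here would save the next maintainer from adding a per-node secret to the list. The enclosing function starts outside the hunk.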
diff --git a/pillar/core/network.sls b/pillar/core/network.sls
--- a/pillar/core/network.sls
+++ b/pillar/core/network.sls
@@ -6,8 +6,9 @@
# router-001 acts as a gateway for all nodes
# For GRE tunnels, gateway is probably the tunnel endpoint
# The other nodes can use the default_gateway IP.
- router: router-001
- default_gateway: 172.27.27.1
+ router: router-003
+ default_gateway: 172.27.27.12
+ canonical_public_ipv4: 51.68.252.230
# -------------------------------------------------------------
# Drake - GRE tunnels
@@ -53,3 +54,13 @@
addr: 172.27.27.254
node:
addr: 172.27.27.35
+
+# -------------------------------------------------------------
+# IPsec configuration - strongSwan
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+drake_IPsec_config:
+ router:
+ ike_proposals: "aes256-sha256-modp2048"
+ esp_proposals: "aes256-sha256"
+ child_mode: "transport"
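Review bot: `esp_proposals: "aes256-sha256"` carries no DH group, so in strongSwan CHILD_SA rekeys derive keys from the IKE SA and the ESP traffic has no perfect forward secrecy of its own; append a group to match the IKE proposal, e.g. `esp_proposals: "aes256-sha256-modp2048"`. Both proposals are CBC+HMAC suites; if both tunnel endpoints run a recent strongSwan, an AEAD suite such as `aes256gcm16-prfsha256-ecp256` for IKE and `aes256gcm16-ecp256` for ESP is faster and drops the separate integrity algorithm. `modp2048` is still acceptable today, but `ecp256` or `curve25519` would be the usual choice for a new deployment.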
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -305,3 +305,9 @@
# Main MariaDB cluster - Alkane PaaS, ViperServ
B:
- ops/secrets/dbserver/cluster-B/users/*
+
+vault_secrets_ubiquity:
+
+ # IPsec tunnels
+
+ - ops/secrets/network/ipsec/key
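Review bot: Listing `ops/secrets/network/ipsec/key` under `vault_secrets_ubiquity` means one PSK is both shared by every IPsec tunnel and, per the credentials.py change in this diff, readable under every node's Vault policy — compromising any single minion, including one that terminates no tunnel, yields the key for all peers. Consider scoping the path to the nodes that actually run strongSwan, or moving to per-peer secrets (e.g. `ops/secrets/network/ipsec/<peer>`), since a single key also means rotation requires reloading every router at once. At minimum add a comment here such as `# Shared PSK, readable by every node: rotate after any host compromise`.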
diff --git a/roles/core/strongswan/config.sls b/roles/core/strongswan/config.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/config.sls
@@ -0,0 +1,31 @@
+# -------------------------------------------------------------
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% from "map.jinja" import dirs with context %}
+
+# -------------------------------------------------------------
+# strongSwan (IPsec) configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% set psk = salt["credentials.get_password"]('network/ipsec/key') %}
+
+{{ dirs.etc }}/swanctl/swanctl.conf:
+ file.managed:
+ - source: salt://roles/core/strongswan/files/swanctl.conf
+ - user: root
+ - group: wheel
+ - mode: 600
+ - makedirs: True
+ - template: jinja
+ - context:
+ tunnels: {{ salt['node.resolve_gre_tunnels']() }}
+ conf: {{ pillar['drake_IPsec_config']['router'] }}
+ psk_secret: {{ psk }}
+
+strongswan_reload:
+ cmd.run:
+ - name: swanctl --load-all
+ - onchanges:
+ - file: {{ dirs.etc }}/swanctl/swanctl.conf
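Review bot: `psk_secret: {{ psk }}` under `context:` interpolates the raw secret into the state's YAML unquoted, so a PSK containing `:`, `#`, quotes or a leading `{`, `[` or `*` breaks rendering or is silently truncated; emit it as a proper scalar with `psk_secret: {{ psk | yaml_encode }}` (and pass `conf` and `tunnels` through `| tojson` for the same reason rather than relying on Python repr being valid YAML). The `swanctl --load-all` command has no `require` on the strongSwan service and `init.sls` in this diff includes `.config` before `.service`, so on a first run charon is not yet up and the reload fails; add `- require: - service: strongswan_running` or trigger the reload from a `watch` on the service. `mode: 600` is the right permission for a file carrying the PSK.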
diff --git a/roles/core/strongswan/files/rc/strongswan.conf b/roles/core/strongswan/files/rc/strongswan.conf
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/files/rc/strongswan.conf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# strongswan — rc configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/strongswan/files/rc/strongswan.conf
+
+
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+strongswan_enable="YES"
+strongswan_config= {{ dirs.etc }}/swanctl/swanctl.conf
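Review bot: `strongswan_config= {{ dirs.etc }}/swanctl/swanctl.conf` has a space after `=`, and rc.conf.d files are sourced by sh, so this assigns an empty `strongswan_config` and then tries to execute the path as a command; write `strongswan_config="{{ dirs.etc }}/swanctl/swanctl.conf"`. The Jinja placeholder is only expanded if the state shipping this file renders it as a template, and the `file.managed` in service.sls in this diff sets no `template: jinja`, so the literal `{{ dirs.etc }}` would land on disk — the file would also need `{% from "map.jinja" import dirs with context %}` at its top once it is templated. Please also confirm the FreeBSD strongswan rc script actually honours a `strongswan_config` variable; if it does not, this line is dead and the daemon reads its default swanctl directory.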
diff --git a/roles/core/strongswan/files/swanctl.conf b/roles/core/strongswan/files/swanctl.conf
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/files/swanctl.conf
@@ -0,0 +1,57 @@
+# -------------------------------------------------------------
+# strongSwan configuration for swanctl
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/strongswan/files/swanctl.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+connections {
+{% for tunnel in tunnels %}
+
+ IPsec_{{ tunnel.description }} {
+ version = 2
+ proposals = {{ conf.ike_proposals }}
+
+ local_addrs = {{ tunnel.icann_src }}
+ remote_addrs = {{ tunnel.icann_dst }}
+
+ local {
+ auth = psk
+ id = {{ tunnel.icann_src }}
+ }
+
+ remote {
+ auth = psk
+ id = {{ tunnel.icann_dst }}
+ }
+
+ children {
+ tunnel-{{ tunnel.description }} {
+ mode = {{ conf.child_mode }}
+ esp_proposals = {{ conf.esp_proposals }}
+ local_ts = {{ tunnel.icann_src }}/32
+ remote_ts = {{ tunnel.icann_dst }}/32
+ start_action = trap
+ }
+ }
+ }
+{% endfor %}
+}
+
+secrets {
+{% for tunnel in tunnels_dynamiques %}
+ ike-{{ tunnel.description }} {
+ id-1 = {{ tunnel.icann_src }}
+ id-2 = {{ tunnel.icann_dst }}
+ secret = {{ psk_secret }}
+ }
+{% endfor %}
+}
diff --git a/roles/core/strongswan/init.sls b/roles/core/strongswan/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/init.sls
@@ -0,0 +1,11 @@
+# -------------------------------------------------------------
+# strongSwan
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .software
+ - .config
+ - .service
diff --git a/roles/core/strongswan/service.sls b/roles/core/strongswan/service.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/service.sls
@@ -0,0 +1,24 @@
+# -------------------------------------------------------------
+# Salt — Provisions strongSwan
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import services with context %}
+
+# -------------------------------------------------------------
+# strongSwan service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if services.manager == "rc" %}
+
+/etc/rc.conf.d/strongswan:
+ file.managed:
+ - source: salt://roles/core/strongswan/files/rc/strongswan.conf
+
+strongswan_running:
+ service.running:
+ - name: strongswan
+
+{% endif %}
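Review bot: The `file.managed` for `/etc/rc.conf.d/strongswan` has no `- template: jinja`, while the source file in this diff contains `{{ dirs.etc }}`, so the placeholder is written literally and the rc variable points at a non-existent path; add `- template: jinja` and make sure the template imports `dirs` from `map.jinja`, as only `services` is imported here. `strongswan_running` should also carry `- enable: True` and `- watch: - file: /etc/rc.conf.d/strongswan`, since `service.running` alone neither enables the daemon at boot nor restarts it when the rc file changes. The `{% if services.manager == "rc" %}` guard leaves non-rc hosts with no service state at all; if that silent no-op is intended, a one-line comment saying so would help.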
diff --git a/roles/core/strongswan/software.sls b/roles/core/strongswan/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/software.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# strongSwan software installation
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+strongswan:
+ pkg.installed
