Re: openvpn recipe: comments, suggestions, help (msg #00293, sysutils.puppet.user)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 28 October 2007, Adrian Phillips wrote:
> Good day,
>
> First off, I'm a complete puppet newbie, this openvpn recipe is pretty
> much the first puppet work I've done so be gentle :-)

Great! I have had an openvpn module on my todo for way too long already :)

> Secondly, the openvpn setup for Debian (and systems based on Debian)
> allows each openvpn network (tunnel) to be specified using a separate
> config file for each: /etc/openvpn/<vpn>.conf
>
> Each tunnel can then be stopped/started/restarted using:
> /etc/init.d/openvpn stop|start|restart <vpn>
>
> This allows one tunnel to be altered and restarted without affecting
> others, otherwise a restart would cause all tunnels to be restarted, which
> can cause the keys of all clients to become out of sync for a minute,
> possibly longer.
>
> Unfortunately, I've found this complicates the puppet setup, although
> this may have more to do with my inexperience with puppet than
> anything else. I include my recipe below with additional
> comments/questions. I would be grateful for any corrections and
> suggestions for improvements.

Debian also has an AUTOSTART variable in /etc/default/openvpn which
denotes all tunnels to be started on boot. I would try to

a) create a purged directory with flag files to enumerate the tunnels
   that should be started, e.g. /var/lib/puppet/modules/openvpn/{host1,host2}

b) replace the assignment to AUTOSTART in /etc/default/openvpn by a
   little function like this:

   AUTOSTART="$(cd /var/lib/puppet/modules/openvpn/; ls)"

c) use a service to manage the base rc.d links for openvpn (i.e.
   starting on boot, stopping on shutdown) and use custom execs to
   start/stop/restart a tunnel when its config file changes.

> Note, I haven't completely followed the StyleGuide but will probably
> tidy up if/when I receive comments. In addition, if people consider
> this of reasonable value to others I could add it as a recipe to the
> wiki.
>
> Anyway here it is, my comments/questions are prepended with ** :-
>
> # /etc/puppet/manifests/classes/openvpn.pp
>
> ** Is it possible to have only one file { }, so the shared elements
> ** only need to be specified once, e.g. owner, group, perhaps using
> ** case within file { } ?
>
> define openvpn_file ($source = "", $content = "", $tunnel, $path, $mode = 0640) {
>   # A file served from the puppet fileserver ($source set)
>   if $source {
>     file { "$name":
>       source  => "puppet:///files/$source",
>       path    => $path,
>       ensure  => present,
>       mode    => $mode,
>       owner   => root,
>       group   => root,
>       before  => Service["openvpn_$tunnel"],
>       require => Package["openvpn"],
>       notify  => Service["openvpn_$tunnel"],
>     }
>   }
>   # A file with inline content ($content set); same attributes duplicated
>   if $content {
>     file { "$name":
>       content => $content,
>       path    => $path,
>       ensure  => present,
>       mode    => $mode,
>       owner   => root,
>       group   => root,
>       before  => Service["openvpn_$tunnel"],
>       require => Package["openvpn"],
>       notify  => Service["openvpn_$tunnel"],
>     }
>   }
> } # openvpn_file

No, this (source vs. content) is one of the few cases where you have to
duplicate all info. For other cases, there exists a

   $var ? { 'val1' => 'result1', 'val2' => 'result2' }

syntax. Most of the other points should be resolved too by restructuring
the service.

> Thank you for any assistance with this.
>
> Sincerely,
>
> Adrian Phillips

Regards, David

- --
The primary freedom of open source is not the freedom from cost, but the
freedom to shape software to do what you want. This freedom is /never/ exercised
without cost, but is available /at all/ only by accepting the very different
costs associated with open source, costs not in money, but in time and effort.
- -- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHJLSg/Pp1N6Uzh0URApMuAJ4zUkKUSL9NmXRaPbMdKxl0Rfe/3gCgjdI8
3CoqSON7g5xa1GIRRNGmO9s=
=81vp
-----END PGP SIGNATURE-----
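The three-step restructuring David sketches above (a purged flag directory, AUTOSTART derived from that directory, a base service plus per-tunnel execs), written out as a complete manifest. This is an added example for this archive page, not code posted by either participant and not an official Puppet module; it uses Puppet 4+ syntax, and the defined type name openvpn::tunnel, the flag directory under /var/lib/puppet/modules/openvpn (the path David proposes) and the puppet:///modules/... source URLs are assumptions of the example.

```puppet
# Added example: per-tunnel OpenVPN management on Debian, following the
# flag-directory approach suggested in the reply above. Paths and the
# defined type name are assumptions for this example.

class openvpn {
  package { 'openvpn':
    ensure => installed,
  }

  # Flag directory: one empty file per tunnel that should start on boot.
  # purge + recurse removes flags for tunnels no longer declared in the
  # catalog, so a decommissioned tunnel also disappears from AUTOSTART.
  file { '/var/lib/puppet/modules/openvpn':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    purge   => true,
    recurse => true,
    require => Package['openvpn'],
  }

  # AUTOSTART is computed from the flag directory when the init script
  # runs. '&&' instead of ';' keeps a failed cd from listing the wrong
  # directory and starting tunnels that were never declared.
  file { '/etc/default/openvpn':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "AUTOSTART=\"\$(cd /var/lib/puppet/modules/openvpn/ && ls)\"\n",
    require => Package['openvpn'],
  }

  # The base service only manages the rc.d links (start on boot, stop on
  # shutdown). Restarts happen per tunnel in openvpn::tunnel, so a change
  # to one config does not bounce every client's session.
  service { 'openvpn':
    enable  => true,
    require => File['/etc/default/openvpn'],
  }
}

define openvpn::tunnel (
  String $source,   # puppet:/// URL of this tunnel's config file
) {
  include openvpn

  # Tunnel config; 0640 root:root as in the original recipe, since the
  # config names the key material and may embed shared secrets.
  file { "/etc/openvpn/${name}.conf":
    ensure  => file,
    source  => $source,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    require => Package['openvpn'],
    notify  => Exec["openvpn-restart-${name}"],
  }

  # Flag file: its presence puts this tunnel into AUTOSTART.
  file { "/var/lib/puppet/modules/openvpn/${name}":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    require => File['/var/lib/puppet/modules/openvpn'],
  }

  # Debian's init script accepts a tunnel name, so only this tunnel is
  # restarted, and only when its config file actually changed.
  exec { "openvpn-restart-${name}":
    command     => "/etc/init.d/openvpn restart ${name}",
    refreshonly => true,
    require     => Service['openvpn'],
  }
}

# Usage (constructed): two independent tunnels, each restarted on its own.
openvpn::tunnel { 'host1':
  source => 'puppet:///modules/openvpn/host1.conf',
}
openvpn::tunnel { 'host2':
  source => 'puppet:///modules/openvpn/host2.conf',
}
```

Removing an openvpn::tunnel declaration removes its flag file on the next run (because the directory is purged), so the tunnel no longer autostarts; the running process is not stopped by this manifest, which is the one step David's sketch leaves to an additional exec.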