[COOK-3691] - add LWRP for openvpn_conf

Signed-off-by: Sean OMeara <[email protected]>

Author: Bryce Lynn

README.md

@@ -47,6 +47,7 @@ These attributes are set by the cookbook by default.
 * `node["openvpn"]["signing_ca_key"]` - CA key for signing, default `/etc/openvpn/keys/ca.key`
 * `node["openvpn"]["routes"]` - Array of routes to add as `push` statements in the server.conf. Default is empty.
 * `node["openvpn"]["script_security"]` - Script Security setting to use in server config. Default is 1. The "up" script will not be included in the configuration if this is 0 or 1. Set it to 2 to use the "up" script.
+* `node["openvpn"]["configure_default_server"]` - Boolean.  Set this to false if you want to create all of your "conf" files with the LWRP.
 * `node["openvpn"]["push"]` - DEPRECATED: Use `routes` above. If you're still using this in your roles, the recipe will append to `routes` attribute.
 
 The following attributes are used to populate the `easy-rsa` vars file. Defaults are the same as the vars file that ships with OpenVPN.
@@ -132,6 +133,11 @@ To further customize the server configuration, there are two templates that can
 The first is the OpenVPN server configuration file. Modify to suit your needs for more advanced features of [OpenVPN](http://openvpn.net). The second is an `up` script run when OpenVPN starts. This is where you can add firewall rules, enable IP forwarding and other OS network settings required for OpenVPN. Attributes in the cookbook are provided as defaults, you can add more via the openvpn role if you need them.
 
 
+Using the LWRP
+--------------
+To create (possibly multiple) "conf" files on a server, use openvpn_conf "name".  See the conf.rb file in the resources directory to find the supported attributes, or add some of your own.  If you don't want to use the default "server.conf" from the default recipe, set `node["openvpn"]["configure_default_server"]` to false, then use the LWRP to configure as many as you like.
+
+
 SSL Certificates
 ----------------
 Some of the easy-rsa tools are copied to /etc/openvpn/easy-rsa to provide the minimum to generate the certificates using the default and users recipes. We provide a Rakefile to make it easier to generate client certificate sets if you're not using the data bags above. To generate new client certificates you will need `rake` installed (either as a gem or a package), then run:

attributes/default.rb

@@ -30,6 +30,8 @@
 default['openvpn']['signing_ca_cert'] = "#{node["openvpn"]["key_dir"]}/ca.crt"
 default['openvpn']['routes']          = []
 default['openvpn']['script_security'] = 1
+# set this to false if you want to just use the lwrp
+default['openvpn']['configure_default_server'] = true
 default['openvpn']['user']            = 'nobody'
 default['openvpn']['group']           = case node['platform_family']
                                         when 'rhel'

metadata.rb

@@ -92,6 +92,12 @@
           :default      => '1',
           :recipes      => ['openvpn::default']
 
+attribute 'openvpn/configure_default_server',
+          :display_name => 'Configure Default Server',
+          :description => 'Boolean to determine whether the default recipe will create a "conf" file for the default server. Set to false if you want to use only the LWRP to create the conf files.',
+          :default => 'true',
+          :recipes => ['openvpn::default']
+
 attribute 'openvpn/key/ca_expire',
           :display_name => 'OpenVPN Root CA Expiry',
           :description  => 'In how many days should the root CA key expire',

providers/conf.rb

@@ -0,0 +1,54 @@
+#
+# Cookbook Name:: openvpn
+# Provider:: conf
+#
+# Copyright 2013, Tacit Knowledge, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+use_inline_resources
+
+action :create do
+  vars = {
+    :log => new_resource.log, :port => new_resource.port,
+    :proto => new_resource.proto, :type => new_resource.type,
+    :local => new_resource.local, :routes => new_resource.routes,
+    :script_security => new_resource.script_security,
+    :key_dir => new_resource.key_dir, :key_size => new_resource.key_size,
+    :subnet => new_resource.subnet, :netmask => new_resource.netmask,
+    :user => new_resource.user, :group => new_resource.group,
+    :verb => new_resource.verb, :mute => new_resource.mute,
+    :dhcp_dns => new_resource.dhcp_dns, :tls_key => new_resource.tls_key,
+    :dhcp_domain => new_resource.dhcp_domain,
+    :duplicate_cn => new_resource.duplicate_cn,
+    :interface_num => new_resource.interface_num,
+    :client_subnet_route => new_resource.client_subnet_route,
+    :max_clients => new_resource.max_clients,
+    :status_log => new_resource.status_log,
+    :plugins => new_resource.plugins
+  }
+
+  template "/etc/openvpn/#{new_resource.name}.conf" do
+    source 'server.conf.erb'
+    owner 'root'
+    group 'root'
+    mode 0644
+    variables vars
+  end
+end
+
+action :delete do
+  file "/etc/openvpn/#{new_resource.name}.conf" do
+    action :delete
+  end
+end

recipes/default.rb

@@ -119,11 +119,21 @@
   not_if { ::File.exists?("#{key_dir}/server.crt") }
 end
 
-template '/etc/openvpn/server.conf' do
-  source 'server.conf.erb'
-  owner  'root'
-  group  'root'
-  mode   '0644'
+openvpn_conf 'server' do
+  port node['openvpn']['port']
+  proto node['openvpn']['proto']
+  type node['openvpn']['type']
+  local node['openvpn']['local']
+  routes node['openvpn']['routes']
+  script_security node['openvpn']['script_security']
+  key_dir node['openvpn']['key_dir']
+  key_size node['openvpn']['key']['size']
+  subnet node['openvpn']['subnet']
+  netmask node['openvpn']['netmask']
+  user node['openvpn']['user']
+  group node['openvpn']['group']
+  log node['openvpn']['log']
+  only_if { node['openvpn']['configure_default_server'] }
   notifies :restart, 'service[openvpn]'
 end
 

resources/conf.rb

@@ -0,0 +1,46 @@
+#
+# Cookbook Name:: openvpn
+# Resource:: conf
+#
+# Copyright 2013, Tacit Knowledge, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+actions :create, :delete
+default_action :create
+
+attribute :name, :kind_of => String, :name_attribute => true
+attribute :port, :kind_of => String
+attribute :proto, :kind_of => String
+attribute :type, :kind_of => String
+attribute :local, :kind_of => String
+attribute :routes, :kind_of => Array
+attribute :script_security, :kind_of => Integer
+attribute :key_dir, :kind_of => String
+attribute :key_size, :kind_of => Integer
+attribute :subnet, :kind_of => String
+attribute :netmask, :kind_of => String
+attribute :user, :kind_of => String
+attribute :group, :kind_of => String
+attribute :log, :kind_of => String
+attribute :verb, :kind_of => Integer, :default => 1
+attribute :mute, :kind_of => Integer, :default => 10
+attribute :dhcp_dns, :kind_of => String
+attribute :dhcp_domain, :kind_of => String
+attribute :tls_key, :kind_of => String
+attribute :duplicate_cn, :kind_of => [TrueClass, FalseClass], :default => false
+attribute :interface_num, :kind_of => Integer
+attribute :client_subnet_route, :kind_of => String
+attribute :max_clients, :kind_of => Integer
+attribute :status_log, :kind_of => String, :default => '/etc/openvpn/openvpn-status.log'
+attribute :plugins, :kind_of => Array, :default => []

templates/default/server.conf.erb

@@ -2,50 +2,73 @@
 #
 # Generated by Chef - local changes will be overwritten
 
-port <%= node['openvpn']['port'] %>
-proto <%= node['openvpn']['proto'] %>
-<% if node['openvpn']['type'] == 'server-bridge' -%>
-dev tap
+port <%= @port %>
+proto <%= @proto %>
+<% if @type == "server-bridge" -%>
+dev tap<%= @interface_num %>
 <% else -%>
-dev tun
+dev tun<%= @interface_num %>
+<% end -%>
+<% @plugins.each do |p| -%>
+plugin <%= p %>
 <% end -%>
 keepalive 10 120
+<% if @max_clients -%>
+max-clients <%= @max_clients %>
+<% end -%>
 comp-lzo
-local <%= node['openvpn']['local'] %>
-<% if node['openvpn']['routes'] -%>
-<% node['openvpn']['routes'].each do |route| -%>
+local <%= @local %>
+<% if @routes -%>
+<% @routes.each do |route| -%>
 <%= route %>
 <% end -%>
 <% end -%>
-<% if node['openvpn']['script_security'] > 1 -%>
+<% if @script_security > 1 -%>
 up /etc/openvpn/server.up.sh
 <% end -%>
 
+<% if @dhcp_dns -%>
+push "dhcp-option DNS <%= @dhcp_dns %>"
+<% end -%>
+<% if @dhcp_domain -%>
+push "dhcp-option DOMAIN <%= @dhcp_domain %>"
+<% end -%>
+<% if @duplicate_cn -%>
+duplicate-cn
+<% end -%>
+<% if @client_subnet_route -%>
+client-config-dir ccd
+route <%= @client_subnet_route %>
+<% end -%>
+
 # Keys and certificates.
-ca   <%= node['openvpn']['key_dir'] %>/ca.crt
-key  <%= node['openvpn']['key_dir'] %>/server.key # This file should be kept secret.
-cert <%= node['openvpn']['key_dir'] %>/server.crt
-dh   <%= node['openvpn']['key_dir'] %>/dh<%= node['openvpn']['key']['size'] %>.pem
+ca   <%= @key_dir %>/ca.crt
+key  <%= @key_dir %>/server.key # This file should be kept secret.
+cert <%= @key_dir %>/server.crt
+dh   <%= @key_dir %>/dh<%= @key_size %>.pem
+<% if @tls_key -%>
+tls-auth <%= @tls_key %> 0
+<% end -%>
 
 ifconfig-pool-persist /etc/openvpn/ipp.txt
 
-<% if node['openvpn']['type'] == 'server' -%>
-<%= node['openvpn']['type'] %> <%= node['openvpn']['subnet'] %> <%= node['openvpn']['netmask'] %>
+<% if @type == "server" -%>
+<%= @type %> <%= @subnet %> <%= @netmask %>
 <% end -%>
 
-user <%= node['openvpn']['user'] %>
-group <%= node['openvpn']['group'] %>
+user <%= @user %>
+group <%= @group %>
 
 # avoid accessing certain resources on restart
 persist-key
 persist-tun
 
 # current client connections
-status /etc/openvpn/openvpn-status.log
+status <%= @status_log %>
 
 # logging settings.
-log-append  <%= node['openvpn']['log'] %>
-verb 1  # don't spam the log with messages.
-mute 10 # suppress identical messages > 10 occurances.
+log-append  <%= @log %>
+verb <%= @verb %>  # don't spam the log with messages.
+mute <%= @mute %>  # suppress identical messages > 10 occurances.
 
-script-security <%= node['openvpn']['script_security'] %>
+script-security <%= @script_security %>