From f56d5f6a739fea3741ac08eeea97bf38a28d6cdf Mon Sep 17 00:00:00 2001 From: Leonardo Mendes Date: Sat, 14 Oct 2023 21:12:50 -0300 Subject: [PATCH] Add puppet package zitrlp-strongswan This change adds the package zitrlp-strongswan. This module allows management of strongswan on Debian via swanctl / VICI. Test Plan: PASS: downloader PASS: build-pkgs --clean --all PASS: build-image PASS: Run full build, system install, bootstrap and unlock SX system PASS: Run command "puppet module list | grep strongswan" PASS: Create a puppet manifest file responsible for creating and configuring each one of the strongswan and swanctl config files. Copy the manifest to /usr/share/puppet/modules/platform/manifest directory. Run "sudo puppet apply -e "include ::platform::strongswan"" command. Observe that the files /etc/swanctl/swanctl.conf, /etc/strongswan.conf, /etc/strongswan.d/charon.conf and /etc/strongswan.d/charon-loggings.conf were updated according with the specifications of the implemented manifest. Story: 2010940 Task: 48987 Change-Id: I3fac6d5ec514a9a7ab237b0c83dda61d042d4fcf 
Signed-off-by: Leonardo Mendes
---
 .../debian/deb_folder/changelog | 5 +
 .../debian/deb_folder/control | 15 ++
 .../debian/deb_folder/copyright | 29 ++++
 ...1-Add-classes-to-update-config-files.patch | 146 ++++++++++++++++++
 .../debian/deb_folder/patches/series | 1 +
 .../puppet-zitrlp-strongswan.install | 3 +
 .../puppet-zitrlp-strongswan.postinst | 13 ++
 .../puppet-zitrlp-strongswan.postrm | 13 ++
 .../deb_folder/puppet-zitrlp-strongswan.prerm | 13 ++
 .../debian/deb_folder/rules | 7 +
 .../debian/meta_data.yaml | 10 ++
 debian_iso_image.inc | 3 +
 debian_pkg_dirs | 1 +
 13 files changed, 259 insertions(+)
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/changelog
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/control
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/copyright
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/0001-Add-classes-to-update-config-files.patch
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/series
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.install
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postinst
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postrm
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.prerm
 create mode 100755 config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/rules
 create mode 100644 config/puppet-modules/puppet-zitrlp-strongswan/debian/meta_data.yaml
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/changelog b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/changelog
new file mode 100644
index 000000000..50568b9b5
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/changelog
@@ -0,0 +1,5 @@
+puppet-zitrlp-strongswan (0.1.0) UNRELEASED; urgency=medium
+
+ * Initial release.
+
+ -- Leonardo Mendes Sun, 15 Oct 2023 12:33:51 -0300
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/control b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/control
new file mode 100644
index 000000000..f9b6d0ac6
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/control
@@ -0,0 +1,15 @@
+Source: puppet-zitrlp-strongswan
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.4.1
+Homepage: https://www.starlingx.io
+
+Package: puppet-zitrlp-strongswan
+Architecture: any
+Depends: puppet (>= 5.2.22),
+ puppet-module-puppetlabs-stdlib,
+ ${misc:depends}
+Description: Puppet module named puppet-zitrlp-strongswan
+ This module allows management of strongswan on Debian via swanctl / VICI, route-based or otherwise.
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/copyright b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/copyright
new file mode 100644
index 000000000..9fff2fa5a
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/copyright
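Review bot: The `Depends:` field in the new control file ends with `${misc:depends}`, but dpkg substvars are case-sensitive and debhelper only defines `${misc:Depends}`, so the variable is never substituted and any dependency debhelper computes for this package is silently dropped (dpkg-gencontrol only warns). The line should read ` ${misc:Depends}`. Separately, `Architecture: any` makes an arch-dependent package out of what the .install hunk ships as manifests, lib and metadata.json only; unless the upstream tarball contains compiled code, `Architecture: all` is the conventional choice and avoids one build per architecture.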
@@ -0,0 +1,29 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Upstream-Name: puppet-zitrlp-strongswan
+Upstream-Contact: Jan-Martin Rämer (https://software.service.zit-rlp.de/jra)
+Source: https://software.service.zit-rlp.de/puppet/strongswan
+Files: *
+Copyright: (C) 2023 Jan-Martin Rämer (https://software.service.zit-rlp.de/jra)
+License: GPL-3.0
+
+Upstream-Name: puppet-zitrlp-strongswan
+Upstream-Contact: StarlingX Developers
+Source: https://opendev.org/starlingx/integ/src/branch/master/config/puppet-modules/puppet-zitrlp-strongswan
+Files: debian/*
+Copyright: (c) 2023 Wind River Systems, Inc.
+License: GPL-3.0
+
+License: GPL-3.0
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/0001-Add-classes-to-update-config-files.patch b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/0001-Add-classes-to-update-config-files.patch
new file mode 100644
index 000000000..851c81b43
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/0001-Add-classes-to-update-config-files.patch
@@ -0,0 +1,146 @@
+From c02bf3a61dafb0dee6362c0bb63e782abe3090f2 Mon Sep 17 00:00:00 2001
+From: Leonardo Mendes
+Date: Tue, 17 Oct 2023 14:18:54 -0300
+Subject: [PATCH] Add classes to update config files
+
+---
+ manifests/charon.pp | 12 ++++++++++++
+ manifests/charon_logging.pp | 12 ++++++++++++
+ manifests/init.pp | 37 ++-----------------------------------
+ manifests/swanctl.pp | 22 ++++++++++++++++++++++
+ 4 files changed, 48 insertions(+), 35 deletions(-)
+ create mode 100644 manifests/charon.pp
+ create mode 100644 manifests/charon_logging.pp
+ create mode 100644 manifests/swanctl.pp
+
+diff --git a/manifests/charon.pp b/manifests/charon.pp
+new file mode 100644
+index 0000000..d1f6dcc
+--- /dev/null
++++ b/manifests/charon.pp
+@@ -0,0 +1,12 @@
++# @param charon_options configure other attributes in charon.conf.
++class strongswan::charon (
++ Hash $charon_options = {},
++) {
++ file { '/etc/strongswan.d/charon.conf':
++ owner => 'root',
++ mode => '0600',
++ content => strongswan::hash_to_strongswan_config({
++ charon => $charon_options,
++ }),
++ }
++}
+diff --git a/manifests/charon_logging.pp b/manifests/charon_logging.pp
+new file mode 100644
+index 0000000..b454f2b
+--- /dev/null
++++ b/manifests/charon_logging.pp
+@@ -0,0 +1,12 @@
++# @param charon_logging configure file charon-logging.conf.
++class strongswan::charon_logging (
++ Hash $charon_logging = {},
++) {
++ file { '/etc/strongswan.d/charon-logging.conf':
++ owner => 'root',
++ mode => '0600',
++ content => strongswan::hash_to_strongswan_config({
++ charon => $charon_logging,
++ }),
++ }
++}
+diff --git a/manifests/init.pp b/manifests/init.pp
+index 08002a3..27904e4 100644
+--- a/manifests/init.pp
++++ b/manifests/init.pp
+@@ -23,12 +23,6 @@
+ # @param sw_collector sw-collector block in strongswan.conf.
+ # @param starter starter block in strongswan.conf.
+ # @param swanctl swanctl block in strongswan.conf.
+-# @param authorities authorities block in swanctl.conf.
+-# @param connections connections block in swanctl.conf. Besides keys allowed in swanctl, these ones are added:
+-# * base_interface: base interface for xfrm device.
+-# * if_id: interface ID for xfrm device used for in and out. In swanctl.conf, this value is used for id_id_in and if_id_out.
+-# @param secrets secrets block in swanctl.conf.
+-# @param pools pools block in swanctl.conf.
+ # @param route_based Whether route based VPN is configured.
+ # @param xfrm_default_base_interface XRFM base interface used if none is specified in connection.
+ #
+@@ -58,25 +52,9 @@ class strongswan (
+ Hash $connections = {},
+ Hash $secrets = {},
+ Hash $pools = {},
+- Boolean $route_based = false,
+ String $xfrm_default_base_interface = 'lo',
++ String $strongswan_include = 'strongswan.d/*.conf',
+ ) {
+- ensure_packages(['strongswan-swanctl', 'charon-systemd'])
+- service { ['ipsec,', 'strongswan-starter']:
+- ensure => stopped,
+- enable => false,
+- }
+- service { 'strongswan':
+- ensure => running,
+- enable => true,
+- }
+- if ($route_based) {
+- $d = strongswan::extract_xfrm_devices_from_connections($connections, $xfrm_default_base_interface)
+- $_connections = $d['connections']
+- ensure_resources('strongswan::xfrm', $d['xfrm'])
+- } else {
+- $_connections = $connections
+- }
+ file { '/etc/strongswan.conf':
+ owner => 'root',
+ mode => '0600',
+@@ -100,18 +78,7 @@ class strongswan (
+ sw-collector => $sw_collector,
+ starter => $starter,
+ swanctl => $swanctl,
++ strongswan_include => $strongswan_include,
+ }),
+- notify => Service['strongswan'],
+- }
+- file { '/etc/swanctl/swanctl.conf':
+- owner => 'root',
+- mode => '0600',
+- content => strongswan::hash_to_strongswan_config({
+- authorities => $authorities,
+- connections => $_connections,
+- secrets => $secrets,
+- pools => $pools,
+- }),
+- notify => Service['strongswan'],
+ }
+ }
+diff --git a/manifests/swanctl.pp b/manifests/swanctl.pp
+new file mode 100644
+index 0000000..f85e7e3
+--- /dev/null
++++ b/manifests/swanctl.pp
+@@ -0,0 +1,22 @@
++# @param authorities authorities block in swanctl.conf.
++# @param connections connections block in swanctl.conf.
++# @param secrets secrets block in swanctl.conf.
++# @param pools pools block in swanctl.conf.
++
++class strongswan::swanctl (
++ Hash $authorities = {},
++ Hash $connections = {},
++ Hash $secrets = {},
++ Hash $pools = {},
++) {
++ file { '/etc/swanctl/swanctl.conf':
++ owner => 'root',
++ mode => '0600',
++ content => strongswan::hash_to_strongswan_config({
++ authorities => $authorities,
++ connections => $connections,
++ secrets => $secrets,
++ pools => $pools,
++ }),
++ }
++}
+--
+2.25.1
+
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/series b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/series
new file mode 100644
index 000000000..dca0d888c
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/patches/series
@@ -0,0 +1 @@
+0001-Add-classes-to-update-config-files.patch
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.install b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.install
new file mode 100644
index 000000000..c225a418d
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.install
@@ -0,0 +1,3 @@
+metadata.json usr/share/puppet/modules.available/puppet-zitrlp-strongswan
+lib usr/share/puppet/modules.available/puppet-zitrlp-strongswan
+manifests usr/share/puppet/modules.available/puppet-zitrlp-strongswan
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postinst b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postinst
new file mode 100644
index 000000000..e4e90af03
--- /dev/null
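Review bot: The embedded patch removes `notify => Service['strongswan']` from the `/etc/strongswan.conf` resource in init.pp together with the `service { 'strongswan': ... }` resource, and none of the new `strongswan::swanctl`, `strongswan::charon` or `strongswan::charon_logging` classes notify anything either, so a rewritten swanctl.conf, charon.conf or charon-logging.conf is placed on disk but the running charon keeps its previously loaded connections, secrets and logging settings until something outside this module reloads it. If the service is now meant to be managed by the caller, the file resources should at least expose a hook for it, e.g. `notify => Service['strongswan'],` on each `file` resource or a documented requirement that the including manifest runs the swanctl reload; the test plan only checks file contents, so this gap would not be caught. The same init.pp hunks also leave the docs and interface inconsistent: `@param route_based` is kept although `Boolean $route_based` is removed, `$xfrm_default_base_interface` and the `$authorities`/`$connections`/`$secrets`/`$pools` parameters of `class strongswan` are no longer referenced, and the new `String $strongswan_include` has no `@param` line. Finally, `strongswan_include => $strongswan_include` is passed as an ordinary key to `strongswan::hash_to_strongswan_config`, and whether that helper renders it as an `include strongswan.d/*.conf` directive rather than a literal `strongswan_include = ...` setting cannot be confirmed from this hunk; the enclosing `class strongswan` body starts and ends outside the visible hunks.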
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+# see: dh_installdeb(1)
+
+set -e
+
+if [ "${1}" = "configure" ] ; then
+ update-alternatives --install /usr/share/puppet/modules/strongswan puppet-module-zitrlp-strongswan \
+ /usr/share/puppet/modules.available/puppet-zitrlp-strongswan 500
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postrm b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postrm
new file mode 100644
index 000000000..8fc4cdb75
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.postrm
@@ -0,0 +1,13 @@
+#!/bin/sh
+# see: dh_installdeb(1)
+
+set -e
+
+if [ "${1}" = "remove" ] || [ "${1}" = "disappear" ]; then
+ update-alternatives --remove puppet-module-zitrlp-strongswan \
+ /usr/share/puppet/modules.available/puppet-zitrlp-strongswan
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.prerm b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.prerm
new file mode 100644
index 000000000..089296efb
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/puppet-zitrlp-strongswan.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh
+# see: dh_installdeb(1)
+
+set -e
+
+if [ "${1}" = "remove" ] || [ "${1}" = "upgrade" || [ "${1}" = "deconfigure" ]; then
+ update-alternatives --remove puppet-module-zitrlp-strongswan \
+ /usr/share/puppet/modules.available/puppet-zitrlp-strongswan
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/rules b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/rules
new file mode 100755
index 000000000..f00dbc24f
--- /dev/null
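Review bot: The `if` line of the new prerm is missing the closing `]` after `"upgrade"`, so for `$1 = upgrade` the second test is `[ "upgrade" = "upgrade" ||` which fails with "missing ]" instead of matching, and the alternative is not removed before the package is upgraded. Because the broken test sits inside an `||` list, `set -e` does not abort the script, so the maintainer-script run looks successful apart from a stderr line. The line should be `if [ "${1}" = "remove" ] || [ "${1}" = "upgrade" ] || [ "${1}" = "deconfigure" ]; then`; the sibling postinst and postrm hunks are written correctly.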
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/deb_folder/rules
@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#export DH_VERBOSE = 1
+
+%:
+ dh $@
diff --git a/config/puppet-modules/puppet-zitrlp-strongswan/debian/meta_data.yaml b/config/puppet-modules/puppet-zitrlp-strongswan/debian/meta_data.yaml
new file mode 100644
index 000000000..1af80262d
--- /dev/null
+++ b/config/puppet-modules/puppet-zitrlp-strongswan/debian/meta_data.yaml
@@ -0,0 +1,10 @@
+---
+debname: puppet-zitrlp-strongswan
+debver: 0.1.0
+dl_path:
+ name: zitrlp-strongswan-0.1.0.tar.gz
+ url: https://forge.puppet.com/v3/files/zitrlp-strongswan-0.1.0.tar.gz
+ sha256sum: bf145ac0f974cd2f0fa3a1f8da2d5cb86fcd2d9c116d737839c3ea5decd298d5
+revision:
+ dist: $STX_DIST
+ BASE_SRCREV: 9ddd3705b5dcb2b13741fb5698809c101267ef26
diff --git a/debian_iso_image.inc b/debian_iso_image.inc
index e5af41d28..92474c597 100644
--- a/debian_iso_image.inc
+++ b/debian_iso_image.inc
@@ -350,6 +350,9 @@ puppet-module-puppetlabs-postgresql #puppetlabs-stdlib-5.0.0 puppet-module-puppetlabs-stdlib +#puppet-zitrlp-strongswan +puppet-zitrlp-strongswan + #python-docker python3-docker
diff --git a/debian_pkg_dirs b/debian_pkg_dirs
index 8b5cdf8ca..e4be48190 100644
--- a/debian_pkg_dirs
+++ b/debian_pkg_dirs
@@ -38,6 +38,7 @@ config/puppet-modules/puppet-network
 config/puppet-modules/puppet-puppi
 config/puppet-modules/puppet-rabbitmq-8.5.0
 config/puppet-modules/puppet-staging
+config/puppet-modules/puppet-zitrlp-strongswan
 docker/python-docker
 filesystem/drbd/drbd-tools
 filesystem/luks