construqt 0.0.1

  1. checksums.yaml +7 -0
  2. data/lib/construqt/addresses.rb +204 -0
  3. data/lib/construqt/bgps.rb +164 -0
  4. data/lib/construqt/cables.rb +47 -0
  5. data/lib/construqt/firewalls.rb +247 -0
  6. data/lib/construqt/flavour/ciscian/ciscian.rb +687 -0
  7. data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +235 -0
  8. data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +114 -0
  9. data/lib/construqt/flavour/delegates.rb +448 -0
  10. data/lib/construqt/flavour/flavour.rb +97 -0
  11. data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +417 -0
  12. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +134 -0
  13. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +79 -0
  14. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_ipsec.rb +65 -0
  15. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +182 -0
  16. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +355 -0
  17. data/lib/construqt/flavour/plantuml/plantuml.rb +462 -0
  18. data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +381 -0
  19. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +117 -0
  20. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +97 -0
  21. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +300 -0
  22. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +144 -0
  23. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +60 -0
  24. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +537 -0
  25. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +115 -0
  26. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +52 -0
  27. data/lib/construqt/flavour/unknown/unknown.rb +175 -0
  28. data/lib/construqt/hostid.rb +42 -0
  29. data/lib/construqt/hosts.rb +98 -0
  30. data/lib/construqt/interfaces.rb +166 -0
  31. data/lib/construqt/ipsecs.rb +64 -0
  32. data/lib/construqt/networks.rb +81 -0
  33. data/lib/construqt/regions.rb +32 -0
  34. data/lib/construqt/resource.rb +42 -0
  35. data/lib/construqt/services.rb +53 -0
  36. data/lib/construqt/tags.rb +61 -0
  37. data/lib/construqt/templates.rb +37 -0
  38. data/lib/construqt/tests/test_addresses.rb +50 -0
  39. data/lib/construqt/tests/test_bgps.rb +24 -0
  40. data/lib/construqt/tests/test_hostid.rb +32 -0
  41. data/lib/construqt/tests/test_hosts.rb +23 -0
  42. data/lib/construqt/tests/test_utils.rb +76 -0
  43. data/lib/construqt/users.rb +19 -0
  44. data/lib/construqt/util.rb +163 -0
  45. data/lib/construqt/version.rb +3 -0
  46. data/lib/construqt/vlans.rb +51 -0
  47. data/lib/construqt.rb +92 -0
  48. metadata +105 -0
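--- a/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb
+++ b/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb
@@ -0,0 +1,300 @@
+module Construqt
+module Flavour
+module Ubuntu
+
+module Firewall
+class ToFrom
+include Util::Chainable
+chainable_attr_value :begin, nil
+chainable_attr_value :begin_to, nil
+chainable_attr_value :begin_from, nil
+chainable_attr_value :middle, nil
+chainable_attr_value :middle_to, nil
+chainable_attr_value :middle_from, nil
+chainable_attr_value :end, nil
+chainable_attr_value :end_to, nil
+chainable_attr_value :end_from, nil
+chainable_attr_value :factory, nil
+chainable_attr_value :ifname, nil
+chainable_attr_value :interface, nil
+chainable_attr :output_only, true, false
+chainable_attr :input_only, true, false
+chainable_attr_value :output_ifname_direction, "-i"
+chainable_attr_value :input_ifname_direction, "-o"
+
+def only_in_out(rule)
+output_only rule.output_only?
+input_only rule.input_only?
+self
+end
+
+def space_before(str)
+if str.nil? or str.empty?
+""
+else
+" "+str.strip
+end
+end
+
+def push_begin_to(str)
+begin_to(get_begin_to + space_before(str))
+end
+
+def push_begin_from(str)
+begin_from(get_begin_from + space_before(str))
+end
+
+def push_middle_to(str)
+middle_to(get_middle_to + space_before(str))
+end
+
+def push_middle_from(str)
+middle_from(get_middle_from + space_before(str))
+end
+
+def push_end_to(str)
+end_to(get_end_to + space_before(str))
+end
+
+def push_end_from(str)
+end_from(get_end_from + space_before(str))
+end
+
+def get_begin_to
+return space_before(@begin_to) if @begin_to
+return space_before(@begin)
+end
+
+def get_begin_from
+return space_before(@begin_from) if @begin_from
+return space_before(@begin)
+end
+
+def get_middle_to
+return space_before(@middle_to) if @middle_to
+return space_before(@middle)
+end
+
+def get_middle_from
+return space_before(@middle_from) if @middle_from
+return space_before(@middle)
+end
+
+def get_end_to
+return space_before(@end_to) if @end_to
+return space_before(@end)
+end
+
+def get_end_from
+return space_before(@end_from) if @end_from
+return space_before(@end)
+end
+
+def bind_interface(ifname, iface, rule)
+self.interface(iface)
+self.ifname(ifname)
+if rule.from_is_inbound?
+output_ifname_direction("-i")
+input_ifname_direction("-o")
+else
+output_ifname_direction("-o")
+input_ifname_direction("-i")
+end
+end
+
+def output_ifname
+return space_before("#{@output_ifname_direction} #{@ifname}") if @ifname
+return ""
+end
+
+def input_ifname
+return space_before("#{@input_ifname_direction} #{@ifname}") if @ifname
+return ""
+end
+
+def has_to?
+@begin || @begin_to || @middle || @middle_to || @end || @end_to
+end
+
+def has_from?
+@begin || @begin_from || @middle || @middle_from || @end || @end_from
+end
+
+def factory!
+get_factory.create
+end
+end
+
+def self.write_table(iptables, rule, to_from)
+family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
+if rule.from_interface?
+#binding.pry
+from_list = IPAddress::IPv4::summarize(
+*(iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s).map do |adr|
+adr.to_string
+end)
+else
+from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
+end
+
+to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
+#puts ">>>>>#{from_list.inspect}"
+#puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
+action_i = action_o = rule.get_action
+if to_list.empty? && from_list.empty?
+#puts "write_table=>o:#{to_from.output_only?}:#{to_from.output_ifname} i:#{to_from.input_only?}:#{to_from.input_ifname}"
+if to_from.output_only?
+to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from}#{to_from.get_middle_to} -j #{rule.get_action}#{to_from.get_end_to}")
+end
+
+if to_from.input_only?
+to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_from.get_middle_from} -j #{rule.get_action}#{to_from.get_end_from}")
+end
+end
+
+if to_list.length > 1
+action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
+action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
+to_list.each do |ip|
+if to_from.output_only?
+to_from.factory!.table(action_o).row("#{to_from.output_ifname} -d #{ip.to_string} -j #{rule.get_action}")
+end
+
+if to_from.input_only?
+to_from.factory!.table(action_i).row("#{to_from.input_ifname} -s #{ip.to_string} -j #{rule.get_action}")
+end
+end
+
+elsif to_list.length == 1
+from_dst = " -d #{to_list.first.to_string}"
+to_src = " -s #{to_list.first.to_string}"
+else
+from_dst = to_src =""
+end
+
+from_list.each do |ip|
+if to_from.output_only?
+to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from} -s #{ip.to_string}#{from_dst}#{to_from.get_middle_from} -j #{action_o}#{to_from.get_end_to}")
+end
+
+if to_from.input_only?
+to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_src} -d #{ip.to_string}#{to_from.get_middle_to} -j #{action_i}#{to_from.get_end_from}")
+end
+end
+end
+
+def self.write_raw(raw, ifname, iface, writer)
+# puts ">>>RAW #{iface.name} #{raw.firewall.name}"
+raw.rules.each do |rule|
+throw "ACTION must set #{ifname}" unless rule.get_action
+if rule.prerouting?
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+#puts "PREROUTING #{to_from.inspect}"
+write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
+write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
+end
+
+if rule.output?
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+write_table("iptables", rule, to_from.factory(writer.ipv4.output))
+write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
+end
+end
+end
+
+def self.write_nat(nat, ifname, iface, writer)
+nat.rules.each do |rule|
+throw "ACTION must set #{ifname}" unless rule.get_action
+throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
+if rule.to_source? && rule.postrouting?
+src = iface.address.ips.select{|ip| ip.ipv4?}.first
+throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
+to_from = ToFrom.new.only_in_out(rule).end_to("--to-source #{src}")
+.ifname(ifname).factory(writer.ipv4.postrouting)
+write_table("iptables", rule, to_from)
+end
+end
+end
+
+def self.protocol_loop(rule)
+protocol_loop = []
+if !rule.tcp? && !rule.udp?
+protocol_loop << ''
+else
+protocol_loop << '-p tcp' if rule.tcp?
+protocol_loop << '-p udp' if rule.udp?
+end
+
+protocol_loop
+end
+
+def self.write_forward(forward, ifname, iface, writer)
+forward.rules.each do |rule|
+throw "ACTION must set #{ifname}" unless rule.get_action
+#puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
+if rule.get_log
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+.end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+.end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
+write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
+end
+
+protocol_loop(rule).each do |protocol|
+#binding.pry
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+to_from.push_begin_to(protocol)
+to_from.push_begin_from(protocol)
+if rule.get_ports && !rule.get_ports.empty?
+to_from.push_middle_from("-dports #{rule.get_ports.join(",")}")
+to_from.push_middle_to("-dports #{rule.get_ports.join(",")}")
+end
+
+if rule.connection?
+to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
+to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
+end
+
+write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
+write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
+end
+end
+end
+
+def self.write_host(host, ifname, iface, writer)
+host.rules.each do |rule|
+in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+if rule.get_log
+#binding.pry
+l_in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+.end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+l_out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+.end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+write_table("iptables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv4.input))
+write_table("iptables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv4.output))
+write_table("ip6tables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv6.input))
+write_table("ip6tables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv6.output))
+end
+
+write_table("iptables", rule, in_to_from.factory(writer.ipv4.input))
+write_table("iptables", rule, out_to_from.factory(writer.ipv4.output))
+write_table("ip6tables", rule, in_to_from.factory(writer.ipv6.input))
+write_table("ip6tables", rule, out_to_from.factory(writer.ipv6.output))
+end
+end
+
+def self.create(host, ifname, iface)
+throw 'interface must set' unless ifname
+writer = iface.host.result.etc_network_iptables
+iface.firewalls && iface.firewalls.each do |firewall|
+firewall.get_raw && Firewall.write_raw(firewall.get_raw, ifname, iface, writer.raw)
+firewall.get_nat && Firewall.write_nat(firewall.get_nat, ifname, iface, writer.nat)
+firewall.get_forward && Firewall.write_forward(firewall.get_forward, ifname, iface, writer.filter)
+firewall.get_host && Firewall.write_host(firewall.get_host, ifname, iface, writer.filter)
+end
+end
+end
+end
+end
+end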
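Review bot: `throw "ACTION must set #{ifname}"` in write_raw, write_nat and write_forward, and `throw 'interface must set'` in create, use Ruby's catch/throw with a String tag; with no enclosing `catch` this surfaces as an UncaughtThrowError rather than the intended validation error, so each should be `raise "ACTION must set #{ifname}"` (the same pattern is in build_config of flavour_ubuntu_ipsec.rb). The port match emitted by write_forward, `-dports #{rule.get_ports.join(",")}`, looks like a typo for `--dports`, which in iptables also needs `-m multiport` in front of it; as written the rule would likely be rejected or match something other than the configured ports, so this should be checked against a generated ruleset. The per-rule chain names in write_table, `"I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"`, are derived from object_id, so the generated ruleset differs on every run and cannot be diffed or audited against a previous build; deriving the suffix from a stable rule attribute (its position in the firewall, for instance) would make the output reproducible. The `IPAddress::IPv4::summarize` call in write_table is also applied to the v6 address list when iptables is "ip6tables"; whether it handles IPv6 strings is not visible here and should be confirmed.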
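--- a/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb
+++ b/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb
@@ -0,0 +1,144 @@
+
+module Construqt
+module Flavour
+module Ubuntu
+class Ipsec < OpenStruct
+def initialize(cfg)
+super(cfg)
+end
+
+def self.header(host)
+addrs = {}
+host.interfaces.values.each do |iface|
+iface = iface.delegate
+next unless iface.cfg
+next unless iface.cfg.kind_of? Construqt::Ipsec
+if iface.remote.first_ipv4
+addrs[iface.remote.first_ipv4.to_s] = "isakmp #{self.remote.first_ipv4.to_s} [500];"
+end
+if iface.remote.first_ipv6
+addrs[iface.remote.first_ipv6.to_s] = "isakmp #{self.remote.first_ipv6.to_s} [500];"
+end
+end
+return if addrs.empty?
+self.host.result.add(self, <<HEADER, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+# do not edit generated filed #{path}
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+log info;
+listen {
+#{Util.indent(addrs.keys.sort.map{|k| addrs[k] }.join("\n"), " ")}
+strict_address;
+}
+HEADER
+end
+
+# def build_gre_config()
+# iname = Util.clean_if("gt", self.other.host.name)
+# writer = self.host.result.delegate.etc_network_interfaces.get(self.interface)
+# writer.lines.add(<<UP)
+#up ip -6 tunnel add #{iname} mode ip6gre local #{self.my.first_ipv6} remote #{self.other.my.first_ipv6}
+#up ip -6 addr add #{self.my.first_ipv6.to_string} dev #{iname}
+#up ip -6 link set dev #{iname} up
+#UP
+# writer.lines.add(<<DOWN)
+#down ip -6 tunnel del #{iname}
+#DOWN
+# end
+
+def build_racoon_config(remote_ip)
+#binding.pry
+self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+# #{self.cfg.name}
+remote #{remote_ip} {
+exchange_mode main;
+lifetime time 24 hour;
+
+proposal_check strict;
+dpd_delay 30;
+ike_frag on; # use IKE fragmentation
+proposal {
+encryption_algorithm aes256;
+hash_algorithm sha1;
+authentication_method pre_shared_key;
+dh_group modp1536;
+}
+}
+RACOON
+end
+
+def from_to_sainfo(my_ip, other_ip)
+if my_ip.network.to_s == other_ip.network.to_s
+my_ip_str = my_ip.to_s
+other_ip_str = other_ip.to_s
+else
+my_ip_str = my_ip.to_string
+other_ip_str = other_ip.to_string
+end
+
+self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+sainfo address #{my_ip_str} any address #{other_ip_str} any {
+pfs_group 5;
+encryption_algorithm aes256;
+authentication_algorithm hmac_sha1;
+compression_algorithm deflate;
+lifetime time 1 hour;
+}
+RACOON
+end
+
+def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
+host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+if my.network.to_s == other.network.to_s
+spdadd = "spdadd #{my.to_s} #{other.to_s} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
+else
+spdadd = "spdadd #{my.to_string} #{other.to_string} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
+end
+
+host.result.add(self, spdadd, Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+end
+
+def build_policy(remote_my, remote_other, my, other)
+#binding.pry
+my.ips.each do |my_ip|
+other.ips.each do |other_ip|
+next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
+from_to_sainfo(my_ip, other_ip)
+end
+end
+
+other.ips.each do |other_ip|
+my.ips.each do |my_ip|
+next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
+from_to_sainfo(other_ip, my_ip)
+end
+end
+end
+
+def build_config(unused, unused2)
+# build_gre_config()
+#binding.pry
+if self.other.remote.first_ipv6
+build_racoon_config(self.other.remote.first_ipv6.to_s)
+host.result.add(self, <<IPV6, Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
+# #{self.cfg.name}
+#{self.other.remote.first_ipv6.to_s} #{Util.password(self.cfg.password)}
+IPV6
+build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
+elsif self.other.remote.first_ipv4
+build_racoon_config(self.other.remote.first_ipv4.to_s)
+host.result.add(self, <<IPV4, Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
+# #{self.cfg.name}
+#{self.other.remote.first_ipv4.to_s} #{Util.password(self.cfg.password)}
+IPV4
+build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
+else
+throw "ipsec need a remote address"
+end
+end
+end
+end
+end
+end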
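Review bot: `self.header(host)` is a class method, yet its body calls `self.remote.first_ipv4`, `self.remote.first_ipv6` and `self.host.result.add(self, ...)`, where `self` is the Ipsec class and not an instance; from the surrounding loop these look like they should read `iface.remote.first_ipv4`, `iface.remote.first_ipv6` and `host.result.add(...)`, and the heredoc's `#{path}` has no definition in that scope either, so the method would presumably raise the first time a Construqt::Ipsec interface is present. Separately, the proposals emitted by build_racoon_config and from_to_sainfo hard-code `hash_algorithm sha1;`, `dh_group modp1536;` and `pfs_group 5;` with a 24-hour phase-1 lifetime; these sit below what current IPsec guidance recommends (SHA-2 and a 2048-bit-or-larger MODP or an ECP group), and because they live inside the heredoc a deployment cannot tighten them without patching the generator. A short comment on the heredoc recording that these values are deliberately fixed for peer compatibility, or exposing them through the Ipsec cfg, would make the choice reviewable; the psk.txt file is at least written with ROOT_0600, which is correct for a shared secret.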
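--- a/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb
+++ b/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb
@@ -0,0 +1,60 @@
+
+module Construqt
+module Flavour
+module Ubuntu
+class Opvn < OpenStruct
+def initialize(cfg)
+super(cfg)
+end
+
+def build_config(host, opvn)
+iface = opvn.delegate
+local = iface.ipv6 ? host.id.first_ipv6.first_ipv6 : host.id.first_ipv4.first_ipv4
+return unless local
+push_routes = ""
+if iface.push_routes
+push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
+end
+
+host.result.add(self, iface.cacert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
+host.result.add(self, iface.hostcert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
+host.result.add(self, iface.hostkey, Construqt::Resources::Rights::ROOT_0600, "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
+host.result.add(self, iface.dh1024, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
+host.result.add(self, <<OPVN, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "#{iface.name}.conf")
+daemon
+local #{local}
+proto udp#{local.ipv6? ? '6' : ''}
+port 1194
+mode server
+tls-server
+dev #{iface.name}
+ca /etc/openvpn/ssl/#{iface.name}-cacert.pem
+cert /etc/openvpn/ssl/#{iface.name}-hostcert.pem
+key /etc/openvpn/ssl/#{iface.name}-hostkey.pem
+dh /etc/openvpn/ssl/#{iface.name}-dh1024
+server #{iface.network.first_ipv4.to_s} #{iface.network.first_ipv4.netmask}
+server-ipv6 #{iface.network.first_ipv6.to_string}
+client-to-client
+keepalive 10 30
+cipher AES-128-CBC # AES
+cipher BF-CBC # Blowfish (default)
+comp-lzo
+max-clients 100
+user nobody
+group nogroup
+persist-key
+persist-tun
+status /etc/openvpn/status
+log-append /var/log/openvpn-#{iface.name}.log
+mute 20
+#{push_routes}
+mssfix #{iface.mtu||1348}
+plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
+client-cert-not-required
+script-security 2
+OPVN
+end
+end
+end
+end
+end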
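Review bot: The generated server config in build_config emits `cipher AES-128-CBC # AES` immediately followed by `cipher BF-CBC # Blowfish (default)`; OpenVPN takes the last `cipher` directive it reads, so the AES line is silently overridden and the tunnel runs on Blowfish, a 64-bit-block cipher that is no longer recommended. Removing the second line (`cipher BF-CBC # Blowfish (default)`) restores the evidently intended AES setting. Two further hard-coded choices deserve a comment in the heredoc or a knob on the interface cfg: the `dh /etc/openvpn/ssl/#{iface.name}-dh1024` parameter file is 1024-bit by name, and `client-cert-not-required` together with the `openvpn-plugin-auth-pam.so openvpn` line means a client is admitted on a PAM password alone with no client certificate, which is only acceptable if that is the intended trust model for every interface this generator serves. The `comp-lzo` line enables compression inside the encrypted tunnel, which OpenVPN's own documentation now advises against for confidentiality reasons, so it should at least be opt-in per interface.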