In the case of the module you're using
(https://github.com/luxflux/puppet-openvpn, it appears), and you seem to
have already understood this, the client resource has a hard dependency
on files that should only exist on the server (due to client cert
generation process).
All is really not lost, though. Because the openvpn::client script
generates two files for the openvpn configuration, you can easily enough do:

    case $::role {
      'access': {
        notify { 'Applying access packages': }
        include access_packages
        freebsd::rc_conf { 'test':
          value  => 'yes',
          ensure => 'present',
        }
        openvpn::server { 'winterthur':
          country      => 'CH',
          province     => 'ZH',
          city         => 'Winterthur',
          organization => 'example.org',
          email        => 'r...@example.org',
          server       => '10.200.200.0 255.255.255.0',
        }
        # Export the generated client files so other nodes can collect them.
        openvpn::client { 'client1':
          server => 'winterthur',
        } -> @@file {
          '/etc/openvpn/winterthur/download-configs/client1.ovpn': }
        openvpn::client_specific_config { 'client1':
          server => 'winterthur',
        } -> @@file {
          '/etc/openvpn/winterthur/client-configs/client1': }
      }
      'client': {
        notify { 'Applying client config': }
        # Collect the file resources exported by the 'access' node.
        File <<| name ==
          '/etc/openvpn/winterthur/download-configs/client1.ovpn' |>>
        File <<| name ==
          '/etc/openvpn/winterthur/client-configs/client1' |>>
      }
    }

This will instantiate the files on your client (assuming the server has
applied its manifest successfully) and it can then be the target of an
actual openvpn client configuration. Note that you'll have to do the
latter yourself, as the module you're using doesn't seem to actually
handle OpenVPN client package installation.
The more traditionally puppet way to handle this would be to have the CA
or delegate CA on the puppet server itself, and have it write out such
keys to some place like /etc/puppet/keydist/$fqdn for hosts to pull down
using normal puppet:/// fileserver syntax.
I've not tested my above code, and haven't reviewed the module from
luxflux enough to guarantee that it will work for you. It'd definitely
require some investigation, as you're extending the module a bit beyond
its original intent.
Jeff
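
The keydist approach described in the reply above, sketched as an added example that is not part of the original message or of the luxflux module. It assumes Puppet 3-era fileserver.conf syntax, a hypothetical mount named 'keydist', and a hypothetical client-side path /etc/openvpn/client1.ovpn.

```puppet
# Added example. Assumed names: mount 'keydist', file 'client1.ovpn',
# client path '/etc/openvpn/client1.ovpn'.
#
# On the puppet master, in /etc/puppet/fileserver.conf:
#
#   [keydist]
#     path /etc/puppet/keydist/%H
#     allow *
#
# %H expands to the certname of the requesting agent, so each host is
# served only from its own /etc/puppet/keydist/<certname>/ directory.
# An exported resource, by contrast, can be collected by any node, which
# matters once the file carries a private key.
#
# Keep the tree readable only by the master's service account
# (assumed here to be 'puppet'):
#   chown -R puppet:puppet /etc/puppet/keydist
#   chmod -R go-rwx /etc/puppet/keydist

case $::role {
  'client': {
    file { '/etc/openvpn/client1.ovpn':
      ensure    => file,
      owner     => 'root',
      group     => 0,
      mode      => '0600',
      # Keep key material out of agent logs and reports
      # (the show_diff parameter needs a Puppet version that supports it).
      show_diff => false,
      # puppet:///<mount>/<file>: three slashes mean "the agent's own master".
      source    => 'puppet:///keydist/client1.ovpn',
    }
  }
  default: { }
}
```
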
On 12/09/2013 05:32 PM, Derek Cole wrote:
Hello,
I am not exactly sure how to phrase this, but consider the following:

    case $::role {
      'access': {
        notify { 'Applying access packages': }
        include access_packages
        freebsd::rc_conf { 'test':
          value  => 'yes',
          ensure => 'present',
        }
        openvpn::server { 'winterthur':
          country      => 'CH',
          province     => 'ZH',
          city         => 'Winterthur',
          organization => 'example.org',
          email        => 'r...@example.org',
          server       => '10.200.200.0 255.255.255.0',
        }
      }
      'client': {
        notify { 'Applying client config': }
        openvpn::client { 'client1':
          server => 'winterthur',
        }
      }
    }

What I am trying to do in 'client' case is reference the server that
was defined in the 'access' case. Is this possible? The openvpn module
here; https://github.com/luxflux/puppet-openvpn
contains some examples and such that lead me to believe there should
be a reference, but it seems like that only is applicable if they have
the same scope. How would I go about storing off the 'winterthur'
openvpn::server for use by the clients later? Puppet's class variable
access and scoping in general are a little confusing to me at this
point. I tried the obvious assigning a $variable but that didn't work
either. Also, looking at the openvpn code, it seems like
openvpn::server is "define"d instead of using the class keyword. Does
this make a difference?
Thanks
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.