Add automatic firewalling for replicas.

This adds automatic firewalling so that all the replicas have the right
ports open, and only the right ports open to the right replicas.

lib/facter/ipa_host.rb

@@ -0,0 +1,35 @@
+# FreeIPA templating module by James
+# Copyright (C) 2012-2013+ James Shubin
+# Written by James Shubin <james@shubin.ca>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+require 'facter'
+require 'resolv'
+
+# try and pick the _right_ ip that ipa should use by default...
+fqdn = Facter.value('fqdn')
+if not fqdn.nil?
+	ip = Resolv.getaddress "#{fqdn}"
+	if not ip.nil?
+		Facter.add('ipa_host_ip') do
+			#confine :operatingsystem => %w{CentOS, RedHat, Fedora}
+			setcode {
+				ip
+			}
+		end
+	end
+end
+
+# vim: ts=8

manifests/rulewrapper.pp

@@ -0,0 +1,47 @@
+# FreeIPA templating module by James
+# Copyright (C) 2012-2013+ James Shubin
+# Written by James Shubin <james@shubin.ca>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# NOTE: this wraps shorewall::rule so that we can add on additional fake 'tags'
+define ipa::rulewrapper(
+	$action = '',
+	$source = '',
+	$source_ips = [],
+	$dest = '',
+	$dest_ips = [],
+	$proto = '',
+	$port = [],
+	$sport = [],
+	$original = [],
+	$comment = '',
+	$ensure = present,
+	$match = ''	# additional tag parameter
+) {
+	shorewall::rule { "${name}":
+		action => "${action}",
+		source => "${source}",
+		source_ips => $source_ips,
+		dest => "${dest}",
+		dest_ips => $dest_ips,
+		proto => "${proto}",
+		port => $port,
+		sport => $sport,
+		comment => "${comment}",
+		ensure => $ensure,
+	}
+}
+
+# vim: ts=8

manifests/server.pp

@@ -125,6 +125,13 @@
 
 	notice(inline_template('valid_peers: <%= @valid_peers.inspect %>'))
 
+	# export the required firewalls...
+	if $shorewall {
+		ipa::server::replica::firewall { $valid_peers["${::fqdn}"]:
+			peer => "${::fqdn}",	# match the manage type pattern
+		}
+	}
+
 	$valid_hostname = "${hostname}"		# TODO: validate ?
 	$valid_domain = downcase($domain)	# TODO: validate ?
 	$valid_realm = $realm ? {

manifests/server/replica/firewall.pp

@@ -0,0 +1,77 @@
+# FreeIPA templating module by James
+# Copyright (C) 2012-2013+ James Shubin
+# Written by James Shubin <james@shubin.ca>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# NOTE: all replication agreements are bi-directional for now due to FreeIPA...
+# NOTE: in the future, it would be quite cool to allow uni-directional replicas
+# NOTE: this type has been engineered to fit easily with the topology datatype:
+#	$ring = {	# example flat topology as expressed in the std. format
+#		'fqdn1': ['fqdn2', 'fqdn3'],
+#		'fqdn2': ['fqdn3', 'fqdn1'],
+#		'fqdn3': ['fqdn1', 'fqdn2'],
+#	}
+#
+#	ipa::server::replica::firewall { $ring["${::fqdn}"]:	# all automatic
+#		peer => "${::fqdn}",
+#	}
+define ipa::server::replica::firewall(	# to
+	$peer = '',			# from (usually we run this on itself!)
+	$ip = ''	# you can specify which ip address to use (if multiple)
+) {
+
+	include ipa::server::replica::firewall::base
+
+	# NOTE: the peer vs. valid_peer names are by convention (but confusing)
+	$self = "${peer}"		# from (a)
+	if "${self}" != "${::fqdn}" {
+		fail('Are you sure you want to run this on a different host ?')
+	}
+	$valid_peer = "${name}"		# to (b)
+
+	$zone = $::ipa::server::zone				# firewall zone
+	$valid_ip = "${ip}" ? {
+		'' => "${::ipa_host_ip}" ? {			# smart fact...
+			'' => "${::ipaddress}",			# puppet picks!
+			default => "${::ipa_host_ip}",		# smart
+		},
+		default => "${ip}",				# user selected
+	}
+	if "${valid_ip}" == '' {
+		fail('No valid IP exists!')
+	}
+
+	# NOTE: an exported resource here says: "i would like to connect to you"
+	# this means the collector's (receiver) perspective source ip is *my* ip
+
+	# NOTE: we need to add the $fqdn so that exported resources
+	# don't conflict... I'm not sure they should anyways though
+	@@ipa::rulewrapper { "ipa-server-replica-ldaps-${name}-${::fqdn}":
+		action => 'LDAPS/ACCEPT',
+		source => "${zone}",	# override this on collect...
+		source_ips => ["${valid_ip}"],	# i am the source !
+		dest => '$FW',
+		proto => 'tcp',
+		#port => '',	# comma separated string or list
+		comment => 'Allow incoming tcp:636 from ${::fqdn}.',
+		tag => 'ipa-server-replica',
+		match => "${name}",	# used for collection
+		ensure => present,
+	}
+
+	# FIXME: add all the necessary ports for ipa-replication here...
+}
+
+# vim: ts=8

manifests/server/replica/firewall/base.pp

@@ -0,0 +1,42 @@
+# FreeIPA templating module by James
+# Copyright (C) 2012-2013+ James Shubin
+# Written by James Shubin <james@shubin.ca>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+class ipa::server::replica::firewall::base {
+	include ipa::server
+
+	$zone = $::ipa::server::zone				# firewall zone
+	$shorewall = $::ipa::server::shorewall			# enable fw...?
+
+	# open the firewall so that replicas can connect to what they will need
+	Ipa::Rulewrapper <<| tag == 'ipa-server-replica' and match == "${::fqdn}" |>> {
+	#Shorewall::Rule <<| tag == 'ipa-server-replica' and match == "${::fqdn}" |>> {
+		source => "${zone}",	# use our source zone
+		# TODO: this below before is basically untested for usefulness!
+		before => Exec['ipa-install'],		# open bi-directional fw first!
+		# TODO: the below require is basically untested for usefulness!
+		require => Exec['ipa-clean-peers'],	# let the peers clean up first!
+		ensure => $shorewall ? {
+			absent => absent,
+			'absent' => absent,
+			present => present,
+			'present' => present,
+			default => present,
+		},
+	}
+}
+
+# vim: ts=8