forked from chef-boneyard/cookbooks
metadata.json
{
  "name": "openvpn",
  "description": "Installs and configures openvpn and includes rake tasks for managing certs",
  "long_description": "DESCRIPTION\n====\n\nInstalls OpenVPN and sets up a fairly basic configuration. Since OpenVPN is very complex, we provide a baseline, but your site will probably need to customize.\n\nREQUIREMENTS\n====\n\nOpenSSL bindings for Ruby\n\nOpenSSL 0.9.7 or later\n\nTested on Ubuntu, but should work anywhere that has a package for OpenVPN.\n\nNot Supported\n----\n\nThis cookbook is designed to set up a basic installation of OpenVPN that will work for many common use cases. The following configurations are not supported by default with this cookbook:\n\n* setting up routers and other network devices\n* ethernet-bridging (tap interfaces)\n* dual-factor authentication\n* many other advanced OpenVPN configurations\n\nFor further modification of the cookbook see __USAGE__ below.\n\nFor more information about OpenVPN, see the [official site](http://openvpn.net/).\n\nATTRIBUTES\n====\n\nThese attributes are set by the cookbook by default.\n\n* `node[\"openvpn\"][\"local\"]` - IP to listen on, defaults to node[:ipaddress]\n* `node[\"openvpn\"][\"proto\"]` - Valid values are 'udp' or 'tcp', defaults to 'udp'.\n* `node[\"openvpn\"][\"type\"]` - Valid values are 'server' or 'server-bridge'. Default is 'server' and it will create a routed IP tunnel, and use the 'tun' device. 'server-bridge' will create an ethernet bridge and requires a tap0 device bridged with the ethernet interface, and is beyond the scope of this cookbook.\n* `node[\"openvpn\"][\"subnet\"]` - Used for server mode to configure a VPN subnet to draw client addresses. Default is 10.8.0.0, which is what the sample OpenVPN config package uses.\n* `node[\"openvpn\"][\"netmask\"]` - Netmask for the subnet, default is 255.255.0.0.\n* `node[\"openvpn\"][\"gateway\"]` - FQDN for the VPN gateway server. Default is `node[\"fqdn\"]`.\n* `node[\"openvpn\"][\"log\"]` - Server log file. Default /var/log/openvpn.log\n* `node[\"openvpn\"][\"key_dir\"]` - Location to store keys, certificates and related files. Default `/etc/openvpn/keys`.\n* `node[\"openvpn\"][\"signing_ca_cert\"]` - CA certificate for signing, default `/etc/openvpn/keys/ca.crt`\n* `node[\"openvpn\"][\"signing_ca_key\"]` - CA key for signing, default `/etc/openvpn/keys/ca.key`\n* `node[\"openvpn\"][\"push\"]` - Array of routes to add as `push` statements in the server.conf. Default is empty.\n\nThe following attributes are used to populate the `easy-rsa` vars file. Defaults are the same as the vars file that ships with OpenVPN.\n\n* `node[\"openvpn\"][\"key\"][\"ca_expire\"]` - In how many days should the root CA key expire - `CA_EXPIRE`.\n* `node[\"openvpn\"][\"key\"][\"expire\"]` - In how many days should certificates expire - `KEY_EXPIRE`.\n* `node[\"openvpn\"][\"key\"][\"size\"]` - Default key size, set to 2048 if paranoid but will slow down TLS negotiation performance - `KEY_SIZE`.\n\nThe following are the default values for fields placed in the certificate from the vars file. Do not leave these blank.\n\n* `node[\"openvpn\"][\"key\"][\"country\"]` - `KEY_COUNTRY`\n* `node[\"openvpn\"][\"key\"][\"province\"]` - `KEY_PROVINCE`\n* `node[\"openvpn\"][\"key\"][\"city\"]` - `KEY_CITY`\n* `node[\"openvpn\"][\"key\"][\"org\"]` - `KEY_ORG`\n* `node[\"openvpn\"][\"key\"][\"email\"]` - `KEY_EMAIL`\n\nRECIPES\n====\n\ndefault\n----\n\nSets up an OpenVPN server.\n\nusers\n----\n\nUtilizes a data bag called `users` to generate OpenVPN keys for each user.\n\nUSAGE\n====\n\nCreate a role for the OpenVPN server. See above for attributes that can be entered here.\n\n    % cat roles/openvpn.rb\n    name \"openvpn\"\n    description \"The server that runs OpenVPN\"\n    run_list(\"recipe[openvpn]\")\n    override_attributes(\n      \"openvpn\" => {\n        \"gateway\" => \"vpn.example.com\",\n        \"subnet\" => \"10.8.0.0\",\n        \"netmask\" => \"255.255.0.0\",\n        \"key\" => {\n          \"country\" => \"US\",\n          \"province\" => \"CA\",\n          \"city\" => \"SanFrancisco\",\n          \"org\" => \"Fort-Funston\",\n          \"email\" => \"me@example.com\"\n        }\n      }\n    )\n\nTo push routes to clients, add `node['openvpn']['push']` as an array attribute, e.g. if the internal network is 192.168.100.0/24:\n\n    override_attributes(\n      \"openvpn\" => {\n        \"push\" => [\n          \"push 'route 192.168.100.0 255.255.255.0'\"\n        ]\n      }\n    )\n\nTo automatically create new certificates and configurations for users, create data bags for each user. The only content required is the `id`, but this can be used in conjunction with other cookbooks by Opscode such as `users` or `samba`. See __SSL Certificates__ below for more about generating client certificate sets.\n\n    % cat data_bags/users/jtimberman.json\n    {\n      \"id\": \"jtimberman\"\n    }\n\nThis cookbook also provides an 'up' script that runs when OpenVPN is started. This script is for setting up firewall rules and kernel networking parameters as needed for your environment. Modify to suit your needs, upload the cookbook and re-run chef on the openvpn server. For example, you'll probably want to enable IP forwarding (sample Linux setting is commented out).\n\nCustomizing Server Configuration\n----\n\nTo further customize the server configuration, there are two templates that can be modified in this cookbook.\n\n* templates/default/server.conf.erb\n* templates/default/server.up.sh.erb\n\nThe first is the OpenVPN server configuration file. Modify to suit your needs for more advanced features of [OpenVPN](http://openvpn.net). The second is an `up` script run when OpenVPN starts. This is where you can add firewall rules, enable IP forwarding and other OS network settings required for OpenVPN. Attributes in the cookbook are provided as defaults; you can add more via the openvpn role if you need them.\n\nSSL Certificates\n----\n\nSome of the easy-rsa tools are copied to /etc/openvpn/easy-rsa to provide the minimum to generate the certificates using the default and users recipes. We provide a Rakefile to make it easier to generate client certificate sets if you're not using the data bags above. To generate new client certificates you will need `rake` installed (either as a gem or a package), then run:\n\n    cd /etc/openvpn/easy-rsa\n    source ./vars\n    rake client name=\"CLIENT_NAME\" gateway=\"vpn.example.com\"\n\nReplace `CLIENT_NAME` and `vpn.example.com` with your desired values. The rake task will generate a tar.gz file with the configuration and certificates for the client.\n\nLICENSE and AUTHOR\n====\n\nAuthor:: Joshua Timberman (<joshua@opscode.com>)\n\nCopyright:: 2009-2010, Opscode, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n",
  "maintainer": "Opscode, Inc.",
  "maintainer_email": "cookbooks@opscode.com",
  "license": "Apache 2.0",
  "platforms": {
    "redhat": [],
    "centos": [],
    "fedora": [],
    "ubuntu": [],
    "debian": []
  },
  "dependencies": {},
  "recommendations": {},
  "suggestions": {},
  "conflicting": {},
  "providing": {},
  "replacing": {},
  "attributes": {
    "openvpn/local": {
      "display_name": "OpenVPN Local",
      "description": "Local interface (ip) to listen on",
      "default": "ipaddress",
      "choice": [],
      "calculated": false,
      "type": "string",
      "required": "optional",
      "recipes": []
    },
    "openvpn/proto": {
      "display_name": "OpenVPN Protocol",
      "description": "UDP or TCP",
      "default": "udp",
      "choice": [],
      "calculated": false,
      "type": "string",
      "required": "optional",
      "recipes": []
    },
    "openvpn/type": {
      "display_name": "OpenVPN Type",
      "description": "Server or server-bridge",
      "default": "server",
      "choice": [],
      "calculated": false,
      "type": "string",
      "required": "optional",
      "recipes": []
    },
    "openvpn/subnet": {
      "display_name": "OpenVPN Subnet",
      "description": "Subnet to hand out to clients",
      "default": "10.8.0.0",
      "choice": [],
      "calculated": false,
      "type": "string",
      "required": "optional",
      "recipes": []
    },
    "openvpn/netmask": {
      "display_name": "OpenVPN Netmask",
      "description": "Netmask for clients",
      "default": "255.255.0.0",
      "choice": [],
      "calculated": false,
      "type": "string",
      "required": "optional",
      "recipes": []
    }
  },
  "groupings": {},
  "recipes": {
    "openvpn": "Installs and configures openvpn",
    "openvpn::users": "Sets up openvpn cert/configs for users data bag items"
  },
  "version": "0.99.0"
}