
refactor and publish ipsec puppet module

Our ipsec puppet module is pretty good, all things considered. It went through many iterations, and actually works pretty well.

It has grown quite complicated, however: the ipsec::peer and ipsec::network constructs are somewhat confusing, and use concat where they could just drop files in /etc/ipsec.secrets.d and /etc/ipsec.conf.d instead. They also do not support configuring only one side of the connexion, which is why ipsec::client was written, separately.

So the first task is to rebuild ipsec::peer and ipsec::network based on ipsec::client, possibly getting rid of one of the defines/class.

Then publish this on the Puppet forge.

Alternatively, consider using an existing module, if there's a really enticing option.
