Added NetworkManager strongSwan plugin integration
This commit is contained in:
parent
fcb770aa7c
commit
af608f6c75
@ -3,6 +3,8 @@
|
|||||||
|
|
||||||
import asyncore
|
import asyncore
|
||||||
import click
|
import click
|
||||||
|
import configparser
|
||||||
|
import hashlib
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import pwd
|
import pwd
|
||||||
@ -403,6 +405,75 @@ def certidude_setup_strongswan_client(url, config, secrets, email_address, commo
|
|||||||
click.echo()
|
click.echo()
|
||||||
|
|
||||||
|
|
||||||
|
@click.command("networkmanager", help="Set up strongSwan client via NetworkManager")
|
||||||
|
@click.argument("url")
|
||||||
|
@click.argument("remote")
|
||||||
|
@click.option("--common-name", "-cn", default=HOSTNAME, help="Common name, %s by default" % HOSTNAME)
|
||||||
|
@click.option("--org-unit", "-ou", help="Organizational unit")
|
||||||
|
@click.option("--email-address", "-m", default=EMAIL, help="E-mail associated with the request, '%s' by default" % EMAIL)
|
||||||
|
@click.option("--directory", "-d", default="/etc/ipsec.d", help="Directory for keys, /etc/ipsec.d by default")
|
||||||
|
@click.option("--key-path", "-key", default="private/%s.pem" % HOSTNAME, help="Key path, private/%s.pem by default" % HOSTNAME)
|
||||||
|
@click.option("--request-path", "-csr", default="reqs/%s.pem" % HOSTNAME, help="Request path, reqs/%s.pem by default" % HOSTNAME)
|
||||||
|
@click.option("--certificate-path", "-crt", default="certs/%s.pem" % HOSTNAME, help="Certificate path, certs/%s.pem by default" % HOSTNAME)
|
||||||
|
@click.option("--authority-path", "-ca", default="cacerts/ca.pem", help="Certificate authority certificate path, cacerts/ca.pem by default")
|
||||||
|
@expand_paths()
|
||||||
|
def certidude_setup_strongswan_networkmanager(url, email_address, common_name, org_unit, directory, key_path, request_path, certificate_path, authority_path, remote):
|
||||||
|
|
||||||
|
retval = certidude_request_certificate(
|
||||||
|
url,
|
||||||
|
key_path,
|
||||||
|
request_path,
|
||||||
|
certificate_path,
|
||||||
|
authority_path,
|
||||||
|
common_name,
|
||||||
|
org_unit,
|
||||||
|
email_address,
|
||||||
|
wait=True)
|
||||||
|
|
||||||
|
if retval:
|
||||||
|
return retval
|
||||||
|
|
||||||
|
csummer = hashlib.sha1()
|
||||||
|
csummer.update(remote.encode("ascii"))
|
||||||
|
csum = csummer.hexdigest()
|
||||||
|
uuid = csum[:8] + "-" + csum[8:12] + "-" + csum[12:16] + "-" + csum[16:20] + "-" + csum[20:32]
|
||||||
|
|
||||||
|
config = configparser.ConfigParser()
|
||||||
|
config.add_section("connection")
|
||||||
|
config.add_section("vpn")
|
||||||
|
config.add_section("ipv4")
|
||||||
|
|
||||||
|
config.set("connection", "id", remote)
|
||||||
|
config.set("connection", "uuid", uuid)
|
||||||
|
config.set("connection", "type", "vpn")
|
||||||
|
config.set("connection", "autoconnect", "true")
|
||||||
|
|
||||||
|
config.set("vpn", "service-type", "org.freedesktop.NetworkManager.strongswan")
|
||||||
|
config.set("vpn", "userkey", key_path)
|
||||||
|
config.set("vpn", "usercert", certificate_path)
|
||||||
|
config.set("vpn", "encap", "no")
|
||||||
|
config.set("vpn", "address", remote)
|
||||||
|
config.set("vpn", "virtual", "yes")
|
||||||
|
config.set("vpn", "method", "key")
|
||||||
|
config.set("vpn", "certificate", authority_path)
|
||||||
|
config.set("vpn", "ipcomp", "no")
|
||||||
|
|
||||||
|
config.set("ipv4", "method", "auto")
|
||||||
|
|
||||||
|
# Prevent creation of files with liberal permissions
|
||||||
|
os.umask(0o277)
|
||||||
|
|
||||||
|
# Write keyfile
|
||||||
|
with open(os.path.join("/etc/NetworkManager/system-connections", remote), "w") as configfile:
|
||||||
|
config.write(configfile)
|
||||||
|
|
||||||
|
# TODO: Avoid race condition here
|
||||||
|
sleep(3)
|
||||||
|
|
||||||
|
# Tell NetworkManager to bring up the VPN connection
|
||||||
|
subprocess.call(("nmcli", "c", "up", "uuid", uuid))
|
||||||
|
|
||||||
|
|
||||||
@click.command("production", help="Set up nginx and uwsgi")
|
@click.command("production", help="Set up nginx and uwsgi")
|
||||||
@click.option("--username", default="certidude", help="Service user account, created if necessary, 'certidude' by default")
|
@click.option("--username", default="certidude", help="Service user account, created if necessary, 'certidude' by default")
|
||||||
@click.option("--hostname", default=HOSTNAME, help="nginx hostname, '%s' by default" % HOSTNAME)
|
@click.option("--hostname", default=HOSTNAME, help="nginx hostname, '%s' by default" % HOSTNAME)
|
||||||
@ -832,6 +903,7 @@ def entry_point(): pass
|
|||||||
|
|
||||||
certidude_setup_strongswan.add_command(certidude_setup_strongswan_server)
|
certidude_setup_strongswan.add_command(certidude_setup_strongswan_server)
|
||||||
certidude_setup_strongswan.add_command(certidude_setup_strongswan_client)
|
certidude_setup_strongswan.add_command(certidude_setup_strongswan_client)
|
||||||
|
certidude_setup_strongswan.add_command(certidude_setup_strongswan_networkmanager)
|
||||||
certidude_setup_openvpn.add_command(certidude_setup_openvpn_server)
|
certidude_setup_openvpn.add_command(certidude_setup_openvpn_server)
|
||||||
certidude_setup_openvpn.add_command(certidude_setup_openvpn_client)
|
certidude_setup_openvpn.add_command(certidude_setup_openvpn_client)
|
||||||
certidude_setup.add_command(certidude_setup_authority)
|
certidude_setup.add_command(certidude_setup_authority)
|
||||||
|
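Review bot: `remote` goes straight into `os.path.join("/etc/NetworkManager/system-connections", remote)` in certidude_setup_strongswan_networkmanager, so a value containing a path separator or `..` writes the keyfile outside the connections directory; a guard before the write such as `if os.sep in remote or remote in (".", ".."): raise click.ClickException("remote must be a plain hostname or address")` would bound it. The same argument is hashed with `remote.encode("ascii")`, which raises UnicodeEncodeError for a non-ASCII hostname instead of a usable error message. `os.umask(0o277)` is process-wide and never restored, which only works because the command exits right after; a comment saying so, or saving the previous mask and restoring it after the `with open(...)` block, would make that intent explicit. The `sleep(3)` under the TODO could be replaced by asking NetworkManager to load the new file (`nmcli connection load <path>`, which I believe current nmcli supports) before the `nmcli c up` call, removing the race rather than papering over it. `sleep` and `subprocess` are not added by the import hunk, so presumably they are already in scope above this function.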