updates naming for built in config services, broke out current example script to examples dir, broke out config service manager to separate file

2020-01-17 13:47:55 -08:00 · 2020-01-17 13:47:55 -08:00 · dbc77d81f6
commit dbc77d81f6
parent 433327c0ae
7 changed files with 180 additions and 91 deletions
--- a/daemon/core/configservices/sercurityservices/init.py
+++ b/daemon/core/configservices/sercurityservices/init.py
--- a/daemon/core/configservices/sercurityservices/services.py
+++ b/daemon/core/configservices/sercurityservices/services.py
@ -0,0 +1,19 @@
+from core.configservice.base import ConfigService, ConfigServiceMode
+
+GROUP_NAME = "Security"
+
+
+class VpnClient(ConfigService):
+    name = "VPNClient"
+    group = GROUP_NAME
+    directories = []
+    executables = ["openvpn", "ip", "killall"]
+    dependencies = []
+    startup = ["sh vpnclient.sh"]
+    validate = ["pidof openvpn"]
+    shutdown = ["killall openvpn"]
+    validation_mode = ConfigServiceMode.BLOCKING
+    default_configs = []
+
+    def create_files(self):
+        self.render("vpnclient.sh")
--- a/daemon/core/configservices/sercurityservices/templates/vpnclient.sh
+++ b/daemon/core/configservices/sercurityservices/templates/vpnclient.sh
@ -0,0 +1,61 @@
+# -------- CUSTOMIZATION REQUIRED --------
+#
+# The VPNClient service builds a VPN tunnel to the specified VPN server using
+# OpenVPN software and a virtual TUN/TAP device.
+
+# directory containing the certificate and key described below
+keydir=/etc/core/keys
+
+# the name used for a "$keyname.crt" certificate and "$keyname.key" private key.
+keyname=client1
+
+# the public IP address of the VPN server this client should connect with
+vpnserver="10.0.2.10"
+
+# optional next hop for adding a static route to reach the VPN server
+nexthop="10.0.1.1"
+
+# --------- END CUSTOMIZATION --------
+
+# validate addresses
+if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
+    echo "WARNING: ip validation disabled because package sipcalc not installed
+         " > $PWD/vpnclient.log
+else
+    if [ "$(sipcalc "$vpnserver" "$nexthop" | grep ERR)" != "" ]; then
+        echo "ERROR: invalide address $vpnserver or $nexthop " > $PWD/vpnclient.log
+    fi
+fi
+
+# validate key and certification files
+if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.crt ] \
+   || [ ! -e $keydir\/ca.crt ] || [ ! -e $keydir\/dh1024.pem ]; then
+     echo "ERROR: missing certification or key files under $keydir $keyname.key or $keyname.crt or ca.crt or dh1024.pem" >> $PWD/vpnclient.log
+fi
+
+# if necessary, add a static route for reaching the VPN server IP via the IF
+vpnservernet=${vpnserver%.*}.0/24
+if [ "$nexthop" != "" ]; then
+    ip route add $vpnservernet via $nexthop
+fi
+
+# create openvpn client.conf
+(
+cat << EOF
+client
+dev tun
+proto udp
+remote $vpnserver 1194
+nobind
+ca $keydir/ca.crt
+cert $keydir/$keyname.crt
+key $keydir/$keyname.key
+dh $keydir/dh1024.pem
+cipher AES-256-CBC
+log $PWD/openvpn-client.log
+verb 4
+daemon
+EOF
+) > client.conf
+
+openvpn --config client.conf