(install.pp) extend install features

Author: dtapiacl

README.md

@@ -10,6 +10,10 @@
 
 Puppet module to manage OpenVPN servers and clients.
 
+This module supports both:
+* **OpenVPN (community edition)** — the default package and service.
+* **OpenVPN Access Server (`openvpn-as`)** — installable by overriding parameters.
+
 ## Features
 
 * Client-specific rules and access policies
@@ -40,6 +44,26 @@ The supported Puppet versions are listed in the [metadata.json](metadata.json)
 
 Please see [REFERENCE.md](https://github.com/voxpupuli/puppet-openvpn/blob/master/REFERENCE.md) for more details.
 
+## Additional Parameters
+
+The following parameters were added to support OpenVPN Access Server
+and to make package/service management configurable:
+
+- `package_name` (String, default: `openvpn`)
+  Package name to install. Override with `openvpn-as` to install Access Server.
+
+- `package_ensure` (String, default: `present`)
+  Desired package state (e.g. `present`, `latest`, `absent`).
+
+- `service_name` (String, default: `openvpn`)
+  Name of the service resource to manage. Override with `openvpnas` for Access Server.
+
+- `service_enable` (Boolean, default: `true`)
+  Whether to enable the service at boot.
+
+- `service_ensure` (Enum: `running`|`stopped`, default: `running`)
+  Desired running state of the service.
+
 ## Example with hiera
 
 ```yaml
@@ -76,6 +100,16 @@ openvpn::revokes:
 
 Don't forget the sysctl directive ```net.ipv4.ip_forward```!
 
+## Example with OpenVPN Access Server (openvpn-as)
+
+```yaml
+---
+classes:
+  - openvpn
+
+openvpn::package_name: 'openvpn-as'
+openvpn::service_name: 'openvpnas'
+```
 ## Encryption Choices
 
 This module provides certain default parameters for the openvpn encryption settings.

REFERENCE.md

@@ -8,8 +8,9 @@
 
 * [`openvpn`](#openvpn): This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
 * [`openvpn::config`](#openvpn--config): This class sets up the openvpn enviornment as well as the default config file
-* [`openvpn::install`](#openvpn--install): This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
-* [`openvpn::service`](#openvpn--service): This class maintains the openvpn service.
+* [`openvpn::install`](#openvpn--install): This module installs and manages OpenVPN (community edition) or OpenVPN Access Server,
+* [`openvpn::service`](#openvpn--service): This class maintains the OpenVPN service (community edition) or
+the OpenVPN Access Server service if overridden.
 
 ### Defined types
 
@@ -60,6 +61,11 @@ The following parameters are available in the `openvpn` class:
 * [`servers`](#-openvpn--servers)
 * [`server_directory`](#-openvpn--server_directory)
 * [`server_service_name`](#-openvpn--server_service_name)
+* [`package_name`](#-openvpn--package_name)
+* [`package_ensure`](#-openvpn--package_ensure)
+* [`service_name`](#-openvpn--service_name)
+* [`service_enable`](#-openvpn--service_enable)
+* [`service_ensure`](#-openvpn--service_ensure)
 
 ##### <a name="-openvpn--autostart_all"></a>`autostart_all`
 
@@ -203,17 +209,117 @@ Data type: `String[1]`
 
 Name of the openvpn server service. This is usually `openvpn`, but RHEL/CentOS 8 uses `openvpn-server`.
 
+##### <a name="-openvpn--package_name"></a>`package_name`
+
+Data type: `String[1]`
+
+
+
+Default value: `'openvpn'`
+
+##### <a name="-openvpn--package_ensure"></a>`package_ensure`
+
+Data type: `String[1]`
+
+
+
+Default value: `'present'`
+
+##### <a name="-openvpn--service_name"></a>`service_name`
+
+Data type: `String[1]`
+
+
+
+Default value: `'openvpn'`
+
+##### <a name="-openvpn--service_enable"></a>`service_enable`
+
+Data type: `Boolean`
+
+
+
+Default value: `true`
+
+##### <a name="-openvpn--service_ensure"></a>`service_ensure`
+
+Data type: `Enum['running','stopped']`
+
+
+
+Default value: `'running'`
+
 ### <a name="openvpn--config"></a>`openvpn::config`
 
 This class sets up the openvpn enviornment as well as the default config file
 
 ### <a name="openvpn--install"></a>`openvpn::install`
 
-This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
+configures VPN endpoints, generates client certificates, and generates client config files.
+
+The name of the package to install.
+
+The desired state of the package.
+
+#### Parameters
+
+The following parameters are available in the `openvpn::install` class:
+
+* [`package_name`](#-openvpn--install--package_name)
+* [`package_ensure`](#-openvpn--install--package_ensure)
+
+##### <a name="-openvpn--install--package_name"></a>`package_name`
+
+Data type: `String[1]`
+
+
+
+Default value: `'openvpn'`
+
+##### <a name="-openvpn--install--package_ensure"></a>`package_ensure`
+
+Data type: `String[1]`
+
+
+
+Default value: `'present'`
 
 ### <a name="openvpn--service"></a>`openvpn::service`
 
-This class maintains the openvpn service.
+This class maintains the OpenVPN service (community edition) or
+the OpenVPN Access Server service if overridden.
+
+#### Parameters
+
+The following parameters are available in the `openvpn::service` class:
+
+* [`service_name`](#-openvpn--service--service_name)
+* [`service_enable`](#-openvpn--service--service_enable)
+* [`service_ensure`](#-openvpn--service--service_ensure)
+
+##### <a name="-openvpn--service--service_name"></a>`service_name`
+
+Data type: `String[1]`
+
+
+
+Default value: `'openvpn'`
+
+##### <a name="-openvpn--service--service_enable"></a>`service_enable`
+
+Data type: `Boolean`
+
+
+
+Default value: `true`
+
+##### <a name="-openvpn--service--service_ensure"></a>`service_ensure`
+
+Data type: `Enum['running','stopped']`
+
+
+
+Default value: `'running'`
 
 ## Defined types
 
@@ -882,19 +988,13 @@ This define creates a revocation on a certificate for a specified server.
 ##### 
 
 ```puppet
-openvpn::client {
-  'my_user':
-    server      => 'contractors'
-}
+openvpn::client { 'my_user': server => 'contractors' }
 ```
 
 ##### 
 
 ```puppet
-openvpn::revoke {
-  'my_user':
-    server      => 'contractors'
- }
+openvpn::revoke { 'my_user': server => 'contractors' }
 ```
 
 #### Parameters

manifests/init.pp

@@ -51,62 +51,61 @@
   Hash                                 $revokes                         = {},
   Hash                                 $server_defaults                 = {},
   Hash                                 $servers                         = {},
+
+  String[1]                            $package_name   = 'openvpn',
+  String[1]                            $package_ensure = 'present',
+  String[1]                            $service_name   = 'openvpn',
+  Boolean                              $service_enable = true,
+  Enum['running','stopped']            $service_ensure = 'running',
 ) {
   $easyrsa_version = $facts['easyrsa'] ? {
     undef   => $default_easyrsa_ver,
     default => $facts['easyrsa'],
   }
 
-  include openvpn::install
-  include openvpn::config
+  # Install with params
+  class { 'openvpn::install':
+    package_name   => $package_name,
+    package_ensure => $package_ensure,
+  }
+
+  class { 'openvpn::config': }
+
+  # Service with params
+  class { 'openvpn::service':
+    service_name   => $service_name,
+    service_enable => $service_enable,
+    service_ensure => $service_ensure,
+  }
 
+  # Ordering
   Class['openvpn::install']
   -> Class['openvpn::config']
-  -> Class['openvpn']
+  ~> Class['openvpn::service']
 
-  if $facts['service_provider'] != 'systemd' {
-    class { 'openvpn::service':
-      subscribe => [Class['openvpn::config'], Class['openvpn::install']],
-    }
-
-    if empty($servers) {
-      Class['openvpn::service'] -> Class['openvpn']
-    }
-  }
+  # Existing loops unchanged
 
   $clients.each |$name, $params| {
-    openvpn::client {
-      default:
-        * => $client_defaults;
-      $name:
-        * => $params;
+    openvpn::client { $name:
+      * => $client_defaults + $params,
     }
   }
 
   $client_specific_configs.each |$name, $params| {
-    openvpn::client_specific_config {
-      default:
-        * => $client_specific_config_defaults;
-      $name:
-        * => $params;
+    openvpn::client_specific_config { $name:
+      * => $client_specific_config_defaults + $params,
     }
   }
 
   $revokes.each |$name, $params| {
-    openvpn::revoke {
-      default:
-        * => $revoke_defaults;
-      $name:
-        * => $params;
+    openvpn::revoke { $name:
+      * => $revoke_defaults + $params,
     }
   }
 
   $servers.each |$name, $params| {
-    openvpn::server {
-      default:
-        * => $server_defaults;
-      $name:
-        * => $params;
+    openvpn::server { $name:
+      * => $server_defaults + $params,
     }
   }
 }

manifests/install.pp

@@ -1,10 +1,20 @@
+# @summary This module installs and manages OpenVPN (community edition) or OpenVPN Access Server, 
+# configures VPN endpoints, generates client certificates, and generates client config files.
 #
-# @summary This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
+# @param package_name
+# The name of the package to install.
 #
-class openvpn::install {
+# @param package_ensure
+# The desired state of the package.
+#
+class openvpn::install (
+  String[1] $package_name   = 'openvpn',
+  String[1] $package_ensure = 'present',
+) {
   include openvpn
 
-  stdlib::ensure_packages(['openvpn'])
+  stdlib::ensure_packages([$package_name], { 'ensure' => $package_ensure })
+
   if $openvpn::additional_packages {
     stdlib::ensure_packages($openvpn::additional_packages)
   }
@@ -19,6 +29,6 @@
   file {
     ["${openvpn::etc_directory}/openvpn", "${openvpn::etc_directory}/openvpn/keys", '/var/log/openvpn',]:
       ensure  => directory,
-      require => Package['openvpn'];
+      require => Package[$package_name];
   }
 }

manifests/revoke.pp

@@ -1,17 +1,10 @@
-#
 # @summary This define creates a revocation on a certificate for a specified server.
 #
 # @param server Name of the corresponding openvpn endpoint
 # @example
-#   openvpn::client {
-#     'my_user':
-#       server      => 'contractors'
-#   }
+#   openvpn::client { 'my_user': server => 'contractors' }
 # @example
-#   openvpn::revoke {
-#     'my_user':
-#       server      => 'contractors'
-#    }
+#   openvpn::revoke { 'my_user': server => 'contractors' }
 #
 define openvpn::revoke (
   String $server,
@@ -25,26 +18,21 @@
   $server_directory = $openvpn::server_directory
 
   $revocation_command = $openvpn::easyrsa_version ? {
-    '3.0' => "./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
-    default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0."),
+    '3.0'   => "./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
+    default => fail("unexpected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0."),
   }
 
   $renew_command = $openvpn::easyrsa_version ? {
     '3.0'   => './easyrsa --batch gen-crl',
-    default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0."),
-  }
-
-  file { "${server_directory}/${server}/easy-rsa/revoked/${name}":
-    ensure  => file,
-    require => Exec["revoke certificate for ${name} in context of ${server}"],
+    default => fail("unexpected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0."),
   }
 
   exec { "revoke certificate for ${name} in context of ${server}":
     command  => $revocation_command,
     cwd      => "${server_directory}/${server}/easy-rsa",
     provider => 'shell',
     notify   => Exec["renew crl.pem on ${server} because of revocation of ${name}"],
-    creates  => "${server_directory}/${server}/easy-rsa/revoked/${name}",
+    creates  => "${server_directory}/${server}/easy-rsa/revoked/${name}", # restored for idempotency
   }
 
   exec { "renew crl.pem on ${server} because of revocation of ${name}":