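# Install stunnel4 and manage it purely through puppet-generated per-tunnel
# configs (/etc/stunnel/puppet-<name>.conf).  The package's own
# /etc/stunnel/stunnel.conf is removed so that only the tunnels declared
# with stunnel_server / stunnel_client below exist on the host.
class stunnel4 {
    # Write one stunnel instance config from stunnel4/stunnel.conf.erb and
    # restart the daemon when it changes.  The parameters are consumed only by
    # the template (not visible here): $client selects client/server mode,
    # $verify is stunnel's peer verification level, $cafile/$crlfile are the
    # trust material, $accept is the listen address, $connect the forward
    # target and $local (optional) the source address for outgoing connections.
    define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
        file {
            "/etc/stunnel/puppet-${name}.conf":
                content => template("stunnel4/stunnel.conf.erb"),
                notify  => Exec['restart_stunnel'],
                ;
        }
    }

    # define an stunnel listener, listening for SSL connections on $accept,
    # connecting to plaintext service $connect using local source address $local
    #
    # unfortunately stunnel is really bad about verifying its peer,
    # all we can be certain of is that they are signed by our CA,
    # not who they are.  So do not use in places where the identity of
    # the caller is important.  Use dsa-portforwarder for that.
    #
    # The listener is only exposed to the ferm host groups $HOST_DEBIAN_V4 /
    # $HOST_DEBIAN_V6 (defined outside this module); the ferm rules are
    # virtual (@ferm::rule) and take effect only where they are realized.
    #
    # NOTE(review): $local is accepted here but never forwarded to
    # stunnel_generic, so the template sees local=false and the default
    # "127.0.0.1" is unused -- confirm against the template before wiring it.
    define stunnel_server($accept, $connect, $local = "127.0.0.1") {
        stunnel_generic {
            "${name}":
                client  => false,
                verify  => 2,
                cafile  => "/etc/exim4/ssl/ca.crt",
                crlfile => "/etc/exim4/ssl/crl.crt",
                accept  => "${accept}",
                connect => "${connect}",
                ;
        }
        @ferm::rule {
            "stunnel-${name}":
                description => "stunnel ${name}",
                rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
        }
        @ferm::rule {
            "stunnel-${name}-v6":
                domain      => 'ip6',
                description => "stunnel ${name}",
                rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
        }
    }

    # define an stunnel client: accept plaintext on $accept and forward it over
    # SSL to $connecthost:$connectport.  The peer's certificate (taken from the
    # exim module's cert store) is concatenated with the CA cert into a
    # per-tunnel peer.pem and used with verify level 3, so stunnel pins the
    # remote side to that specific certificate rather than just "any cert
    # signed by our CA" as stunnel_server does.
    #
    # generate() runs /bin/cat on the puppetmaster with $connecthost spliced
    # into a filesystem path unvalidated; callers must pass a plain hostname
    # that matches a file under modules/exim/files/certs/.
    define stunnel_client($accept, $connecthost, $connectport) {
        file {
            "/etc/stunnel/puppet-${name}-peer.pem":
                # source  => "puppet:///modules/exim/certs/${connecthost}.crt",
                content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
                                                "/etc/puppet/modules/exim/files/certs/ca.crt"),
                notify  => Exec['restart_stunnel'],
                ;
        }
        stunnel_generic {
            "${name}":
                client  => true,
                verify  => 3,
                cafile  => "/etc/stunnel/puppet-${name}-peer.pem",
                accept  => "${accept}",
                connect => "${connecthost}:${connectport}",
                require => [ File["/etc/stunnel/puppet-${name}-peer.pem"] ],
                ;
        }
    }

    package {
        "stunnel4": ensure => installed;
    }

    # Drop the distribution config so the daemon only runs puppet-managed
    # tunnels (each one is its own /etc/stunnel/puppet-*.conf).
    file {
        "/etc/stunnel/stunnel.conf":
            ensure  => absent,
            require => [ Package['stunnel4'] ],
            ;
    }

    # NOTE(review): neither exec qualifies its command nor sets path =>;
    # this relies on an Exec path default being set elsewhere -- confirm.
    exec {
        # Comment out any existing ENABLED= line and append ENABLED=1 so the
        # init script actually starts the daemon; skipped once ENABLED=1 is set.
        "enable_stunnel4":
            command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
            unless  => "grep -q '^ENABLED=1' /etc/default/stunnel4",
            require => [ Package['stunnel4'] ],
            ;
        # Restart from / with a scrubbed environment (env -i) so the init
        # script does not inherit puppet's cwd or environment.  Only runs
        # when notified by a changed tunnel config or peer.pem.
        "restart_stunnel":
            command     => "true && cd / && env -i /etc/init.d/stunnel4 restart",
            require     => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
            refreshonly => true,
            ;
    }
}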
# vim:set et:
# vim:set sts=4 ts=4:
# vim:set shiftwidth=4: