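class stunnel4 {
    # Manages the stunnel4 package, a per-instance configuration layout
    # (/etc/stunnel/puppet-<name>.conf, one file per stunnel_* instance)
    # and a replacement init script that can restart a single instance.
    #
    # Callers use stunnel_server (accept TLS, forward to a local plaintext
    # service) or stunnel_client (accept plaintext locally, forward over TLS
    # to a remote peer); stunnel_generic is the shared implementation.

    package {
        "stunnel4": ensure => installed;
    }

    # Host-wide files live at class scope (not inside the defines) so that
    # declaring several stunnel_* instances on one host does not produce
    # duplicate resource declarations.  They are ordered after the package
    # so that dpkg's conffile handling never sees a pre-existing init script.
    file {
        "/etc/stunnel":
            ensure  => directory,
            owner   => root,
            group   => root,
            mode    => '0755',
            require => Package['stunnel4'],
            ;
        # Init script that understands "restart puppet-<name>", used by the
        # restart_stunnel_<name> exec in stunnel_generic.
        "/etc/init.d/stunnel4":
            source  => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
            owner   => root,
            group   => root,
            mode    => '0555',
            require => Package['stunnel4'],
            ;
        # The distribution's monolithic config must not exist: every instance
        # is described by its own puppet-<name>.conf instead.
        "/etc/stunnel/stunnel.conf":
            ensure  => absent,
            require => Package['stunnel4'],
            ;
    }

    exec {
        # Comment out any existing ENABLED= line and append ENABLED=1, so the
        # init script actually starts instances; idempotent via "unless".
        "enable_stunnel4":
                command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
                unless  => "grep -q '^ENABLED=1' /etc/default/stunnel4",
                require => Package['stunnel4'],
                ;
        # A FILES= override in /etc/default/stunnel4 would restrict which
        # config files the init script considers; drop it so that every
        # /etc/stunnel/*.conf (i.e. all puppet-<name>.conf files) is picked up.
        "kill_file_override":
                command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4",
                onlyif  => "grep -q '^FILES=' /etc/default/stunnel4",
                require => Package['stunnel4'],
                ;
    }

    # Shared implementation for one stunnel instance named $name.
    #
    #   $client   true for client mode (local plaintext -> remote TLS),
    #             false for server mode (TLS listener -> local plaintext)
    #   $verify   stunnel "verify" level passed to the template
    #   $cafile   file stunnel verifies the peer against
    #   $crlfile  optional CRL file (false = none)
    #   $accept   address/port stunnel listens on
    #   $connect  address/port stunnel forwards to
    #   $local    optional source address for outgoing connections (false = unset)
    #
    # Client instances authenticate with the host's Debian-CA keypair,
    # server instances reuse exim's keypair; the instance is restarted
    # whenever its config or its cert/key changes.
    define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
        # $name ends up in a file name and in a shell command line below;
        # refuse anything that is not a plain identifier so a stray
        # metacharacter in a manifest cannot turn into shell syntax.
        if $name !~ /^[A-Za-z0-9][A-Za-z0-9_.-]*$/ {
            fail("stunnel4::stunnel_generic: unsafe instance name '${name}'")
        }

        # Select the keypair first: the template rendered below and the
        # subscribe list further down both refer to $certfile/$keyfile.
        case $client {
                true: {
                    $certfile = "/etc/ssl/debian/certs/thishost.crt"
                    $keyfile  = "/etc/ssl/debian/keys/thishost.key"
                    }
                default: {
                    $certfile = "/etc/exim4/ssl/thishost.crt"
                    $keyfile  = "/etc/exim4/ssl/thishost.key"
                    }
        }

        file {
            # Per-instance config; the key material itself is only referenced
            # by path from here, so the file can stay world-readable.
            "/etc/stunnel/puppet-${name}.conf":
                content => template("stunnel4/stunnel.conf.erb"),
                owner   => root,
                group   => root,
                mode    => '0644',
                require => File['/etc/stunnel'],
                notify  => Exec["restart_stunnel_${name}"],
                ;
        }

        exec {
            # Restart just this instance.  "cd /" and "env -i" give the init
            # script a clean cwd and environment regardless of how the agent
            # was started.  Only runs when notified (config/cert/key change).
            "restart_stunnel_${name}":
                    command     => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
                    path        => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    require     => [ File['/etc/stunnel/stunnel.conf'],
                                     File['/etc/init.d/stunnel4'],
                                     Exec['enable_stunnel4'],
                                     Exec['kill_file_override'],
                                     Package['stunnel4']
                                   ],
                    subscribe   => [ File[$certfile],
                                     File[$keyfile]
                                   ],
                    refreshonly => true,
                    ;
        }
    }

    # A TLS listener on $accept that forwards to the plaintext service
    # $connect, using $local as the source address for that connection.
    # The matching ferm rules are exported as virtual resources.
    #
    # Security note: verify level 2 only proves that the peer presented a
    # certificate signed by our CA (and not listed in the CRL) -- it does
    # not check WHICH host is calling.  Do not use this where the caller's
    # identity matters; use dsa-portforwarder for that.
    define stunnel_server($accept, $connect, $local = "127.0.0.1") {
        stunnel_generic {
            "${name}":
                client  => false,
                verify  => 2,
                cafile  => "/etc/exim4/ssl/ca.crt",
                crlfile => "/etc/exim4/ssl/crl.crt",
                accept  => "${accept}",
                connect => "${connect}",
                local   => "${local}",
                ;
        }
        @ferm::rule {
            "stunnel-${name}":
                description => "stunnel ${name}",
                rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
                ;
            "stunnel-${name}-v6":
                domain      => 'ip6',
                description => "stunnel ${name}",
                rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
                ;
        }
    }

    # A plaintext listener on $accept that forwards over TLS to
    # $connecthost:$connectport.  The remote side is pinned: verify level 3
    # accepts only the certificate shipped in puppet-<name>-peer.pem, which is
    # the peer's own cert from the exim module (the CA cert is appended,
    # presumably so the chain can be completed -- confirm against stunnel's
    # verify semantics before relying on it).
    define stunnel_client($accept, $connecthost, $connectport) {
        # $connecthost is spliced into a path that generate() reads on the
        # puppetmaster; restrict it to hostname characters so a manifest
        # typo (or "../") cannot read arbitrary master-side files into the
        # peer bundle.
        if $connecthost !~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ {
            fail("stunnel4::stunnel_client ${name}: invalid connecthost '${connecthost}'")
        }

        file {
            # generate() runs on the puppetmaster, so these are master-side
            # paths under the exim module's files directory.
            "/etc/stunnel/puppet-${name}-peer.pem":
                content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
                                                "/etc/puppet/modules/exim/files/certs/ca.crt"),
                owner   => root,
                group   => root,
                mode    => '0644',
                require => File['/etc/stunnel'],
                notify  => Exec["restart_stunnel_${name}"],
                ;
        }
        stunnel_generic {
            "${name}":
                client  => true,
                verify  => 3,
                cafile  => "/etc/stunnel/puppet-${name}-peer.pem",
                accept  => "${accept}",
                connect => "${connecthost}:${connectport}",
                ;
        }
    }
}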
123
124 # vim:set et:
125 # vim:set sts=4 ts=4:
126 # vim:set shiftwidth=4: