massive style guide fixups
index d76684671b1b7a87ecd0f8c7c66efdf112b67e56..300eb5210bccdfb3588f1998a3c4f7e3d223ab87 100644 (file)
 class stunnel4 {
-    define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
-        file {
-            "/etc/stunnel":
-                ensure  => directory,
-                owner   => root,
-                group   => root,
-                mode    => 755,
-                ;
-            "/etc/stunnel/puppet-${name}.conf":
-                content => template("stunnel4/stunnel.conf.erb"),
-                notify  => Exec["restart_stunnel_${name}"],
-                ;
-            "/etc/init.d/stunnel4":
-                source => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
-                mode    => 555,
-            ;
-        }
 
-        case $client {
-                true: {
-                    $certfile = "/etc/ssl/debian/certs/thishost.crt"
-                    $keyfile = "/etc/ssl/debian/keys/thishost.key"
-                    }
-                default: {
-                    $certfile = "/etc/exim4/ssl/thishost.crt"
-                    $keyfile = "/etc/exim4/ssl/thishost.key"
-                    }
-        }
-
-        exec {
-            "restart_stunnel_${name}":
-                    command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
-                    require => [ File['/etc/stunnel/stunnel.conf'],
-                                 File['/etc/init.d/stunnel4'],
-                                 Exec['enable_stunnel4'],
-                                 Exec['kill_file_override'],
-                                 Package['stunnel4']
-                               ],
-                    subscribe => [ File[$certfile],
-                                   File[$keyfile]
-                                 ],
-                    refreshonly => true,
-                    ;
-        }
-    }
-
-    # define an stunnel listener, listening for SSL connections on $accept,
-    # connecting to plaintext service $connect using local source address $local
-    #
-    # unfortunately stunnel is really bad about verifying its peer,
-    # all we can be certain of is that they are signed by our CA,
-    # not who they are.  So do not use in places where the identity of
-    # the caller is important.  Use dsa-portforwarder for that.
-    define stunnel_server($accept, $connect, $local = "127.0.0.1") {
-        stunnel_generic {
-            "${name}":
-                client => false,
-                verify => 2,
-                cafile => "/etc/exim4/ssl/ca.crt",
-                crlfile => "/etc/exim4/ssl/crl.crt",
-                accept => "${accept}",
-                connect => "${connect}",
-                ;
-        }
-        @ferm::rule {
-            "stunnel-${name}":
-                description => "stunnel ${name}",
-                rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
-                ;
-            "stunnel-${name}-v6":
-                domain          => 'ip6',
-                description => "stunnel ${name}",
-                rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
-                ;
-        }
-    }
-    define stunnel_client($accept, $connecthost, $connectport) {
-        file {
-            "/etc/stunnel/puppet-${name}-peer.pem":
-                # source  => "puppet:///modules/exim/certs/${connecthost}.crt",
-                content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
-                                                "/etc/puppet/modules/exim/files/certs/ca.crt"),
-                notify  => Exec["restart_stunnel_${name}"],
-                ;
-        }
-        stunnel_generic {
-            "${name}":
-                client => true,
-                verify => 3,
-                cafile => "/etc/stunnel/puppet-${name}-peer.pem",
-                accept => "${accept}",
-                connect => "${connecthost}:${connectport}",
-                ;
-        }
-    }
-
-
-    package {
-        "stunnel4": ensure => installed;
-    }
-
-    file {
-        "/etc/stunnel/stunnel.conf":
-            ensure => absent,
-            require => [ Package['stunnel4'] ],
-            ;
-    }
-
-    exec {
-        "enable_stunnel4":
-                command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
-                unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
-                require => [ Package['stunnel4'] ],
-                ;
-        "kill_file_override":
-                command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4",
-                onlyif => "grep -q '^FILES=' /etc/default/stunnel4",
-                require => [ Package['stunnel4'] ],
-                ;
-    }
+       package { 'stunnel4':
+               ensure => installed
+       }
+
+       file { '/etc/stunnel':
+               ensure  => directory,
+               mode    => '0755',
+       }
+       file { '/etc/init.d/stunnel4':
+               source => 'puppet:///modules/stunnel4/etc-init.d-stunnel4',
+               mode   => '0555',
+       }
+       file { '/etc/stunnel/stunnel.conf':
+               ensure  => absent,
+               require => Package['stunnel4'],
+       }
+
+       exec { 'enable_stunnel4':
+               command => 'sed -i -e \'s/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet\' /etc/default/stunnel4',
+               unless  => 'grep -q \'^ENABLED=1\' /etc/default/stunnel4',
+               require => Package['stunnel4'],
+       }
+       exec { 'kill_file_override':
+               command => 'sed -i -e \'s/^FILES=/#&/\' /etc/default/stunnel4',
+               onlyif  => 'grep -q \'^FILES=\' /etc/default/stunnel4',
+               require => Package['stunnel4'],
+       }
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
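Review bot: In the `enable_stunnel4` command on the new single-quoted line, `\$a` no longer yields `$a`: Puppet single-quoted strings only unescape `\\` and `\'`, so the shell (and then sed) now receives a literal `\$a`, which sed would read as the opening of a custom-delimited `\c…c` address rather than the last-line `$` address that the removed double-quoted form produced. If that reading is right, the exec errors out on every host where `ENABLED=1` is not already present and stunnel never gets enabled. Drop the backslash: `command => 'sed -i -e \'s/^ENABLED=/#&/; $a ENABLED=1 # added by puppet\' /etc/default/stunnel4',`. Separately, the new `/etc/stunnel` file resource omits the `owner => root, group => root` the removed version set, so ownership of the directory that holds the generated stunnel configs is no longer enforced; restoring those two attributes keeps it under management. The `kill_file_override` command and both `grep` guards escape only `\'` and are unaffected.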