2 define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
4 "/etc/stunnel/puppet-${name}.conf":
5 content => template("stunnel4/stunnel.conf.erb"),
6 notify => Exec['restart_stunnel'],
11 # define a stunnel listener that accepts SSL connections on $accept and
12 # forwards them to the plaintext service $connect, using $local as the local source address
14 # unfortunately stunnel does a poor job of verifying its peer:
15 # all we can be certain of is that the peer certificate is signed by our CA,
16 # not who the peer actually is. So do not use this where the identity of
17 # the caller matters; use dsa-portforwarder for that.
18 define stunnel_server($accept, $connect, $local = "127.0.0.1") {
23 cafile => "/etc/exim4/ssl/ca.crt",
24 crlfile => "/etc/exim4/ssl/crl.crt",
25 accept => "${accept}",
26 connect => "${connect}",
31 description => "stunnel ${name}",
32 rule => "&TCP_UDP_SERVICE(${accept})",
37 define stunnel_client($accept, $connecthost, $connectport) {
39 "/etc/stunnel/puppet-${name}-peer.pem":
40 # source => "puppet:///modules/exim/certs/${connecthost}.crt",
41 content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
42 "/etc/puppet/modules/exim/files/certs/ca.crt"),
43 notify => Exec['restart_stunnel'],
50 cafile => "/etc/stunnel/puppet-${name}-peer.pem",
51 accept => "${accept}",
52 connect => "${connecthost}:${connectport}",
53 require => [ File["/etc/stunnel/puppet-${name}-peer.pem"] ],
60 "stunnel4": ensure => installed;
64 "/etc/stunnel/stunnel.conf":
71 command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
72 unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
73 require => [ Package['stunnel4'] ],
76 command => "true && cd / && env -i /etc/init.d/stunnel4 restart",
77 require => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
85 # vim:set shiftwidth=4: