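# stunnel4: installs the package, enables it in /etc/default/stunnel4 and
# provides the stunnel_server / stunnel_client defined types (both built on
# stunnel_generic).  Every instance gets its own
# /etc/stunnel/puppet-${name}.conf; a change to it (or to a client's peer
# certificate) triggers Exec['restart_stunnel'].
class stunnel4 {
    # One stunnel instance, rendered from stunnel4/stunnel.conf.erb into
    # /etc/stunnel/puppet-${name}.conf.  The parameters are consumed by that
    # template (not shown in this file):
    #   $client   true for a client instance, false for a listener
    #   $verify   stunnel verify level
    #   $cafile   file the peer certificate is verified against
    #   $crlfile  optional CRL file (false = none)
    #   $accept   address/port to listen on
    #   $connect  address/port to forward to
    #   $local    optional local source address (false = unset)
    #
    # The /etc/stunnel directory and the init script are shared by all
    # instances and are therefore declared once at class level (below).
    # Declaring them inside the define would produce duplicate File
    # resources as soon as a host used more than one instance.
    define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
        file {
            "/etc/stunnel/puppet-${name}.conf":
                content => template("stunnel4/stunnel.conf.erb"),
                require => File['/etc/stunnel'],
                notify  => Exec['restart_stunnel'],
                ;
        }
    }

    # define an stunnel listener, listening for SSL connections on $accept,
    # connecting to plaintext service $connect using local source address $local
    #
    # unfortunately stunnel is really bad about verifying its peer,
    # all we can be certain of is that they are signed by our CA,
    # not who they are.  So do not use in places where the identity of
    # the caller is important.  Use dsa-portforwarder for that.
    #
    # NOTE(review): $local is accepted here but never handed on to
    # stunnel_generic, so it currently has no effect.  Pass `local => $local`
    # once it is confirmed how the template renders it.
    define stunnel_server($accept, $connect, $local = "127.0.0.1") {
        stunnel_generic {
            "${name}":
                client  => false,
                verify  => 2,
                cafile  => "/etc/exim4/ssl/ca.crt",
                crlfile => "/etc/exim4/ssl/crl.crt",
                accept  => "${accept}",
                connect => "${connect}",
                ;
        }
        # Firewall rules for the listener port, restricted to the
        # $HOST_DEBIAN_V4 / $HOST_DEBIAN_V6 ranges (presumably the Debian
        # hosts).  These are virtual resources: the firewall setup elsewhere
        # has to realize them for the rules to take effect.
        @ferm::rule {
            "stunnel-${name}":
                description => "stunnel ${name}",
                rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
                ;
            "stunnel-${name}-v6":
                domain      => 'ip6',
                description => "stunnel ${name}",
                rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
                ;
        }
    }

    # stunnel client: listens on $accept and forwards over SSL to
    # $connecthost:$connectport.  $cafile holds the peer's own certificate
    # followed by the CA, and verify is 3 (stunnel's "verify against a
    # locally installed certificate" level, assuming the template maps
    # $verify/$cafile to stunnel's verify/CAfile options), so unlike
    # stunnel_server this side does check who it is talking to.
    define stunnel_client($accept, $connecthost, $connectport) {
        file {
            "/etc/stunnel/puppet-${name}-peer.pem":
                # source  => "puppet:///modules/exim/certs/${connecthost}.crt",
                # Peer certificate plus CA, concatenated on the puppet master.
                # $connecthost becomes part of a path read on the master, so
                # callers must pass a plain host name (as the other manifests
                # do); a value containing path separators would select a
                # different file.
                content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
                                                "/etc/puppet/modules/exim/files/certs/ca.crt"),
                notify  => Exec['restart_stunnel'],
                ;
        }
        stunnel_generic {
            "${name}":
                client  => true,
                verify  => 3,
                cafile  => "/etc/stunnel/puppet-${name}-peer.pem",
                accept  => "${accept}",
                connect => "${connecthost}:${connectport}",
                ;
        }
    }


    package {
        "stunnel4": ensure => installed;
    }

    file {
        # Shared by every instance; declared once here (see stunnel_generic).
        "/etc/stunnel":
            ensure  => directory,
            owner   => root,
            group   => root,
            mode    => '0755',
            require => Package['stunnel4'],
            ;
        # Instances are configured through the puppet-*.conf files; the
        # package's default config is removed (presumably so the init script
        # shipped below only picks up the puppet-managed files - confirm
        # against that script).
        "/etc/stunnel/stunnel.conf":
            ensure  => absent,
            require => Package['stunnel4'],
            ;
        # The module's own init script.  Ordered after the package so that
        # installing the package cannot overwrite it with the stock script.
        "/etc/init.d/stunnel4":
            source  => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
            mode    => '0555',
            require => Package['stunnel4'],
            ;
    }

    exec {
        # Comment out any existing ENABLED= line and append ENABLED=1; the
        # `unless` guard keeps this idempotent.  The commands here are not
        # fully qualified and rely on an Exec path default set elsewhere
        # (site.pp, presumably) - not visible in this file.
        "enable_stunnel4":
            command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
            unless  => "grep -q '^ENABLED=1' /etc/default/stunnel4",
            require => [ Package['stunnel4'] ],
            ;
        # Runs only when notified by a config or certificate change
        # (refreshonly).  env -i clears the agent's environment before the
        # init script runs; cd / keeps it out of a working directory that
        # might go away.
        "restart_stunnel":
            command     => "true && cd / && env -i /etc/init.d/stunnel4 restart",
            require     => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
            refreshonly => true,
            ;
    }
}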
96
97 # vim:set et:
98 # vim:set sts=4 ts=4:
99 # vim:set shiftwidth=4: