2 define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
10 "/etc/stunnel/puppet-${name}.conf":
11 content => template("stunnel4/stunnel.conf.erb"),
12 notify => Exec["restart_stunnel_${name}"],
14 "/etc/init.d/stunnel4":
15 source => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
22 $certfile = "/etc/ssl/debian/certs/thishost.crt"
23 $keyfile = "/etc/ssl/debian/keys/thishost.key"
26 $certfile = "/etc/exim4/ssl/thishost.crt"
27 $keyfile = "/etc/exim4/ssl/thishost.key"
32 "restart_stunnel_${name}":
33 command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
34 require => [ File['/etc/stunnel/stunnel.conf'],
35 File['/etc/init.d/stunnel4'],
36 Exec['enable_stunnel4'],
37 Exec['kill_file_override'],
40 subscribe => [ File[$certfile],
48 # Define a stunnel listener that accepts SSL connections on $accept and
49 # forwards them to the plaintext service $connect, using local source address $local.
51 # Unfortunately stunnel is really bad at verifying its peer: all we can
52 # be certain of is that the peer's certificate is signed by our CA, not
53 # who the peer actually is. So do not use this where the identity of the
54 # caller matters; use dsa-portforwarder for that.
55 define stunnel_server($accept, $connect, $local = "127.0.0.1") {
60 cafile => "/etc/exim4/ssl/ca.crt",
61 crlfile => "/etc/exim4/ssl/crl.crt",
62 accept => "${accept}",
63 connect => "${connect}",
68 description => "stunnel ${name}",
69 rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
73 description => "stunnel ${name}",
74 rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
78 define stunnel_client($accept, $connecthost, $connectport) {
80 "/etc/stunnel/puppet-${name}-peer.pem":
81 # source => "puppet:///modules/exim/certs/${connecthost}.crt",
82 content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
83 "/etc/puppet/modules/exim/files/certs/ca.crt"),
84 notify => Exec["restart_stunnel_${name}"],
91 cafile => "/etc/stunnel/puppet-${name}-peer.pem",
92 accept => "${accept}",
93 connect => "${connecthost}:${connectport}",
100 "stunnel4": ensure => installed;
104 "/etc/stunnel/stunnel.conf":
106 require => [ Package['stunnel4'] ],
112 command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
113 unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
114 require => [ Package['stunnel4'] ],
116 "kill_file_override":
117 command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4",
118 onlyif => "grep -q '^FILES=' /etc/default/stunnel4",
119 require => [ Package['stunnel4'] ],
125 # vim:set sts=4 ts=4:
126 # vim:set shiftwidth=4: