X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fstunnel4%2Fmanifests%2Finit.pp;h=83fbd820c90979839aca4eea89783bfc196ed7c0;hb=bd7bcdd464b687541457670cb221f415faa33a29;hp=58d0891a9c59e87f61598f8b9c11b07d4cbf1a3e;hpb=fec3645d1cdb5298ede4f32c591e8aade24cfd28;p=mirror%2Fdsa-puppet.git
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
index 58d0891a9..83fbd820c 100644
--- a/modules/stunnel4/manifests/init.pp
+++ b/modules/stunnel4/manifests/init.pp
@@ -1,13 +1,68 @@
 class stunnel4 {
+ define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
+ file {
+ "/etc/stunnel":
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 755,
+ ;
+ "/etc/stunnel/puppet-${name}.conf":
+ content => template("stunnel4/stunnel.conf.erb"),
+ notify => Exec['restart_stunnel'],
+ ;
+ }
+ }
+
 # define an stunnel listener, listening for SSL connections on $accept,
 # connecting to plaintext service $connect using local source address $local
+ #
+ # unfortunately stunnel is really bad about verifying its peer,
+ all we can be certain of is that they are signed by our CA,
+ not who they are. So do not use in places where the identity of
+ the caller is important. Use dsa-portforwarder for that.
 define stunnel_server($accept, $connect, $local = "127.0.0.1") {
+ stunnel_generic {
+ "${name}":
+ client => false,
+ verify => 2,
+ cafile => "/etc/exim4/ssl/ca.crt",
+ crlfile => "/etc/exim4/ssl/crl.crt",
+ accept => "${accept}",
+ connect => "${connect}",
+ ;
+ }
+ @ferm::rule {
+ "stunnel-${name}":
+ description => "stunnel ${name}",
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
+ ;
+ "stunnel-${name}-v6":
+ domain => 'ip6',
+ description => "stunnel ${name}",
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
+ ;
+ }
+ }
+ define stunnel_client($accept, $connecthost, $connectport) {
 file {
- "/etc/stunnel/puppet-${name}.conf":
- content => template("stunnel4/server.conf.erb"),
+ "/etc/stunnel/puppet-${name}-peer.pem":
+ # source => "puppet:///modules/exim/certs/${connecthost}.crt",
+ content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
+ "/etc/puppet/modules/exim/files/certs/ca.crt"),
 notify => Exec['restart_stunnel'],
 ;
 }
+ stunnel_generic {
+ "${name}":
+ client => true,
+ verify => 3,
+ cafile => "/etc/stunnel/puppet-${name}-peer.pem",
+ accept => "${accept}",
+ connect => "${connecthost}:${connectport}",
+ require => [ File["/etc/stunnel/puppet-${name}-peer.pem"] ],
+ ;
+ }
 }
@@ -18,6 +73,7 @@ class stunnel4 {
 file {
 "/etc/stunnel/stunnel.conf":
 ensure => absent,
+ require => [ Package['stunnel4'] ],
 ;
 }
@@ -28,8 +84,9 @@ class stunnel4 {
 require => [ Package['stunnel4'] ],
 ;
 "restart_stunnel":
- command => "env -i /etc/init.d/stunnel4 restart",
+ command => "true && cd / && env -i /etc/init.d/stunnel4 restart",
 require => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
+ refreshonly => true,
 ;
 }
 }
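Review bot: `stunnel_generic` declares `File["/etc/stunnel"]` inside the define, so the second `stunnel_server` or `stunnel_client` instance on one host will fail the catalog with a duplicate declaration; the directory resource belongs in the `stunnel4` class body (which continues outside this hunk), leaving the define with only the per-instance `puppet-${name}.conf`. `stunnel_server` also never forwards its `$local` parameter (`local => $local` is missing from the `stunnel_generic` call), so the `127.0.0.1` source address the header comment still advertises is presumably dropped, depending on what `stunnel.conf.erb` reads. In `stunnel_client`, `$connecthost` is interpolated unvalidated into the path passed to `generate("/bin/cat", ...)`, which runs on the puppetmaster, so a value containing `/` or `..` would make the master read and ship an arbitrary file as the peer PEM; fail early with something like `if $connecthost !~ /^[a-z0-9.-]+$/ { fail("stunnel_client ${name}: invalid connecthost") }`. The commented-out `source =>` line should either go or be replaced by a comment stating why `generate` is used instead (presumably because the peer file has to hold both the host certificate and the CA certificate — confirm).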
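Review bot: The new `restart_stunnel` command `true && cd / && env -i /etc/init.d/stunnel4 restart` depends on being run through a shell and on `true` resolving, but the resource sets no `path`; unless an `Exec` resource default elsewhere in the manifests supplies one, Puppet will presumably refuse the unqualified first word. Nothing records why the `true &&` and `cd /` prefix was added; a comment on the `command` line such as `# run via a shell from / so the restarted daemon inherits neither the agent's cwd nor its environment — confirm intent` would keep the next editor from "simplifying" it away. `refreshonly => true` is the right fix for the previous unconditional restart on every agent run.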