From: Peter Palfrader
Date: Sun, 20 Mar 2011 23:15:03 +0000 (+0100)
Subject: And stunnel client support
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=f0a682647864402c133fe0825b1438d8a1aa3cf8;p=mirror%2Fdsa-puppet.git
And stunnel client support
---
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
index 58d0891a9..a4c9d5048 100644
--- a/modules/stunnel4/manifests/init.pp
+++ b/modules/stunnel4/manifests/init.pp
@@ -1,13 +1,58 @@ class stunnel4 { + define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) { + file { + "/etc/stunnel/puppet-${name}.conf": + content => template("stunnel4/stunnel.conf.erb"), + notify => Exec['restart_stunnel'], + ; + } + } + # define an stunnel listener, listening for SSL connections on $accept, # connecting to plaintext service $connect using local source address $local + # + # unfortunately stunnel is really bad about verifying its peer, + # all we can be certain of is that they are signed by our CA, + # not who they are. So do not use in places where the identity of + # the caller is important. Use dsa-portforwarder for that. define stunnel_server($accept, $connect, $local = "127.0.0.1") { + stunnel_generic { + "${name}": + client => false, + verify => 2, + cafile => "/etc/exim4/ssl/ca.crt", + crlfile => "/etc/exim4/ssl/crl.crt", + accept => "${accept}", + connect => "${connect}", + ; + } + @ferm::rule { + "stunnel-${name}": + description => "stunnel ${name}", + rule => "&TCP_UDP_SERVICE(${accept})", + domain => "(ip ip6)", + ; + } + } + define stunnel_client($accept, $connecthost, $connectport) { file { - "/etc/stunnel/puppet-${name}.conf": - content => template("stunnel4/server.conf.erb"), + "/etc/stunnel/puppet-${name}-peer.pem": + # source => "puppet:///modules/exim/certs/${connecthost}.crt", + content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt", + "/etc/puppet/modules/exim/files/certs/ca.crt"), notify => Exec['restart_stunnel'], ; } + stunnel_generic { + "${name}": + client => true, + verify => 3, + cafile => "/etc/stunnel/puppet-${name}-peer.pem", + accept => "${accept}", + connect => "${connecthost}:${connectport}", + require => [ File["/etc/stunnel/puppet-${name}-peer.pem"] ], + ; + } } 
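Review bot: `stunnel_server` still declares `$local = "127.0.0.1"` but its new `stunnel_generic` call passes no `local`, so `stunnel_generic`'s `$local=false` default applies and the `local = ...` line the old template always emitted is dropped from every server config; a backend that only accepts connections from 127.0.0.1 would lose that source pinning silently. Add `local => "${local}",` to the `stunnel_generic` block inside `stunnel_server`. In `stunnel_client`, `${connecthost}` is interpolated into the file path handed to `generate()`, which is evaluated on the puppetmaster at compile time, so the parameter effectively selects a file to read; it is worth constraining it to a plain hostname (no `/` or `..`) before use, or at least stating in a comment that callers must pass a bare hostname. The firewall rule `&TCP_UDP_SERVICE(${accept})` appears to open both TCP and UDP for the listener, while stunnel only serves TCP; if a TCP-only macro exists in the ferm module it would be the tighter choice.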
@@ -30,6 +75,7 @@ class stunnel4 {
 "restart_stunnel":
 command => "env -i /etc/init.d/stunnel4 restart",
 require => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
+ refreshonly => true,
 ;
 }
 }
diff --git a/modules/stunnel4/templates/server.conf.erb b/modules/stunnel4/templates/server.conf.erb
deleted file mode 100644
index 59334c085..000000000
--- a/modules/stunnel4/templates/server.conf.erb
+++ /dev/null
@@ -1,32 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-cert = /etc/exim4/ssl/thishost.crt
-key = /etc/exim4/ssl/thishost.key
-
-; Some security enhancements for UNIX systems - comment them out on Win32
-chroot = /var/run/stunnel4
-setuid = stunnel4
-setgid = stunnel4
-; PID is created inside chroot jail
-pid = /stunnel-<%= name %>.pid
-
-verify = 2
-CAfile = /etc/exim4/ssl/ca.crt
-CRLfile = /etc/exim4/ssl/ca.crl
-
-; Some debugging stuff useful for troubleshooting
-debug = notice
-; don't use a file, use syslog
-; output = /var/log/stunnel4/stunnel.log
-
-client = no
-
-[<%= name %>]
-accept = <%= accept %>
-connect = <%= connect %>
-local = <%= local %>
-
-; vim:ft=dosini
diff --git a/modules/stunnel4/templates/stunnel.conf.erb b/modules/stunnel4/templates/stunnel.conf.erb
new file mode 100644
index 000000000..b4d544883
--- /dev/null
+++ b/modules/stunnel4/templates/stunnel.conf.erb
@@ -0,0 +1,41 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<%- if client -%>
+cert = /etc/ssl/debian/certs/thishost.crt
+key = /etc/ssl/debian/keys/thishost.key
+<%- else -%>
+cert = /etc/exim4/ssl/thishost.crt
+key = /etc/exim4/ssl/thishost.key
+<%- end -%>
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/run/stunnel4
+setuid = stunnel4
+setgid = stunnel4
+; PID is created inside chroot jail
+pid = /stunnel-<%= name %>.pid
+
+verify = <%= verify %>
+CAfile = <%= cafile %>
+<%- if crlfile -%>
+CRLfile = /etc/exim4/ssl/ca.crl
+<%- end -%>
+
+; Some debugging stuff useful for troubleshooting
+debug = notice
+; don't use a file, use syslog
+; output = /var/log/stunnel4/stunnel.log
+
+client = <%= client ? "yes" : "no" %>
+
+[<%= name %>-server]
+accept = <%= accept =~ /:/ ? accept : ":::#{accept}" %>
+connect = <%= connect %>
+<%- if local -%>
+local = <%= local %>
+<%- end -%>
+
+; vim:ft=dosini
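Review bot: The `crlfile` parameter is used only as a switch: `<%- if crlfile -%>` emits a hard-coded `CRLfile = /etc/exim4/ssl/ca.crl`, so the value `stunnel_server` passes in the manifest hunk (`/etc/exim4/ssl/crl.crt`) is never written and any other path a caller supplies is silently ignored. Emit the parameter instead, `CRLfile = <%= crlfile %>`, and confirm which of the two filenames actually exists on the hosts, since pointing stunnel at a missing CRL will either prevent it from starting or leave revocation unchecked, depending on the stunnel version. The client side passes no `crlfile` at all, which is defensible because `verify = 3` checks the peer against the locally installed certificate in `CAfile` rather than only the CA chain; a short comment above `verify = <%= verify %>` saying so (level 2 = CA-signed only, level 3 = peer certificate pinned) would spare the next reader a trip to the stunnel manual. The section header is always `[<%= name %>-server]` even when `client` is true, which is cosmetic but misleading in syslog output.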