From fec3645d1cdb5298ede4f32c591e8aade24cfd28 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 20 Mar 2011 22:44:34 +0100
Subject: [PATCH] Add a start of weasel's stunnel puppetry
---
 modules/stunnel4/manifests/init.pp | 39 ++++++++++++++++++++++
 modules/stunnel4/templates/server.conf.erb | 32 ++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 modules/stunnel4/manifests/init.pp
 create mode 100644 modules/stunnel4/templates/server.conf.erb
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
new file mode 100644
index 000000000..58d0891a9
--- /dev/null
+++ b/modules/stunnel4/manifests/init.pp
@@ -0,0 +1,39 @@
+class stunnel4 {
+ # define an stunnel listener, listening for SSL connections on $accept,
+ # connecting to plaintext service $connect using local source address $local
+ define stunnel_server($accept, $connect, $local = "127.0.0.1") {
+ file {
+ "/etc/stunnel/puppet-${name}.conf":
+ content => template("stunnel4/server.conf.erb"),
+ notify => Exec['restart_stunnel'],
+ ;
+ }
+ }
+
+
+ package {
+ "stunnel4": ensure => installed;
+ }
+
+ file {
+ "/etc/stunnel/stunnel.conf":
+ ensure => absent,
+ ;
+ }
+
+ exec {
+ "enable_stunnel4":
+ command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
+ unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
+ require => [ Package['stunnel4'] ],
+ ;
+ "restart_stunnel":
+ command => "env -i /etc/init.d/stunnel4 restart",
+ require => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
+ ;
+ }
+}
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
diff --git a/modules/stunnel4/templates/server.conf.erb b/modules/stunnel4/templates/server.conf.erb
new file mode 100644
index 000000000..59334c085
--- /dev/null
+++ b/modules/stunnel4/templates/server.conf.erb
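Review bot: `Exec['restart_stunnel']` has no `refreshonly => true`, so `env -i /etc/init.d/stunnel4 restart` runs on every agent run instead of only when a `stunnel_server` config file changes and notifies it; add `refreshonly => true,` beside its `command`. The `file` resource inside `stunnel_server` writes `/etc/stunnel/puppet-${name}.conf` without `require => Package['stunnel4']`, so on a fresh host it can be applied before the package has created `/etc/stunnel`. `$name` is also interpolated unvalidated into that path and into the template's section header and pid path; the callers are other manifests, so this is a robustness rather than an exposure concern, but a guard at the top of the define such as `if $name !~ /^[A-Za-z0-9_-]+$/ { fail("stunnel_server: bad name '${name}'") }` keeps the file name and config well-formed. The `unless` test `grep -q '^ENABLED=1'` also matches `ENABLED=10`, which is presumably harmless here but worth anchoring if the file is ever hand-edited.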
@@ -0,0 +1,32 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+cert = /etc/exim4/ssl/thishost.crt
+key = /etc/exim4/ssl/thishost.key
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/run/stunnel4
+setuid = stunnel4
+setgid = stunnel4
+; PID is created inside chroot jail
+pid = /stunnel-<%= name %>.pid
+
+verify = 2
+CAfile = /etc/exim4/ssl/ca.crt
+CRLfile = /etc/exim4/ssl/ca.crl
+
+; Some debugging stuff useful for troubleshooting
+debug = notice
+; don't use a file, use syslog
+; output = /var/log/stunnel4/stunnel.log
+
+client = no
+
+[<%= name %>]
+accept = <%= accept %>
+connect = <%= connect %>
+local = <%= local %>
+
+; vim:ft=dosini
-- 
2.20.1
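Review bot: The global section above `client = no` pins no TLS protocol version or cipher policy, so each listener inherits whatever the installed stunnel4 build defaults to, which for builds of this period still includes SSLv2/SSLv3; consider adding `options = NO_SSLv2` and `options = NO_SSLv3` (or `sslVersion = TLSv1`) there, checked against the manual of the stunnel4 version actually deployed, which the commit does not state. `verify = 2` with `CAfile` requires a client certificate that chains to `/etc/exim4/ssl/ca.crt` but does not tie the connection to a particular peer host, so any holder of a certificate from that CA reaches `<%= connect %>`; if that is the intent, a comment above `verify` saying so would spare the next maintainer the question, and if not, the peer restriction needs to be enforced elsewhere. The listener reuses exim4's host certificate and key while running as `stunnel4` inside `chroot = /var/run/stunnel4`; a one-line comment above `cert` noting that the key permissions are owned by the exim4 setup and must not be loosened for stunnel4 would document the dependency.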