Added stunnel installation.

65084a5d · nimrod · fe8619e3 · 65084a5d · 65084a5d · 65084a5d
Commit 65084a5d authored 9 years ago by nimrod
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -33,3 +33,8 @@
  service:
    name: systemd-timesyncd
    state: restarted
+- name: Restart stunnel
+  service:
+    name: '{{ stunnel_server[ansible_os_family] }}'
+    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -56,5 +56,8 @@
 - include: lock_root.yml
  when: lock_root|default(True) and not common_role_finished is defined
+- include: stunnel.yml
+  when: stunnel|default(True) and not common_role_finished is defined
 - set_fact:
    common_role_finished: True
--- a/tasks/stunnel.yml
+++ b/tasks/stunnel.yml
+---
+- assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+- name: apt install stunnel
+  when: ansible_pkg_mgr == 'apt'
+  apt:
+    name: stunnel4
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+- name: pkg install stunnel
+  when: ansible_pkg_mgr == 'openbsd_pkg'
+  openbsd_pkg:
+    name: '{{ openbsd_stunnel_version[ansible_os_family] }}'
+    state: present
+- name: Configure stunnel
+  with_dict:
+    syslog: yes
+    key: '{{ tls_key_path }}'
+    cert: '{{ tls_cert_path }}'
+    CAfile: '{{ ca_store[ansible_os_family] }}'
+    ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
+    options: NO_SSLv2
+    options: NO_SSLv3
+  lineinfile:
+    dest: /etc/stunnel/stunnel.conf
+    line: '{{ item.key }} = {{ item.value }}'
+    regexp: '^{{ item.key }} ='
+    state: present
+  notify:
+  - Restart stunnel
+- name: Allow stunnel to access the TLS key
+  user:
+    name: '{{ stunnel_user[ansible_os_family] }}'
+    groups: ssl-cert
+    append: yes
+    state: present
+  notify:
+  - Restart stunnel
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -31,7 +31,16 @@ openbsd_collectd_version:
    '5.7': 'collectd-5.4.1p1'
    '5.8': 'collectd-5.5.0p1'
+openbsd_stunnel_version:
+    '5.5': 'stunnel-4.56'
+    '5.6': 'stunnel-5.00p0'
+    '5.7': 'stunnel-5.06'
+    '5.8': 'stunnel-5.19'
 openbsd_pkg_mirror: http://www.mirrorservice.org/pub
+ca_store:
+    OpenBSD: /etc/ssl/cert.pem
+    Debian: /etc/ssl/certs/ca-certificates.crt
 update_ca_certificates:
    OpenBSD: /usr/local/sbin/update-ca-certificates
    Debian: /usr/sbin/update-ca-certificates
@@ -56,3 +65,9 @@ ntpd_service:
 aliases_file:
    OpenBSD: /etc/mail/aliases
    Debian: /etc/aliases
+stunnel_service:
+    OpenBSD: stunnel
+    Debian: stunnel4
+stunnel_user:
+    OpenBSD: _stunnel
+    Debian: stunnel4