WIP socket activation.

dd128448 · nimrod · ce329c21 · dd128448 · dd128448 · dd128448
Commit dd128448 authored Nov 21, 2015 by nimrod
--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
 # defaults file for ansible-stunnel
+
+stunnel_ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
+stunnel_ufw_rule: limit
--- a/files/stunnel.conf
+++ b/files/stunnel.conf
+d /var/run/stunnel4 0755 stunnel4 stunnel4
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # tasks file for ansible-stunnel
+
+- name: apt install
+  with_items:
+  - stunnel4
+  - ssl-cert
+  apt:
+    name: '{{ item }}'
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: Allow stunnel access to TLS key
+  user:
+    name: stunnel4
+    groups: ssl-cert
+    state: present
+
+- name: Add tmpfiles snippet
+  copy:
+    src: stunnel.conf
+    dest: /etc/tmpfiles.d/stunnel.conf
+    owner: root
+    group: root
+    mode: '0644'
+  register: stunnel_tmpfiles
+
+- name: Create tmpfiles
+  when: stunnel_tmpfiles.changed
+  command: /bin/systemd-tmpfiles --create
+
+- name: Add SystemD socket, service
+  with_items:
+  - src: stunnel.service.j2
+    dest: '/etc/systemd/system/stunnel_{{ stunnel_secure_port }}.service'
+  - src: stunnel.socket.j2
+    dest: '/etc/systemd/system/stunnel_{{ stunnel_secure_port }}.socket'
+  - src: stunnel.conf.j2
+    dest: '/etc/stunnel/{{ stunnel_secure_port }}.conf'
+  template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable SystemD socket, service
+  service:
+    name: 'stunnel_{{ stunnel_secure_port }}.socket'
+    enabled: yes
+
+- name: Open port in firewall
+  ufw:
+    rule: '{{ stunnel_ufw_rule }}'
+    port: '{{ stunnel_secure_port }}'
+    proto: tcp
--- a/templates/stunnel.conf.j2
+++ b/templates/stunnel.conf.j2
+foreground = yes
+output = /dev/stdout
+syslog = no
+connect = {{ stunnel_unsecure_port }}
+CAfile = {{ stunnel_ca_cert }}
+cert = {{ stunnel_cert }}
+key = {{ stunnel_key }}
+ciphers = {{ stunnel_ciphers }}
+options = NO_SSLv2
+options = NO_SSLv3
--- a/templates/stunnel.service.j2
+++ b/templates/stunnel.service.j2
+[Unit]
+Description=TLS proxy socket
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/stunnel /etc/stunnel/{{ stunnel_secure_port }}.conf
+WorkingDirectory=/var/run/stunnel4
+User=stunnel4
+Group=stunnel4
+StandardInput=socket
+StandardOutput=syslog
+StandardError=syslog
--- a/templates/stunnel.socket.j2
+++ b/templates/stunnel.socket.j2
+[Unit]
+Description=TLS proxy socket
+
+[Socket]
+ListenStream={{ stunnel_secure_port }}
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
+WantedBy=network.target