From dd1284481fa04c09797b473d229842e0aa5e2ad2 Mon Sep 17 00:00:00 2001 From: Adar Nimrod Date: Sat, 21 Nov 2015 18:55:16 +0200 Subject: [PATCH] WIP socket activation. --- defaults/main.yml | 3 ++ files/stunnel.conf | 1 + tasks/main.yml | 55 ++++++++++++++++++++++++++++++++++++ templates/stunnel.conf.j2 | 10 +++++++ templates/stunnel.service.j2 | 12 ++++++++ templates/stunnel.socket.j2 | 10 +++++++ 6 files changed, 91 insertions(+) create mode 100644 files/stunnel.conf create mode 100644 templates/stunnel.conf.j2 create mode 100644 templates/stunnel.service.j2 create mode 100644 templates/stunnel.socket.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 6c65c22..8b9de2f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,5 @@
 ---
 # defaults file for ansible-stunnel
+
+stunnel_ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
+stunnel_ufw_rule: limit
diff --git a/files/stunnel.conf b/files/stunnel.conf
new file mode 100644
index 0000000..9e8b125
--- /dev/null
+++ b/files/stunnel.conf
@@ -0,0 +1 @@
+d /var/run/stunnel4 0755 stunnel4 stunnel4
diff --git a/tasks/main.yml b/tasks/main.yml
index dcc9e2a..3f657a0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
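Review bot: The new defaults declare only `stunnel_ciphers` and `stunnel_ufw_rule`, while the tasks and templates in this patch also consume `stunnel_secure_port`, `stunnel_unsecure_port`, `stunnel_ca_cert`, `stunnel_cert` and `stunnel_key`, none of which is declared or documented here. A missing one surfaces only as an undefined-variable failure part-way through the play, after packages are installed and the stunnel4 user's groups have been changed. Consider listing them in this file as commented-out required variables, e.g. `# stunnel_secure_port: (required) TCP port the socket unit listens on`, and adding an early `assert` task so the play fails before it makes any change. The cipher list itself is correctly single-quoted, which matters since it starts with `!`.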
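Review bot: The tmpfiles entry names `/var/run/stunnel4`, which on systemd hosts is a compatibility symlink to `/run`; tmpfiles.d snippets conventionally spell the canonical path, `d /run/stunnel4 0755 stunnel4 stunnel4`, and `WorkingDirectory` in the service template should use the same spelling so the two stay obviously linked. A one-line comment above the entry saying what it is for would help the next reader, e.g. `# runtime directory for the stunnel4 service, which runs unprivileged and presumably cannot create it itself`.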
@@ -1,2 +1,57 @@
 ---
 # tasks file for ansible-stunnel
+
+- name: apt install
+ with_items:
+ - stunnel4
+ - ssl-cert
+ apt:
+ name: '{{ item }}'
+ state: present
+ update_cache: yes
+ cache_valid_time: 3600
+
+- name: Allow stunnel access to TLS key
+ user:
+ name: stunnel4
+ groups: ssl-cert
+ state: present
+
+- name: Add tmpfiles snippet
+ copy:
+ src: stunnel.conf
+ dest: /etc/tmpfiles.d/stunnel.conf
+ owner: root
+ group: root
+ mode: '0644'
+ register: stunnel_tmpfiles
+
+- name: Create tmpfiles
+ when: stunnel_tmpfiles.changed
+ command: /bin/systemd-tmpfiles --create
+
+- name: Add SystemD socket, service
+ with_items:
+ - src: stunnel.service.j2
+ dest: '/etc/systemd/system/stunnel_{{ stunnel_secure_port }}.service'
+ - src: stunnel.socket.j2
+ dest: '/etc/systemd/system/stunnel_{{ stunnel_secure_port }}.socket'
+ - src: stunnel.conf.j2
+ dest: '/etc/stunnel/{{ stunnel_secure_port }}.conf'
+ template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Enable SystemD socket, service
+ service:
+ name: 'stunnel_{{ stunnel_secure_port }}.socket'
+ enabled: yes
+
+- name: Open port in firewall
+ ufw:
+ rule: '{{ stunnel_ufw_rule }}'
+ port: '{{ stunnel_secure_port }}'
+ proto: tcp
diff --git a/templates/stunnel.conf.j2 b/templates/stunnel.conf.j2
new file mode 100644
index 0000000..a77f660
--- /dev/null
+++ b/templates/stunnel.conf.j2
@@ -0,0 +1,10 @@
+foreground = yes
+output = /dev/stdout
+syslog = no
+connect = {{ stunnel_unsecure_port }}
+CAfile = {{ stunnel_ca_cert }}
+cert = {{ stunnel_cert }}
+key = {{ stunnel_key }}
+ciphers = {{ stunnel_ciphers }}
+options = NO_SSLv2
+options = NO_SSLv3
diff --git a/templates/stunnel.service.j2 b/templates/stunnel.service.j2
new file mode 100644
index 0000000..d757c05
--- /dev/null
+++ b/templates/stunnel.service.j2
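Review bot: The `Enable SystemD socket, service` task only sets `enabled: yes` on a unit the preceding `template` task has just written, with no daemon-reload in between and no `state: started`, so on a fresh host systemd may not yet know the unit and, even when it does, the socket does not listen until the next boot. Add a `command: systemctl daemon-reload` step (or the `systemd` module's `daemon_reload` option where the Ansible version in use provides it) before this task, set `state: started` next to `enabled: yes`, and have the three templates `notify` a handler that restarts the socket, since edits to the config are otherwise never picked up. Separately, `Allow stunnel access to TLS key` sets `groups: ssl-cert` without `append: yes`, which makes ssl-cert the stunnel4 user's only supplementary group and silently drops any group the package or an administrator had added. As a point of style, `update_cache: yes` and `enabled: yes` are better written `true`, which is also what yamllint's truthy rule expects.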
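Review bot: `CAfile` is set but no `verify` level is, and as far as stunnel's options go the CA file is only consulted when `verify` is enabled, so as written the peer certificate is never checked and `stunnel_ca_cert` gives a misleading impression of client authentication. Either add `verify = 2` (or whichever level the role intends) next to it, or drop `CAfile` and document that the proxy accepts any client. The absence of an `accept` option is what makes stunnel run in inetd mode on the socket handed over by systemd, which the socket unit depends on; that deserves a comment at the top of the file, e.g. `; no [service]/accept section on purpose: inetd mode, the connection socket is passed in by systemd`, because a later addition of `accept` would silently break activation.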
@@ -0,0 +1,12 @@
+[Unit]
+Description=TLS proxy socket
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/stunnel /etc/stunnel/{{ stunnel_secure_port }}.conf
+WorkingDirectory=/var/run/stunnel4
+User=stunnel4
+Group=stunnel4
+StandardInput=socket
+StandardOutput=syslog
+StandardError=syslog
diff --git a/templates/stunnel.socket.j2 b/templates/stunnel.socket.j2
new file mode 100644
index 0000000..745eddd
--- /dev/null
+++ b/templates/stunnel.socket.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=TLS proxy socket
+
+[Socket]
+ListenStream={{ stunnel_secure_port }}
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
+WantedBy=network.target
-- GitLab
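Review bot: The socket unit in the next hunk sets `Accept=yes`, under which systemd spawns one service instance per connection and looks for a template unit named `stunnel_{{ stunnel_secure_port }}@.service`; the non-template `stunnel_{{ stunnel_secure_port }}.service` written here (and the matching `dest` in tasks/main.yml) will not be found, so activation fails on the first connection. Renaming the destination to the `@.service` form fixes that, and `Description=TLS proxy socket` should read `TLS proxy service`, as it is copied from the socket unit. Since this process parses untrusted network input as `User=stunnel4`, sandboxing directives in `[Service]` such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would limit what a compromised instance can reach at little cost; I cannot tell from the patch which systemd version the target distribution ships, so confirm they are supported before adding them.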
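Review bot: `WantedBy=network.target` in `[Install]` is unusual for a socket unit: `sockets.target` is the target that pulls listening sockets in at boot, while `network.target` is a passive synchronization point that does not normally want units, so `WantedBy=sockets.target` alone is the conventional form. With `Accept=yes` each connection becomes its own service instance and `MaxConnections=` (default 64) caps how many run concurrently, after which further connections are refused; decide whether that limit suits the expected load and state the chosen value explicitly, e.g. `MaxConnections=64` with a comment on why. `ListenStream={{ stunnel_secure_port }}` binds on all addresses; if the proxy is only meant to be reachable on a specific interface, prefix the port with that address.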