Diffstat (limited to 'puppet/modules/stunnel/manifests')
-rw-r--r-- | puppet/modules/stunnel/manifests/base.pp | 13 | ||||
-rw-r--r-- | puppet/modules/stunnel/manifests/centos.pp | 35 | ||||
-rw-r--r-- | puppet/modules/stunnel/manifests/debian.pp | 21 | ||||
-rw-r--r-- | puppet/modules/stunnel/manifests/init.pp | 66 | ||||
-rw-r--r-- | puppet/modules/stunnel/manifests/linux.pp | 6 | ||||
-rw-r--r-- | puppet/modules/stunnel/manifests/service.pp | 79 | ||||
-rw-r--r-- | puppet/modules/stunnel/manifests/service/nagios.pp | 12 |
7 files changed, 232 insertions, 0 deletions
diff --git a/puppet/modules/stunnel/manifests/base.pp b/puppet/modules/stunnel/manifests/base.pp
new file mode 100644
index 00000000..9fed2de7
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/base.pp
@@ -0,0 +1,13 @@
+class stunnel::base {
+
+ file { '/etc/stunnel':
+ ensure => directory;
+ }
+
+ service { 'stunnel':
+ ensure => running,
+ name => 'stunnel',
+ enable => true,
+ hasstatus => false;
+ }
+}
diff --git a/puppet/modules/stunnel/manifests/centos.pp b/puppet/modules/stunnel/manifests/centos.pp
new file mode 100644
index 00000000..3b0a6e2a
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/centos.pp
@@ -0,0 +1,35 @@
+class stunnel::centos inherits stunnel::linux {
+
+ file { '/etc/init.d/stunnel':
+ source => "puppet:///modules/stunnel/${::operatingsystem}/stunnel.init",
+ require => Package['stunnel'],
+ before => Service['stunnel'],
+ owner => root,
+ group => 0,
+ mode => '0755';
+ }
+
+ user::managed { 'stunnel':
+ homedir => '/var/run/stunnel',
+ shell => '/sbin/nologin',
+ uid => 105,
+ gid => 105;
+ }
+
+ Service['stunnel']{
+ hasstatus => true,
+ require => [ User['stunnel'], File['/etc/init.d/stunnel'] ]
+ }
+
+ file { '/etc/stunnel/stunnel.conf':
+ source => [ "puppet:///modules/site-stunnel/${::fqdn}/stunnel.conf",
+ "puppet:///modules/site-stunnel/${stunnel::cluster}/stunnel.conf",
+ 'puppet:///modules/site-stunnel/stunnel.conf',
+ "puppet:///modules/stunnel/${::operatingsystem}/stunnel.conf" ],
+ require => Package['stunnel'],
+ notify => Service['stunnel'],
+ owner => root,
+ group => 0,
+ mode => '0600';
+ }
+}
diff --git a/puppet/modules/stunnel/manifests/debian.pp b/puppet/modules/stunnel/manifests/debian.pp
new file mode 100644
index 00000000..bde1e219
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/debian.pp
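Review bot: The `file { '/etc/stunnel': ensure => directory; }` resource in stunnel::base manages existence only, so the directory's owner, group and mode are whatever the package or a previous run left, while the `stunnel.conf` that stunnel::centos places inside it is deliberately root:0 0600 and the configs reference certificate and key paths. Managing the directory explicitly, `owner => root, group => 0, mode => '0755';` (or `'0750'` if only root and the daemon need to traverse it), keeps the permission story in one place. The service's `hasstatus => false` without a `pattern` means Puppet falls back to scanning the process table for a process named `stunnel`; stunnel::debian sets a pattern and stunnel::centos flips `hasstatus`, so the base default only matters for the `stunnel::default` branch, which this commit does not ship.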
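Review bot: `user::managed { 'stunnel': uid => 105, gid => 105 }` hard-codes a numeric id inside the range distributions allocate to system accounts, and nothing in the diff lets a site override it, so a host where 105 is already taken will either fail the user resource or re-own another account's files. Exposing the id as a parameter of the stunnel class with 105 as the default, and passing it through here, would keep current behaviour while making collisions fixable. Separately, the second `source` entry, `"puppet:///modules/site-stunnel/${stunnel::cluster}/stunnel.conf"`, becomes `.../site-stunnel//stunnel.conf` when `$cluster` keeps its default of `''`, which presumably resolves to the same file as the third entry; a one-line comment such as `# cluster entry is a no-op when $cluster is empty` would stop readers treating it as a distinct lookup.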
@@ -0,0 +1,21 @@
+class stunnel::debian inherits stunnel::linux {
+
+ Package['stunnel'] {
+ name => 'stunnel4',
+ }
+
+ Service['stunnel'] {
+ name => 'stunnel4',
+ pattern => '/usr/bin/stunnel4',
+ }
+
+ file { '/etc/default/stunnel4':
+ content => template('stunnel/Debian/default'),
+ require => Package['stunnel4'],
+ notify => Service['stunnel4'],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
+}
+
diff --git a/puppet/modules/stunnel/manifests/init.pp b/puppet/modules/stunnel/manifests/init.pp
new file mode 100644
index 00000000..c5ad70b1
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/init.pp
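Review bot: The `file { '/etc/default/stunnel4': ... }` resource refers to `Package['stunnel4']` and `Service['stunnel4']`, but the resources declared in stunnel::linux and stunnel::base are titled `'stunnel'`; only the overrides above change their `name` to `stunnel4`. Puppet does register an alias from the namevar when it differs from the title, so this probably compiles, but it depends on that implicit alias and is inconsistent with stunnel::centos, which references `Package['stunnel']` and `Service['stunnel']` throughout. I would change the two lines to `require => Package['stunnel'],` and `notify => Service['stunnel'],`.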
@@ -0,0 +1,66 @@
+#
+# stunnel puppet module
+#
+# Copyright 2009, Riseup Networks <micah@riseup.net>
+#
+#
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of the GNU
+# General Public License version 3 as published by
+# the Free Software Foundation.
+#
+# 1. include stunnel: this will automatically include stunnel::debian,
+# which automatically includes stunnel::linux, which automatically
+# includes stunnel::base
+# 2. stunnel::client allows you to configure different /etc/stunnel/*.conf files
+# to provide various stunnel configurations
+
+# TODO: warn on cert/key issues, fail on false accept?
+
+class stunnel (
+ $ensure_version = 'present',
+ $startboot = '1',
+ $default_extra = '',
+ $cluster = '' )
+{
+
+ case $::operatingsystem {
+ debian: { class { 'stunnel::debian': } }
+ centos: { class { 'stunnel::centos': } }
+ default: { class { 'stunnel::default': } }
+ }
+
+ $stunnel_staging = "${::puppet_vardir}/stunnel4"
+ $stunnel_compdir = "${stunnel_staging}/configs"
+
+ file {
+ [ $stunnel_staging, "${stunnel_staging}/bin" ]:
+ ensure => directory,
+ owner => 0,
+ group => 0,
+ mode => '0750';
+
+ "${stunnel_staging}/configs":
+ ensure => directory,
+ owner => 0,
+ group => 0,
+ mode => '0750',
+ recurse => true,
+ purge => true,
+ force => true,
+ source => undef;
+
+ "${stunnel_staging}/bin/refresh_stunnel.sh":
+ owner => 0,
+ group => 0,
+ mode => '0755',
+ content => template('stunnel/refresh_stunnel.sh.erb');
+ }
+
+ exec { 'refresh_stunnel':
+ refreshonly => true,
+ require => [ Service['stunnel'], Package['stunnel'], File[$stunnel_compdir] ],
+ subscribe => File[$stunnel_compdir],
+ command => "${stunnel_staging}/bin/refresh_stunnel.sh"
+ }
+}
diff --git a/puppet/modules/stunnel/manifests/linux.pp b/puppet/modules/stunnel/manifests/linux.pp
new file mode 100644
index 00000000..a4a926e4
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/linux.pp
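Review bot: The `default:` arm of `case $::operatingsystem` declares `class { 'stunnel::default': }`, but no default.pp is among the seven files this commit adds, so on any operatingsystem other than Debian or CentOS — Ubuntu and RedHat included, since the fact reports those as separate names — catalog compilation will fail on an unknown class rather than with a useful message. Either add the class or fail explicitly: `default: { fail("stunnel: unsupported operatingsystem ${::operatingsystem}") }`. The header comment also documents a `stunnel::client` define, while the define this commit ships is `stunnel::service`; the comment should name the real define so the module's one public interface is discoverable.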
@@ -0,0 +1,6 @@
+class stunnel::linux inherits stunnel::base {
+
+ package { 'stunnel':
+ ensure => $stunnel::ensure_version
+ }
+}
diff --git a/puppet/modules/stunnel/manifests/service.pp b/puppet/modules/stunnel/manifests/service.pp
new file mode 100644
index 00000000..8a98d8ff
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/service.pp
@@ -0,0 +1,79 @@
+define stunnel::service (
+ $ensure = present,
+ $accept = false,
+ $capath = false,
+ $cafile = false,
+ $cert = false,
+ $chroot = false,
+ $ciphers = false,
+ $client = false,
+ $compress = false,
+ $connect = false,
+ $crlpath = false,
+ $crlfile = false,
+ $debuglevel = false,
+ $delay = false,
+ $egd = false,
+ $engine = false,
+ $engineCtrl = false,
+ $enginenum = false,
+ $exec = false,
+ $execargs = false,
+ $failover = false,
+ $ident = false,
+ $key = false,
+ $local = false,
+ $oscp = false,
+ $ocspflag = false,
+ $options = false,
+ $output = false,
+ $pid = false,
+ $protocol = false,
+ $protocolauthentication = false,
+ $protocolhost = false,
+ $protocolpassword = false,
+ $protocolusername = false,
+ $pty = false,
+ $retry = false,
+ $rndbytes = false,
+ $rndfile = false,
+ $rndoverwrite = false,
+ $service = false,
+ $session = false,
+ $setuid = 'stunnel4',
+ $setgid = 'stunnel4',
+ $socket = [ 'l:TCP_NODELAY=1', 'r:TCP_NODELAY=1'],
+ $sslversion = 'SSLv3',
+ $stack = false,
+ $syslog = false,
+ $timeoutbusy = false,
+ $timeoutclose = false,
+ $timeoutconnect = false,
+ $timeoutidle = false,
+ $transparent = false,
+ $manage_nagios = false,
+ $verify = false
+) {
+
+ include stunnel
+
+ $real_client = $client ? { default => 'yes' }
+ $real_pid = $pid ? { false => "/${name}.pid", default => $pid }
+
+ $stunnel_compdir = "${::puppet_vardir}/stunnel4/configs"
+
+ file {
+ "${stunnel_compdir}/${name}.conf":
+ ensure => $ensure,
+ content => template('stunnel/service.conf.erb'),
+ require => Package['stunnel'],
+ notify => Exec['refresh_stunnel'],
+ owner => 'root',
+ group => 0,
+ mode => '0600';
+ }
+
+ if $manage_nagios {
+ stunnel::service::nagios { $name: }
+ }
+}
diff --git a/puppet/modules/stunnel/manifests/service/nagios.pp b/puppet/modules/stunnel/manifests/service/nagios.pp
new file mode 100644
index 00000000..578b417e
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/service/nagios.pp
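Review bot: `$real_client = $client ? { default => 'yes' }` has only a `default` arm, so it yields `'yes'` whatever `$client` holds, including its declared default of `false`; presumably the template feeds `$real_client` to stunnel's `client =` directive, in which case every tunnel is forced into client mode and a server-side (accepting) definition cannot be expressed through this define. The intended selector is probably `$real_client = $client ? { false => 'no', default => 'yes' }`. Two defaults in the parameter list also deserve a comment for callers: `$sslversion = 'SSLv3'` pins a protocol version no longer considered safe, and `$verify = false` leaves peer-certificate checking off unless the caller opts in. `$oscp` looks like a misspelling of `ocsp`; if the template spells it correctly the parameter is silently ignored.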
@@ -0,0 +1,12 @@
+# Put a Nagios service check in place for a specific tunnel.
+#
+# The resource name will be used to point to the corresponding stunnel
+# configuration file.
+#
+define stunnel::service::nagios () {
+
+ nagios::service { "stunnel_${name}":
+ check_command => "nagios-stat-proc!/usr/bin/stunnel4 /etc/stunnel/${name}.conf!6!5!proc";
+ }
+
+}
|
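Review bot: The check command hard-codes `/usr/bin/stunnel4 /etc/stunnel/${name}.conf`, which matches the Debian package and pattern set in stunnel::debian, whereas on CentOS the same commit runs the daemon as `stunnel` from `/etc/init.d/stunnel`, so a tunnel declared with `manage_nagios => true` on CentOS would presumably alert permanently because the process check never matches. The config path is also assumed rather than derived: stunnel::service writes `${::puppet_vardir}/stunnel4/configs/${name}.conf` and relies on refresh_stunnel.sh (not in this diff) to install it under /etc/stunnel. A comment such as `# Assumes the Debian binary path and that refresh_stunnel.sh installs configs into /etc/stunnel` would record both assumptions, or the binary path could come from an OS-specific variable set alongside the service overrides.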