Diffstat (limited to 'puppet/modules/stunnel/manifests')
-rw-r--r--puppet/modules/stunnel/manifests/base.pp13
-rw-r--r--puppet/modules/stunnel/manifests/centos.pp35
-rw-r--r--puppet/modules/stunnel/manifests/debian.pp21
-rw-r--r--puppet/modules/stunnel/manifests/init.pp66
-rw-r--r--puppet/modules/stunnel/manifests/linux.pp6
-rw-r--r--puppet/modules/stunnel/manifests/service.pp79
-rw-r--r--puppet/modules/stunnel/manifests/service/nagios.pp12
7 files changed, 232 insertions, 0 deletions
diff --git a/puppet/modules/stunnel/manifests/base.pp b/puppet/modules/stunnel/manifests/base.pp
new file mode 100644
index 00000000..9fed2de7
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/base.pp
@@ -0,0 +1,13 @@
+class stunnel::base {
+
+ file { '/etc/stunnel':
+ ensure => directory;
+ }
+
+ service { 'stunnel':
+ ensure => running,
+ name => 'stunnel',
+ enable => true,
+ hasstatus => false;
+ }
+}
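Review bot: The `/etc/stunnel` directory at the top of the hunk is declared with only `ensure => directory`, so its ownership and mode stay whatever the package or a previous run left behind, while the files this module later places inside it (`stunnel.conf` in centos.pp, per-service configs) are root-owned 0600. Pin the directory explicitly, e.g. `owner => root, group => 0, mode => '0755',` (or `'0750'` if only root and the stunnel user need to list it), consistent with the other file resources in this module. Also, with `hasstatus => false` and no `pattern`, the service's running check falls back to a process-table search for the bare string `stunnel`, which can match unrelated processes; a service-specific `pattern` (as debian.pp does) would make the check reliable on every platform.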
diff --git a/puppet/modules/stunnel/manifests/centos.pp b/puppet/modules/stunnel/manifests/centos.pp
new file mode 100644
index 00000000..3b0a6e2a
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/centos.pp
@@ -0,0 +1,35 @@
+class stunnel::centos inherits stunnel::linux {
+
+ file { '/etc/init.d/stunnel':
+ source => "puppet:///modules/stunnel/${::operatingsystem}/stunnel.init",
+ require => Package['stunnel'],
+ before => Service['stunnel'],
+ owner => root,
+ group => 0,
+ mode => '0755';
+ }
+
+ user::managed { 'stunnel':
+ homedir => '/var/run/stunnel',
+ shell => '/sbin/nologin',
+ uid => 105,
+ gid => 105;
+ }
+
+ Service['stunnel']{
+ hasstatus => true,
+ require => [ User['stunnel'], File['/etc/init.d/stunnel'] ]
+ }
+
+ file { '/etc/stunnel/stunnel.conf':
+ source => [ "puppet:///modules/site-stunnel/${::fqdn}/stunnel.conf",
+ "puppet:///modules/site-stunnel/${stunnel::cluster}/stunnel.conf",
+ 'puppet:///modules/site-stunnel/stunnel.conf',
+ "puppet:///modules/stunnel/${::operatingsystem}/stunnel.conf" ],
+ require => Package['stunnel'],
+ notify => Service['stunnel'],
+ owner => root,
+ group => 0,
+ mode => '0600';
+ }
+}
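Review bot: The second source entry `"puppet:///modules/site-stunnel/${stunnel::cluster}/stunnel.conf"` interpolates `stunnel::cluster`, whose default in init.pp is the empty string, so on hosts with no cluster the URL becomes `site-stunnel//stunnel.conf`; that presumably just misses and falls through, but it is worth guarding the entry with an `if $stunnel::cluster != ''` condition or documenting that an empty cluster is expected. The `user::managed` resource hard-codes `uid => 105` / `gid => 105` with `homedir => '/var/run/stunnel'`; if the CentOS stunnel package already creates its own user, the fixed ids may conflict, and `/var/run` is commonly volatile, so the home directory may be gone after a reboot — hedged, since the package's behaviour is not visible here. A short comment on the `user::managed` block explaining why a fixed uid/gid is required (e.g. NFS or cluster-wide consistency) would help the next maintainer.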
diff --git a/puppet/modules/stunnel/manifests/debian.pp b/puppet/modules/stunnel/manifests/debian.pp
new file mode 100644
index 00000000..bde1e219
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/debian.pp
@@ -0,0 +1,21 @@
+class stunnel::debian inherits stunnel::linux {
+
+ Package['stunnel'] {
+ name => 'stunnel4',
+ }
+
+ Service['stunnel'] {
+ name => 'stunnel4',
+ pattern => '/usr/bin/stunnel4',
+ }
+
+ file { '/etc/default/stunnel4':
+ content => template('stunnel/Debian/default'),
+ require => Package['stunnel4'],
+ notify => Service['stunnel4'],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
+}
+
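Review bot: The file resource at the bottom of the hunk references `Package['stunnel4']` and `Service['stunnel4']`, but the resources declared in `stunnel::linux` / `stunnel::base` are titled `stunnel` and only have their `name` overridden here. Puppet does auto-alias a resource by its namevar, so this may resolve, but it is fragile and inconsistent with centos.pp, which references the titles; change the two lines to `require => Package['stunnel'],` and `notify => Service['stunnel'],`. The `pattern => '/usr/bin/stunnel4'` override is a good addition since the base class sets `hasstatus => false`; a one-line comment such as `# the sysvinit script has no reliable status action; match the daemon binary instead` would record why it is needed.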
diff --git a/puppet/modules/stunnel/manifests/init.pp b/puppet/modules/stunnel/manifests/init.pp
new file mode 100644
index 00000000..c5ad70b1
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/init.pp
@@ -0,0 +1,66 @@
+#
+# stunnel puppet module
+#
+# Copyright 2009, Riseup Networks <micah@riseup.net>
+#
+#
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of the GNU
+# General Public License version 3 as published by
+# the Free Software Foundation.
+#
+# 1. include stunnel: this will automatically include stunnel::debian,
+# which automatically includes stunnel::linux, which automatically
+# includes stunnel::base
+# 2. stunnel::client allows you to configure different /etc/stunnel/*.conf files
+# to provide various stunnel configurations
+
+# TODO: warn on cert/key issues, fail on false accept?
+
+class stunnel (
+ $ensure_version = 'present',
+ $startboot = '1',
+ $default_extra = '',
+ $cluster = '' )
+{
+
+ case $::operatingsystem {
+ debian: { class { 'stunnel::debian': } }
+ centos: { class { 'stunnel::centos': } }
+ default: { class { 'stunnel::default': } }
+ }
+
+ $stunnel_staging = "${::puppet_vardir}/stunnel4"
+ $stunnel_compdir = "${stunnel_staging}/configs"
+
+ file {
+ [ $stunnel_staging, "${stunnel_staging}/bin" ]:
+ ensure => directory,
+ owner => 0,
+ group => 0,
+ mode => '0750';
+
+ "${stunnel_staging}/configs":
+ ensure => directory,
+ owner => 0,
+ group => 0,
+ mode => '0750',
+ recurse => true,
+ purge => true,
+ force => true,
+ source => undef;
+
+ "${stunnel_staging}/bin/refresh_stunnel.sh":
+ owner => 0,
+ group => 0,
+ mode => '0755',
+ content => template('stunnel/refresh_stunnel.sh.erb');
+ }
+
+ exec { 'refresh_stunnel':
+ refreshonly => true,
+ require => [ Service['stunnel'], Package['stunnel'], File[$stunnel_compdir] ],
+ subscribe => File[$stunnel_compdir],
+ command => "${stunnel_staging}/bin/refresh_stunnel.sh"
+ }
+}
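Review bot: The `default:` arm of `case $::operatingsystem` declares `class { 'stunnel::default': }`, but no `stunnel::default` manifest is part of this commit (the diffstat lists only base, centos, debian, init, linux, service and service/nagios), so any other OS fails catalog compilation with an unhelpful "could not find class" error. Replace it with an explicit `default: { fail("stunnel: unsupported operatingsystem ${::operatingsystem}") }` so the failure names the cause, or add the missing class. The staging path `"${::puppet_vardir}/stunnel4"` is also duplicated verbatim in `stunnel::service` as `$stunnel_compdir`; having the define read `$stunnel::stunnel_compdir` would keep the two from drifting apart. Finally, the header comment explains class inclusion but says nothing about `$startboot`, `$default_extra` or `$cluster`; a one-line description of each (e.g. that `cluster` selects the per-cluster `site-stunnel` config source) would help callers.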
diff --git a/puppet/modules/stunnel/manifests/linux.pp b/puppet/modules/stunnel/manifests/linux.pp
new file mode 100644
index 00000000..a4a926e4
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/linux.pp
@@ -0,0 +1,6 @@
+class stunnel::linux inherits stunnel::base {
+
+ package { 'stunnel':
+ ensure => $stunnel::ensure_version
+ }
+}
diff --git a/puppet/modules/stunnel/manifests/service.pp b/puppet/modules/stunnel/manifests/service.pp
new file mode 100644
index 00000000..8a98d8ff
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/service.pp
@@ -0,0 +1,79 @@
+define stunnel::service (
+ $ensure = present,
+ $accept = false,
+ $capath = false,
+ $cafile = false,
+ $cert = false,
+ $chroot = false,
+ $ciphers = false,
+ $client = false,
+ $compress = false,
+ $connect = false,
+ $crlpath = false,
+ $crlfile = false,
+ $debuglevel = false,
+ $delay = false,
+ $egd = false,
+ $engine = false,
+ $engineCtrl = false,
+ $enginenum = false,
+ $exec = false,
+ $execargs = false,
+ $failover = false,
+ $ident = false,
+ $key = false,
+ $local = false,
+ $oscp = false,
+ $ocspflag = false,
+ $options = false,
+ $output = false,
+ $pid = false,
+ $protocol = false,
+ $protocolauthentication = false,
+ $protocolhost = false,
+ $protocolpassword = false,
+ $protocolusername = false,
+ $pty = false,
+ $retry = false,
+ $rndbytes = false,
+ $rndfile = false,
+ $rndoverwrite = false,
+ $service = false,
+ $session = false,
+ $setuid = 'stunnel4',
+ $setgid = 'stunnel4',
+ $socket = [ 'l:TCP_NODELAY=1', 'r:TCP_NODELAY=1'],
+ $sslversion = 'SSLv3',
+ $stack = false,
+ $syslog = false,
+ $timeoutbusy = false,
+ $timeoutclose = false,
+ $timeoutconnect = false,
+ $timeoutidle = false,
+ $transparent = false,
+ $manage_nagios = false,
+ $verify = false
+) {
+
+ include stunnel
+
+ $real_client = $client ? { default => 'yes' }
+ $real_pid = $pid ? { false => "/${name}.pid", default => $pid }
+
+ $stunnel_compdir = "${::puppet_vardir}/stunnel4/configs"
+
+ file {
+ "${stunnel_compdir}/${name}.conf":
+ ensure => $ensure,
+ content => template('stunnel/service.conf.erb'),
+ require => Package['stunnel'],
+ notify => Exec['refresh_stunnel'],
+ owner => 'root',
+ group => 0,
+ mode => '0600';
+ }
+
+ if $manage_nagios {
+ stunnel::service::nagios { $name: }
+ }
+}
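Review bot: `$sslversion = 'SSLv3'` in the parameter defaults makes every tunnel negotiate SSLv3 unless each caller overrides it; SSLv3 is broken (POODLE) and should not be the module default — prefer a TLS value such as `$sslversion = 'TLSv1',` (or, on stunnel releases that support it, `all` together with `options` of `NO_SSLv2`/`NO_SSLv3`), checked against the deployed stunnel version. Likewise `$verify = false` means no peer-certificate checking is configured by default, so a server-mode tunnel given `$cafile`/`$capath` still accepts any client unless `verify` is also passed; this deserves a header comment, or a default that enables verification whenever a CA is supplied. The defaults `$setuid = 'stunnel4'` / `$setgid = 'stunnel4'` match the Debian package user but not the `stunnel` user created in centos.pp, so on CentOS the daemon will fail to drop privileges unless every caller overrides them. Also, `$real_client = $client ? { default => 'yes' }` always evaluates to `'yes'` regardless of `$client`; if the template consumes `real_client`, the intended form is presumably `$client ? { false => 'no', default => 'yes' }`.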
diff --git a/puppet/modules/stunnel/manifests/service/nagios.pp b/puppet/modules/stunnel/manifests/service/nagios.pp
new file mode 100644
index 00000000..578b417e
--- /dev/null
+++ b/puppet/modules/stunnel/manifests/service/nagios.pp
@@ -0,0 +1,12 @@
+# Put a Nagios service check in place for a specific tunnel.
+#
+# The resource name will be used to point to the corresponding stunnel
+# configuration file.
+#
+define stunnel::service::nagios () {
+
+ nagios::service { "stunnel_${name}":
+ check_command => "nagios-stat-proc!/usr/bin/stunnel4 /etc/stunnel/${name}.conf!6!5!proc";
+ }
+
+}
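Review bot: The check command hard-codes `/usr/bin/stunnel4` and `/etc/stunnel/${name}.conf`, which match the Debian package layout only; on CentOS (where centos.pp installs the `stunnel` package and `/etc/init.d/stunnel`) the process will never match and the check will alert permanently. Since `$::operatingsystem` is already used elsewhere in the module, select the binary per OS, e.g. `$stunnel_bin = $::operatingsystem ? { debian => '/usr/bin/stunnel4', default => '/usr/bin/stunnel' }` and interpolate it into `check_command`. Note also that `stunnel::service` writes `${name}.conf` into the staging directory under `puppet_vardir`, not `/etc/stunnel`; presumably `refresh_stunnel.sh` copies it there, but that script is not in this diff, so the path used in the check should be confirmed against it.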