From 49f0c54a05f6b542367f8ef4538316ba2eaac6cd Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Fri, 20 Jun 2014 01:58:39 -0700
Subject: new generic system for stunnel: just `include site_stunnel` and
 stunnel + needed shorewall will be automatically set up. requires new
 leap_cli

---
 puppet/modules/site_stunnel/manifests/servers.pp | 53 ++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 puppet/modules/site_stunnel/manifests/servers.pp

(limited to 'puppet/modules/site_stunnel/manifests/servers.pp')

diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
new file mode 100644
index 00000000..4419923f
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -0,0 +1,53 @@
+#
+# usage:
+#   create_resource(site_stunnel::servers, hiera('stunnel')['servers'])
+#
+# example hiera yaml:
+#
+#   stunnel:
+#     servers:
+#       couch_server:
+#         accept_port: 15984
+#         connect_port: 5984
+#
+
+define site_stunnel::servers (
+  $accept_port,
+  $connect_port,
+  $verify     = '2',
+  $pid        = $name,
+  $rndfile    = '/var/lib/stunnel4/.rnd',
+  $debuglevel = '4' ) {
+
+  include site_config::x509::cert
+  include site_config::x509::key
+  include site_config::x509::ca
+  include x509::variables
+  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+  stunnel::service { $name:
+    accept     => $accept_port,
+    connect    => "127.0.0.1:${connect_port}",
+    client     => false,
+    cafile     => $ca_path,
+    key        => $key_path,
+    cert       => $cert_path,
+    verify     => $verify,
+    pid        => "/var/run/stunnel4/${pid}.pid",
+    rndfile    => '/var/lib/stunnel4/.rnd',
+    debuglevel => $debuglevel,
+    require    => [
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
+      Class['Site_config::X509::Ca'] ];
+  }
+
+  # allow incoming connections on $accept_port
+  site_shorewall::stunnel::server { $name:
+    port  => $accept_port
+  }
+
+  include site_check_mk::agent::stunnel
+}
-- 
cgit v1.2.3


From bc42e9bd3a86bb858ef853cf333242c81874209b Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Fri, 20 Jun 2014 14:34:53 -0700
Subject: stunnel: make site_mx and site_webapp use new site_stunnel

---
 puppet/modules/site_stunnel/manifests/servers.pp | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'puppet/modules/site_stunnel/manifests/servers.pp')

diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
index 4419923f..b1da5c59 100644
--- a/puppet/modules/site_stunnel/manifests/servers.pp
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -1,7 +1,4 @@
 #
-# usage:
-#   create_resource(site_stunnel::servers, hiera('stunnel')['servers'])
-#
 # example hiera yaml:
 #
 #   stunnel:
-- 
cgit v1.2.3


From 38d7c80fae4efc1d365ec9f982cb025dc67a4386 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Sun, 2 Nov 2014 20:53:34 -0500
Subject: add missing TLSv1 sslversion parameter to site_stunnel::serviers

Change-Id: I48dc8135943393bd11c7181853985f4a5799011e
---
 puppet/modules/site_stunnel/manifests/servers.pp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'puppet/modules/site_stunnel/manifests/servers.pp')

diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
index b1da5c59..8d537644 100644
--- a/puppet/modules/site_stunnel/manifests/servers.pp
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -35,6 +35,7 @@ define site_stunnel::servers (
     pid        => "/var/run/stunnel4/${pid}.pid",
     rndfile    => '/var/lib/stunnel4/.rnd',
     debuglevel => $debuglevel,
+    sslversion => 'TLSv1',
     require    => [
       Class['Site_config::X509::Key'],
       Class['Site_config::X509::Cert'],
-- 
cgit v1.2.3


From 896dd69710fa24a0235fc70081a71f35adbf9af1 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Thu, 20 Nov 2014 15:22:09 -0500
Subject: Make sure that stunnel restarts when cert/key change (#6181)

Change-Id: I5085247a87018e18e73833119ac73225afbfea1e
---
 puppet/modules/site_stunnel/manifests/servers.pp | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

(limited to 'puppet/modules/site_stunnel/manifests/servers.pp')

diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
index 8d537644..b6fac319 100644
--- a/puppet/modules/site_stunnel/manifests/servers.pp
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -35,11 +35,7 @@ define site_stunnel::servers (
     pid        => "/var/run/stunnel4/${pid}.pid",
     rndfile    => '/var/lib/stunnel4/.rnd',
     debuglevel => $debuglevel,
-    sslversion => 'TLSv1',
-    require    => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
+    sslversion => 'TLSv1';
   }
 
   # allow incoming connections on $accept_port
-- 
cgit v1.2.3