This repository has been archived by the owner on Feb 18, 2022. It is now read-only.

v0.2.0 Updates #11

Status: Open. Wants to merge 42 commits into base: master.

42 commits
51c7c84
adding puppet lint config
mrjoshuap Feb 8, 2015
70668ac
puppet-lint updates
mrjoshuap Feb 8, 2015
1324d19
adding rhel and aix support
mrjoshuap Feb 8, 2015
40f1a8c
using different dependency style
mrjoshuap Feb 8, 2015
69f7892
adding example and fixing whitespace
mrjoshuap Feb 8, 2015
74801d1
documentation update
mrjoshuap Feb 8, 2015
5c19478
adding options and using output_real
mrjoshuap Feb 8, 2015
49b4e87
format cleanup
mrjoshuap Feb 8, 2015
fb1f3bd
changing dep type
mrjoshuap Feb 8, 2015
b754e8a
fixing aix inittab requires
mrjoshuap Feb 8, 2015
a5e8453
fixing naming
mrjoshuap Feb 9, 2015
958ab5a
adding module build to ignore list
mrjoshuap Feb 9, 2015
73c9bef
updating authors
mrjoshuap Feb 9, 2015
22fecf8
adding operating system support
mrjoshuap Feb 9, 2015
df1a0be
updated notes
mrjoshuap Feb 9, 2015
fa026ea
updated to show AIX support
mrjoshuap Feb 9, 2015
76b4b06
now supports accept and connect with and without colon
mrjoshuap Feb 9, 2015
f54fadc
removing parameter order check
mrjoshuap Feb 9, 2015
16f3270
reordering params for linting
mrjoshuap Feb 9, 2015
4f16d44
email removal
mrjoshuap Feb 9, 2015
4dc6ceb
adding defaults
mrjoshuap Feb 14, 2015
45823e7
making sure options is an array
mrjoshuap Feb 16, 2015
f298363
adding missing default for service
mrjoshuap Feb 16, 2015
725e118
adding notify
mrjoshuap Feb 16, 2015
7a24959
tunnel template update
mrjoshuap Feb 16, 2015
e8f692f
setting values to undef
mrjoshuap Feb 16, 2015
6e77e03
altering default compression to zlib
mrjoshuap Feb 16, 2015
8c81877
adding in checks
mrjoshuap Feb 16, 2015
0b9c193
fixing sockets
mrjoshuap Feb 16, 2015
e02893f
adding check and fail, updating socket to sock
mrjoshuap Feb 16, 2015
5a6942a
changing default verify level
mrjoshuap Feb 16, 2015
aa7b4d4
changing name of verify
mrjoshuap Feb 16, 2015
7b810e3
updating init script to work properly
mrjoshuap Feb 16, 2015
9de5231
adding verbiage to status and stop
mrjoshuap Feb 16, 2015
a3714a5
adding rhel4 support
mrjoshuap Feb 17, 2015
d14c96c
removing verify level
mrjoshuap Feb 17, 2015
a0133db
commenting out verify
mrjoshuap Feb 17, 2015
0da5a83
commenting out verify
mrjoshuap Feb 17, 2015
e573cd5
commenting out verify
mrjoshuap Feb 17, 2015
f9c8dba
working on stunnel templates
mrjoshuap Feb 17, 2015
fa911c4
working on stunnel templates
mrjoshuap Feb 17, 2015
b98d1a9
fixing rhel4 template
mrjoshuap Feb 17, 2015
1 change: 1 addition & 0 deletions .gitignore
@@ -16,3 +16,4 @@ tags

# Ruby
Gemfile.lock
pkg
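Review bot: `pkg` without a trailing slash also ignores any file named `pkg` anywhere in the tree, not only the `pkg/` directory that `puppet module build` writes; `pkg/` is the more precise pattern for what the commit message ("adding module build to ignore list") intends.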
3 changes: 3 additions & 0 deletions .puppet-lint.rc
@@ -0,0 +1,3 @@
--no-autoloader_layout-check
--no-class_inherits_from_params_class-check
--no-80chars-check
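Review bot: `--no-class_inherits_from_params_class-check` is justified by `class stunnel ... inherits stunnel::params` in this PR, but `--no-autoloader_layout-check` switches off a check this module already satisfies (one class or define per file under manifests/), so it hides future layout mistakes for no gain; consider keeping that check enabled and disabling only the two the code base actually needs.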
18 changes: 14 additions & 4 deletions README.md
@@ -1,5 +1,5 @@
## Summary
Provides a defined resource type for managing stunnel on Debian and Red Hat systems.
Provides a defined resource type for managing stunnel on AIX, Debian and Red Hat systems.

## Usage
```
@@ -8,20 +8,30 @@ Provides a defined resource type for managing stunnel on Debian and Red Hat syst
private_key => "/etc/puppet/ssl/private_keys/${::clientcert}.pem",
ca_file => '/etc/puppet/ssl/certs/ca.pem',
crl_file => '/etc/puppet/ssl/crl.pem',
chroot => '/var/lib/stunnel4/rsyncd',
chroot => '/var/lib/stunnel4/rsyncd',
user => 'pe-puppet',
group => 'pe-puppet',
client => false,
accept => '1873',
connect => '873',
}

stunnel::tun { 'ldap':
ca_file => '/etc/puppet/ssl/certs/ca.pem',
crl_file => '/etc/puppet/ssl/crl.pem',
client => true,
accept => 'localhost:1389',
connect => 'ldap.server.local:636',
}

```

## Notes
* There is no sysvinit script installed as part of the `stunnel` package on Red Hat systems.
* This includes an sysvinit script because the `stunnel` package on Red Hat systems does not provide one.
* Use of SSLv2 is highly discouraged because it's known to be vulnerable.
* The chroot defined in `stunnel::tun` needs to be manually created.
* AIX support does not include package installation

## Authors
* Cody Herriages <cody@puppetlabs.com>
* Sam Kottler <shk@linux.com>
* Josh Preston
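Review bot: the note "The chroot defined in `stunnel::tun` needs to be manually created" contradicts manifests/tun.pp in this same PR, which declares `file { $chroot_real: ensure => directory, ... }` and so creates it; either drop the bullet or say that only the contents of the chroot (libraries, device nodes) are left to the user. "This includes an sysvinit script" should read "a sysvinit script", and the AIX bullet is missing its full stop. Since `validate_re` in tun.pp still admits `SSLv3` alongside `SSLv2`, the SSLv2 warning would be more useful if it named SSLv3 too and pointed readers at the `TLSv1` default.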
103 changes: 80 additions & 23 deletions manifests/init.pp
@@ -7,17 +7,17 @@
#
# [*package*]
# The package name that represents the stunnel application on your
# distribution. By default we look this value up in a stunnel::data class,
# distribution. By default we look this value up in a stunnel::params class,
# which has a list of common answers.
#
# [*service*]
# The service name that represents the stunnel application on your
# distribution. By default we look this value up in a stunnel::data class,
# distribution. By default we look this value up in a stunnel::params class,
# which has a list of common answers.
#
# [*conf_dir*]
# The default base configuration directory for your version on stunnel.
# By default we look this value up in a stunnel::data class, which has a
# By default we look this value up in a stunnel::params class, which has a
# list of common answers.
#
# === Examples
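Review bot: "for your version on stunnel" in the `[*conf_dir*]` doc should read "of stunnel" (the same wording is repeated in params.pp); the rename from `stunnel::data` to `stunnel::params` in these doc lines otherwise matches the class that `stunnel` now inherits from.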
@@ -27,44 +27,101 @@
# === Authors
#
# Cody Herriges <cody@puppetlabs.com>
# Josh Preston
#
# === Copyright
#
# Copyright 2012 Puppet Labs, LLC
#
class stunnel(
$package = $stunnel::params::package,
$service = $stunnel::params::service,
$conf_dir = $stunnel::params::conf_dir
# These are OS dependent...
$package = $stunnel::params::package,
$service = $stunnel::params::service,
$conf_dir = $stunnel::params::conf_dir,
$log_dir = $stunnel::params::log_dir,
$pid_dir = $stunnel::params::pid_dir,
$chroot_dir = $stunnel::params::chroot_dir,

# These are stunnel global options
$chroot = $stunnel::params::chroot,
$compression = $stunnel::params::compression,
$debug_level = $stunnel::params::debug_level,
$fips = $stunnel::params::fips,
$foreground = $stunnel::params::foreground,
$group = $stunnel::params::group,
$output = $stunnel::params::output,
$pid_file = $stunnel::params::pid_file,
$sockets = $stunnel::params::sockets,
$syslog = $stunnel::params::syslog,
$user = $stunnel::params::user,
) inherits stunnel::params {

package { $package:
ensure => present,
if $package {
# Make sure the package is installed
package { $package:
ensure => present,
before => File[$conf_dir],
}
}

# Make sure our config directory exists
file { $conf_dir:
ensure => directory,
require => Package[$package],
purge => true,
recurse => true,
}

if $osfamily == "Debian" {
exec { 'enable stunnel':
command => 'sed -i "s/ENABLED=0/ENABLED=1/" /etc/default/stunnel4',
path => [ '/bin', '/usr/bin' ],
unless => 'grep "ENABLED=1" /etc/default/stunnel4',
require => Package[$package],
before => Service[$service],
# Make sure the pid directory exists if needed
if ($pid_dir and !$chroot and !$chroot_dir) {
file { $pid_dir:
ensure => directory,
}
} else {
notify { 'Specifying chroot and pid_dir is not recommended': }
}

# Make sure the log directory exists if needed
if $log_dir {
file { $log_dir:
ensure => directory,
}
}

# Make sure the chroot directory exists if needed
if $chroot_dir {
file { $chroot_dir:
ensure => directory,
}
}

# There isn't a sysvinit script installed by the "stunnel" package on
# Red Hat systems.
service { $service:
ensure => running,
enable => true,
hasrestart => true,
hasstatus => false,
# Debian must handle stunnel differently and AIX needs telinit -q
case $::osfamily {

'AIX': {
exec { 'telinit -q':
command => 'telinit -q',
path => '/usr/bin:/usr/sbin:/bin:/sbin',
refreshonly => true,
}
}

'Debian': {
exec { 'enable stunnel':
command => 'sed -i "s/ENABLED=0/ENABLED=1/" /etc/default/stunnel4',
path => [ '/bin', '/usr/bin' ],
unless => 'grep "ENABLED=1" /etc/default/stunnel4',
require => Package[$package],
before => Service[$service],
}
service { $service:
ensure => running,
enable => true,
hasrestart => true,
hasstatus => false,
}
}

default: { }
}

}
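Review bot: the `else` branch of `if ($pid_dir and !$chroot and !$chroot_dir)` runs whenever `$pid_dir` is unset, not only when a chroot and a pid_dir were both requested, so every Debian catalog (params.pp sets `$pid_file` for Debian but no `$pid_dir`) emits the misleading notify "Specifying chroot and pid_dir is not recommended". Split the test: create `$pid_dir` when it is set and neither chroot variable is, and notify only when `$pid_dir` and (`$chroot` or `$chroot_dir`) are all set. Separately, if the `require => Package[$package]` on `file { $conf_dir: }` survives this change it points at a resource that does not exist on AIX, where `$package` is undef and the `if $package` block is skipped; the `before => File[$conf_dir]` added inside that guard already expresses the ordering, so the `require` can be dropped.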
76 changes: 70 additions & 6 deletions manifests/params.pp
@@ -1,10 +1,11 @@
# == Class: stunnel::data
# == Class: stunnel::params
#
# This module sets up SSL encrypted and authenticated tunnels using the
# common application stunnel.
# This class sets up the default values for the OS and global options.
#
# === Variables
#
# ==== OS Variables
#
# [*package*]
# The package name that represents the stunnel application on your
# distribution.
@@ -16,26 +17,89 @@
# [*conf_dir*]
# The default base configuration directory for your version on stunnel.
#
# [*pid_dir*]
# The default base pid file directory for stunnel services.
#
# [*log_dir*]
# The default base log file directory for stunnel services.
#
# [*lock_dir*]
# The default base lock file directory for stunnel services.
#
# ==== Global Variables
#
# [*compression*]
# The default compression for stunnel services.
#
# [*debug_level*]
# The default debug level for stunnel services.
#
# [*fips*]
# The default fips flag for stunnel services.
#
# [*foreground*]
# The default foreground flag for stunnel services.
#
# [*log*]
# The default logging type for stunnel services.
#
# [*output*]
# The default log file for stunnel services.
#
# [*sockets*]
# The default socket options for stunnel services.
#
# [*syslog*]
# The default syslog flag for stunnel services.
#
# === Authors
#
# Cody Herriges <cody@puppetlabs.com>
# Sam Kottler <shk@linux.com>
# Josh Preston
#
# === Copyright
#
# Copyright 2012 Puppet Labs, LLC
#
class stunnel::params {
case $osfamily {

case $::osfamily {

AIX: {
$conf_dir = '/etc/stunnel'
$pid_dir = '/var/run'
$log_dir = '/var/log/stunnel'
}

Debian: {
$conf_dir = '/etc/stunnel'
$log_dir = '/var/log/stunnel'
$package = 'stunnel4'
$pid_file = '/var/run/stunnel.pid'
$service = 'stunnel4'
}

RedHat: {
$conf_dir = '/etc/stunnel'
$package = 'stunnel'
$service = 'stunnel'
$lock_dir = '/var/lock/subsys'
$log_dir = '/var/log/stunnel'
$package = 'stunnel'
$pid_dir = '/var/run'
}

default: {
notify { "${::osfamily} is not supported.": }
}

}

$compression = 'zlib'
$debug_level = '4'
$fips = 'no'
$foreground = 'no'
$service = 'stunnel'
$log = 'append'
$output = '/var/log/stunnel.log'
$syslog = 'yes'
}
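Review bot: `$service` is assigned twice in the same class scope on Debian, once as `$service = 'stunnel4'` inside the Debian branch and again as `$service = 'stunnel'` after the `case`; Puppet does not allow reassigning a variable within a scope, so Debian catalogs should fail to compile with a reassignment error. Move the `'stunnel'` default back into the RedHat branch (where the removed line had it) or make the post-case assignment conditional. The header documents `[*log*]`, but no `$log` is exposed by `class stunnel`, and `$chroot`, `$chroot_dir`, `$group`, `$sockets` and `$user` are read as `$stunnel::params::...` in init.pp yet never defined here, so they silently resolve to undef; declaring them explicitly (even as `undef`) makes the defaults reviewable. The bareword case values `AIX:`, `Debian:`, `RedHat:` should be quoted strings as in init.pp, and "your version on stunnel" is a typo for "of stunnel".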
205 changes: 180 additions & 25 deletions manifests/tun.pp
@@ -91,27 +91,49 @@
#
# Cody Herriges <cody@puppetlabs.com>
# Sam Kottler <shk@linux.com>
# Josh Preston
#
# === Copyright
#
# Copyright 2012 Puppet Labs, LLC
#
define stunnel::tun(
$certificate,
$private_key,
$ca_file,
$crl_file,
$ssl_version = 'TLSv1',
$chroot,
$user,
$group,
$pid_file = "/${name}.pid",
$debug_level = '0',
$log_dest = "/var/log/${name}.log",
$client,
$accept,
$connect,
$conf_dir = $stunnel::params::conf_dir
define stunnel::tun (
# These are service options
$accept = undef,
$ca_dir = undef,
$ca_file = undef,
$certificate = undef,
$ciphers = undef,
$client = undef,
$connect = undef,
$crl_dir = undef,
$crl_file = undef,
$log_dest = undef,
$options = undef,
$private_key = undef,
$sockets = undef,
$debug_level = 4,
$ssl_version = 'TLSv1',
$verify_stun = 'level 3',
# These are OS dependent...
$package = $::stunnel::package,
$service = $::stunnel::service,
$conf_dir = $::stunnel::conf_dir,
$log_dir = $::stunnel::log_dir,
$pid_dir = $::stunnel::pid_dir,
$chroot_dir = $::stunnel::chroot_dir,
# These are stunnel global options - use global first
$chroot = $::stunnel::chroot,
$compression = $::stunnel::compression,
$debug_level = $::stunnel::debug_level,
$fips = $::stunnel::fips,
$foreground = $::stunnel::foreground,
$group = $::stunnel::group,
$log_dir = $::stunnel::log_dir,
$output = $::stunnel::output,
$pid_file = $::stunnel::pid_file,
$syslog = $::stunnel::syslog,
$user = $::stunnel::user,
) {

$ssl_version_real = $ssl_version ? {
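Review bot: the new parameter list declares `$debug_level` twice (`$debug_level = 4,` under the service options and `$debug_level = $::stunnel::debug_level,` under the global options) and `$log_dir` twice (`$log_dir = $::stunnel::log_dir,` in both the OS-dependent and the global block); the future parser rejects a duplicate parameter outright and the Puppet 3 parser keeps only the last one, so the `= 4` default is dead either way. Remove one of each. The defaults now read `$::stunnel::...`, which only resolves if `class stunnel` has already been declared; the old `$stunnel::params::conf_dir` had no such requirement, so either `include ::stunnel` at the top of the define or document the ordering. `$verify_stun = 'level 3'` is not a value stunnel accepts: the option is `verify = <level>` with an integer 0-4, which is what the removed template line `verify = 2` emitted.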
@@ -120,27 +142,160 @@
'sslv3' => 'SSLv3',
default => $ssl_version,
}
validate_re($ssl_version_real, '^SSLv2$|^SSLv3$|^TLSv1$', 'The option ssl_version must have a value that is either SSLv2, SSLv3, of TLSv1. The default and prefered option is TLSv1. SSLv2 should be avoided.')

# Configure the client
$client_on = $client ? {
true => 'yes',
false => 'no',
true => 'yes',
false => 'no',
default => $client,
}
validate_re($client_on, '^yes$|^no$', 'The client option must be true/false or yes/no.')

validate_re($ssl_version_real, '^SSLv2$|^SSLv3$|^TLSv1$', 'The option ssl_version must have a value that is either SSLv2, SSLv3, of TLSv1. The default and prefered option is TLSv1. SSLv2 should be avoided.')
# Configure fips
$fips_on = $fips ? {
true => 'yes',
false => 'no',
default => $fips,
}
validate_re($fips_on, '^yes$|^no$', 'The fips option must be true/false or yes/no.')

# Configure fips
$foreground_on = $foreground ? {
true => 'yes',
false => 'no',
default => $foreground,
}
validate_re($foreground_on, '^yes$|^no$', 'The foreground option must be true/false or yes/no.')

# Configure syslog
$syslog_on = $syslog ? {
true => 'yes',
false => 'no',
default => $syslog,
}
validate_re($syslog_on, '^yes$|^no$', 'The syslog option must be true/false or yes/no.')

# Set our accept server and port correctly
if $accept {
$accept_array = split($accept, ':')
if $accept_array[1] {
$accept_server = $accept_array[0]
$accept_port = $accept_array[1]
} else {
$accept_server = 'localhost'
$accept_port = $accept_array[0]
}
} else {
fail('No accept server:port specified!')
}

# Set our connect server and port correctly
if $connect {
$connect_array = split($connect, ':')
if $connect_array[1] {
$connect_server = $connect_array[0]
$connect_port = $connect_array[1]
} else {
$connect_server = 'localhost'
$connect_port = $connect_array[0]
}
} else {
fail('No connect server:port specified!')
}

# Make sure our service line exists
file_line { "service ${name}-tun":
path => '/etc/services',
line => "${name}-tun ${accept_port}/tcp",
match => "^${name}-tun",
}

if $::operatingsystem == 'RedHat' {
case $::operatingsystemmajrelease {
'4': {
$diff_template = '.rh4'
}
'5': {
$diff_template = '.rh5'
}
default: { }
}
}

# Create our configuration
file { "${conf_dir}/${name}.conf":
ensure => file,
content => template("${module_name}/stunnel.conf.erb"),
content => template("${module_name}/stunnel.conf${diff_template}.erb"),
mode => '0644',
owner => '0',
group => '0',
require => File[$conf_dir],
}

file { $chroot:
ensure => directory,
owner => $user,
group => $group,
mode => '0600',
# If we need a chroot directory
if $chroot_dir {
$chroot_real = "${chroot_dir}/${name}"
} elsif $chroot {
$chroot_real = $chroot
}
if $chroot_real {
file { $chroot_real:
ensure => directory,
owner => $user,
group => $group,
mode => '0600',
}
}

# If we need a log directory
if $log_dir {
$output_real = "${log_dir}/${name}.log"
} elsif $log_dest {
$output_real = $log_dest
} elsif $output {
$output_real = $output
}

case $::osfamily {

'RedHat', 'CentOS': {
file { "/etc/init.d/${service}-${name}":
ensure => file,
owner => 0,
group => 0,
mode => '0755',
content => template("${module_name}/init.d/stunnel.erb"),
require => Package[$package],
before => Service["${service}-${name}"],
} ~>
service { "${service}-${name}":
ensure => running,
enable => true,
hasrestart => true,
hasstatus => true,
require => File_line["service ${name}-tun"],
subscribe => File["${conf_dir}/${name}.conf"],
}
}

'AIX': {
file_line { "inittab stunnel_${name}":
path => '/etc/inittab',
line => "stunnel_${name}:2345:once:/opt/freeware/bin/stunnel ${conf_dir}/${name}.conf > /dev/console 2>&1",
match => "^stunnel_${name}",
require => [
File["${conf_dir}/${name}.conf"],
File_line["service ${name}-tun"],
],
notify => Exec['telinit -q'],
}
}

default: {
fail("Unsupported OS ${::operatingsystem}")
}

}

}
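Review bot: Debian hosts fall into the `default:` branch of the closing `case $::osfamily` and hit `fail("Unsupported OS ${::operatingsystem}")`, so the README's own Debian examples no longer compile; the `stunnel4` init script already loads every file in `$conf_dir`, so a `'Debian': { }` branch that only does `File["${conf_dir}/${name}.conf"] ~> Service[$service]` restores the previous behaviour. `'CentOS'` never matches `$::osfamily` (CentOS reports `RedHat`), and the rh4/rh5 template switch keys on `$::operatingsystem == 'RedHat'`, so CentOS 4/5 boxes get the generic template; key that switch on `$::osfamily` as well. The log precedence `if $log_dir ... elsif $log_dest` means a per-tunnel `log_dest` is ignored whenever the global `log_dir` is set, which params.pp does for every supported OS; test `$log_dest` first. Lastly, `validate_re` still admits `SSLv2` and `SSLv3`, and because the templates only emit a commented-out `;verify`, a tunnel built with the defaults performs no peer-certificate verification; tightening the regex to `^TLSv1$` and emitting `verify` would close both gaps.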
15 changes: 14 additions & 1 deletion metadata.json
@@ -1,12 +1,25 @@
{
"name": "puppetlabs-stunnel",
"version": "0.1.0",
"version": "0.2.0",
"author": "puppetlabs",
"summary": "A module for creating secure tunnels",
"license": "Apache 2.0",
"source": "https://github.com/puppetlabs/puppetlabs-stunnel",
"project_page": "https://github.com/puppetlabs/puppetlabs-stunnel",
"issues_url": "https://tickets.puppetlabs.com/browse/MODULES",
"operatingsystem_support": [
{
"operatingsystem": "AIX"
},{
"operatingsystem": "CentOS"
},{
"operatingsystem": "Debian"
},{
"operatingsystem": "RedHat"
},{
"operatingsystem": "Ubuntu"
}
],
"dependencies": [
{
"name": "puppetlabs/stdlib",
127 changes: 127 additions & 0 deletions templates/init.d/stunnel.erb
@@ -0,0 +1,127 @@
#!/bin/bash
#
# This file is managed by Puppet.
#
# Init Script to run stunnel in daemon mode at boot time.
#
# Author: Riccardo Riva - RPM S.r.l.
# Contributer: Josh Preston
# Revision 1.1 - 2014 February, 6

#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel <%= @name -%>
# processname: stunnel-<%= @name -%>
#
# Run "/sbin/chkconfig --add stunnel-<%= @name -%>" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================

#====================================================================
# Paths and variables and system checks.
PATH=/usr/bin:/usr/sbin

# Source function library
. /etc/rc.d/init.d/functions

# Check that networking is up.
#
[ ${NETWORKING} ="yes" ] || exit 0

# Path to the executable.
#
SEXE=stunnel

# Path to the configuration file.
#
CONF=<%= @conf_dir -%>/<%= @name -%>.conf

# Check the configuration file exists.
#
if [ ! -f $CONF ] ; then
echo "The configuration [${CONF}] file cannot be found!"
exit 1
fi

# Path to the lock file.
#
LOCK_FILE=<%= @lock_dir %>/stunnel-<%= @name -%>

#====================================================================

# Run controls:

prog=$"stunnel-<%= @name -%>"

RETVAL=0

# Start stunnel-<%= @name -%> as daemon.
#
start() {
if [ -f $LOCK_FILE ]; then
echo "stunnel-<%= @name -%> is already running!"
exit 0
else
echo -n $"Starting $prog: "
$SEXE $CONF
fi

RETVAL=$?
[ $RETVAL -eq 0 ] && success
echo
[ $RETVAL -eq 0 ] && touch $LOCK_FILE
return $RETVAL
}

# Stop stunnel-<%= @name -%>.
#
stop() {
if [ ! -f $LOCK_FILE ]; then
echo "stunnel-<%= @name -%> is not running!"
exit 0

else

echo -n $"Shutting down $prog: "
ps -ef | grep stunnel | grep $CONF | grep -v grep | awk '{ print $2 }' | xargs kill > /dev/null 2>&1
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f $LOCK_FILE
[ $RETVAL -eq 0 ] && echo "$prog stopped" || echo "$prog failed stopping"
echo
return $RETVAL

fi
}

# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
condrestart)
if [ -f $LOCK_FILE ]; then
stop
start
RETVAL=$?
fi
;;
status)
ps -ef | grep stunnel | grep $CONF | grep -v grep > /dev/null 2>&1
RETVAL=$?
[ $RETVAL -eq 0 ] && echo "$prog is running" || echo "$prog is stopped"
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
RETVAL=1
esac

exit $RETVAL
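Review bot: `restart` and `condrestart` do not work when the tunnel is down, because `stop()` calls `exit 0` when the lock file is absent, so the `stop; start` sequence in the `restart)` branch terminates before `start` runs; `return 0` from that path (and from the "already running" path in `start()`) instead of exiting. `[ ${NETWORKING} ="yes" ] || exit 0` is missing the space after `=` and the script never sources /etc/sysconfig/network, so the check is meaningless; use `. /etc/sysconfig/network` and `[ "${NETWORKING}" = "yes" ] || exit 0`. The lock-file and `ps -ef | grep stunnel | grep $CONF` logic is fragile: a stale lock after a crash blocks `start`, and the grep chain can match unrelated processes; since the rendered config sets `pid = ...`, `killproc -p <pidfile>` and `status -p <pidfile>` from the sourced functions library are the conventional replacements.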
130 changes: 111 additions & 19 deletions templates/stunnel.conf.erb
@@ -1,25 +1,117 @@
; This stunnel config is managed by Puppet.
; This stunnel-<%= @name -%> config is managed by Puppet.

cert = <%= certificate %>
key = <%= private_key %>
CAfile = <%= ca_file %>
CRLfile = <%= crl_file %>
sslVersion = <%= ssl_version_real %>
verify = 2

chroot = <%= chroot %>
setuid = <%= user %>
setgid = <%= group %>
pid = <%= pid_file %>
<% if @chroot_real -%>
; Note that pid is created inside of the chroot jail
chroot = <%= @chroot_real -%>
<% end -%>

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
<% if @compression -%>
compression = <%= @compression %>
<% end -%>

<% if @debug_level -%>
; Set our debug level
debug = <%= debug_level %>
output = <%= log_dest %>
<% end -%>

<% if @fips_on -%>
fips = <%= @fips_on %>
<% end -%>

<% if @foreground_on -%>
foreground = <%= @foreground_on %>
<% end -%>

<% if @log -%>
log = <%= @log %>
<% end -%>

<% if @output_real -%>
output = <%= @output_real %>
<% end -%>

<% if @pid_file -%>
pid = <%= @pid_file %>
<% end -%>

<% if @group -%>
setgid = <%= @group %>
<% end -%>

<% if @user -%>
setuid = <%= @user %>
<% end -%>

<% if @sockets and !@sockets.empty? -%>
; Some performance tunings
<% sockets.each do |sock| -%>
socket = <%= @sock %>
<% end -%>
<% end -%>

<% if @syslog_on -%>
syslog = <%= @syslog_on %>
<% end -%>

[<%= @name -%>]
<% if @accept_server and @accept_port -%>
accept = <%= @accept_server -%>:<%= @accept_port -%>
<% elsif @accept -%>
accept = <%= @accept -%>
<% end -%>

client = <%= client_on %>
<% if @ca_dir -%>
CApath = <%= @ca_dir %>
<% end -%>

<% if @ca_file -%>
CAfile = <%= @ca_file %>
<% end -%>

<% if @certificate and !@certificate.empty? -%>
cert = <%= @certificate %>
<% end -%>

<% if @ciphers -%>
ciphers = <%= @ciphers %>
<% end -%>

<% if @client_on -%>
client = <%= @client_on %>
<% end -%>

<% if @connect_server and @connect_port -%>
connect = <%= @connect_server -%>:<%= @connect_port -%>
<% elsif @connect -%>
connect = <%= @connect %>
<% end -%>

<% if @crl_dir and !@crl_dir.empty? -%>
CRLpath = <%= @crl_dir %>
<% end -%>

<% if @crl_file and !@crl_file.empty? -%>
CRLfile = <%= @crl_file %>
<% end -%>

<% if @options and !@options.empty? -%>
<% options.each do |option| -%>
options = <%= @option %>
<% end -%>
<% end -%>

<% if @private_key and !@private_key.empty? -%>
key = <%= @private_key %>
<% end -%>

<% if @protocol and !@protocol.empty? -%>
protocol = <%= @protocol %>
<% end -%>

<% if @ssl_version_real and !@ssl_version_real.empty? -%>
sslVersion = <%= ssl_version_real %>
<% end -%>

[<%= name -%>]
accept = <%= accept %>
connect = <%= connect %>
<% if @verify_stun and !@verify_stun.empty? -%>
;verify = <% @verify_stun %>
<% end -%>
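Review bot: this rewrite drops peer verification: the removed `verify = 2` is replaced by `;verify = <% @verify_stun %>`, which is commented out and, because it uses `<% %>` rather than `<%= %>`, would print nothing even if uncommented, so every tunnel rendered here falls back to stunnel's default of no certificate checking; emit `verify = <%= @verify_stun %>` with an integer level. The `sockets.each do |sock|` / `socket = <%= @sock %>` and `options.each do |option|` / `options = <%= @option %>` loops print the instance variables `@sock` and `@option` (nil) instead of the block variables, rendering empty `socket = ` and `options = ` lines; use `<%= sock %>` and `<%= option %>`. `@protocol` and `@log` are not parameters of `stunnel::tun`, so those blocks render only if such a variable happens to exist in the enclosing scope, and the removed `socket = l:TCP_NODELAY=1` / `r:TCP_NODELAY=1` defaults are not restored by params.pp, which defines no `$sockets`.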
100 changes: 100 additions & 0 deletions templates/stunnel.conf.rh4.erb
@@ -0,0 +1,100 @@
<% if @ca_dir -%>
CApath = <%= @ca_dir %>
<% end -%>

<% if @ca_file -%>
CAfile = <%= @ca_file %>
<% end -%>

<% if @certificate and !@certificate.empty? -%>
cert = <%= @certificate %>
<% end -%>

<% if @ciphers -%>
ciphers = <%= @ciphers %>
<% end -%>

<% if @client_on -%>
client = <%= @client_on %>
<% end -%>

<% if @chroot_real -%>
chroot = <%= @chroot_real -%>
<% end -%>

<% if @crl_dir and !@crl_dir.empty? -%>
CRLpath = <%= @crl_dir %>
<% end -%>

<% if @crl_file and !@crl_file.empty? -%>
CRLfile = <%= @crl_file %>
<% end -%>

<% if @options and !@options.empty? -%>
<% options.each do |option| -%>
options = <%= @option %>
<% end -%>
<% end -%>

<% if @private_key and !@private_key.empty? -%>
key = <%= @private_key %>
<% end -%>

<% if @debug_level -%>
debug = <%= debug_level %>
<% end -%>

<% if @foreground_on -%>
foreground = <%= @foreground_on %>
<% end -%>

<% if @log -%>
log = <%= @log %>
<% end -%>

<% if @output_real -%>
output = <%= @output_real %>
<% end -%>

<% if @pid_file -%>
pid = <%= @pid_file %>
<% end -%>

<% if @group -%>
setgid = <%= @group %>
<% end -%>

<% if @user -%>
setuid = <%= @user %>
<% end -%>

<% if @sockets and !@sockets.empty? -%>
; Some performance tunings
<% sockets.each do |sock| -%>
socket = <%= @sock %>
<% end -%>
<% end -%>

verify = level 2




[<%= @name -%>]
<% if @accept_server and @accept_port -%>
accept = <%= @accept_server -%>:<%= @accept_port -%>
<% elsif @accept -%>
accept = <%= @accept -%>
<% end -%>


<% if @connect_server and @connect_port -%>
connect = <%= @connect_server -%>:<%= @connect_port -%>
<% elsif @connect -%>
connect = <%= @connect %>
<% end -%>

<% if @protocol and !@protocol.empty? -%>
protocol = <%= @protocol %>
<% end -%>

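Review bot: `verify = level 2` is not valid stunnel syntax; the option takes an integer level (`verify = 2`, as the removed line in stunnel.conf.erb had it), and a non-numeric value is rejected when the config is parsed, so the RHEL 4 tunnel will not start. The `@sock` / `@option` loop variables carry the same nil-instance-variable bug as the main template. This file also lacks the "managed by Puppet" header the other templates have, and the four blank lines before `[<%= @name -%>]` plus the extra one after the `accept` block look like leftovers.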
105 changes: 105 additions & 0 deletions templates/stunnel.conf.rh5.erb
@@ -0,0 +1,105 @@
; This stunnel-<%= @name -%> config is managed by Puppet.

<% if @chroot_real -%>
; Note that pid is created inside of the chroot jail
chroot = <%= @chroot_real -%>
<% end -%>

<% if @compression -%>
compression = <%= @compression %>
<% end -%>

<% if @debug_level -%>
; Set our debug level
debug = <%= debug_level %>
<% end -%>

<% if @foreground_on -%>
foreground = <%= @foreground_on %>
<% end -%>

<% if @log -%>
log = <%= @log %>
<% end -%>

<% if @output_real -%>
output = <%= @output_real %>
<% end -%>

<% if @pid_file -%>
pid = <%= @pid_file %>
<% end -%>

<% if @group -%>
setgid = <%= @group %>
<% end -%>

<% if @user -%>
setuid = <%= @user %>
<% end -%>

<% if @sockets and !@sockets.empty? -%>
; Some performance tunings
<% sockets.each do |sock| -%>
socket = <%= @sock %>
<% end -%>
<% end -%>

[<%= @name -%>]
<% if @accept_server and @accept_port -%>
accept = <%= @accept_server -%>:<%= @accept_port -%>
<% elsif @accept -%>
accept = <%= @accept -%>
<% end -%>

<% if @ca_dir -%>
CApath = <%= @ca_dir %>
<% end -%>

<% if @ca_file -%>
CAfile = <%= @ca_file %>
<% end -%>

<% if @certificate and !@certificate.empty? -%>
cert = <%= @certificate %>
<% end -%>

<% if @ciphers -%>
ciphers = <%= @ciphers %>
<% end -%>

<% if @client_on -%>
client = <%= @client_on %>
<% end -%>

<% if @connect_server and @connect_port -%>
connect = <%= @connect_server -%>:<%= @connect_port -%>
<% elsif @connect -%>
connect = <%= @connect %>
<% end -%>

<% if @crl_dir and !@crl_dir.empty? -%>
CRLpath = <%= @crl_dir %>
<% end -%>

<% if @crl_file and !@crl_file.empty? -%>
CRLfile = <%= @crl_file %>
<% end -%>

<% if @options and !@options.empty? -%>
<% options.each do |option| -%>
options = <%= @option %>
<% end -%>
<% end -%>

<% if @private_key and !@private_key.empty? -%>
key = <%= @private_key %>
<% end -%>

<% if @protocol and !@protocol.empty? -%>
protocol = <%= @protocol %>
<% end -%>

<% if @verify_stun and !@verify_stun.empty? -%>
;verify = <% @verify_stun %>
<% end -%>
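Review bot: this file is a copy of stunnel.conf.erb without the `fips` and `syslog` blocks, so it carries the same defects: `;verify = <% @verify_stun %>` leaves peer verification off, and the `sockets.each` / `options.each` loops print `@sock` / `@option` (nil) rather than `sock` / `option`. Rather than maintain three near-identical templates, keep one and guard the RHEL-5-specific omissions with a conditional on a value tun.pp derives from `$::operatingsystemmajrelease`, so a fix only has to land once.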