From 51c7c84136306ce65ac214c7cf6229ca52883e3b Mon Sep 17 00:00:00 2001
From: Josh Preston
Date: Sat, 7 Feb 2015 23:03:15 -0500
Subject: [PATCH 01/42] adding puppet lint config

---
 .puppet-lint.rc | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .puppet-lint.rc

diff --git a/.puppet-lint.rc b/.puppet-lint.rc
new file mode 100644
index 0000000..74d69d3
--- /dev/null
+++ b/.puppet-lint.rc
@@ -0,0 +1,3 @@
+--no-autoloader_layout-check
+--no-class_inherits_from_params_class-check
+--no-80chars-check

From 70668ac29b1aa3f1c9311a97e841a38ae2276fe8 Mon Sep 17 00:00:00 2001
From: Josh Preston
Date: Sat, 7 Feb 2015 23:05:25 -0500
Subject: [PATCH 02/42] puppet-lint updates

---
 .puppet-lint.rc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.puppet-lint.rc b/.puppet-lint.rc
index 74d69d3..cfbf67a 100644
--- a/.puppet-lint.rc
+++ b/.puppet-lint.rc
@@ -1,3 +1,4 @@
 --no-autoloader_layout-check
 --no-class_inherits_from_params_class-check
 --no-80chars-check
+--no-parameter_order-check

From 1324d198ae44f17fa064fc2ebf80c8efb61f4f67 Mon Sep 17 00:00:00 2001
From: Josh Preston
Date: Sat, 7 Feb 2015 23:05:34 -0500
Subject: [PATCH 03/42] adding rhel and aix support

---
 manifests/init.pp | 97 ++++++++++++++++----
 manifests/params.pp | 39 +++++++-
 manifests/tun.pp | 172 ++++++++++++++++++++++++++++++-----
 templates/init.d/stunnel.erb | 125 +++++++++++++++++++++++++
 templates/stunnel.conf.erb | 130 ++++++++++++++++++++++----
 5 files changed, 496 insertions(+), 67 deletions(-)
 create mode 100644 templates/init.d/stunnel.erb

diff --git a/manifests/init.pp b/manifests/init.pp
index 217ddc6..0b8a403 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -27,44 +27,101 @@ # === Authors # # Cody Herriges +# Josh Preston # # === Copyright # # Copyright 2012 Puppet Labs, LLC # class stunnel( - $package = $stunnel::params::package, - $service = $stunnel::params::service, - $conf_dir = $stunnel::params::conf_dir + # These are OS dependent... + $package = $stunnel::params::package, + $service = $stunnel::params::service, + $conf_dir = $stunnel::params::conf_dir, + $log_dir = $stunnel::params::log_dir, + $pid_dir = $stunnel::params::pid_dir, + $chroot_dir = $stunnel::params::chroot_dir, + + # These are stunnel global options + $chroot = $stunnel::params::chroot, + $compression = $stunnel::params::compression, + $debug_level = $stunnel::params::debug_level, + $fips = $stunnel::params::fips, + $foreground = $stunnel::params::foreground, + $group = $stunnel::params::group, + $output = $stunnel::params::output, + $pid_file = $stunnel::params::pid_file, + $sockets = $stunnel::params::sockets, + $syslog = $stunnel::params::syslog, + $user = $stunnel::params::user, ) inherits stunnel::params { - package { $package: - ensure => present, + if $package { + # Make sure the package is installed + package { $package: + ensure => present, + before => File[$conf_dir], + } } + # Make sure our config directory exists file { $conf_dir: ensure => directory, - require => Package[$package], purge => true, recurse => true, } - if $osfamily == "Debian" { - exec { 'enable stunnel': - command => 'sed -i "s/ENABLED=0/ENABLED=1/" /etc/default/stunnel4', - path => [ '/bin', '/usr/bin' ], - unless => 'grep "ENABLED=1" /etc/default/stunnel4', - require => Package[$package], - before => Service[$service], + # Make sure the pid directory exists if needed + if ($pid_dir and !$chroot and !$chroot_dir) { + file { $pid_dir: + ensure => directory, + } + } else { + notify { 'Specifying chroot and pid_dir is not recommended': } + } + + # Make sure the log directory exists if needed + if $log_dir { + file { $log_dir: + ensure => directory, + } + } + + # Make 
sure the chroot directory exists if needed + if $chroot_dir { + file { $chroot_dir: + ensure => directory, } + } - # There isn't a sysvinit script installed by the "stunnel" package on - # Red Hat systems. - service { $service: - ensure => running, - enable => true, - hasrestart => true, - hasstatus => false, + # Debian must handle stunnel differently and AIX needs telinit -q + case $::osfamily { + + 'AIX': { + exec { 'telinit -q': + command => 'telinit -q', + path => '/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true, + } } + + 'Debian': { + exec { 'enable stunnel': + command => 'sed -i "s/ENABLED=0/ENABLED=1/" /etc/default/stunnel4', + path => [ '/bin', '/usr/bin' ], + unless => 'grep "ENABLED=1" /etc/default/stunnel4', + require => Package[$package], + before => Service[$service], + } + service { $service: + ensure => running, + enable => true, + hasrestart => true, + hasstatus => false, + } + } + + default: { } } + } diff --git a/manifests/params.pp b/manifests/params.pp index 63c5811..8cd15ee 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,4 +1,4 @@ -# == Class: stunnel::data +# == Class: stunnel::params # # This module sets up SSL encrypted and authenticated tunnels using the # common application stunnel. 
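Review bot: The `else` branch of `if ($pid_dir and !$chroot and !$chroot_dir)` also runs when `$pid_dir` is simply unset (the Debian branch of `stunnel::params` in this series sets `pid_file` but no `pid_dir`), so `notify { 'Specifying chroot and pid_dir is not recommended': }` fires on every run even though nothing was specified. Changing it to `} elsif $pid_dir {` limits the notice to the combination it is actually warning about. The `case $::osfamily` now leaves RedHat in `default: { }`, so `Service[$service]` is no longer managed by this class on RedHat; that looks intentional given the per-tunnel service added to `stunnel::tun` in the same patch, but a one-line comment in the `default` branch saying so would save the next reader the search.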
@@ -20,22 +20,53 @@ # # Cody Herriges # Sam Kottler +# Josh Preston # # === Copyright # # Copyright 2012 Puppet Labs, LLC # class stunnel::params { - case $osfamily { + + case $::osfamily { + + AIX: { + $conf_dir = '/etc/stunnel' + $pid_dir = '/var/run' + $log_dir = '/var/log/stunnel' + } + Debian: { $conf_dir = '/etc/stunnel' + $log_dir = '/var/log/stunnel' $package = 'stunnel4' + $pid_file = '/var/run/stunnel.pid' $service = 'stunnel4' } + RedHat: { $conf_dir = '/etc/stunnel' - $package = 'stunnel' - $service = 'stunnel' + $lock_dir = '/var/lock/subsys' + $log_dir = '/var/log/stunnel' + $package = 'stunnel' + $pid_dir = '/var/run' + } + + default: { + notify { "${::osfamily} is not supported.": } } + } + + $compression = 'deflate' + $debug_level = '4' + $fips = 'no' + $foreground = 'no' + $log = 'append' + $output = '/var/log/stunnel.log' + $sockets = [ + 'l:TCP_NODELAY=1', + 'r:TCP_NODELAY=1', + ] + $syslog = 'yes' } diff --git a/manifests/tun.pp b/manifests/tun.pp index beb5a72..bf7503f 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp 
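Review bot: None of the `case $::osfamily` branches nor the trailing defaults set `$user` or `$group`, yet `class stunnel` and `stunnel::tun` in this patch default those to `$stunnel::params::user` / `$::stunnel::group` where the old define required them; the template only emits `setuid` / `setgid` when they are set, so a tunnel declared with the defaults keeps running as root. Either make them required parameters of the define again or give them a per-OS default here, and `fail('user and group must be set')` when they are still undef at the point the config is rendered. The bare case labels `AIX:`, `Debian:`, `RedHat:` should be quoted (`'AIX':`) to match the quoted labels in `init.pp` and to satisfy puppet-lint.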
@@ -91,27 +91,48 @@ # # Cody Herriges # Sam Kottler +# Josh Preston # # === Copyright # # Copyright 2012 Puppet Labs, LLC # -define stunnel::tun( - $certificate, - $private_key, - $ca_file, - $crl_file, - $ssl_version = 'TLSv1', - $chroot, - $user, - $group, - $pid_file = "/${name}.pid", - $debug_level = '0', - $log_dest = "/var/log/${name}.log", - $client, - $accept, - $connect, - $conf_dir = $stunnel::params::conf_dir +define stunnel::tun ( + # These are OS dependent... + $package = $::stunnel::package, + $service = $::stunnel::service, + $conf_dir = $::stunnel::conf_dir, + $log_dir = $::stunnel::log_dir, + $pid_dir = $::stunnel::pid_dir, + $chroot_dir = $::stunnel::chroot_dir, + # These are stunnel global options - use global first + $chroot = $::stunnel::chroot, + $compression = $::stunnel::compression, + $debug_level = $::stunnel::debug_level, + $fips = $::stunnel::fips, + $foreground = $::stunnel::foreground, + $group = $::stunnel::group, + $log_dir = $::stunnel::log_dir, + $output = $::stunnel::output, + $pid_file = $::stunnel::pid_file, + $sockets = $::stunnel::sockets, + $syslog = $::stunnel::syslog, + $user = $::stunnel::user, + # These are service options + $debug_level = 4, + $ssl_version = 'TLSv1', + $verify = 2, + $accept, + $ca_dir, + $ca_file, + $certificate, + $ciphers, + $client, + $connect, + $crl_dir, + $crl_file, + $log_dest, + $private_key, ) { $ssl_version_real = $ssl_version ? { 
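Review bot: `$log_dir` and `$debug_level` are each declared twice in the parameter list of `define stunnel::tun` (`$log_dir = $::stunnel::log_dir` appears under both comment groups, and `$debug_level = $::stunnel::debug_level` as well as `$debug_level = 4`), which the parser rejects as duplicate parameters; drop the second `$log_dir` and keep a single `$debug_level`. The defaults read `$::stunnel::*`, so they evaluate to undef unless `class stunnel` has already been evaluated in the catalog; that ordering requirement deserves a sentence in the header comment, e.g. `# class stunnel must be declared before any stunnel::tun resource`. The body of the define continues past the end of this hunk.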
@@ -120,14 +141,66 @@ 'sslv3' => 'SSLv3', default => $ssl_version, } + validate_re($ssl_version_real, '^SSLv2$|^SSLv3$|^TLSv1$', 'The option ssl_version must have a value that is either SSLv2, SSLv3, of TLSv1. The default and prefered option is TLSv1. SSLv2 should be avoided.') + # Configure the client $client_on = $client ? { - true => 'yes', - false => 'no', + true => 'yes', + false => 'no', + default => $client, } + validate_re($client_on, '^yes$|^no$', 'The client option must be true/false or yes/no.') - validate_re($ssl_version_real, '^SSLv2$|^SSLv3$|^TLSv1$', 'The option ssl_version must have a value that is either SSLv2, SSLv3, of TLSv1. The default and prefered option is TLSv1. SSLv2 should be avoided.') + # Configure fips + $fips_on = $fips ? { + true => 'yes', + false => 'no', + default => $fips, + } + validate_re($fips_on, '^yes$|^no$', 'The fips option must be true/false or yes/no.') + + # Configure fips + $foreground_on = $foreground ? { + true => 'yes', + false => 'no', + default => $foreground, + } + validate_re($foreground_on, '^yes$|^no$', 'The foreground option must be true/false or yes/no.') + + # Configure syslog + $syslog_on = $syslog ? 
{ + true => 'yes', + false => 'no', + default => $syslog, + } + validate_re($syslog_on, '^yes$|^no$', 'The syslog option must be true/false or yes/no.') + + # Set our accept server and port correctly + if $accept { + $accept_array = split($accept, ':') + $accept_server = $accept_array[0] + $accept_port = $accept_array[1] + } else { + fail('No accept server:port specified!') + } + + # Set our connect server and port correctly + if $connect { + $connect_array = split($connect, ':') + $connect_server = $connect_array[0] + $connect_port = $connect_array[1] + } else { + fail('No connect server:port specified!') + } + # Make sure our service line exists + file_line { "service ${name}-tun": + path => '/etc/services', + line => "${name}-tun ${accept_port}/tcp", + match => "^${name}-tun", + } + + # Create our configuration file { "${conf_dir}/${name}.conf": ensure => file, content => template("${module_name}/stunnel.conf.erb"), 
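Review bot: The `validate_re($ssl_version_real, ...)` check still admits SSLv2 and SSLv3 while its message warns only against SSLv2; SSLv3 is likewise considered broken, so at minimum the message should read `'... The default and preferred option is TLSv1. SSLv2 and SSLv3 should be avoided.'` (which also fixes `prefered` and `of TLSv1`). The comment above `$foreground_on` reads `# Configure fips` and should be `# Configure foreground`. In `file_line { "service ${name}-tun": ... }` the title `$name` is interpolated into the `match` regex unescaped, so a name containing regex metacharacters will not match its own line, and the unanchored suffix means `^ldap-tun` also matches a longer name such as `ldap-tunnel`; `match => "^${name}-tun "` (trailing space) narrows it to the line this resource writes.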
@@ -137,10 +210,61 @@ require => File[$conf_dir], } - file { $chroot: - ensure => directory, - owner => $user, - group => $group, - mode => '0600', + # If we need a chroot directory + if $chroot_dir { + $chroot_real = "${chroot_dir}/${name}" + } elsif $chroot { + $chroot_real = $chroot + } + if $chroot_real { + file { $chroot_real: + ensure => directory, + owner => $user, + group => $group, + mode => '0600', + } + } + + # If we need a log directory + if $log_dir { + $output = "${log_dir}/${name}.log" + } elsif $log_dest { + $output = $log_dest + } + + case $::osfamily { + + 'RedHat': { + file { "/etc/init.d/${service}-${name}": + ensure => file, + owner => 0, + group => 0, + mode => '0755', + content => template("${module_name}/init.d/stunnel.erb"), + require => Package[$package], + before => Service["${service}-${name}"], + } ~> + service { "${service}-${name}": + ensure => running, + enable => true, + hasrestart => true, + hasstatus => true, + require => File_line["service ${name}-tun"], + } + } + + 'AIX': { + file_line { "inittab stunnel_${name}": + path => '/etc/inittab', + line => "stunnel_${name}:2345:once:/opt/freeware/bin/stunnel ${conf_dir}/${name}.conf > /dev/console 2>&1", + match => "^stunnel_${name}", + require => File_line["service ${name}-tun"], + notify => Exec['telinit -q'], + } + } + + default: { + + } } } diff --git a/templates/init.d/stunnel.erb b/templates/init.d/stunnel.erb new file mode 100644 index 0000000..e0a58f4 --- /dev/null +++ b/templates/init.d/stunnel.erb 
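Review bot: The chroot jail `file { $chroot_real: ... }` is created with `owner => $user, group => $group, mode => '0600'`, i.e. owned by the account stunnel drops privileges to; a jail root that the jailed process can write to weakens the isolation the chroot is meant to provide, and the conventional layout is a root-owned, non-writable jail root (`owner => 'root', group => 'root', mode => '0755'`) with only the subdirectory the pid file needs writable by `$user`. Puppet adds the search bit to directories whose read bit is set, as far as I recall, so `'0600'` becomes `0700` on disk anyway, which is another reason to state the intended mode explicitly. Whether the pid file is written before or after privileges are dropped is not visible here and decides whether that subdirectory needs to be user-writable at all; worth a comment once confirmed.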
@@ -0,0 +1,125 @@ +#!/bin/bash +# +# This file is managed by Puppet. +# +# Init Script to run stunnel in daemon mode at boot time. +# +# Author: Riccardo Riva - RPM S.r.l. +# Contributer: Josh Preston +# Revision 1.1 - 2014 February, 6 + +#==================================================================== +# Run level information: +# +# chkconfig: 2345 99 99 +# description: Secure Tunnel <%= @name -%> +# processname: stunnel-<%= @name -%> +# +# Run "/sbin/chkconfig --add stunnel-<%= @name -%>" to add the Run levels. +# This will setup the symlinks and set the process to run at boot. +#==================================================================== + +#==================================================================== +# Paths and variables and system checks. + +# Source function library +. /etc/rc.d/init.d/functions + +# Check that networking is up. +# +[ ${NETWORKING} ="yes" ] || exit 0 + +# Path to the executable. +# +SEXE=/usr/bin/stunnel + +# Path to the configuration file. +# +CONF=<%= @conf_dir -%>/<%= @name -%>.conf + +# Check the configuration file exists. +# +if [ ! -f $CONF ] ; then + echo "The configuration [${CONF}] file cannot be found!" + exit 1 +fi + +# Path to the lock file. +# +LOCK_FILE=<%= @lock_dir %>/stunnel-<%= @name -%> + +#==================================================================== + +# Run controls: + +prog=$"stunnel-<%= @name -%>" + +RETVAL=0 + +# Start stunnel-<%= @name -%> as daemon. +# +start() { + if [ -f $LOCK_FILE ]; then + echo "stunnel-<%= @name -%> is already running!" + exit 0 + else + echo -n $"Starting $prog: " + $SEXE $CONF + fi + + RETVAL=$? + [ $RETVAL -eq 0 ] && success + echo + [ $RETVAL -eq 0 ] && touch $LOCK_FILE + return $RETVAL +} + +# Stop stunnel-<%= @name -%>. +# +stop() { + if [ ! -f $LOCK_FILE ]; then + echo "stunnel-<%= @name -%> is not running!" + exit 0 + + else + + echo -n $"Shutting down $prog: " + killproc stunnel-<%= @name -%> + RETVAL=$? 
+ [ $RETVAL -eq 0 ] + rm -f $LOCK_FILE + echo + return $RETVAL + + fi +} + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + start + ;; + condrestart) + if [ -f $LOCK_FILE ]; then + stop + start + RETVAL=$? + fi + ;; + status) + status stunnel-<%= @name -%> + RETVAL=$? + ;; + *) + echo $"Usage: $0 {start|stop|restart|condrestart|status}" + RETVAL=1 +esac + +exit $RETVAL diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index f2ff06e..36e9bd8 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb 
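Review bot: `[ ${NETWORKING} ="yes" ] || exit 0` is missing the space before `=`, so with `NETWORKING=yes` the test becomes `[ yes =yes ]`, which `test` rejects as a malformed expression and the `|| exit 0` branch then exits the script before anything is started (with the variable unset the one-argument form succeeds instead); it should be `[ "${NETWORKING}" = "yes" ] || exit 0`. `LOCK_FILE=<%= @lock_dir %>/stunnel-<%= @name -%>` relies on `@lock_dir`, but this template is rendered from `stunnel::tun`, which declares no `$lock_dir` parameter (the value is only set inside `stunnel::params` for RedHat), so as far as the page shows it renders empty and the lock file lands in `/`. In `stop()` the bare `[ $RETVAL -eq 0 ]` is a no-op and `rm -f $LOCK_FILE` runs even when `killproc` failed; `[ $RETVAL -eq 0 ] && rm -f $LOCK_FILE` keeps the lock while the process is still there, mirroring what `start()` does with `touch`.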
@@ -1,25 +1,117 @@ -; This stunnel config is managed by Puppet. +; This stunnel-<%= @name -%> config is managed by Puppet. -cert = <%= certificate %> -key = <%= private_key %> -CAfile = <%= ca_file %> -CRLfile = <%= crl_file %> -sslVersion = <%= ssl_version_real %> -verify = 2 - -chroot = <%= chroot %> -setuid = <%= user %> -setgid = <%= group %> -pid = <%= pid_file %> +<% if @chroot_real -%> +; Note that pid is created inside of the chroot jail +chroot = <%= @chroot_real -%> +<% end -%> -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 +<% if @compression -%> +compression = <%= @compression %> +<% end -%> +<% if @debug_level -%> +; Set our debug level debug = <%= debug_level %> -output = <%= log_dest %> +<% end -%> + +<% if @fips_on -%> +fips = <%= @fips_on %> +<% end -%> + +<% if @foreground_on -%> +foreground = <%= @foreground_on %> +<% end -%> + +<% if @log -%> +log = <%= @log %> +<% end -%> + +<% if @output -%> +output = <%= @output %> +<% end -%> + +<% if @pid_file -%> +pid = <%= @pid_file %> +<% end -%> + +<% if @group -%> +setgid = <%= @group %> +<% end -%> + +<% if @user -%> +setuid = <%= @user %> +<% end -%> + +<% if @sockets -%> +; Some performance tunings +<% sockets.each do |socket| -%> +socket = <%= @socket %> +<% end -%> +<% end -%> + +<% if @syslog_on -%> +syslog = <%= @syslog_on %> +<% end -%> + +[<%= @name -%>] +<% if @accept_server and @accept_port -%> +accept = <%= @accept_server -%>:<%= @accept_port -%> +<% elsif @accept -%> +accept = <%= @accept -%> +<% end -%> -client = <%= client_on %> +<% if @ca_dir -%> +CApath = <%= @ca_dir %> +<% end -%> + +<% if @ca_file -%> +CAfile = <%= @ca_file %> +<% end -%> + +<% if @certificate -%> +cert = <%= @certificate %> +<% end -%> + +<% if @ciphers -%> +ciphers = <%= @ciphers %> +<% end -%> + +<% if @client_on -%> +client = <%= @client_on %> +<% end -%> + +<% if @connect_server and @connect_port -%> +connect = <%= @connect_server -%>:<%= @connect_port -%> +<% elsif @connect -%> +connect = <%= @connect %> 
+<% end -%> + +<% if @crl_dir -%> +CRLpath = <%= @crl_dir %> +<% end -%> + +<% if @crl_file -%> +CRLfile = <%= @crl_file %> +<% end -%> + +<% if @options -%> +<% options.each do |option| -%> +options = <%= @option %> +<% end -%> +<% end -%> + +<% if @private_key -%> +key = <%= @private_key %> +<% end -%> + +<% if @protocol -%> +protocol = <%= @protocol %> +<% end -%> + +<% if @ssl_version_real -%> +sslVersion = <%= ssl_version_real %> +<% end -%> -[<%= name -%>] -accept = <%= accept %> -connect = <%= connect %> +<% if @verify -%> +verify = <% @verify %> +<% end -%> From 40f1a8c3513e8b608eba58477213a026454dbc1b Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:09:59 -0500 Subject: [PATCH 04/42] using different dependency style --- manifests/init.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 0b8a403..1baae37 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -111,8 +111,7 @@ path => [ '/bin', '/usr/bin' ], unless => 'grep "ENABLED=1" /etc/default/stunnel4', require => Package[$package], - before => Service[$service], - } + } -> service { $service: ensure => running, enable => true, From 69f78927fea57fa2c057aa9d17e654e89a123d4c Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:24:19 -0500 Subject: [PATCH 05/42] adding example and fixing whitespace --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7517de9..fc60693 100644 --- a/README.md +++ b/README.md 
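Review bot: `verify = <% @verify %>` uses a code tag rather than an output tag, so the line renders as `verify = ` with no value and the peer-certificate verification level the define defaults to (`$verify = 2`) never reaches the stunnel configuration; it should be `verify = <%= @verify %>`, and the same line is still untouched in the `@@ -100,18 +100,18 @@` hunk of patch 28 below. The `sockets.each do |socket|` loop prints `<%= @socket %>`, an instance variable that is never set, instead of the block variable `socket`, so every iteration yields an empty `socket = `; the `options.each do |option|` loop has the same `@option` slip, and patches 22 and 25 below leave both loop bodies as they are. `debug = <%= debug_level %>` and `sslVersion = <%= ssl_version_real %>` use bare names where every other line uses `@`; `@debug_level` and `@ssl_version_real` keep the template consistent and avoid the deprecated bare lookup.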
@@ -8,13 +8,22 @@ Provides a defined resource type for managing stunnel on Debian and Red Hat syst private_key => "/etc/puppet/ssl/private_keys/${::clientcert}.pem", ca_file => '/etc/puppet/ssl/certs/ca.pem', crl_file => '/etc/puppet/ssl/crl.pem', - chroot => '/var/lib/stunnel4/rsyncd', + chroot => '/var/lib/stunnel4/rsyncd', user => 'pe-puppet', group => 'pe-puppet', client => false, accept => '1873', connect => '873', } + + stunnel::tun { 'ldap': + ca_file => '/etc/puppet/ssl/certs/ca.pem', + crl_file => '/etc/puppet/ssl/crl.pem', + client => true, + accept => 'localhost:1389', + connect => 'ldap.server.local:636', + } + ``` ## Notes From 74801d1ee55b95b8ca4727227bbf8d644de28e78 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:24:29 -0500 Subject: [PATCH 06/42] documentation update --- manifests/params.pp | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 8cd15ee..9870179 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,10 +1,11 @@ # == Class: stunnel::params # -# This module sets up SSL encrypted and authenticated tunnels using the -# common application stunnel. +# This class sets up the default values for the OS and global options. # # === Variables # +# ==== OS Variables +# # [*package*] # The package name that represents the stunnel application on your # distribution. 
@@ -16,6 +17,41 @@ # [*conf_dir*] # The default base configuration directory for your version on stunnel. # +# [*pid_dir*] +# The default base pid file directory for stunnel services. +# +# [*log_dir*] +# The default base log file directory for stunnel services. +# +# [*lock_dir*] +# The default base lock file directory for stunnel services. +# +# ==== Global Variables +# +# [*compression*] +# The default compression for stunnel services. +# +# [*debug_level*] +# The default debug level for stunnel services. +# +# [*fips*] +# The default fips flag for stunnel services. +# +# [*foreground*] +# The default foreground flag for stunnel services. +# +# [*log*] +# The default logging type for stunnel services. +# +# [*output*] +# The default log file for stunnel services. +# +# [*sockets*] +# The default socket options for stunnel services. +# +# [*syslog*] +# The default syslog flag for stunnel services. +# # === Authors # # Cody Herriges From 5c19478dd10bead7eb38f4ec1fb5c081ed084a8c Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:25:24 -0500 Subject: [PATCH 07/42] adding options and using output_real --- manifests/tun.pp | 7 +++++-- templates/stunnel.conf.erb | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index bf7503f..6916024 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -132,6 +132,7 @@ $crl_dir, $crl_file, $log_dest, + $options, $private_key, ) { @@ -227,9 +228,11 @@ # If we need a log directory if $log_dir { - $output = "${log_dir}/${name}.log" + $output_real = "${log_dir}/${name}.log" } elsif $log_dest { - $output = $log_dest + $output_real = $log_dest + } elsif $output { + $output_real = $output } case $::osfamily { diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index 36e9bd8..435c975 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb 
@@ -26,8 +26,8 @@ foreground = <%= @foreground_on %> log = <%= @log %> <% end -%> -<% if @output -%> -output = <%= @output %> +<% if @output_real -%> +output = <%= @output_real %> <% end -%> <% if @pid_file -%> From 49b4e874cc3ca12d46d4c5602b41754a1bd3d2c9 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:26:03 -0500 Subject: [PATCH 08/42] format cleanup --- manifests/tun.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 6916024..48138b1 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -267,7 +267,8 @@ } default: { - } + } + } From fb1f3bd30e4cde4e8f23c21662ce72971c4d152b Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:27:24 -0500 Subject: [PATCH 09/42] changing dep type --- manifests/init.pp | 3 ++- manifests/tun.pp | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 1baae37..0b8a403 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -111,7 +111,8 @@ path => [ '/bin', '/usr/bin' ], unless => 'grep "ENABLED=1" /etc/default/stunnel4', require => Package[$package], - } -> + before => Service[$service], + } service { $service: ensure => running, enable => true, diff --git a/manifests/tun.pp b/manifests/tun.pp index 48138b1..a1dc66f 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -246,7 +246,7 @@ content => template("${module_name}/init.d/stunnel.erb"), require => Package[$package], before => Service["${service}-${name}"], - } ~> + } service { "${service}-${name}": ensure => running, enable => true, From b754e8acb3a354811b188205bcf23e8b344165a8 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 7 Feb 2015 23:29:17 -0500 Subject: [PATCH 10/42] fixing aix inittab requires --- manifests/tun.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index a1dc66f..a6481ad 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp 
@@ -261,7 +261,10 @@ path => '/etc/inittab', line => "stunnel_${name}:2345:once:/opt/freeware/bin/stunnel ${conf_dir}/${name}.conf > /dev/console 2>&1", match => "^stunnel_${name}", - require => File_line["service ${name}-tun"], + require => [ + File["${conf_dir}/${name}.conf"], + File_line["service ${name}-tun"], + ], notify => Exec['telinit -q'], } } From a5e8453ce54d03e044decf81aed0a49323975332 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:10:47 -0500 Subject: [PATCH 11/42] fixing naming --- manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 0b8a403..3b96357 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,17 +7,17 @@ # # [*package*] # The package name that represents the stunnel application on your -# distribution. By default we look this value up in a stunnel::data class, +# distribution. By default we look this value up in a stunnel::params class, # which has a list of common answers. # # [*service*] # The service name that represents the stunnel application on your -# distribution. By default we look this value up in a stunnel::data class, +# distribution. By default we look this value up in a stunnel::params class, # which has a list of common answers. # # [*conf_dir*] # The default base configuration directory for your version on stunnel. -# By default we look this value up in a stunnel::data class, which has a +# By default we look this value up in a stunnel::params class, which has a # list of common answers. # # === Examples From 958ab5a136e9592c254b10e625365bbcab181e86 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:14:27 -0500 Subject: [PATCH 12/42] adding module build to ignore list --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 02d7f00..a43f0d1 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ tags # Ruby Gemfile.lock +pkg 
From 73c9bef546f3252cf50f22b885c397eed1c09149 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:21:12 -0500 Subject: [PATCH 13/42] updating authors --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fc60693..caefd3d 100644 --- a/README.md +++ b/README.md @@ -34,3 +34,4 @@ Provides a defined resource type for managing stunnel on Debian and Red Hat syst ## Authors * Cody Herriages * Sam Kottler +* Josh Preston From 22fecf8b0c165e0b02f6fd32a26cb2db488ddb0a Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:21:34 -0500 Subject: [PATCH 14/42] adding operating system support NOTE: AIX does not get package management, but DOES get inittab updates. --- metadata.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index ef05564..88ceaef 100644 --- a/metadata.json +++ b/metadata.json @@ -1,12 +1,25 @@ { "name": "puppetlabs-stunnel", - "version": "0.1.0", + "version": "0.2.0", "author": "puppetlabs", "summary": "A module for creating secure tunnels", "license": "Apache 2.0", "source": "https://github.com/puppetlabs/puppetlabs-stunnel", "project_page": "https://github.com/puppetlabs/puppetlabs-stunnel", "issues_url": "https://tickets.puppetlabs.com/browse/MODULES", + "operatingsystem_support": [ + { + "operatingsystem": "AIX" + },{ + "operatingsystem": "CentOS" + },{ + "operatingsystem": "Debian" + },{ + "operatingsystem": "RedHat" + },{ + "operatingsystem": "Ubuntu" + } + ], "dependencies": [ { "name": "puppetlabs/stdlib", From df1a0beebb5e0162fe1758806b033b0ba076b0e1 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:23:14 -0500 Subject: [PATCH 15/42] updated notes --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index caefd3d..f9304e9 100644 --- a/README.md +++ b/README.md 
@@ -27,9 +27,9 @@ Provides a defined resource type for managing stunnel on Debian and Red Hat syst ``` ## Notes -* There is no sysvinit script installed as part of the `stunnel` package on Red Hat systems. +* This includes an sysvinit script because the `stunnel` package on Red Hat systems does not provide one. * Use of SSLv2 is highly discouraged because it's known to be vulnerable. -* The chroot defined in `stunnel::tun` needs to be manually created. +* AIX support does not include package installation ## Authors * Cody Herriages From fa026ea633c968d64136ddf5bb4ec903aef3f86d Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:27:12 -0500 Subject: [PATCH 16/42] updated to show AIX support --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f9304e9..c0fc8cc 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ## Summary -Provides a defined resource type for managing stunnel on Debian and Red Hat systems. +Provides a defined resource type for managing stunnel on AIX, Debian and Red Hat systems. ## Usage ``` From 76b4b06a83c453c101d0f1440edbdb117e11f9ce Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:27:39 -0500 Subject: [PATCH 17/42] now supports accept and connect with and without colon --- manifests/tun.pp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index a6481ad..47929d3 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -179,8 +179,13 @@ # Set our accept server and port correctly if $accept { $accept_array = split($accept, ':') - $accept_server = $accept_array[0] - $accept_port = $accept_array[1] + if $accept_array[1] { + $accept_server = $accept_array[0] + $accept_port = $accept_array[1] + } else { + $accept_server = 'localhost' + $accept_port = $accept_array[0] + } } else { fail('No accept server:port specified!') } 
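Review bot: Falling back to `$accept_server = 'localhost'` when `$accept` has no colon changes what a bare port means: stunnel itself binds a bare `accept = <port>` on all interfaces, and the README example in this series (`accept => '1873'` with `client => false`) is a server-side tunnel that other hosts must reach, so after this change it listens on loopback only. Loopback by default is the safer choice, but it should be deliberate and stated in the parameter documentation, or the bare-port case should leave `$accept_server` undef so the template falls through to `accept = <%= @accept -%>`. The `connect` hunk that follows applies the same fallback, and splitting on `':'` mishandles IPv6 literals in both places.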
@@ -188,8 +193,13 @@ # Set our connect server and port correctly if $connect { $connect_array = split($connect, ':') - $connect_server = $connect_array[0] - $connect_port = $connect_array[1] + if $connect_array[1] { + $connect_server = $connect_array[0] + $connect_port = $connect_array[1] + } else { + $connect_server = 'localhost' + $connect_port = $connect_array[0] + } } else { fail('No connect server:port specified!') } From f54fadc349db9feead996dcac1f353fbe9504905 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:31:01 -0500 Subject: [PATCH 18/42] removing parameter order check --- .puppet-lint.rc | 1 - 1 file changed, 1 deletion(-) diff --git a/.puppet-lint.rc b/.puppet-lint.rc index cfbf67a..74d69d3 100644 --- a/.puppet-lint.rc +++ b/.puppet-lint.rc @@ -1,4 +1,3 @@ --no-autoloader_layout-check --no-class_inherits_from_params_class-check --no-80chars-check ---no-parameter_order-check From 16f3270800361d36785375adbd4fb1f7d4c9d03b Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 19:31:10 -0500 Subject: [PATCH 19/42] reordering params for linting --- manifests/tun.pp | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 47929d3..a06c758 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -98,6 +98,22 @@ # Copyright 2012 Puppet Labs, LLC # define stunnel::tun ( + # These are service options + $accept, + $ca_dir, + $ca_file, + $certificate, + $ciphers, + $client, + $connect, + $crl_dir, + $crl_file, + $log_dest, + $options, + $private_key, + $debug_level = 4, + $ssl_version = 'TLSv1', + $verify = 2, # These are OS dependent... $package = $::stunnel::package, $service = $::stunnel::service, 
@@ -118,22 +134,6 @@ $sockets = $::stunnel::sockets, $syslog = $::stunnel::syslog, $user = $::stunnel::user, - # These are service options - $debug_level = 4, - $ssl_version = 'TLSv1', - $verify = 2, - $accept, - $ca_dir, - $ca_file, - $certificate, - $ciphers, - $client, - $connect, - $crl_dir, - $crl_file, - $log_dest, - $options, - $private_key, ) { $ssl_version_real = $ssl_version ? { From 4f16d44bfbda7a7e4c926f359c4cae49e8d5c5a6 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sun, 8 Feb 2015 20:33:08 -0500 Subject: [PATCH 20/42] email removal --- README.md | 2 +- manifests/init.pp | 2 +- manifests/params.pp | 2 +- manifests/tun.pp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c0fc8cc..8d3ef5a 100644 --- a/README.md +++ b/README.md @@ -34,4 +34,4 @@ Provides a defined resource type for managing stunnel on AIX, Debian and Red Hat ## Authors * Cody Herriages * Sam Kottler -* Josh Preston +* Josh Preston diff --git a/manifests/init.pp b/manifests/init.pp index 3b96357..c202a1d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,7 +27,7 @@ # === Authors # # Cody Herriges -# Josh Preston +# Josh Preston # # === Copyright # diff --git a/manifests/params.pp b/manifests/params.pp index 9870179..2525c21 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -56,7 +56,7 @@ # # Cody Herriges # Sam Kottler -# Josh Preston +# Josh Preston # # === Copyright # diff --git a/manifests/tun.pp b/manifests/tun.pp index a06c758..4ce52cc 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -91,7 +91,7 @@ # # Cody Herriges # Sam Kottler -# Josh Preston +# Josh Preston # # === Copyright # From 4dc6cebe28308fc768628cadd84e6561172ea87b Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Sat, 14 Feb 2015 12:12:29 -0500 Subject: [PATCH 21/42] adding defaults --- manifests/tun.pp | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/manifests/tun.pp b/manifests/tun.pp index 4ce52cc..4fa6dd8 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -99,18 +99,18 @@ # define stunnel::tun ( # These are service options - $accept, - $ca_dir, - $ca_file, - $certificate, - $ciphers, - $client, - $connect, - $crl_dir, - $crl_file, - $log_dest, - $options, - $private_key, + $accept = '', + $ca_dir = '', + $ca_file = '', + $certificate = '', + $ciphers = '', + $client = '', + $connect = '', + $crl_dir = '', + $crl_file = '', + $log_dest = '', + $options = '', + $private_key = '', $debug_level = 4, $ssl_version = 'TLSv1', $verify = 2, From 45823e7583cb1ef4b02a361f8321a5dd221ce00e Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 08:42:44 -0500 Subject: [PATCH 22/42] making sure options is an array --- templates/stunnel.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index 435c975..0816324 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -94,7 +94,7 @@ CRLpath = <%= @crl_dir %> CRLfile = <%= @crl_file %> <% end -%> -<% if @options -%> +<% if @options and !@options.empty? -%> <% options.each do |option| -%> options = <%= @option %> <% end -%> From f298363cf78bfba5cc3cb98ff31056193d1f3af1 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 08:56:19 -0500 Subject: [PATCH 23/42] adding missing default for service --- manifests/params.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/params.pp b/manifests/params.pp index 2525c21..370e9fb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -98,6 +98,7 @@ $debug_level = '4' $fips = 'no' $foreground = 'no' + $service = 'stunnel' $log = 'append' $output = '/var/log/stunnel.log' $sockets = [ From 725e118a198f7d157dc1a16c82db8289f1bd1201 Mon Sep 17 00:00:00 2001 
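Review bot: `$service = 'stunnel'` is assigned unconditionally after the `case $::osfamily` block, but the `Debian` branch of that case already assigns `$service = 'stunnel4'` in the same class scope, and Puppet does not allow a variable to be assigned twice in one scope, so `stunnel::params` fails to compile on Debian hosts. Put the default alongside the per-OS values instead: assign `$service = 'stunnel'` in the `AIX`, `RedHat` and `default` branches and leave the Debian assignment alone. `$lock_dir`, `$pid_dir` and `$pid_file` have the same shape (set in some branches only) and would benefit from an explicit per-branch value so `class stunnel` never reads undef from here.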
From: Josh Preston Date: Mon, 16 Feb 2015 11:28:00 -0500 Subject: [PATCH 24/42] adding notify --- manifests/tun.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 4fa6dd8..c4c14de 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -256,7 +256,7 @@ content => template("${module_name}/init.d/stunnel.erb"), require => Package[$package], before => Service["${service}-${name}"], - } + } ~> service { "${service}-${name}": ensure => running, enable => true, From 7a249599db332f09914ac916402602f703a4e5bc Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 13:52:30 -0500 Subject: [PATCH 25/42] tunnel template update --- templates/stunnel.conf.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index 0816324..fa61ff2 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -42,7 +42,7 @@ setgid = <%= @group %> setuid = <%= @user %> <% end -%> -<% if @sockets -%> +<% if @sockets and !@sockets.empty? -%> ; Some performance tunings <% sockets.each do |socket| -%> socket = <%= @socket %> @@ -68,7 +68,7 @@ CApath = <%= @ca_dir %> CAfile = <%= @ca_file %> <% end -%> -<% if @certificate -%> +<% if @certificate and !@certificate.empty? -%> cert = <%= @certificate %> <% end -%> From e8f692f7638e9246d14db9b3df94be859f38d4ee Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 13:54:40 -0500 Subject: [PATCH 26/42] setting values to undef --- manifests/tun.pp | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index c4c14de..d8b3b29 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp 
@@ -99,18 +99,18 @@ # define stunnel::tun ( # These are service options - $accept = '', - $ca_dir = '', - $ca_file = '', - $certificate = '', - $ciphers = '', - $client = '', - $connect = '', - $crl_dir = '', - $crl_file = '', - $log_dest = '', - $options = '', - $private_key = '', + $accept = undef, + $ca_dir = undef, + $ca_file = undef, + $certificate = undef, + $ciphers = undef, + $client = undef, + $connect = undef, + $crl_dir = undef, + $crl_file = undef, + $log_dest = undef, + $options = undef, + $private_key = undef, $debug_level = 4, $ssl_version = 'TLSv1', $verify = 2, From 6e77e0352cd4c481193e9e34d5d91d5907332867 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 13:57:40 -0500 Subject: [PATCH 27/42] altering default compression to zlib --- manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 370e9fb..054d35a 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -94,7 +94,7 @@ } - $compression = 'deflate' + $compression = 'zlib' $debug_level = '4' $fips = 'no' $foreground = 'no' From 8c81877ed75773a436cf6d10a4c587accce4a7bd Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 14:09:50 -0500 Subject: [PATCH 28/42] adding in checks --- templates/stunnel.conf.erb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index fa61ff2..b70e0f4 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -86,11 +86,11 @@ connect = <%= @connect_server -%>:<%= @connect_port -%> connect = <%= @connect %> <% end -%> -<% if @crl_dir -%> +<% if @crl_dir and !@crl_dir.empty? -%> CRLpath = <%= @crl_dir %> <% end -%> -<% if @crl_file -%> +<% if @crl_file and !@crl_file.empty? -%> CRLfile = <%= @crl_file %> <% end -%> 
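Review bot: With `$accept` and `$connect` now defaulting to `undef`, a tunnel declared without endpoints compiles cleanly and renders a service stanza with no `accept`/`connect` line, which stunnel rejects at start-up instead of Puppet rejecting it at catalog time; add a guard such as `if !$accept and !($accept_server and $accept_port) { fail("stunnel::tun[${name}] needs accept or accept_server/accept_port") }` and the same for connect, assuming the `_server`/`_port` parameters the template references exist. The `@x and !@x.empty?` guards in the template only work if undef reaches ERB as nil; on Puppet versions that pass it as the symbol `:undef` the `.empty?` call raises, so a template spec on the target Puppet version is worth adding. The define's parameter list continues outside the hunk.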
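Review bot: Defaulting `$compression` to `'zlib'` turns on TLS-level compression for every tunnel unless a caller overrides it; compressing attacker-influenced plaintext together with secrets is the CRIME class of weakness, and most TLS deployments leave compression off. Consider defaulting to no compression (`$compression = undef`, so the template omits the line) and letting callers opt in. Whether the stunnel builds on the target platforms accept `zlib` rather than `deflate` depends on the linked OpenSSL, which this hunk does not show.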
@@ -100,18 +100,18 @@ options = <%= @option %> <% end -%> <% end -%> -<% if @private_key -%> +<% if @private_key and !@private_key.empty? -%> key = <%= @private_key %> <% end -%> -<% if @protocol -%> +<% if @protocol and !@protocol.empty? -%> protocol = <%= @protocol %> <% end -%> -<% if @ssl_version_real -%> +<% if @ssl_version_real and !@ssl_version_real.empty? -%> sslVersion = <%= ssl_version_real %> <% end -%> -<% if @verify -%> +<% if @verify and !@verify.empty? -%> verify = <% @verify %> <% end -%> From 0b9c193d85abff46c6caf29fe140f73c55135b98 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 14:18:45 -0500 Subject: [PATCH 29/42] fixing sockets --- manifests/params.pp | 4 ---- manifests/tun.pp | 5 ++++- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 054d35a..7b7f0de 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -101,9 +101,5 @@ $service = 'stunnel' $log = 'append' $output = '/var/log/stunnel.log' - $sockets = [ - 'l:TCP_NODELAY=1', - 'r:TCP_NODELAY=1', - ] $syslog = 'yes' } diff --git a/manifests/tun.pp b/manifests/tun.pp index d8b3b29..6ef789d 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -131,7 +131,10 @@ $log_dir = $::stunnel::log_dir, $output = $::stunnel::output, $pid_file = $::stunnel::pid_file, - $sockets = $::stunnel::sockets, + $sockets = [ + 'l:TCP_NODELAY=1', + 'r:TCP_NODELAY=1', + ], $syslog = $::stunnel::syslog, $user = $::stunnel::user, ) { From e02893fd8d3b54b21f4458f6de6f1d556c0f965d Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 14:33:50 -0500 Subject: [PATCH 30/42] adding check and fail, updating socket to sock --- manifests/tun.pp | 1 + templates/stunnel.conf.erb | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 6ef789d..49dd0b8 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp 
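Review bot: The `verify` line in this hunk uses a non-printing ERB tag, `verify = <% @verify %>`, so the guard passes but the rendered config contains `verify = ` with an empty value; it needs `<%= @verify %>`. The same tag survives the rename in PATCH 32, the commented-out form in PATCH 37 and the rh5 template in PATCH 40. `sslVersion = <%= ssl_version_real %>` relies on bare-name lookup while every neighbouring line uses `@`, so make it `<%= @ssl_version_real %>` for consistency. `$verify` defaults to the integer 2 in the define; if it reaches ERB as an Integer rather than a String, `.empty?` raises NoMethodError, so `!@verify.to_s.empty?` is the safer guard.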
@@ -283,6 +283,7 @@ } default: { + fail("Unsupported OS ${::operatingsystem}") } } diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index b70e0f4..e6da8b5 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -44,8 +44,8 @@ setuid = <%= @user %> <% if @sockets and !@sockets.empty? -%> ; Some performance tunings -<% sockets.each do |socket| -%> -socket = <%= @socket %> +<% sockets.each do |sock| -%> +socket = <%= @sock %> <% end -%> <% end -%> From 5a6942a30c40e354249fcab4dd150ee1ce42285c Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 14:36:46 -0500 Subject: [PATCH 31/42] changing default verify level --- manifests/tun.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 49dd0b8..6c3de1a 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -113,7 +113,7 @@ $private_key = undef, $debug_level = 4, $ssl_version = 'TLSv1', - $verify = 2, + $verify = 'level 3', # These are OS dependent... $package = $::stunnel::package, $service = $::stunnel::service, @@ -266,6 +266,7 @@ hasrestart => true, hasstatus => true, require => File_line["service ${name}-tun"], + subscribe => File["${conf_dir}/${name}.conf"], } } From aa7b4d4edab08a75bdd804be2e930d5cb1c45da2 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 14:54:02 -0500 Subject: [PATCH 32/42] changing name of verify --- manifests/tun.pp | 7 ++----- templates/stunnel.conf.erb | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 6c3de1a..b4966ad 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -111,9 +111,10 @@ $log_dest = undef, $options = undef, $private_key = undef, + $sockets = undef, $debug_level = 4, $ssl_version = 'TLSv1', - $verify = 'level 3', + $verify_stun = 'level 3', # These are OS dependent... $package = $::stunnel::package, $service = $::stunnel::service, 
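Review bot: The new `fail` reports `$::operatingsystem`, but the surrounding `case` switches on `$::osfamily`, so the message can name a value that was never compared; use `fail("Unsupported osfamily ${::osfamily} (${::operatingsystem})")`. Failing in the default branch is the right call, since an unmatched family previously left a config file on disk with no service to run it.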
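Review bot: `$verify = 'level 3'` is not a value stunnel accepts; the option takes a bare level number, `verify = 3`, and the `level N` wording is the documentation's description of each level (it appears verbatim in the manual text pasted into the rh4 template later in this series). With this default every generated config would fail to parse once the template tag actually prints it, which is likely why later patches comment the line out. Set `$verify = 2` or `3` and document the levels in the define's header, which starts outside the hunk. The `subscribe => File["${conf_dir}/${name}.conf"]` addition in the second hunk is correct and needed so config edits restart the tunnel.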
@@ -131,10 +132,6 @@ $log_dir = $::stunnel::log_dir, $output = $::stunnel::output, $pid_file = $::stunnel::pid_file, - $sockets = [ - 'l:TCP_NODELAY=1', - 'r:TCP_NODELAY=1', - ], $syslog = $::stunnel::syslog, $user = $::stunnel::user, ) { diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index e6da8b5..e12a380 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -112,6 +112,6 @@ protocol = <%= @protocol %> sslVersion = <%= ssl_version_real %> <% end -%> -<% if @verify and !@verify.empty? -%> -verify = <% @verify %> +<% if @verify_stun and !@verify_stun.empty? -%> +verify = <% @verify_stun %> <% end -%> From 7b810e3e678b32d578e684bba6ecf4fb9b68d609 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 15:13:10 -0500 Subject: [PATCH 33/42] updating init script to work properly --- templates/init.d/stunnel.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/init.d/stunnel.erb b/templates/init.d/stunnel.erb index e0a58f4..af8b8a4 100644 --- a/templates/init.d/stunnel.erb +++ b/templates/init.d/stunnel.erb @@ -84,7 +84,7 @@ stop() { else echo -n $"Shutting down $prog: " - killproc stunnel-<%= @name -%> + ps -ef | grep stunnel | grep $CONF | grep -v grep | awk '{ print $2 }' | xargs kill > /dev/null 2>&1 RETVAL=$? [ $RETVAL -eq 0 ] rm -f $LOCK_FILE @@ -114,7 +114,7 @@ case "$1" in fi ;; status) - status stunnel-<%= @name -%> + ps -ef | grep stunnel | grep $CONF | grep -v grep > /dev/null 2>&1 RETVAL=$? ;; *) From 9de523160540b3a1bf91cbfc2b959ee830d1cc60 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Mon, 16 Feb 2015 15:20:32 -0500 Subject: [PATCH 34/42] adding verbiage to status and stop --- templates/init.d/stunnel.erb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/init.d/stunnel.erb b/templates/init.d/stunnel.erb index af8b8a4..162d5af 100644 --- a/templates/init.d/stunnel.erb +++ b/templates/init.d/stunnel.erb 
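Review bot: The `ps -ef | grep stunnel | grep $CONF | grep -v grep` pipeline selects processes by substring match on the whole command line, so anything whose arguments merely contain the config path (an editor open on it, or a config name that is a prefix of another tunnel's) gets signalled by `xargs kill`, and `RETVAL` ends up reflecting xargs rather than whether the daemon exited. The generated config already writes a `pid = ...` line, so the script should target that file: `killproc -p "$PIDFILE" $SEXE` and `status -p "$PIDFILE" $SEXE`, with `PIDFILE` (a variable the script would need to define) rendered from the same value the template uses; `-p` is supported by the RHEL 5+ `functions` library, so RHEL 4 would need a `kill $(cat "$PIDFILE")` fallback. If the original `killproc stunnel-<%= @name %>` failed because the process name is plain `stunnel`, passing the pid file is the fix rather than pattern matching. `stop()` and the `case` both begin outside the hunk.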
@@ -86,8 +86,8 @@ stop() { echo -n $"Shutting down $prog: " ps -ef | grep stunnel | grep $CONF | grep -v grep | awk '{ print $2 }' | xargs kill > /dev/null 2>&1 RETVAL=$? - [ $RETVAL -eq 0 ] - rm -f $LOCK_FILE + [ $RETVAL -eq 0 ] && rm -f $LOCK_FILE + [ $RETVAL -eq 0 ] && echo "$prog stopped" || echo "$prog failed stopping" echo return $RETVAL @@ -116,6 +116,7 @@ case "$1" in status) ps -ef | grep stunnel | grep $CONF | grep -v grep > /dev/null 2>&1 RETVAL=$? + [ $RETVAL -eq 0 ] && echo "$prog is running" || echo "$prog is stopped" ;; *) echo $"Usage: $0 {start|stop|restart|condrestart|status}" From a3714a51be6a9791ec67fd7b1b6070dd4e22b93d Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 10:22:47 -0500 Subject: [PATCH 35/42] adding rhel4 support --- manifests/tun.pp | 2 +- templates/init.d/stunnel.erb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index b4966ad..f0a5f05 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -247,7 +247,7 @@ case $::osfamily { - 'RedHat': { + 'RedHat', 'CentOS': { file { "/etc/init.d/${service}-${name}": ensure => file, owner => 0, diff --git a/templates/init.d/stunnel.erb b/templates/init.d/stunnel.erb index 162d5af..f6a18ac 100644 --- a/templates/init.d/stunnel.erb +++ b/templates/init.d/stunnel.erb @@ -21,6 +21,7 @@ #==================================================================== # Paths and variables and system checks. +PATH=/usr/bin:/usr/sbin # Source function library . /etc/rc.d/init.d/functions @@ -31,7 +32,7 @@ # Path to the executable. # -SEXE=/usr/bin/stunnel +SEXE=stunnel # Path to the configuration file. # From d14c96c1f91774e3f69292b1fd7bc0effe955a62 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 11:29:54 -0500 Subject: [PATCH 36/42] removing verify level --- templates/stunnel.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
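Review bot: The stop path now removes the lock file only when `$RETVAL` is zero, but `RETVAL` is the exit status of `xargs kill`, which is non-zero whenever the pipeline finds no process (daemon already gone or crashed); in that case the lock file is left behind and `condrestart` keeps treating the tunnel as running. Restore the unconditional `rm -f $LOCK_FILE` after the kill, or derive success from whether the process is gone rather than from xargs. The `[ ... ] && echo ... || echo ...` form also takes the failure branch if the success `echo` itself fails, harmless here but an `if`/`else` reads more clearly. `stop()` continues outside the hunk.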
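Review bot: `'RedHat', 'CentOS':` never matches on the second value: the case switches on `$::osfamily`, for which CentOS already reports `RedHat`, while `CentOS` is an `$::operatingsystem` value. The extra selector is harmless but misleading, so either drop it or switch the case to `$::operatingsystem` if distinct per-distribution handling is intended. The case body continues outside the hunk.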
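Review bot: `SEXE=stunnel` replaces an absolute path with a PATH lookup, and the `PATH=/usr/bin:/usr/sbin` set just above omits `/bin` and `/sbin`, where `ps`, `grep`, `awk` and `rm` live on RHEL 4/5; the script only works if the sourced `functions` file resets PATH afterwards, which on RHEL it generally does, so the assignment is dead code rather than a fix. An init script running as root should not depend on PATH resolution for the daemon it launches; render the absolute path from the manifest instead, e.g. `SEXE=<%= @stunnel_bin %>` with a per-OS default (`/usr/bin/stunnel` vs `/usr/sbin/stunnel`), where `@stunnel_bin` is a parameter that would need adding. If the RHEL 4 package installs under a different prefix, that is the value to vary, not the lookup method. The surrounding script is outside the hunk.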
diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index e12a380..f2a135c 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -112,6 +112,6 @@ protocol = <%= @protocol %> sslVersion = <%= ssl_version_real %> <% end -%> -<% if @verify_stun and !@verify_stun.empty? -%> -verify = <% @verify_stun %> -<% end -%> +#<% if @verify_stun and !@verify_stun.empty? -%> +#verify = <% @verify_stun %> +#<% end -%> From a0133dbbb28d9ae8dedf7127a1ed19af6cefe8c1 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 11:32:30 -0500 Subject: [PATCH 37/42] commenting out verify --- templates/stunnel.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index f2a135c..3506436 100644 --- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -112,6 +112,6 @@ protocol = <%= @protocol %> sslVersion = <%= ssl_version_real %> <% end -%> -#<% if @verify_stun and !@verify_stun.empty? -%> -#verify = <% @verify_stun %> -#<% end -%> +<% if @verify_stun and !@verify_stun.empty? -%> +;verify = <% @verify_stun %> +<% end -%> From 0da5a83ca568a10c04eb9d8299f55d0b4c593cb0 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 11:52:04 -0500 Subject: [PATCH 38/42] commenting out verify --- manifests/tun.pp | 6 +- templates/stunnel.conf.rh4.erb | 131 +++++++++++++++++++++++++++++++++ 2 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 templates/stunnel.conf.rh4.erb diff --git a/manifests/tun.pp b/manifests/tun.pp index f0a5f05..cf1feb1 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp 
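Review bot: Commenting out `verify` (`;verify = ...`) leaves stunnel's default of no peer certificate verification, so every tunnel generated from this template encrypts the connection but does not authenticate the other end; that silently removes the protection `$verify_stun` exists to provide and should not be the shipped default. The line stopped working because of the non-printing tag and the `'level 3'` value, not because of the option itself; restore it as `verify = <%= @verify_stun %>` with a numeric `$verify_stun` (2 or 3, alongside `CApath`/`CAfile`). The same commented line is copied into the rh5 template in PATCH 40, and the rh4 template in PATCH 38 hardcodes `verify = level 2` instead. PATCH 36's `#` prefix does not comment out an ERB tag, so that intermediate state rendered stray `#` characters into the config; this patch correctly supersedes it.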
@@ -211,10 +211,14 @@ match => "^${name}-tun", } + if $::operatingsystem == 'RedHat' and $::operatingsystemmajrelease == '4' { + $diff_template = '.rh4' + } + # Create our configuration file { "${conf_dir}/${name}.conf": ensure => file, - content => template("${module_name}/stunnel.conf.erb"), + content => template("${module_name}/stunnel.conf.${diff_template}erb"), mode => '0644', owner => '0', group => '0', diff --git a/templates/stunnel.conf.rh4.erb b/templates/stunnel.conf.rh4.erb new file mode 100644 index 0000000..acf6273 --- /dev/null +++ b/templates/stunnel.conf.rh4.erb 
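Review bot: `$diff_template` is assigned only inside the RHEL 4 branch, so on every other platform the `template(...)` interpolation below depends on an unset variable expanding to an empty string, which Puppet 3 allows with a warning and `strict_variables = true` rejects; initialise it in both arms, e.g. `$diff_template = ''` in an `else` (the `default: { }` branch added in PATCH 41 has the same gap). The `stunnel.conf.${diff_template}erb` path, which would resolve to `stunnel.conf..rh4erb` on RHEL 4, is corrected by PATCH 39. The condition tests `$::operatingsystem == 'RedHat'` while the service handling keys on `$::osfamily`, so CentOS 4 gets the generic template; say so in a comment if that is intended. The define continues outside the hunk.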
@@ -0,0 +1,131 @@ +foreground = no +CApath = /etc/openldap/cacerts +CAfile = /etc/openldap/cacerts/dswincRootCA.crt +client = yes + + +foreground = yes|no foreground mode (don't fork, log to stderr) +key = certificate private key +options = SSL option + set an SSL option +output = file to append log messages +pid = pid file (empty to disable creating) +RNDbytes = bytes to read from random seed files +RNDfile = path to file with random seed data +RNDoverwrite = yes|no overwrite seed datafiles with new random data +service = service name +session = session cache timeout (in seconds) +setgid = groupname for setgid() +setuid = username for setuid() +socket = a|l|r:option=value[:value] + set an option on accept/local/remote socket +verify = level of peer certificate verification + level 1 - verify peer certificate if present + level 2 - require valid peer certificate always + level 3 - verify peer with locally installed certificate + + +<% if @ca_dir -%> +CApath = <%= @ca_dir %> +<% end -%> + +<% if @ca_file -%> +CAfile = <%= @ca_file %> +<% end -%> + +<% if @certificate and !@certificate.empty? -%> +cert = <%= @certificate %> +<% end -%> + +<% if @ciphers -%> +ciphers = <%= @ciphers %> +<% end -%> + +<% if @client_on -%> +client = <%= @client_on %> +<% end -%> + +<% if @chroot_real -%> +chroot = <%= @chroot_real -%> +<% end -%> + +<% if @crl_dir and !@crl_dir.empty? -%> +CRLpath = <%= @crl_dir %> +<% end -%> + +<% if @crl_file and !@crl_file.empty? -%> +CRLfile = <%= @crl_file %> +<% end -%> + +<% if @options and !@options.empty? -%> +<% options.each do |option| -%> +options = <%= @option %> +<% end -%> +<% end -%> + +<% if @private_key and !@private_key.empty? 
-%> +key = <%= @private_key %> +<% end -%> + +<% if @debug_level -%> +debug = <%= debug_level %> +<% end -%> + +<% if @fips_on -%> +fips = <%= @fips_on %> +<% end -%> + +<% if @foreground_on -%> +foreground = <%= @foreground_on %> +<% end -%> + +<% if @log -%> +log = <%= @log %> +<% end -%> + +<% if @output_real -%> +output = <%= @output_real %> +<% end -%> + +<% if @pid_file -%> +pid = <%= @pid_file %> +<% end -%> + +<% if @group -%> +setgid = <%= @group %> +<% end -%> + +<% if @user -%> +setuid = <%= @user %> +<% end -%> + +<% if @sockets and !@sockets.empty? -%> +; Some performance tunings +<% sockets.each do |sock| -%> +socket = <%= @sock %> +<% end -%> +<% end -%> + +verify = level 2 + + + + +[<%= @name -%>] +<% if @accept_server and @accept_port -%> +accept = <%= @accept_server -%>:<%= @accept_port -%> +<% elsif @accept -%> +accept = <%= @accept -%> +<% end -%> + + +<% if @connect_server and @connect_port -%> +connect = <%= @connect_server -%>:<%= @connect_port -%> +<% elsif @connect -%> +connect = <%= @connect %> +<% end -%> + +<% if @protocol and !@protocol.empty? -%> +protocol = <%= @protocol %> +<% end -%> + From e573cd577b30f593c770c33d778815ebce230b29 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 11:53:14 -0500 Subject: [PATCH 39/42] commenting out verify --- manifests/tun.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index cf1feb1..d5081f8 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -218,7 +218,7 @@ # Create our configuration file { "${conf_dir}/${name}.conf": ensure => file, - content => template("${module_name}/stunnel.conf.${diff_template}erb"), + content => template("${module_name}/stunnel.conf${diff_template}.erb"), mode => '0644', owner => '0', group => '0', From f9c8dba01f788eb47acf77991eb003c16a6bfca7 Mon Sep 17 00:00:00 2001 
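Review bot: The rh4 template hardcodes `verify = level 2` in the global section, which is not valid stunnel syntax (the option takes a number, `verify = 2`) and ignores the `$verify_stun` parameter the generic template honours; this line survives both PATCH 40 and PATCH 42. The first 27 lines of the file, a pasted site-specific config including a `CAfile` path and a chunk of manual text, are not template code and would be emitted verbatim, so the file as committed here cannot produce a usable config until PATCH 40 strips them. `debug = <%= debug_level %>` should be `<%= @debug_level %>` like its neighbours. The `fips` block removed later by PATCH 42 suggests the RHEL 4 build lacks that option; a one-line comment at the top of the template stating which stunnel version it targets would make these divergences from the generic template reviewable.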
From: Josh Preston Date: Tue, 17 Feb 2015 12:00:04 -0500 Subject: [PATCH 40/42] working on stunnel templates --- templates/stunnel.conf.rh4.erb | 27 --------- templates/stunnel.conf.rh5.erb | 105 +++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+), 27 deletions(-) create mode 100644 templates/stunnel.conf.rh5.erb diff --git a/templates/stunnel.conf.rh4.erb b/templates/stunnel.conf.rh4.erb index acf6273..8960132 100644 --- a/templates/stunnel.conf.rh4.erb +++ b/templates/stunnel.conf.rh4.erb @@ -1,30 +1,3 @@ -foreground = no -CApath = /etc/openldap/cacerts -CAfile = /etc/openldap/cacerts/dswincRootCA.crt -client = yes - - -foreground = yes|no foreground mode (don't fork, log to stderr) -key = certificate private key -options = SSL option - set an SSL option -output = file to append log messages -pid = pid file (empty to disable creating) -RNDbytes = bytes to read from random seed files -RNDfile = path to file with random seed data -RNDoverwrite = yes|no overwrite seed datafiles with new random data -service = service name -session = session cache timeout (in seconds) -setgid = groupname for setgid() -setuid = username for setuid() -socket = a|l|r:option=value[:value] - set an option on accept/local/remote socket -verify = level of peer certificate verification - level 1 - verify peer certificate if present - level 2 - require valid peer certificate always - level 3 - verify peer with locally installed certificate - - <% if @ca_dir -%> CApath = <%= @ca_dir %> <% end -%> diff --git a/templates/stunnel.conf.rh5.erb b/templates/stunnel.conf.rh5.erb new file mode 100644 index 0000000..8d9ff6f --- /dev/null +++ b/templates/stunnel.conf.rh5.erb 
@@ -0,0 +1,105 @@ +; This stunnel-<%= @name -%> config is managed by Puppet. + +<% if @chroot_real -%> +; Note that pid is created inside of the chroot jail +chroot = <%= @chroot_real -%> +<% end -%> + +<% if @compression -%> +compression = <%= @compression %> +<% end -%> + +<% if @debug_level -%> +; Set our debug level +debug = <%= debug_level %> +<% end -%> + +<% if @foreground_on -%> +foreground = <%= @foreground_on %> +<% end -%> + +<% if @log -%> +log = <%= @log %> +<% end -%> + +<% if @output_real -%> +output = <%= @output_real %> +<% end -%> + +<% if @pid_file -%> +pid = <%= @pid_file %> +<% end -%> + +<% if @group -%> +setgid = <%= @group %> +<% end -%> + +<% if @user -%> +setuid = <%= @user %> +<% end -%> + +<% if @sockets and !@sockets.empty? -%> +; Some performance tunings +<% sockets.each do |sock| -%> +socket = <%= @sock %> +<% end -%> +<% end -%> + +[<%= @name -%>] +<% if @accept_server and @accept_port -%> +accept = <%= @accept_server -%>:<%= @accept_port -%> +<% elsif @accept -%> +accept = <%= @accept -%> +<% end -%> + +<% if @ca_dir -%> +CApath = <%= @ca_dir %> +<% end -%> + +<% if @ca_file -%> +CAfile = <%= @ca_file %> +<% end -%> + +<% if @certificate and !@certificate.empty? -%> +cert = <%= @certificate %> +<% end -%> + +<% if @ciphers -%> +ciphers = <%= @ciphers %> +<% end -%> + +<% if @client_on -%> +client = <%= @client_on %> +<% end -%> + +<% if @connect_server and @connect_port -%> +connect = <%= @connect_server -%>:<%= @connect_port -%> +<% elsif @connect -%> +connect = <%= @connect %> +<% end -%> + +<% if @crl_dir and !@crl_dir.empty? -%> +CRLpath = <%= @crl_dir %> +<% end -%> + +<% if @crl_file and !@crl_file.empty? -%> +CRLfile = <%= @crl_file %> +<% end -%> + +<% if @options and !@options.empty? -%> +<% options.each do |option| -%> +options = <%= @option %> +<% end -%> +<% end -%> + +<% if @private_key and !@private_key.empty? -%> +key = <%= @private_key %> +<% end -%> + +<% if @protocol and !@protocol.empty? 
-%> +protocol = <%= @protocol %> +<% end -%> + +<% if @verify_stun and !@verify_stun.empty? -%> +;verify = <% @verify_stun %> +<% end -%> From fa911c40f0988a9a29741f50e043810e853be7d3 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 12:02:22 -0500 Subject: [PATCH 41/42] working on stunnel templates --- manifests/tun.pp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index d5081f8..ccd6fb8 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -211,8 +211,16 @@ match => "^${name}-tun", } - if $::operatingsystem == 'RedHat' and $::operatingsystemmajrelease == '4' { - $diff_template = '.rh4' + if $::operatingsystem == 'RedHat' { + case $::operatingsystemmajrelease { + '4': { + $diff_template = '.rh4' + } + '5': { + $diff_template = '.rh5' + } + default: { } + } } # Create our configuration From b98d1a9c36e719b7218856d400ecbe14e77db069 Mon Sep 17 00:00:00 2001 From: Josh Preston Date: Tue, 17 Feb 2015 13:01:02 -0500 Subject: [PATCH 42/42] fixing rhel4 template --- templates/stunnel.conf.rh4.erb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/templates/stunnel.conf.rh4.erb b/templates/stunnel.conf.rh4.erb index 8960132..910926f 100644 --- a/templates/stunnel.conf.rh4.erb +++ b/templates/stunnel.conf.rh4.erb @@ -44,10 +44,6 @@ key = <%= @private_key %> debug = <%= debug_level %> <% end -%> -<% if @fips_on -%> -fips = <%= @fips_on %> -<% end -%> - <% if @foreground_on -%> foreground = <%= @foreground_on %> <% end -%>
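Review bot: The rh5 template omits the `sslVersion` block the generic template renders, so `$ssl_version` (default `'TLSv1'` in the define) is silently ignored on RHEL 5 and the protocol choice falls back to whatever the installed stunnel/OpenSSL default is, which for that platform's vintage plausibly still includes SSLv3 or SSLv2; if the RHEL 5 build does not accept `sslVersion`, state that in a comment and document how callers should pin the protocol (for example via `$options`). The `;verify = <% @verify_stun %>` line is copied here still commented out and still with the non-printing tag, so peer verification stays off on this platform as well. The `chroot` comment correctly warns that the pid file lands inside the jail, which is useful for anyone writing the init script's stop logic.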