Puppet Class: stunnel

Inherited by:
stunnel::config
Defined in:
manifests/init.pp

Overview

Set up stunnel

Parameters:

  • pki (Variant[Enum['simp'],Boolean]) (defaults to: simplib::lookup('simp_options::pki', { 'default_value' => false }))

    • If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/stunnel/x509

    • If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/stunnel/x509

    • If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:

      • app_pki_dir
      • app_pki_key
      • app_pki_cert
      • app_pki_ca
      • app_pki_ca_dir

  • app_pki_external_source (Stdlib::Absolutepath) (defaults to: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }))
    • If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

    • If pki = false, this variable has no effect.

  • app_pki_dir (Stdlib::Absolutepath) (defaults to: '/etc/pki/simp_apps/stunnel/x509')

    This variable controls the source of certs in the chroot, and the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/stunnel/x509.

    • NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path

  • app_pki_key (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/private/${facts['fqdn']}.pem")

    Path and name of the private SSL key file

  • app_pki_cert (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/public/${facts['fqdn']}.pub")

    Path and name of the public SSL certificate

  • app_pki_ca_dir (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/cacerts")

    Directory external from the stunnel chroot to copy the CA certificates from.

    • This should be the full path to a directory containing hashed versions of the CA certificates

  • app_pki_crl (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/crl")

    Directory external from the stunnel chroot to copy the Certificate Revocation List from.

  • setuid (String) (defaults to: 'stunnel')

    The user stunnel should run as

  • setgid (String) (defaults to: 'stunnel')

    The group stunnel should run as

  • uid (Integer) (defaults to: 600)

    The user id of the stunnel user

  • gid (Integer) (defaults to: $uid)

    The group id of the stunnel group

  • syslog (Boolean) (defaults to: simplib::lookup('simp_options::syslog', { 'default_value' => false }))

    Whether or not to log to syslog

  • fips (Boolean) (defaults to: simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }))

    Set the fips global option

    • We don't enable FIPS mode by default since we want to be able to use TLS1.2

    • NOTE: This has no effect on EL < 7, because the stunnel version shipped with those releases does not accept the fips option.

  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', { 'default_value' => false }))

    Include the SIMP haveged module to assist with entropy generation
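As an added example that is not part of the stunnel module's own code, a site profile declaring the class with pki => false, the mode in which the caller must supply the certificate paths itself; the profile name and every path under /srv/example are assumptions:

```puppet
# Site profile (assumed name) wrapping the stunnel class for hosts whose
# certificates are managed outside SIMP. /srv/example/pki is an assumed path.
class profile::stunnel_site (
  Stdlib::Absolutepath $cert_base = '/srv/example/pki',
) {
  class { 'stunnel':
    # false: no SIMP pki module and no pki::copy, so nothing below is created
    # for you; the files must already exist on the node.
    pki            => false,

    # app_pki_key, app_pki_cert, app_pki_ca_dir and app_pki_crl all default to
    # paths under app_pki_dir, so a tree laid out as private/, public/,
    # cacerts/ and crl/ only needs this one override.
    app_pki_dir    => $cert_base,

    # Override individually when the site layout differs from the default one.
    app_pki_key    => "${cert_base}/private/${facts['fqdn']}.pem",
    app_pki_cert   => "${cert_base}/public/${facts['fqdn']}.pub",
    # Must hold the hashed (subject-hash named) CA certificates, and must sit
    # outside any stunnel chroot path.
    app_pki_ca_dir => "${cert_base}/cacerts",
    app_pki_crl    => "${cert_base}/crl",

    syslog         => true,
    # fips is left at its default, which already follows $facts['fips_enabled'].
  }
}
```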

Author:



# File 'manifests/init.pp', line 76

class stunnel (
  Stdlib::Absolutepath          $app_pki_dir             = '/etc/pki/simp_apps/stunnel/x509',
  Stdlib::Absolutepath          $app_pki_external_source = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }),
  Stdlib::Absolutepath          $app_pki_key             = "${app_pki_dir}/private/${facts['fqdn']}.pem",
  Stdlib::Absolutepath          $app_pki_cert            = "${app_pki_dir}/public/${facts['fqdn']}.pub",
  Stdlib::Absolutepath          $app_pki_ca_dir          = "${app_pki_dir}/cacerts",
  Stdlib::Absolutepath          $app_pki_crl             = "${app_pki_dir}/crl",
  String                        $setuid                  = 'stunnel',
  String                        $setgid                  = 'stunnel',
  Integer                       $uid                     = 600,
  Integer                       $gid                     = $uid,
  Boolean                       $syslog                  = simplib::lookup('simp_options::syslog', { 'default_value'      => false }),
  Boolean                       $fips                    = simplib::lookup('simp_options::fips', { 'default_value'        => pick($facts['fips_enabled'], false) }),
  Boolean                       $haveged                 = simplib::lookup('simp_options::haveged', { 'default_value'     => false }),
  Variant[Enum['simp'],Boolean] $pki                     = simplib::lookup('simp_options::pki', { 'default_value'         => false })
) {
  # Optional entropy helper for hosts that struggle to seed the RNG
  if $haveged { include '::haveged' }

  # Install, configure and run stunnel as contained sub-classes
  contain '::stunnel::install'
  contain '::stunnel::config'
  contain '::stunnel::service'

  # Create the stunnel user/group once, even if another class also declares it
  ensure_resource('stunnel::account', $setuid, { 'groupname' => $setgid, 'uid' => $uid, 'gid' => $gid })

  # Package first, then the account, then config; config changes restart the service
  Class['stunnel::install'] -> Stunnel::Account[$setuid] -> Class['stunnel::config']
  Class['stunnel::config'] ~> Class['stunnel::service']
}