Merge pull request #5 from migibert/psk_support
Psk support
migibert authored Sep 17, 2019
2 parents 59393e3 + 973245b commit 1175a7e
Showing 6 changed files with 83 additions and 14 deletions.
40 changes: 35 additions & 5 deletions README.md
@@ -1,7 +1,7 @@
Stunnel
=========
[![Galaxy](http://img.shields.io/badge/ansible--galaxy-stunnel-blue.svg)](https://galaxy.ansible.com/list#/roles/3502)
[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org)
[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org)


Ansible role to install stunnel in order to achieve SSL Termination on Linux machines.
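Review bot: the removed and added `[![License]...]` badge lines in this hunk are textually identical in the rendered view, so the change is presumably whitespace only; if the intent was to drop a duplicated badge, only one License badge line should remain after the Galaxy badge.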
@@ -13,6 +13,8 @@ Role Variables
--------------

```
stunnel_use_cert (default True) : determines if we use certificates
stunnel_use_psk (default False) : determines if we use psk
stunnel_certificate_generation (default False) : determines if this role has to generate a self signed certificate
stunnel_certificate_duration: (optional, if stunnel_certificate_generation is True, default 365) : self signed certificate validity duration
stunnel_certificate_domain: (optional, if stunnel_certificate_generation is True, default www.domain.com) : self signed certificate domain field
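Review bot: the variable documented here as `stunnel_use_cert (default True)` does not exist in the role; defaults/main.yml and tasks/main.yml in this same change use `stunnel_use_certificate`, so a user who sets `stunnel_use_cert: false` silently keeps certificate mode enabled. Rename the README entry to `stunnel_use_certificate` to match the code.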
@@ -22,12 +24,16 @@ stunnel_certificate_state_name: (optional, if stunnel_certificate_generation is
stunnel_certificate_locality: (optional, if stunnel_certificate_generation is True, default locality) : self signed certificate locality field
stunnel_certificate_file: certificate file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/certificate.pem
stunnel_key_file: key file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/key.pem
stunnel_psks: a list of psk. This look like this:
- name: client1
psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym
stunnel_services: list of services. They look like this:
- service:
name: https
accept: 443
connect: 80
name: https
accept: 443
connect: 80
```

Dependencies
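Review bot: the `stunnel_psks` example documents the field as `psk:`, but templates/psk.txt.j2 reads `{{ psk.key }}` and the playbook example further down uses `key:`; a user following this section gets an undefined-variable error instead of a PSK file. Change the example to `key:`. Also, the `stunnel_services` example is flattened here to `- name: https` (which is what `{{service.name}}` in templates/stunnel.conf.j2 expects), while the playbook example in this PR still nests the keys under `- service:`; one shape should be used consistently, and the flat one is the one the template renders.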
@@ -59,6 +65,30 @@ Example Playbook
connect: 80
```

you may also use [PSK (Pre Shared Keys)](https://www.stunnel.org/auth.html)
which allow faster communication
at the cost of knowing clients in advance.

```
- hosts: all
roles:
- role: stunnel-role
stunnel_use_certificate: false
stunnel_use_psk: true
stunnel_psks:
- name: client1
key: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt
- name: client2
key: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v
stunnel_services:
- service:
name: postfix
accept: 12221
connect: 21
```


License
-------

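Review bot: the example embeds two literal PSK values directly in the playbook; since `stunnel_psks` are long-lived shared secrets, the README should direct users to keep them in an `ansible-vault` encrypted vars file rather than inline, and the sample values should be marked as placeholders so they are not copied into real deployments. This example also uses `stunnel_use_certificate`, which is the name the role actually reads, contradicting the `stunnel_use_cert` entry in the Role Variables section above.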
9 changes: 4 additions & 5 deletions defaults/main.yml
@@ -1,4 +1,6 @@
---
stunnel_use_certificate: true
stunnel_use_psk: false
stunnel_certificate_generation: False
stunnel_certificate_duration: 365
stunnel_certificate_domain: www.domain.com
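Review bot: style: the two new booleans use lowercase `true`/`false` while the existing `stunnel_certificate_generation: False` uses the capitalized form; YAML accepts both, but one style should be used throughout this defaults file.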
@@ -8,8 +10,5 @@ stunnel_certificate_state_name: state
stunnel_certificate_locality: locality
stunnel_certificate_file: /tmp/certificate.pem
stunnel_key_file: /tmp/key.pem
stunnel_services:
- service:
name: https
accept: 443
connect: 80
stunnel_services: []
stunnel_psks: []
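Review bot: changing the default `stunnel_services` from the https example to `[]` is a behaviour change for existing users: a play that relied on the default now renders a stunnel.conf with no `[service]` section and restarts stunnel4 into a configuration that terminates nothing. Call this out in the README, and consider a `fail:` sanity check in tasks/main.yml (mirroring the new certificate/psk check) when `stunnel_services` is empty.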
18 changes: 16 additions & 2 deletions tasks/main.yml
@@ -1,5 +1,11 @@
---
# tasks file for stunnel-role

- name: sanity check that we use at least one of certificate or psk
fail:
msg: You should activate at least one of stunnel_use_certificate and stunnel_use_psk
when: not (stunnel_use_certificate or stunnel_use_psk)

- name: Install SSL backend
package:
name: openssl
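Review bot: the sanity check evaluates `stunnel_use_certificate or stunnel_use_psk` on the raw values, while the includes later in this file apply `| bool`; a value passed as the string `"false"` (for example via `-e stunnel_use_certificate=false`) is truthy here, so the check passes and then both includes are skipped. Use `when: not (stunnel_use_certificate | bool or stunnel_use_psk | bool)` so the two agree.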
@@ -12,7 +18,11 @@
force: yes
register: install_stunnel_4

- include: certificate.yml
- include: certificate.yml
when: stunnel_use_certificate | bool

- include: psk.yml
when: stunnel_use_psk | bool

- name: Stunnel configuration
template:
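Review bot: `- include:` has been deprecated since Ansible 2.4 in favour of `include_tasks`/`import_tasks`; as both includes here are conditional on a variable, `include_tasks` with the same `when:` is the direct replacement. Note also that when psk.yml is skipped nothing registers `stunnel_psk_file`, which is why the restart condition at the end of this file has to guard it with `default(false)`; a short comment here would make that coupling visible.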
@@ -33,4 +43,8 @@
name: stunnel4
state: restarted
enabled: true
when: install_stunnel_4 is changed or enable_stunnel is changed or stunnel_configuration is changed
when: >
install_stunnel_4.changed or
enable_stunnel.changed or
stunnel_configuration.changed or
(stunnel_psk_file.changed|default(false))
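Review bot: the replaced condition used the `is changed` test (`install_stunnel_4 is changed`), which is the recommended form, and the new block reverts to attribute access (`.changed`). Keep the test form, e.g. `install_stunnel_4 is changed or enable_stunnel is changed or stunnel_configuration is changed or (stunnel_psk_file is defined and stunnel_psk_file is changed)`, which also avoids relying on `default(false)` applied to an attribute of a possibly undefined variable.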
15 changes: 15 additions & 0 deletions tasks/psk.yml
@@ -0,0 +1,15 @@
---
# tasks to use psk
- name: sanity check for psk existence
fail:
msg: If you have stunnel_use_psk you should provide at least one key
when: not (stunnel_psks|default(false))

- name: Generate psk file
template:
src: psk.txt.j2
owner: root
group: root
mode: u=rw,g=,o=
dest: /etc/stunnel/psk.txt
register: stunnel_psk_file
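Review bot: the `Generate psk file` task renders shared secrets from a template, so running the play with `--diff` (or with verbose output on failure) prints the key material to the console and logs; add `no_log: true` to this task (the registered result still carries `changed` for the restart condition). The `mode: u=rw,g=,o=` and root ownership are right, since the stunnel documentation requires the PSKsecrets file not be world-readable. Separately, nothing removes /etc/stunnel/psk.txt when a host is later switched back to `stunnel_use_psk: false`, so stale keys remain on disk; a `file: state=absent` task on the opposite condition would cover that.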
3 changes: 3 additions & 0 deletions templates/psk.txt.j2
@@ -0,0 +1,3 @@
{% for psk in stunnel_psks %}
{{ psk.name }}:{{ psk.key }}
{% endfor %}
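Review bot: this template reads `psk.key`, while the Role Variables section of the README documents the field as `psk:`; one of the two must change. The PSKsecrets format is one `identity:key` per line, so an identity containing `:` or a key with surrounding whitespace produces a line stunnel cannot parse correctly; a sanity check on `stunnel_psks` in psk.yml would catch that, and the README should mention that stunnel enforces a minimum PSK key length (see the PSKsecrets section of the stunnel manual) so users do not generate keys that stunnel rejects.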
12 changes: 10 additions & 2 deletions templates/stunnel.conf.j2
@@ -1,9 +1,17 @@
pid=/var/run/stunnel.pid
output = /var/log/stunnel.log

{% if stunnel_use_certificate %}
cert=/etc/stunnel/stunnel.pem
output=/var/log/stunnel.log
{% endif %}

{% for service in stunnel_services %}
[{{service.name}}]
accept = {{service.accept}}
connect= {{service.connect}}
connect = {{service.connect}}
{% if stunnel_use_psk %}
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
{% endif %}

{% endfor %}
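Review bot: `ciphers = PSK` inside every `[service]` restricts the TLS 1.2-and-below cipher list to PSK suites, so when a user enables both `stunnel_use_certificate` and `stunnel_use_psk` (which the sanity check in tasks/main.yml allows), certificate-authenticated clients can no longer negotiate a suite with these services; either document that PSK mode is exclusive or make the PSK block selectable per service. Minor: moving `output` to the global section is correct, since logging is not tied to certificate use, and the `connect =` spacing fix matches the `accept =` line.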
