diff --git a/README.md b/README.md
index 50d9ad0..50a55d8 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 Stunnel
 =========
 [![Galaxy](http://img.shields.io/badge/ansible--galaxy-stunnel-blue.svg)](https://galaxy.ansible.com/list#/roles/3502)
-[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org)
+[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org)
 Ansible role to install stunnel in order to achieve SSL Termination on Linux machines.
@@ -13,6 +13,8 @@ Role Variables
 --------------
 ```
+stunnel_use_cert (default True) : determines if we use certificates
+stunnel_use_psk (default False) : determines if we use psk
 stunnel_certificate_generation (default False) : determines if this role has to generate a self signed certificate
 stunnel_certificate_duration: (optional, if stunnel_certificate_generation is True, default 365) : self signed certificate validity duration
 stunnel_certificate_domain: (optional, if stunnel_certificate_generation is True, default www.domain.com) : self signed certificate domain field
@@ -22,12 +24,16 @@ stunnel_certificate_state_name: (optional, if stunnel_certificate_generation is
 stunnel_certificate_locality: (optional, if stunnel_certificate_generation is True, default locality) : self signed certificate locality field
 stunnel_certificate_file: certificate file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/certificate.pem
 stunnel_key_file: key file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/key.pem
+stunnel_psks: a list of psk. This look like this:
+- name: client1
+ psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym
+
 stunnel_services: list of services. They look like this:
 - service:
- name: https
- accept: 443
- connect: 80
-
+ name: https
+ accept: 443
+ connect: 80
+
 ```
 Dependencies
@@ -59,6 +65,30 @@ Example Playbook
 connect: 80
 ```
+you may also use [PSK (Pre Shared Keys)](https://www.stunnel.org/auth.html)
+which allow faster communication
+at the cost of knowing clients in advance.
+
+```
+- hosts: all
+
+ roles:
+ - role: stunnel-role
+ stunnel_use_certificate: false
+ stunnel_use_psk: true
+ stunnel_psks:
+ - name: client1
+ key: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt
+ - name: client2
+ key: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v
+ stunnel_services:
+ - service:
+ name: postfix
+ accept: 12221
+ connect: 21
+```
+
+
 License
 -------
diff --git a/defaults/main.yml b/defaults/main.yml
index 6255f91..92e96af 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+stunnel_use_certificate: true
+stunnel_use_psk: false
 stunnel_certificate_generation: False
 stunnel_certificate_duration: 365
 stunnel_certificate_domain: www.domain.com
@@ -8,8 +10,5 @@ stunnel_certificate_state_name: state
 stunnel_certificate_locality: locality
 stunnel_certificate_file: /tmp/certificate.pem
 stunnel_key_file: /tmp/key.pem
-stunnel_services:
- - service:
- name: https
- accept: 443
- connect: 80
+stunnel_services: []
+stunnel_psks: []
diff --git a/tasks/main.yml b/tasks/main.yml
index e6bd1d5..53565ab 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,11 @@
 ---
 # tasks file for stunnel-role
+
+- name: sanity check that we use at least one of certificate or psk
+ fail:
+ msg: You should activate at least one of stunnel_use_certificate and stunnel_use_psk
+ when: not (stunnel_use_certificate or stunnel_use_psk)
+
 - name: Install SSL backend
 package:
 name: openssl
@@ -12,7 +18,11 @@
 force: yes
 register: install_stunnel_4
-- include: certificate.yml
+- include: certificate.yml
+ when: stunnel_use_certificate | bool
+
+- include: psk.yml
+ when: stunnel_use_psk | bool
 - name: Stunnel configuration
 template:
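Review bot: The new flag is named `stunnel_use_certificate` here in defaults/main.yml and in tasks/main.yml, but the README variable list added in hunk `@@ -13,6 +13,8 @@` documents it as `stunnel_use_cert`, so a user who sets the documented name leaves the default `true` in force and certificate handling is never disabled. Change the README entry to `stunnel_use_certificate (default True) : determines if we use certificates` so it agrees with the playbook example further down, which already uses the full name.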
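Review bot: The sanity check added at the top of tasks/main.yml tests `stunnel_use_certificate or stunnel_use_psk` without the `| bool` cast that the two `include` guards in hunk `@@ -12,7 +18,11 @@` apply, so a value supplied as the string `"false"` (for example via `-e`) is truthy here but falsy there, and the play continues with neither certificate.yml nor psk.yml included. Use the same cast in both places: `when: not (stunnel_use_certificate | bool or stunnel_use_psk | bool)`. The `{% if stunnel_use_certificate %}` and `{% if stunnel_use_psk %}` tests in templates/stunnel.conf.j2 have the same inconsistency with the include guards.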
@@ -33,4 +43,8 @@
 name: stunnel4
 state: restarted
 enabled: true
- when: install_stunnel_4 is changed or enable_stunnel is changed or stunnel_configuration is changed
+ when: >
+ install_stunnel_4.changed or
+ enable_stunnel.changed or
+ stunnel_configuration.changed or
+ (stunnel_psk_file.changed|default(false))
diff --git a/tasks/psk.yml b/tasks/psk.yml
new file mode 100644
index 0000000..c4faf44
--- /dev/null
+++ b/tasks/psk.yml
@@ -0,0 +1,15 @@
+---
+# tasks to use psk
+- name: sanity check for psk existence
+ fail:
+ msg: If you have stunnel_use_psk you should provide at least one key
+ when: not (stunnel_psks|default(false))
+
+- name: Generate psk file
+ template:
+ src: psk.txt.j2
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ dest: /etc/stunnel/psk.txt
+ register: stunnel_psk_file
diff --git a/templates/psk.txt.j2 b/templates/psk.txt.j2
new file mode 100644
index 0000000..1e4300c
--- /dev/null
+++ b/templates/psk.txt.j2
@@ -0,0 +1,3 @@
+{% for psk in stunnel_psks %}
+{{ psk.name }}:{{ psk.key }}
+{% endfor %}
diff --git a/templates/stunnel.conf.j2 b/templates/stunnel.conf.j2
index 62db1e3..1b210bb 100644
--- a/templates/stunnel.conf.j2
+++ b/templates/stunnel.conf.j2
@@ -1,9 +1,17 @@
 pid=/var/run/stunnel.pid
+output = /var/log/stunnel.log
+
+{% if stunnel_use_certificate %}
 cert=/etc/stunnel/stunnel.pem
-output=/var/log/stunnel.log
+{% endif %}
 {% for service in stunnel_services %}
 [{{service.name}}]
 accept = {{service.accept}}
- connect= {{service.connect}}
+ connect = {{service.connect}}
+{% if stunnel_use_psk %}
+ ciphers = PSK
+ PSKsecrets = /etc/stunnel/psk.txt
+{% endif %}
+
 {% endfor %}
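Review bot: Nothing removes `/etc/stunnel/psk.txt` once `stunnel_use_psk` is set back to false: psk.yml is then skipped, stunnel.conf.j2 stops referencing the file, and the shared secrets stay on disk indefinitely. A `file:` task with `state: absent` in tasks/main.yml guarded by `when: not (stunnel_use_psk | bool)` would keep the on-disk state in step with the variable. The `template` task should also carry `no_log: true`; as far as I can tell a run with `--diff` otherwise prints every identity and key of the rendered file into the job output. The `mode: u=rw,g=,o=` and root ownership on the file are the right choice.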
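Review bot: The template reads `psk.key`, and the playbook example in the README uses `key:`, but the README variable list added in hunk `@@ -22,12 +24,16 @@` shows the entry as `psk:`, so a user following that list gets an undefined-attribute error when the file is rendered. Change that README line to `  key: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym`. Note also that `psk.name` and `psk.key` are interpolated unescaped into a colon-separated `identity:key` line, so a value containing a newline or a colon silently yields a malformed secrets file; a one-line remark in the README that neither field may contain those characters, or a render-time check, would close that gap.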
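Review bot: `ciphers = PSK` is emitted into every service whenever `stunnel_use_psk` is true, regardless of `stunnel_use_certificate`, so the combination that the sanity check in tasks/main.yml explicitly permits (both true) appears to restrict every service to PSK cipher suites while the certificate is loaded but never used for a handshake. Either state in the README that the two options are mutually exclusive, or emit the block only with `{% if stunnel_use_psk and not stunnel_use_certificate %}`. The secrets path is also spelled twice, here as `PSKsecrets = /etc/stunnel/psk.txt` and as `dest:` in tasks/psk.yml; a single role variable for it would keep the two from drifting apart.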