Merge pull request #6 from Andor/master
Added multiple options for config file: pid, output, PSKIdentity, client
migibert authored Feb 10, 2020
2 parents 1175a7e + cc67c40 commit e168282
Showing 4 changed files with 57 additions and 37 deletions.
69 changes: 40 additions & 29 deletions README.md
Expand Up @@ -12,29 +12,36 @@ Install it with `ansible-galaxy install migibert.stunnel`
Role Variables
--------------

```
stunnel_use_cert (default True) : determines if we use certificates
stunnel_use_psk (default False) : determines if we use psk
stunnel_certificate_generation (default False) : determines if this role has to generate a self signed certificate
stunnel_certificate_duration: (optional, if stunnel_certificate_generation is True, default 365) : self signed certificate validity duration
stunnel_certificate_domain: (optional, if stunnel_certificate_generation is True, default www.domain.com) : self signed certificate domain field
stunnel_certificate_country: (optional, if stunnel_certificate_generation is True, default FR) : self signed certificate country field
stunnel_certificate_organization: (optional, if stunnel_certificate_generation is True, default organization) : self signed certificate organization field
stunnel_certificate_state_name: (optional, if stunnel_certificate_generation is True, default state) : self signed certificate state field
stunnel_certificate_locality: (optional, if stunnel_certificate_generation is True, default locality) : self signed certificate locality field
stunnel_certificate_file: certificate file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/certificate.pem
stunnel_key_file: key file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/key.pem
stunnel_psks: a list of psk. This look like this:
- name: client1
psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym
stunnel_services: list of services. They look like this:
- service:
name: https
accept: 443
connect: 80
```
1. `stunnel_install_ssl_backend` (optional, default False) : determines if we want to install openssl by this role
1. `stunnel_use_certificate` (default True) : determines if we use certificates
1. `stunnel_use_psk` (default False) : determines if we use psk
1. `stunnel_certificate_generation` (default False) : determines if this role has to generate a self signed certificate
1. `stunnel_certificate_duration` (optional, if `stunnel_certificate_generation` is True, default 365) : self signed certificate validity duration
1. `stunnel_certificate_domain` (optional, if `stunnel_certificate_generation` is True, default www.domain.com) : self signed certificate domain field
1. `stunnel_certificate_country` (optional, if `stunnel_certificate_generation` is True, default FR) : self signed certificate country field
1. `stunnel_certificate_organization` (optional, if `stunnel_certificate_generation` is True, default organization) : self signed certificate organization field
1. `stunnel_certificate_state_name` (optional, if `stunnel_certificate_generation` is True, default state) : self signed certificate state field
1. `stunnel_certificate_locality` (optional, if `stunnel_certificate_generation` is True, default locality) : self signed certificate locality field
1. `stunnel_certificate_file` certificate file to generate or use, depends on `stunnel_certificate_generation` value. Default is /tmp/certificate.pem
1. `stunnel_key_file` key file to generate or use, depends on `stunnel_certificate_generation` value. Default is /tmp/key.pem
1. `stunnel_psks` a list of psk. This look like this:

- name: client1
psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym

1. `stunnel_services`: list of services.
They look like this:

- name: https
accept: 443
connect: 80

Each service accepts parameters:
1. `accept` (required) : determines address:port to listen
1. `connect` (required) : determines address:port to connect
1. `client` (optional, default `False`) : determines client-mode
1. `use_psk` (optional, defaults to global `stunnel_use_psk`) : determines PSK usage for this specific service
1. `PSKidentity` (optional, depends on `use_psk`) : determines PSK identity for this specific service. This identity should be configured in `PSKsecrets`

Dependencies
------------
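Review bot: the `PSKidentity` entry at the end of the new list says the identity "should be configured in `PSKsecrets`", but `PSKsecrets` is the stunnel file the template writes; the role-level place to configure it is the `stunnel_psks` list documented a few lines above, so point readers there. In that same `stunnel_psks` description the entry key is shown as `psk:`, while the PSK example playbook further down in this file uses `key:`; the two must agree or one of them will be silently ignored by the template. Minor wording: "This look like this" should read "It looks like this".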
Expand All @@ -44,7 +51,7 @@ This role has no dependencies.
Example Playbook
----------------

```
```yaml
- hosts: all

roles:
Expand All @@ -59,8 +66,7 @@ Example Playbook
stunnel_certificate_file: /tmp/stunnel.pem
stunnel_key_file: /tmp/key.pem
stunnel_services:
- service:
name: https
- name: https
accept: 443
connect: 80
```
Expand All @@ -69,7 +75,7 @@ you may also use [PSK (Pre Shared Keys)](https://www.stunnel.org/auth.html)
which allow faster communication
at the cost of knowing clients in advance.
```
```yaml
- hosts: all

roles:
Expand All @@ -82,10 +88,15 @@ at the cost of knowing clients in advance.
- name: client2
key: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v
stunnel_services:
- service:
name: postfix
- name: postfix
accept: 12221
connect: 21
- name: mysql
accept: 3307
connect: 3306
use_psk: yes
client: yes
PSKidentity: client2
```
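Review bot: in the new `mysql` entry `client: yes` switches the service to TLS-client mode, so `connect: 3306` is the remote TLS peer and `accept: 3307` is the local plaintext listener; written as two bare port numbers the example reads as if both ends were on the same host. Giving `connect` a host:port (or a one-line comment) would make the client-mode case clearer, since this is the first example that uses `client`, `use_psk` and `PSKidentity` together.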
3 changes: 3 additions & 0 deletions defaults/main.yml
@@ -1,4 +1,5 @@
---
stunnel_install_ssl_backend: false
stunnel_use_certificate: true
stunnel_use_psk: false
stunnel_certificate_generation: False
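Review bot: boolean spelling is mixed in this file: the new `stunnel_install_ssl_backend: false` sits directly above `stunnel_certificate_generation: False`; pick one form (lowercase is the usual YAML convention) so the defaults read consistently.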
Expand All @@ -12,3 +13,5 @@ stunnel_certificate_file: /tmp/certificate.pem
stunnel_key_file: /tmp/key.pem
stunnel_services: []
stunnel_psks: []
stunnel_pid: /var/run/stunnel.pid
stunnel_output: /var/log/stunnel.log
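Review bot: `stunnel_pid` and `stunnel_output` are new role variables, but the Role Variables list in README.md changed in this same commit does not mention them; add entries with these defaults so users know the pid file and log location are overridable. Both paths are written into the config as-is by the template, so the README should also say they must be writable by the user stunnel runs as.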
1 change: 1 addition & 0 deletions tasks/main.yml
Expand Up @@ -11,6 +11,7 @@
name: openssl
update_cache: yes
register: install_ssl_backend
when: stunnel_install_ssl_backend

- name: Install package
package:
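Review bot: with `when: stunnel_install_ssl_backend` on this task, `install_ssl_backend` is still registered but now holds a skipped result whenever the flag is false; any later task that reads `install_ssl_backend` should tolerate that (for example by guarding with `install_ssl_backend is not skipped`). Because `defaults/main.yml` sets the flag to `false`, the role stops installing openssl by default, which is a behaviour change for existing users and deserves a line in the README.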
21 changes: 13 additions & 8 deletions templates/stunnel.conf.j2
@@ -1,17 +1,22 @@
pid=/var/run/stunnel.pid
output = /var/log/stunnel.log
pid = {{ stunnel_pid }}
output = {{ stunnel_output }}

{% if stunnel_use_certificate %}
cert=/etc/stunnel/stunnel.pem
{% endif %}
cert = /etc/stunnel/stunnel.pem
{% endif -%}

{% for service in stunnel_services %}
[{{service.name}}]
accept = {{service.accept}}
connect = {{service.connect}}
{% if stunnel_use_psk %}
{% if service.client | default(false) %}
client = yes
{% endif %}
{% if ( stunnel_use_psk or service.use_psk ) and service.PSKidentity | default(false) %}
PSKidentity = {{ service.PSKidentity }}
{% endif %}
accept = {{ service.accept }}
connect = {{ service.connect }}
{% if stunnel_use_psk or service.use_psk %}
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
{% endif %}

{% endfor %}
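Review bot: the new guard `{% if ( stunnel_use_psk or service.use_psk ) and service.PSKidentity | default(false) %}` and the matching `{% if stunnel_use_psk or service.use_psk %}` around `ciphers = PSK` read `service.use_psk` without a `default`, unlike `service.client | default(false)` two lines above; for a service that does not set `use_psk` while `stunnel_use_psk` is false the attribute is undefined and can abort the template render. Use `service.use_psk | default(false)` in both places. Separately, `{% endif -%}` strips trailing whitespace only after the `cert` block while the other `endif` tags do not, which looks unintentional.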
