Defined Type: nfs::client::stunnel

Defined in:
manifests/client/stunnel.pp

Summary

Connect to an NFSv4 server over stunnel

Overview

No stunnel connection can be made to the local system due to the likelihood of a port conflict. So if you’re connecting to the local system, a direct connection is required.

When you know this host is also the NFS server, configuring the mount for a direct connection to `127.0.0.1` is best. However, this define attempts to determine whether the host is trying to connect to itself and, if so, uses a direct, local connection in lieu of a stunnel.

  • Auto-detect logic only works with IPv4 addresses.

  • When the auto-detect logic detects a local connection, this define does not need to do anything further, because `nfs::client::mount` has already set the NFS server IP to `127.0.0.1` in the mount.

Parameters:

  • name (Simplib::Host::Port)

    An `<ip>:<port>` combination to the remote NFSv4 server

    • The `port` is the listening port of the NFS server daemon.

  • nfs_server (Simplib::Ip)

    The IP address of the NFS server to which you will be connecting

  • nfsd_accept_port (Simplib::Port)

    The NFS server daemon listening port

  • nfsd_connect_port (Simplib::Port)

    Listening port on the NFS server for the tunneled connection to the NFS server daemon

  • stunnel_socket_options (Array[String])

    Additional stunnel socket options to be applied to the stunnel to the NFS server

  • stunnel_verify (Integer[0])

    The level at which to verify TLS connections

  • stunnel_wantedby (Array[String])

    The `systemd` targets that need `stunnel` to be active prior to being activated

  • firewall (Boolean)

    Use the SIMP `iptables` module to manage firewall connections

  • tcpwrappers (Boolean)

    Use the SIMP `tcpwrappers` module to manage TCP wrappers

Author:



# File 'manifests/client/stunnel.pp', line 52

define nfs::client::stunnel(
  Simplib::Ip   $nfs_server,
  Simplib::Port $nfsd_accept_port,
  Simplib::Port $nfsd_connect_port,
  Array[String] $stunnel_socket_options,
  Integer[0]    $stunnel_verify,
  Array[String] $stunnel_wantedby,
  Boolean       $firewall,
  Boolean       $tcpwrappers
) {
  assert_private()

  # When you are connecting to a collocated NFS server, the stunnel is
  # unnecessary and the destination IP has already been correctly configured
  # to be 127.0.0.1.
  unless simplib::host_is_me($nfs_server) {
    simplib::assert_optional_dependency($module_name, 'simp/stunnel')

    stunnel::instance { "nfs_${name}_client_nfsd":
      connect          => ["${nfs_server}:${nfsd_connect_port}"],
      accept           => "127.0.0.1:${nfsd_accept_port}",
      verify           => $stunnel_verify,
      socket_options   => $stunnel_socket_options,
      systemd_wantedby => $stunnel_wantedby,
      firewall         => $firewall,
      tcpwrappers      => $tcpwrappers,
      tag              => ['nfs']
    }
  }
}
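
The branch in the define above, modeled in Python as an added example (not code from the SIMP nfs module): it shows which tunnel endpoints result from the parameters and flags the two cases a reviewer would check, a local IPv6 server that the IPv4-only auto-detect misses and a `stunnel_verify` of 0. The function name, the `local_addrs` input, and the sample addresses and ports are assumptions made for the example.

```python
import ipaddress

def plan_connection(nfs_server, accept_port, connect_port, verify, local_addrs):
    """Model the define's choice between a direct mount and an stunnel.

    local_addrs stands in for the host's own addresses (hypothetical input;
    the module itself asks simplib::host_is_me).
    """
    addr = ipaddress.ip_address(nfs_server)
    is_local = addr.is_loopback or addr in {ipaddress.ip_address(a) for a in local_addrs}
    warnings = []

    # Auto-detect only understands IPv4: a local IPv4 server gets a direct
    # connection and no stunnel instance is declared.
    if is_local and addr.version == 4:
        return {"mode": "direct", "mount": f"127.0.0.1:{accept_port}",
                "tunnel": None, "warnings": warnings}

    if is_local:
        # Local IPv6 server slips past auto-detect; the tunnel's accept
        # address would compete with the local nfsd for the same port.
        warnings.append("local IPv6 server not auto-detected: likely port "
                        "conflict, mount 127.0.0.1 directly instead")
    if verify == 0:
        # stunnel verify level 0 requests the peer certificate but ignores it.
        warnings.append("stunnel_verify=0: peer certificate is not validated")

    # Same interpolation as the manifest's accept/connect attributes.
    tunnel = {"accept": f"127.0.0.1:{accept_port}",
              "connect": f"{nfs_server}:{connect_port}",
              "verify": verify}
    return {"mode": "stunnel", "mount": tunnel["accept"],
            "tunnel": tunnel, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    local = ["10.0.0.9", "fd00::9"]
    for server, verify in [("10.0.0.5", 2), ("10.0.0.9", 2), ("fd00::9", 0)]:
        print(server, plan_connection(server, 2049, 20490, verify, local))
```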