Puppet Class: stunnel

Inherited by:
stunnel::config
Defined in:
manifests/init.pp

Summary

Set up stunnel

Overview

Parameters:

  • pki (Variant[Enum['simp'],Boolean]) (defaults to: simplib::lookup('simp_options::pki', { 'default_value' => false }))
    • If ‘simp’, include SIMP’s pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/stunnel/x509

    • If true, do not include SIMP’s pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/stunnel/x509

    • If false, do not include SIMP’s pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:

      • app_pki_dir

      • app_pki_key

      • app_pki_cert

      • app_pki_ca

      • app_pki_ca_dir

  • app_pki_external_source (String) (defaults to: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }))
    • If pki = ‘simp’ or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

    • If pki = false, this variable has no effect.

  • app_pki_dir (Stdlib::Absolutepath) (defaults to: '/etc/pki/simp_apps/stunnel/x509')

    This variable controls the source of certs in the chroot, and the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/stunnel/x509.

    • NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path

  • app_pki_key (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem")

    Path and name of the private SSL key file

  • app_pki_cert (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub")

    Path and name of the public SSL certificate

  • app_pki_ca_dir (Stdlib::Absolutepath) (defaults to: "${app_pki_dir}/cacerts")

    Directory external from the stunnel chroot to copy the CA certificates from.

    • This should be the full path to a directory containing hashed versions of the CA certificates

  • app_pki_crl (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Directory external from the stunnel chroot to copy the Certificate Revocation List from.

  • setuid (String) (defaults to: 'stunnel')

    The user stunnel should run as

  • setgid (String) (defaults to: 'stunnel')

    The group stunnel should run as

  • uid (Integer) (defaults to: 600)

    The user id of the stunnel user

  • gid (Integer) (defaults to: $uid)

    The group id of the stunnel group

  • syslog (Boolean) (defaults to: simplib::lookup('simp_options::syslog', { 'default_value' => false }))

    Whether or not to log to syslog

  • fips (Boolean) (defaults to: simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }))

    Set the fips global option

    • NOTE: This has no effect on EL < 7, because the stunnel version shipped with those releases does not accept the fips option.

  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', { 'default_value' => false }))

    Include the SIMP "haveged" module to assist with entropy generation

  • pki (defaults to: simplib::lookup('simp_options::pki', { 'default_value' => false }))

    Whether or not to use the SIMP PKI subsystem

  • purge_instance_resources (Boolean) (defaults to: true)

    Enable purging of stunnel instance resources that are no longer managed

    • It is highly recommended that you leave this enabled

Author:



# File 'manifests/init.pp', line 80

class stunnel (
  Stdlib::Absolutepath           $app_pki_dir              = '/etc/pki/simp_apps/stunnel/x509',
  String                         $app_pki_external_source  = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }),
  Stdlib::Absolutepath           $app_pki_key              = "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem",
  Stdlib::Absolutepath           $app_pki_cert             = "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub",
  Stdlib::Absolutepath           $app_pki_ca_dir           = "${app_pki_dir}/cacerts",
  Optional[Stdlib::Absolutepath] $app_pki_crl              = undef,
  String                         $setuid                   = 'stunnel',
  String                         $setgid                   = 'stunnel',
  Integer                        $uid                      = 600,
  Integer                        $gid                      = $uid,
  Boolean                        $syslog                   = simplib::lookup('simp_options::syslog', { 'default_value' => false }),
  Boolean                        $fips                     = simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }),
  Boolean                        $haveged                  = simplib::lookup('simp_options::haveged', { 'default_value' => false }),
  Variant[Enum['simp'],Boolean]  $pki                      = simplib::lookup('simp_options::pki', { 'default_value' => false }),
  Boolean                        $purge_instance_resources = true
) {

  contain 'stunnel::install'

  if $purge_instance_resources {
    include 'stunnel::instance_purge'
  }
}
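The pki parameter description above says that with pki = false you must assign the app_pki_* paths yourself. The following declaration is an added example, not code from the stunnel module; the /etc/pki/example_pki paths are constructed placeholders for a PKI that is managed outside of SIMP.

```puppet
# Added example (not part of the stunnel module): run stunnel against an
# externally managed PKI. With pki => false the class neither includes
# SIMP's pki module nor calls pki::copy, so every path must be supplied.
# All '/etc/pki/example_pki' locations are constructed placeholders.
class { 'stunnel':
  pki                      => false,
  # Base path for the other app_pki_* parameters. Per the NOTE on
  # app_pki_dir this must live outside any stunnel chroot.
  app_pki_dir              => '/etc/pki/example_pki',
  # Private key and public certificate, named after the node's FQDN as the
  # class defaults do; app_pki_dir is not interpolated automatically when
  # the paths are given explicitly, so spell them out in full.
  app_pki_key              => "/etc/pki/example_pki/private/${facts['networking']['fqdn']}.pem",
  app_pki_cert             => "/etc/pki/example_pki/public/${facts['networking']['fqdn']}.pub",
  # Directory of hash-named CA certificates (see app_pki_ca_dir).
  app_pki_ca_dir           => '/etc/pki/example_pki/cacerts',
  # Optional: CRL directory. Leave undef if no CRL is distributed.
  app_pki_crl              => '/etc/pki/example_pki/crl',
  # Keep the default so stunnel::instance resources that drop out of the
  # catalog are removed instead of left running.
  purge_instance_resources => true,
}

# For comparison, the SIMP-managed case needs only the mode selected; the
# certificates are then copied from app_pki_external_source via pki::copy
# into the default app_pki_dir of /etc/pki/simp_apps/stunnel/x509.
# class { 'stunnel': pki => 'simp' }
```

Since app_pki_external_source is only read when pki is 'simp' or true, setting it alongside pki => false has no effect, as the parameter description states.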