diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2011-06-30 16:45:14 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2011-06-30 16:45:14 -0300 |
commit | baee1e0c8e3500ab73845d522a57ba4ebfa10cfe (patch) | |
tree | ffaf6032aadb4ee23d57007efcb3d2f2c7e21fd4 /manifests/tunnel.pp | |
parent | 1f1962afc2839da75c6d77c228c6b74a178c06a5 (diff) | |
download | puppet-ekeyd-baee1e0c8e3500ab73845d522a57ba4ebfa10cfe.tar.gz puppet-ekeyd-baee1e0c8e3500ab73845d522a57ba4ebfa10cfe.tar.bz2 |
Incorporating Riseup code
Diffstat (limited to 'manifests/tunnel.pp')
-rw-r--r-- | manifests/tunnel.pp | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp new file mode 100644 index 0000000..ccb3ecd --- /dev/null +++ b/manifests/tunnel.pp @@ -0,0 +1,92 @@ +class ekeyd-tunnel { + + include site-stunnel + + # set the ekeyd bind address/port that the actual ekeyd will use and this + # tunnel will connect to + $ekeyd_address = '127.0.0.1' + $ekeyd_port = '8889' + + # the ekeyd class ensures that we're not on a vserver or xen domU + # so we're either on a vhost, a xen dom0, or a plain old machine, all of + # which might be places we'd want to run this class + include ekeyd + + # stunnel service that listens on pn 8888/SSL and sends to localhost + # 8889/nonSSL + stunnel::service { + "ekeyd": + accept => "${ekeyd_tunnel_address}:8888", + connect => "127.0.0.1:8889", + client => false, + chroot => false, + pid => "/var/run/stunnel4/ekeyd.pid", + cafile => "/etc/certs/roots/${domain}.pem", + cert => "/etc/certs/stunnel/certs/${fqdn}/${fqdn}_server.crt", + key => "/etc/certs/stunnel/keys/${fqdn}/${fqdn}_server.key", + verify => "2", + rndfile => "/var/lib/stunnel4/.rnd", + debuglevel => "4"; + } + +} + +class egd-tunnel { + + include site-stunnel + + # set the ekeyd bind address that egd will connect to, which is stunnel on + # localhost, then the tunnel will connect to the tunnel on the ekeyd server + $ekeyd_address = '127.0.0.1' + + # the egd class ensures that we're not on a vserver, so we're either + # on a vhost, a xen dom0, a xen domU, or a plain old machine, all of + # which might be places we'd want to run this class + include egd + + # stunnel service that listens on localhost 8888/nonSSL and sends to + # pn 8888/SSL on the ekeyd server + stunnel::service { + "egd": + accept => "127.0.0.1:8888", + connect => "${ekeyd_tunnel_address}:8888", + client => true, + chroot => false, + pid => "/var/run/stunnel4/egd.pid", + cafile => "/etc/certs/roots/${domain}.pem", + cert => "/etc/certs/stunnel/certs/${fqdn}/${fqdn}_client.crt", + key => "/etc/certs/stunnel/keys/${fqdn}/${fqdn}_client.key", + verify => "2", + rndfile => "/var/lib/stunnel4/.rnd", + debuglevel => "4"; + } + + # egd needs stunnel to be up, but by default egd starts before stunnel + # (both are started at rc2.d/s20). So we need to adjust egd. + # See #576387 + + # On machines where we use loop-aes, we need to move egd to + # runlevel 3 (since stunnel starts there too since it needs the certs + # in /crypt). Unfortunately we don't have a variable to tell us + # if a machine is running loop-aes. But since all of our machines + # use either dmcrypt or loop-aes and we have a way to know if they + # are using the former, then we can just do all machines NOT using + # dmcrypt. If someone ends up using this on machines without + # encryption, this will break. + if ( ! $root_is_encrypted ) { + # We're on a loop-aes machine + exec { + "fix_egd_priority": + command => "/bin/sh -c 'update-rc.d -f ekeyd-egd-linux remove && update-rc.d ekeyd-egd-linux start 21 3 . stop 21 0 1 2 4 5 6 .'", + onlyif => '/usr/bin/test -L /etc/rc3.d/S20ekeyd-egd-linux'; + } + } + else { + # We're on a dmcrypt machine + exec { + "fix_egd_priority": + command => "/bin/sh -c 'update-rc.d -f ekeyd-egd-linux remove && update-rc.d ekeyd-egd-linux defaults 21'", + onlyif => '/usr/bin/test -L /etc/rc3.d/S20ekeyd-egd-linux'; + } + } +} |