Classes
- stunnel: Set up stunnel
- stunnel::config: Global stunnel options
- stunnel::install: NOTE: THIS IS A PRIVATE Defined Type. Install the Stunnel components
- stunnel::instance_purge: Purge stunnel::instance resources that were previously managed by this module
- stunnel::monolithic: NOTE: THIS IS A PRIVATE CLASS. Prevent global connection and configuration from being instantiated when only stunnel::instance resources are required
- stunnel::service: Manage the Stunnel Service

Defined types
- stunnel::account: NOTE: THIS IS A PRIVATE CLASS. A define for setting up stunnel service users and groups
- stunnel::connection: Set up a stunnel connection for the service $name
- stunnel::instance: Set up a stunnel connection with a unique configuration and service
- stunnel::instance::reserve_port: NOTE: THIS IS A PRIVATE DEFINED TYPE. This is a 'canary' defined type that fails a compile when defined types have an overlapping listen port

Resource types
- stunnel_instance_purge: Disables all services and removes all associated files for stunnel::instance created resources that are no longer under management

Data types
- Stunnel::Connect: Valid entries for a stunnel connect entry
- Stunnel::OcspFlags: Valid stunnel OCSP flag options
stunnel

Set up stunnel

The following parameters are available in the stunnel class:

pki
Data type: Variant[Enum['simp'],Boolean]
Whether or not to use the SIMP PKI subsystem
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/stunnel/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/stunnel/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })

app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the source of certs in the chroot, and the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/stunnel/x509.
- NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path
Default value: '/etc/pki/simp_apps/stunnel/x509'

app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"

app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"

app_pki_ca_dir
Data type: Stdlib::Absolutepath
Directory external from the stunnel chroot to copy the CA certificates from.
- This should be the full path to a directory containing hashed versions of the CA certificates
Default value: "${app_pki_dir}/cacerts"

app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Directory external from the stunnel chroot to copy the Certificate Revocation List from.
Default value: undef

setuid
Data type: String
The user stunnel should run as
Default value: 'stunnel'

setgid
Data type: String
The group stunnel should run as
Default value: 'stunnel'

uid
Data type: Integer
The user id of the stunnel user
Default value: 600

gid
Data type: Integer
The group id of the stunnel group
Default value: $uid

syslog
Data type: Boolean
Whether or not to log to syslog
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })

fips
Data type: Boolean
Set the fips global option
- NOTE: This has no effect on EL < 7 due to stunnel not accepting the fips option in that version of stunnel.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) })

haveged
Data type: Boolean
Include the SIMP haveged module to assist with entropy generation
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })

purge_instance_resources
Data type: Boolean
Enable purging of stunnel instance resources that are no longer managed
- It is highly recommended that you leave this enabled
Default value: true
stunnel::config

Global stunnel options

The following parameters are available in the stunnel::config class:

chroot
Data type: Stdlib::Absolutepath
The location of the chroot jail, if it is not set to undef. If SELinux is set to Enforced or Permissive, $chroot will be set to undef. This option only affects stunnel::connection.
- Do NOT make this anything under /var/run
Default value: '/var/stunnel'

pki
Data type: Variant[Enum['simp'],Boolean]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/stunnel/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/stunnel/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca_dir
Default value: $stunnel::pki

app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy
- If pki = false, this variable has no effect
Default value: $stunnel::app_pki_external_source

app_pki_dir
Data type: Stdlib::Absolutepath
The source of certs in the chroot, and the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl
- NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path
Default value: $stunnel::app_pki_dir

app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: $stunnel::app_pki_key

app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: $stunnel::app_pki_cert

app_pki_ca_dir
Data type: Stdlib::Absolutepath
Since stunnel runs in a chroot, you need to copy the appropriate CA certificates in from an external source
- This should be the full path to a directory containing hashed versions of the CA certificates
Default value: $stunnel::app_pki_ca_dir

app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Since stunnel runs in a chroot, you need to copy the appropriate CRL in from an external source
Default value: $stunnel::app_pki_crl

pid
Data type: Optional[Stdlib::Absolutepath]
The PID file
- Relative to the chroot jail!
- Let the startup script handle it by default
Default value: undef

setuid
Data type: String
The user stunnel should run as
Default value: $stunnel::setuid

setgid
Data type: String
The group stunnel should run as
Default value: $stunnel::setgid

uid
Data type: Integer
The UID of the stunnel user
Default value: $stunnel::uid

gid
Data type: Integer
The GID of the stunnel user
Default value: $stunnel::gid

stunnel_debug
Data type: String
The debug level for logging
Default value: 'err'

syslog
Data type: Boolean
Enable logging to syslog
Default value: $stunnel::syslog

compression
Data type: Optional[Enum['zlib','rle']]
The compression type to use for this service
Default value: undef

egd
Data type: Optional[String]
The path to the Entropy Gathering Daemon socket used to feed the OpenSSL Random Number Generator
Default value: undef

engine
Data type: String
If $egd is set, sets the Hardware Engine to be used
Default value: 'auto'

engine_ctrl
Data type: Optional[String]
If $egd is set, sets the Hardware Engine Control parameters
Default value: undef

fips
Data type: Boolean
Set the fips global option
- We don't enable FIPS mode by default since we want to be able to use TLS1.2
- NOTE: This has no effect on EL < 7 due to stunnel not accepting the fips option in that version of stunnel
Default value: $stunnel::fips

output
Data type: Optional[Stdlib::Absolutepath]
The path to a log output file to use
Default value: undef

rnd_bytes
Data type: Optional[Integer]
The number of bytes to read from the random seed file
Default value: undef

rnd_file
Data type: Optional[Stdlib::Absolutepath]
The path to the random seed data file
Default value: undef

rnd_overwrite
Data type: Boolean
Overwrite the random seed file with new random data
Default value: true

socket_options
Data type: Array[String]
Default value: []
stunnel::install

NOTE: THIS IS A PRIVATE Defined Type
Install the Stunnel components

The following parameters are available in the stunnel::install class:

Data type: Variant[String, Integer]
The version of stunnel to install
- Accepts anything that the ensure parameter of the package resource can handle
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
stunnel::instance_purge

Purge stunnel::instance resources that were previously managed by this module

The native type has an autobefore that will ensure ordering.

It is highly recommended that you always include this class if you have ever used the stunnel defined types. If you choose not to, then you will likely have stunnel instance processes that remain on your system and which may not function properly.

The following parameters are available in the stunnel::instance_purge class:

Data type: Array[Stdlib::Absolutepath]
The directories to search for files to purge
Default value: [ '/etc/stunnel', '/etc/rc.d/init.d', '/etc/systemd/system' ]
stunnel::monolithic

NOTE: THIS IS A PRIVATE CLASS
Prevent global connection and configuration from being instantiated when only stunnel::instance resources are required.

stunnel::service

Manage the Stunnel Service
stunnel::account

NOTE: THIS IS A PRIVATE CLASS
A define for setting up stunnel service users and groups

This is necessary so that services using the same user and group can successfully be spawned via a define.

The following parameters are available in the stunnel::account defined type:

The user name for the account

Data type: String
The group name for the account
Default value: $name

Data type: Integer
The UID of the user
Default value: 600

Data type: Integer
The GID of the user
Default value: 600

Data type: Stdlib::Absolutepath
The home directory of the user
Default value: '/var/run/stunnel'

Data type: Stdlib::Absolutepath
The shell for the user
Default value: '/sbin/nologin'
stunnel::connection

Set up a stunnel connection for the service $name

NOTE: Since many of the parameters here may need to be modified on a case-by-case basis, this defined type uses capabilities presented by the simplib::dlookup function to allow for either global overrides or instance-specific overrides.

Global overrides work the same way as classes (stunnel::instance::ssl_version: 'TLSv1.2') but will affect all instances of the defined type that are not specifically overridden as shown below.

Instance specific overrides preclude the need for a resource collector in that you can place the following in Hiera to affect a single instance named rsync: Stunnel::Connection[rsync]::ssl_version: 'TLSv1.2'

All other configuration options can be found in the stunnel man pages
- See also
  - stunnel.conf(5)
  - stunnel.conf(8)

Example:

```puppet
stunnel::connection { 'rsync':
  accept  => '873',
  connect => ['1.2.3.4:8730'],
}
```

The following parameters are available in the stunnel::connection defined type:

name
Data type: String
The service name

connect
Data type: Stunnel::Connect
Address and port to which to forward connections
- For a client, this is the port of the stunnel server
- For the stunnel server, this is the listening port of the tunneled service
- Just a port indicates that you wish to listen on all interfaces
- Examples:
  - ['my.server:3000','my.server2:3001']
  - ['my.server:3000']
  - ['3000']

accept
Data type: Variant[Simplib::Port, Simplib::Host::Port]
Address and port upon which to accept connections
- For a client, this is generally localhost
- For a server, it should be whichever external address is appropriate
- If this is omitted, then connections are accepted on all addresses
- Examples:
  - '1.2.3.4:3000'
  - '3000'

client
Data type: Boolean
Indicates that this connection is a client connection
Default value: true

failover
Data type: Enum['rr','prio']
The failover strategy for multiple connect targets
Default value: simplib::dlookup('stunnel::connection', 'failover', $name, { 'default_value' => 'rr' })

sni
Data type: Optional[String]
See the 'sni' option documentation in stunnel(8)
- This option is only valid on EL 7+
Default value: simplib::dlookup('stunnel::connection', 'sni', $name, { 'default_value' => undef })

app_pki_key
Data type: Optional[Stdlib::Absolutepath]
Path and name of the private SSL key file
Default value: simplib::dlookup('stunnel::connection', 'app_pki_key', $name, { 'default_value' => undef })

app_pki_cert
Data type: Optional[Stdlib::Absolutepath]
Path and name of the public SSL certificate
Default value: simplib::dlookup('stunnel::connection', 'app_pki_cert', $name, { 'default_value' => undef })

app_pki_cacert
Data type: Stdlib::Absolutepath
Path to the OpenSSL compatible CA certificates
- NOTE: this path is relative to the chroot path if set and is expected to be a directory
Default value: simplib::dlookup('stunnel::connection', 'app_pki_cacert', $name, { 'default_value' => '/etc/pki/simp_apps/stunnel/x509/cacerts/cacerts.pem' })

app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Path to the OpenSSL compatible CRL directory
Default value: simplib::dlookup('stunnel::connection', 'app_pki_crl', $name, { 'default_value' => undef })

openssl_cipher_suite
Data type: Array[String]
OpenSSL compatible array of ciphers to allow on the system
Default value: simplib::dlookup('stunnel::connection', 'openssl_cipher_suite', $name, { 'default_value' => ['HIGH','-SSLv2'] })

curve
Data type: Optional[String]
The ECDH curve name to use. To get a list of supported curves, run openssl ecparam -list_curves on your client.
Default value: simplib::dlookup('stunnel::connection', 'curve', $name, { 'default_value' => undef })

ssl_version
Data type: Optional[String]
Dictate the SSL version that can be used on the system
- This default, combined with the default $ciphers, will only negotiate at TLSv1.1 or higher
Default value: simplib::dlookup('stunnel::connection', 'ssl_version', $name, { 'default_value' => 'TLSv1.2'})

options
Data type: Array[String]
The OpenSSL library options
Default value: simplib::dlookup('stunnel::connection', 'options', $name, { 'default_value' => [] })

verify
Data type: Integer
Level of mutual authentication to perform
- RHEL 7 Options:
  - level 0 - Request and ignore peer certificate.
  - level 1 - Verify peer certificate if present.
  - level 2 - Verify peer certificate.
  - level 3 - Verify peer with locally installed certificate.
  - level 4 - Ignore CA chain and only verify peer certificate.
  - default - No verify
Default value: simplib::dlookup('stunnel::connection', 'verify', $name, { 'default_value' => 2 })

ocsp
Data type: Optional[Simplib::URI]
The OCSP responder to use for certificate validation
Default value: simplib::dlookup('stunnel::connection', 'ocsp', $name, { 'default_value' => undef })

ocsp_flags
Data type: Stunnel::OcspFlags
The OCSP server flags
Default value: simplib::dlookup('stunnel::connection', 'ocsp_flags', $name, { 'default_value' => [] })

local
Data type: Optional[String]
The outgoing IP to which to bind
- By default, stunnel binds to all interfaces
Default value: simplib::dlookup('stunnel::connection', 'local', $name, { 'default_value' => undef })

protocol
Data type: Optional[String]
The application protocol to negotiate SSL.
- RHEL/CentOS 7+: [cifs|connect|imap|nntp|pgsql|pop3|proxy|smtp]
Default value: simplib::dlookup('stunnel::connection', 'protocol', $name, { 'default_value' => undef })

protocol_authentication
Data type: Optional[Enum['basic','NTLM']]
Authentication type for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_authentication', $name, { 'default_value' => undef })

protocol_host
Data type: Optional[String]
The destination address for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_host', $name, { 'default_value' => undef })

protocol_password
Data type: Optional[String]
The password for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_password', $name, { 'default_value' => undef })

protocol_username
Data type: Optional[String]
The username for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_username', $name, { 'default_value' => undef })

delay
Data type: Boolean
Delay DNS lookup for the connect option
Default value: simplib::dlookup('stunnel::connection', 'delay', $name, { 'default_value' => false })

engine_num
Data type: Optional[Integer]
The engine number from which to read the private key
Default value: simplib::dlookup('stunnel::connection', 'engine_num', $name, { 'default_value' => undef })

pty
Data type: Boolean
Reserve and assign a pty to a program that is run by stunnel inetd-style using the exec option
Default value: simplib::dlookup('stunnel::connection', 'pty', $name, { 'default_value' => false })

renegotiation
Data type: Boolean
Support SSL renegotiation
Default value: simplib::dlookup('stunnel::connection', 'renegotiation', $name, { 'default_value' => true })

reset
Data type: Boolean
Attempt to use the TCP RST flag to indicate an error
Default value: simplib::dlookup('stunnel::connection', 'reset', $name, { 'default_value' => true })

retry
Data type: Boolean
Reconnect a connect+exec session after it has been disconnected
Default value: simplib::dlookup('stunnel::connection', 'retry', $name, { 'default_value' => false })

session_cache_size
Data type: Optional[Integer]
The maximum number of internal session cache entries
- Set to 0 for unlimited (not advised)
- This option is only valid on EL 7+
Default value: simplib::dlookup('stunnel::connection', 'session_cache_size', $name, { 'default_value' => undef })

session_cache_timeout
Data type: Optional[Integer]
The number of seconds to keep cached SSL sessions
Default value: simplib::dlookup('stunnel::connection', 'session_cache_timeout', $name, { 'default_value' => undef })

stack
Data type: Optional[Integer]
Thread stack size in bytes
Default value: simplib::dlookup('stunnel::connection', 'stack', $name, { 'default_value' => undef })

timeout_busy
Data type: Optional[Integer]
Time to wait for expected data in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_busy', $name, { 'default_value' => undef })

timeout_close
Data type: Optional[Integer]
Time to wait for close notify in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_close', $name, { 'default_value' => undef })

timeout_connect
Data type: Optional[Integer]
Time to wait for a remote host connection in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_connect', $name, { 'default_value' => undef })

timeout_idle
Data type: Optional[Integer]
Time to keep an idle connection in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_idle', $name, { 'default_value' => undef })

trusted_nets
Data type: Simplib::Netlist
Set this if you don't want to allow all IP addresses to access this connection
- This only makes sense for servers
Default value: pick(simplib::dlookup('stunnel::connection', 'trusted_nets', $name, {'default_value' => undef }), simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }))

firewall
Data type: Boolean
Include the SIMP iptables module to manage the firewall
Default value: pick(simplib::dlookup('stunnel::connection', 'firewall', $name, {'default_value' => undef }), simplib::lookup('simp_options::firewall', { 'default_value' => false }))

tcpwrappers
Data type: Boolean
Include the SIMP tcpwrappers module to manage tcpwrappers
Default value: pick(simplib::dlookup('stunnel::connection', 'tcpwrappers', $name, {'default_value' => undef }), simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }))

exec
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::connection', 'exec', $name, { 'default_value' => undef })

execargs
Data type: Array[String]
Default value: simplib::dlookup('stunnel::connection', 'execargs', $name, { 'default_value' => [] })
stunnel::instance

Set up a stunnel connection with a unique configuration and service

NOTE: Since many of the parameters here may need to be modified on a case-by-case basis, this defined type uses capabilities presented by the simplib::dlookup function to allow for either global overrides or instance-specific overrides.

Global overrides work the same way as classes (stunnel::instance::ssl_version: 'TLSv1.2') but will affect all instances of the defined type that are not specifically overridden as shown below.

Instance specific overrides preclude the need for a resource collector in that you can place the following in Hiera to affect a single instance named rsync: Stunnel::Instance[rsync]::ssl_version: 'TLSv1.2'

Any instances created with this defined type will be removed from the system if no longer managed to prevent conflicts.

Instances created with versions of the module prior to 6.3.0 may need to be independently removed since there is no safe way to remove those files.

All other configuration options can be found in the stunnel man pages
- See also
  - stunnel.conf(5)
  - stunnel.conf(8)

Example:

```puppet
stunnel::instance {'rsync':
  accept  => 873,
  connect => ['1.2.3.4:8730'],
}
```

This declaration:
- Creates /etc/stunnel/stunnel_managed_by_puppet_rsync.conf
- Spawns service 'stunnel_managed_by_puppet_rsync' from the configuration file

The following parameters are available in the stunnel::instance defined type:

name
Data type: String
The name of the stunnel process.

connect
Data type: Stunnel::Connect
Address and port to which to forward connections
- For a client, this is the port of the stunnel server
- For the stunnel server, this is the listening port of the tunneled service
- Just a port indicates that you wish to listen on all interfaces
- Examples:
  - ['my.server:3000','my.server2:3001']
  - ['my.server:3000']
  - ['3000']

accept
Data type: Variant[Simplib::Port, Simplib::Host::Port]
Address and port upon which to accept connections
- For a client, this is generally localhost
- For a server, it should be whichever external address is appropriate
- If this is omitted, then connections are accepted on all addresses
- Examples:
  - '1.2.3.4:3000'
  - '3000'

trusted_nets
Data type: Simplib::Netlist
Set this if you don't want to allow all IP addresses to access this connection
- This only makes sense for servers
Default value: simplib::dlookup('stunnel::instance', 'trusted_nets', $name, { 'default_value' => simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }) })

haveged
Data type: Boolean
Include haveged support when setting up stunnel (highly recommended)
Default value: simplib::dlookup('stunnel::instance', 'haveged', $name, { 'default_value' => simplib::lookup('simp_options::haveged', { 'default_value' => true }) })

firewall
Data type: Boolean
Include the SIMP iptables module to manage the firewall
Default value: simplib::dlookup('stunnel::instance', 'firewall', $name, { 'default_value' => simplib::lookup('simp_options::firewall', { 'default_value' => false }) })

tcpwrappers
Data type: Boolean
Include the SIMP tcpwrappers module to manage tcpwrappers
Default value: simplib::dlookup('stunnel::instance', 'tcpwrappers', $name, { 'default_value' => simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }) })

pki
Data type: Variant[Enum['simp'],Boolean]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/stunnel/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/stunnel/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca_dir
Default value: simplib::dlookup('stunnel::instance', 'pki', $name, { 'default_value' => simplib::lookup('simp_options::pki', { 'default_value' => false }) })

app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy
- If pki = false, this variable has no effect
Default value: simplib::dlookup('stunnel::instance', 'app_pki_external_source', $name, { 'default_value' => simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }) })

app_pki_dir
Data type: Stdlib::Absolutepath
The source of certs in the chroot, and the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl
- NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path
Default value: simplib::dlookup('stunnel::instance', 'app_pki_dir', $name, { 'default_value' => "/etc/pki/simp_apps/stunnel_${name}/x509" })

app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: simplib::dlookup('stunnel::instance', 'app_pki_key', $name, { 'default_value' => "${app_pki_dir}/private/${facts['fqdn']}.pem" })

app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: simplib::dlookup('stunnel::instance', 'app_pki_cert', $name, { 'default_value' => "${app_pki_dir}/public/${facts['fqdn']}.pub" })

app_pki_ca_dir
Data type: Stdlib::Absolutepath
Since stunnel runs in a chroot, you need to copy the appropriate CA certificates in from an external source
- This should be the full path to a directory containing hashed versions of the CA certificates
Default value: simplib::dlookup('stunnel::instance', 'app_pki_ca_dir', $name, { 'default_value' => "${app_pki_dir}/cacerts" })

app_pki_cacert
Data type: Stdlib::Absolutepath
The path to the full CA certificate for the Stunnel connections
Default value: simplib::dlookup('stunnel::instance', 'app_pki_cacert', $name, { 'default_value' => "${app_pki_dir}/cacerts/cacerts.pem" })

app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Since stunnel runs in a chroot, you need to copy the appropriate CRL in from an external source
Default value: simplib::dlookup('stunnel::instance', 'app_pki_crl', $name, { 'default_value' => undef })

chroot
Data type: Optional[Stdlib::Absolutepath]
The location of the chroot jail. If left unset, and SELinux is NOT disabled, it will default to /var/stunnel_<local bind port>.
- Do NOT make this anything under /var/run
Default value: simplib::dlookup('stunnel::instance', 'chroot', $name, { 'default_value' => undef })

client
Data type: Boolean
Indicates that this connection is a client connection
Default value: true

fips
Data type: Boolean
Set the fips global option
- We don't enable FIPS mode by default since we want to be able to use TLS1.2
Default value: simplib::dlookup('stunnel::instance', 'fips', $name, { 'default_value' => simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }) })

openssl_cipher_suite
Data type: Array[String]
OpenSSL compatible array of ciphers to allow on the system
Default value: simplib::dlookup('stunnel::instance', 'openssl_cipher_suite', $name, { 'default_value' => ['HIGH','-SSLv2'] })

ssl_version
Data type: Optional[String]
Dictate the SSL version that can be used on the system
- This default, combined with the default $ciphers, will only negotiate at TLSv1.1 or higher
Default value: simplib::dlookup('stunnel::instance', 'ssl_version', $name, { 'default_value' => 'TLSv1.2'})

options
Data type: Array[String]
The OpenSSL library options
Default value: simplib::dlookup('stunnel::instance', 'options', $name, { 'default_value' => [] })

uid
Data type: Integer
The user id of the stunnel user
Default value: simplib::dlookup('stunnel::instance', 'uid', $name, { 'default_value' => 600 })

gid
Data type: Integer
The group id of the stunnel group
Default value: simplib::dlookup('stunnel::instance', 'gid', $name, { 'default_value' => $uid })

pid
Data type: Optional[Stdlib::Absolutepath]
Leave undef if no PID is desired. Default on systemd systems.
Default value: simplib::dlookup('stunnel::instance', 'pid', $name, { 'default_value' => undef })

systemd_wantedby
Data type: Optional[Array[String]]
Systemd services or targets that want stunnel
Default value: simplib::dlookup('stunnel::instance', 'systemd_wantedby', $name, { 'default_value' => undef })

systemd_requiredby
Data type: Optional[Array[String]]
Systemd services or targets that require stunnel
Default value: simplib::dlookup('stunnel::instance', 'systemd_requiredby', $name, { 'default_value' => undef })

The remaining parameters are listed with their type and default only; each has the same name as a parameter of stunnel::config or stunnel::connection above.

compression
Data type: Optional[Enum['zlib','rle']]
Default value: simplib::dlookup('stunnel::instance', 'compression', $name, { 'default_value' => undef })

curve
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'curve', $name, { 'default_value' => undef })

delay
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'delay', $name, { 'default_value' => false })

egd
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'egd', $name, { 'default_value' => undef })

engine
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'engine', $name, { 'default_value' => 'auto' })

engine_ctrl
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'engine_ctrl', $name, { 'default_value' => undef })

engine_num
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'engine_num', $name, { 'default_value' => undef })

exec
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'exec', $name, { 'default_value' => undef })

execargs
Data type: Array[String]
Default value: simplib::dlookup('stunnel::instance', 'execargs', $name, { 'default_value' => [] })

failover
Data type: Enum['rr','prio']
Default value: simplib::dlookup('stunnel::instance', 'failover', $name, { 'default_value' => 'rr' })

local
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'local', $name, { 'default_value' => undef })

ocsp
Data type: Optional[Simplib::URI]
Default value: simplib::dlookup('stunnel::instance', 'ocsp', $name, { 'default_value' => undef })

ocsp_flags
Data type: Stunnel::OcspFlags
Default value: simplib::dlookup('stunnel::instance', 'ocsp_flags', $name, { 'default_value' => [] })

output
Data type: Optional[Stdlib::Absolutepath]
Default value: simplib::dlookup('stunnel::instance', 'output', $name, { 'default_value' => undef })

protocol
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol', $name, { 'default_value' => undef })

protocol_host
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol_host', $name, { 'default_value' => undef })

protocol_username
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol_username', $name, { 'default_value' => undef })

protocol_password
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol_password', $name, { 'default_value' => undef })

protocol_authentication
Data type: Optional[Enum['basic','NTLM']]
Default value: simplib::dlookup('stunnel::instance', 'protocol_authentication', $name, { 'default_value' => undef })

pty
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'pty', $name, { 'default_value' => false })

renegotiation
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'renegotiation', $name, { 'default_value' => true })

reset
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'reset', $name, { 'default_value' => true })

retry
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'retry', $name, { 'default_value' => false })

rnd_bytes
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'rnd_bytes', $name, { 'default_value' => undef })

rnd_file
Data type: Optional[Stdlib::Absolutepath]
Default value: simplib::dlookup('stunnel::instance', 'rnd_file', $name, { 'default_value' => undef })

rnd_overwrite
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'rnd_overwrite', $name, { 'default_value' => true })

session_cache_size
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'session_cache_size', $name, { 'default_value' => undef })

session_cache_timeout
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'session_cache_timeout', $name, { 'default_value' => undef })

setuid
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'setuid', $name, { 'default_value' => 'stunnel' })

setgid
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'setgid', $name, { 'default_value' => 'stunnel' })

sni
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'sni', $name, { 'default_value' => undef })

socket_options
Data type: Array[String]
Default value: simplib::dlookup('stunnel::instance', 'socket_options', $name, { 'default_value' => [] })

stack
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'stack', $name, { 'default_value' => undef })

stunnel_debug
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'stunnel_debug', $name, { 'default_value' => 'err' })

syslog
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'syslog', $name, { 'default_value' => simplib::lookup('simp_options::syslog', { 'default_value' => false }) })

timeout_busy
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_busy', $name, { 'default_value' => undef })

timeout_close
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_close', $name, { 'default_value' => undef })

timeout_connect
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_connect', $name, { 'default_value' => undef })

timeout_idle
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_idle', $name, { 'default_value' => undef })

verify
Data type: Integer
Default value: simplib::dlookup('stunnel::instance', 'verify', $name, { 'default_value' => 2 })
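Both ends of one tunnel declared with stunnel::instance, as an added example that is not part of the module's reference. It shows how accept and connect swap roles between the server and the client instance, and where trusted_nets, firewall and verify belong; the host name rsync.example.com and the 10.0.0.0/24 network are placeholders.

```puppet
# Added example (not the stunnel module's own code). Host names and networks
# are placeholders.

# Server end: terminate TLS on 8730 and hand the plaintext to the local rsync
# daemon on 873. Here `accept` is the TLS listener and `connect` is the
# tunneled service. A bare port accepts on all addresses, so trusted_nets
# narrows who may reach it and firewall => true has the module manage the
# matching rule through the SIMP iptables module. verify => 2 requires the
# client to present a certificate that verifies against the CA bundle, which
# pki::copy places under /etc/pki/simp_apps/stunnel_rsync_server/x509 by
# default.
stunnel::instance { 'rsync_server':
  client       => false,
  accept       => 8730,
  connect      => ['127.0.0.1:873'],
  trusted_nets => ['10.0.0.0/24'],
  firewall     => true,
  verify       => 2,
  ssl_version  => 'TLSv1.2',
}

# Client end: listen on loopback only, so local tools speak plaintext to
# 127.0.0.1:873 while stunnel carries it over TLS to the server's 8730.
# Here `accept` is the local plaintext socket and `connect` is the stunnel
# server. verify => 2 makes the client check the server's certificate as well.
stunnel::instance { 'rsync_client':
  client  => true,
  accept  => '127.0.0.1:873',
  connect => ['rsync.example.com:8730'],
  verify  => 2,
}
```

Each instance gets its own configuration file and service named after the resource title, so the two declarations can coexist on one host without a port conflict.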
stunnel::instance::reserve_port

NOTE: THIS IS A PRIVATE DEFINED TYPE
This is a 'canary' defined type that allows us to fail a compile in the case that the stunnel::interface and stunnel::connection defined types have an overlapping listen port.
stunnel_instance_purge

Disables all services and removes all associated files for stunnel::instance created resources that are no longer under management.

This is required so that newly created resources do not have port conflicts upon starting a new service.

Example:

```puppet
stunnel_instance_purge { 'stunnel_managed_by_puppet':
  dirs => [ '/etc/stunnel', '/etc/rc.d/init.d', '/etc/systemd/system' ],
}
```

This will disable all services that start with $namevar and will subsequently remove all files in the directories specified in the $dirs Array that match ${dir}/${namevar}.*

WARNING: BE VERY CAREFUL THAT ${namevar} IS PRECISE

The following properties are available in the stunnel_instance_purge type.

dirs
Valid values: /^\//
The directories from which the files matching "${name}.*" should be purged

The following parameters are available in the stunnel_instance_purge type.

namevar
The prefix name of the services to disable and files to remove

provider
The specific backend to use for this stunnel_instance_purge resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.

Valid values: true, false, yes, no
Provide verbose output in the change message regarding services to be purged
Stunnel::Connect

Valid entries for a stunnel connect entry
Alias of Variant[Array[Simplib::Port], Array[Simplib::Netlist::Port], Simplib::Netlist::Port]

Stunnel::OcspFlags

Valid stunnel OCSP flag options
Alias of Tuple[Pattern[/(?i:NOCERTS|NOINTERN|NOSIGS|NOCHAIN|NOVERIFY|NOEXPLICIT|NOCASIGN|NODELEGATED|NOCHECKS|TRUSTOTHER|RESPID_KEY|NOTIME)/], 0]