Vendor Galaxy Roles and Collections

ansible_collections/debops/debops/roles/stunnel/COPYRIGHT

@@ -0,0 +1,19 @@
+debops.stunnel - manage STunnel proxy using Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.

ansible_collections/debops/debops/roles/stunnel/defaults/main.yml

@@ -0,0 +1,146 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _stunnel__ref_defaults:
+
+# debops.stunnel default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Tunnel connections [[[
+# ----------------------
+
+# .. envvar:: stunnel_services [[[
+#
+# List of client-server tunnels configurd by ``debops.stunnel``
+# See :ref:`stunnel_services` for more details.
+stunnel_services: []
+
+                                                                   # ]]]
+# .. envvar:: stunnel_server [[[
+#
+# List of hostnames, CNAMEs or service names which indicate that this host
+# should be configured as a stunnel server.
+stunnel_server: []
+
+                                                                   # ]]]
+# .. envvar:: stunnel_server_addresses [[[
+#
+# List of hostnames, IP addresses and FQDN domains configured on a given
+# server. If any entries here are included in ``item.client_connect``, a given
+# host will be configured as the stunnel server, otherwise it will be
+# configured as stunnel client.
+stunnel_server_addresses: '{{ [ansible_hostname, ansible_fqdn] +
+                              ansible_all_ipv4_addresses | d([]) +
+                              ansible_all_ipv6_addresses | d([]) +
+                              stunnel_server }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSL, PKI and encryption [[[
+# ---------------------------
+
+# .. envvar:: stunnel_ssl_ciphers [[[
+#
+# List of SSL ciphers used by stunnel
+stunnel_ssl_ciphers: 'ALL:ECDHE:!SSLv3:!SSLv2:!kEDH:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!RC4:RSA:HIGH'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_curve [[[
+#
+# Elliptic Curve used by stunnel
+stunnel_ssl_curve: 'prime256v1'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_opts [[[
+#
+# List of SSL options passed to the OpenSSL library
+# See stunnel4(8) for more details.
+stunnel_ssl_opts: [ 'NO_SSLv3' ]
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_verify [[[
+#
+# What level of scrutiny should stunnel use to check validity of
+# a client/server certificate. See stunnel4(8) for more details.
+stunnel_ssl_verify: '2'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_check_crl [[[
+#
+# Should stunnel use CRL to check validity of the certificate?
+stunnel_ssl_check_crl: False
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki [[[
+#
+# Enable or disable support for PKI/SSL/TLS in stunnel, managed by
+# ``debops.pki`` role
+stunnel_pki: '{{ ansible_local.pki.enabled | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_path [[[
+#
+# PKI base directory
+stunnel_pki_path: '{{ ansible_local.pki.base_path
+                      if (ansible_local | d() and ansible_local.pki | d())
+                      else "/etc/pki" }}'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_realm [[[
+#
+# PKI realm to use for stunnel
+stunnel_pki_realm: '{{ ansible_local.pki.realm
+                       if (ansible_local | d() and ansible_local.pki | d())
+                       else "system" }}'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_ca [[[
+#
+# CA certificate to use, relative to ``stunnel_pki_realm`` variable
+stunnel_pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_crl [[[
+#
+# Certificate Revocation List file to use, relative to ``stunnel_pki_realm``
+# variable
+stunnel_pki_crl: 'default.crl'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_crt [[[
+#
+# Certificate file to use, relative to ``stunnel_pki_crt`` variable
+stunnel_pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_key [[[
+#
+# Private key file to use, relative to ``stunnel_pki_key`` variable
+stunnel_pki_key: 'default.key'
+                                                                   # ]]]
+                                                                   # ]]]
+# Other options [[[
+# -----------------
+
+# .. envvar:: stunnel_options [[[
+#
+# Additional options added to all tunnel configuration files, specified as
+# a YAML text block
+stunnel_options: ''
+
+                                                                   # ]]]
+# .. envvar:: stunnel_debug [[[
+#
+# Debug level, determines log verbosity
+stunnel_debug: '4'
+                                                                   # ]]]
+                                                                   # ]]]

ansible_collections/debops/debops/roles/stunnel/meta/main.yml

@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Create an encrypted TCP tunnel between two hosts using stunnel and SSL'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - tunnel
+    - ssl

ansible_collections/debops/debops/roles/stunnel/tasks/main.yml

@@ -0,0 +1,63 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "stunnel/pre_main.yml") }}'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (["stunnel4", "openssl", "ssl-cert"])) }}'
+    state: 'present'
+  register: stunnel__register_packages
+  until: stunnel__register_packages is succeeded
+
+- name: Configure default variables
+  ansible.builtin.template:
+    src: 'etc/default/stunnel4.j2'
+    dest: '/etc/default/stunnel4'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart stunnel' ]
+
+- name: Add stunnel user to ssl-cert system group
+  ansible.builtin.user:
+    name: 'stunnel4'
+    state: 'present'
+    createhome: False
+    groups: 'ssl-cert'
+    append: True
+
+- name: Remove SSL tunnels if requested
+  ansible.builtin.file:
+    path: '/etc/stunnel/{{ item.filename | default(item.name) }}.conf'
+    state: 'absent'
+  with_items: "{{ stunnel_services }}"
+  when: ((item.name is defined and item.name) and
+         (item.delete is defined and item.delete | bool))
+  notify: [ 'Restart stunnel' ]
+
+- name: Configure SSL tunnels
+  ansible.builtin.template:
+    src: 'etc/stunnel/service.conf.j2'
+    dest: '/etc/stunnel/{{ item.filename | default(item.name) }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: "{{ stunnel_services }}"
+  when: ((item.name is defined and item.name) and
+         (item.delete is undefined or not item.delete | bool))
+  notify: [ 'Restart stunnel' ]
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "stunnel/post_main.yml") }}'

ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/post_main.yml

@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only

ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/pre_main.yml

@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only

ansible_collections/debops/debops/roles/stunnel/templates/etc/default/stunnel4.j2

@@ -0,0 +1,17 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0

ansible_collections/debops/debops/roles/stunnel/templates/etc/stunnel/service.conf.j2

@@ -0,0 +1,110 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set stunnel_tpl_server = [] %}
+{% if item.name in stunnel_server %}
+{%   set _ = stunnel_tpl_server.append('true') %}
+{% endif %}
+{% if ((item.client_accept is undefined or item.client_accept is defined and not item.client_accept) and
+       (item.client_port is undefined or item.client_port is defined and not item.client_port)) %}
+{%   set _ = stunnel_tpl_server.append('true') %}
+# server: {{ stunnel_tpl_server }}
+{% endif %}
+{% if item.client_connect is defined and item.client_connect %}
+{%   if item.client_connect is string %}
+{%     if item.client_connect.split(':')[0] in stunnel_server_addresses %}
+{%       set _ = stunnel_tpl_server.append('true') %}
+{%     endif %}
+{%   elif item.client_connect is mapping %}
+{%     for key, value in item.client_connect.items() %}
+{%       if key in stunnel_server_addresses %}
+{%         set _ = stunnel_tpl_server.append('true') %}
+{%       endif %}
+{%     endfor %}
+{%   else %}
+{%     for entry in item.client_connect %}
+{%       if entry in stunnel_server_addresses %}
+{%         set _ = stunnel_tpl_server.append('true') %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+# {{ ansible_managed }}
+
+setuid		= stunnel4
+setgid		= stunnel4
+pid		= /var/run/stunnel4/{{ item.name }}.pid
+debug		= {{ item.debug | default(stunnel_debug) }}
+
+ciphers		= {{ item.ssl_ciphers | default(stunnel_ssl_ciphers) }}
+curve		= {{ item.ssl_curve   | default(stunnel_ssl_curve) }}
+
+sslVersion	= all
+{% if item.ssl_opts is defined and item.ssl_opts %}
+{%   for opt in item.ssl_opts %}
+options         = {{ opt }}
+{%   endfor %}
+{% else %}
+{%   for opt in stunnel_ssl_opts %}
+options         = {{ opt }}
+{%   endfor %}
+{% endif %}
+verify		= {{ item.ssl_verify | default(stunnel_ssl_verify) }}
+
+{% if stunnel_pki is defined and stunnel_pki %}
+CAfile		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_ca  | default(stunnel_pki_ca)  }}
+{% if stunnel_ssl_check_crl %}
+CRLfile		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_crl | default(stunnel_pki_crl) }}
+{% endif %}
+cert		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_crt | default(stunnel_pki_crt) }}
+key		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_key | default(stunnel_pki_key) }}
+{% endif %}
+{% if stunnel_options is defined and stunnel_options %}
+
+{{ stunnel_options }}
+{% endif %}
+
+[{{ item.name }}]
+
+{% if stunnel_tpl_server %}
+client		= no
+accept		= {{ item.server_accept if item.server_accept | d() else (':::' + item.server_port) }}
+{% if item.server_connect is defined %}
+{% if item.server_connect is string %}
+connect		= {{ item.server_connect }}
+{% elif item.server_connect is mapping %}
+{% for key, value in item.server_connect.items() %}
+connect		= {{ key + ':' + value }}
+{% endfor %}
+{% else %}
+{% for entry in item.server_connect %}
+connect		= {{ entry + ':' + (item.client_accept.split(':')[-1] if item.client_accept | d() else item.client_port) }}
+{% endfor %}
+{% endif %}
+{% else %}
+connect		= {{ item.client_port }}
+{% endif %}
+{% if item.server_options is defined and item.server_options %}
+{{ item.server_options }}
+{% endif %}
+{% else %}
+client		= yes
+accept		= {{ item.client_accept if item.client_accept | d() else (':::' + item.client_port) }}
+{% if item.client_connect is defined and item.client_connect %}
+{% if item.client_connect is string %}
+connect		= {{ item.client_connect }}
+{% elif item.client_connect is mapping %}
+{% for key, value in item.client_connect.items() %}
+connect		= {{ key + ':' + value }}
+{% endfor %}
+{% else %}
+{% for entry in item.client_connect %}
+connect		= {{ entry + ':' + (item.server_accept.split(':')[-1] if item.server_accept | d() else item.server_port) }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if item.client_options is defined and item.client_options %}
+{{ item.client_options }}
+{% endif %}
+{% endif %}