puppetlabs-toy-chest · tremble · Jun 23, 2014 · Jun 23, 2014 · Jun 23, 2014 · Aug 3, 2015
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -49,7 +49,7 @@
     recurse => true,
   }
 
-  if $osfamily == "Debian" {
+  if $::osfamily == 'Debian' {
     exec { 'enable stunnel':
       command => 'sed -i "s/ENABLED=0/ENABLED=1/" /etc/default/stunnel4',
       path    => [ '/bin', '/usr/bin' ],
@@ -67,4 +67,13 @@
       hasstatus  => false,
     }
   }
+
+  if $::osfamily == 'RedHat' {
+    file { '/var/lib/stunnel':
+      ensure => directory,
+      mode   => '0755',
+      owner  => '0',
+      group  => '0',
+    }
+  }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -26,7 +26,7 @@
 # Copyright 2012 Puppet Labs, LLC
 #
 class stunnel::params {
-  case $osfamily {
+  case $::osfamily {
     Debian: {
       $conf_dir = '/etc/stunnel'
       $package  = 'stunnel4'

diff --git a/manifests/tun.pp b/manifests/tun.pp
@@ -65,13 +65,17 @@
 #   For which host and on which port to accept connection from.
 #
 # [*connect*]
-#  What port or host and port to connect to.
+#   What port or host and port to connect to.
 #
 # [*conf_dir*]
 #   The default base configuration directory for your version on stunnel.
 #   By default we look this value up in a stunnel::data class, which has a
 #   list of common answers.
 #
+# [*disable_fips*]
+#   Optionally disable entering FIPS mode if stunnel was compiled with
+#   FIPS 140-2 support.
+#
 # === Examples
 #
 #   stunnel::tun { 'rsyncd':
@@ -101,17 +105,19 @@
     $private_key,
     $ca_file,
     $crl_file,
-    $ssl_version = 'TLSv1',
+    $ssl_version  = 'TLSv1',
     $chroot,
     $user,
     $group,
-    $pid_file    = "/${name}.pid",
-    $debug_level = '0',
-    $log_dest    = "/var/log/${name}.log",
+    $pid_file     = "/${name}.pid",
+    $debug_level  = '0',
+    $log_dest     = "/var/log/${name}.log",
     $client,
     $accept,
     $connect,
-    $conf_dir    = $stunnel::params::conf_dir
+    $conf_dir     = $stunnel::params::conf_dir,
+    $verify       = 2,
+    $disable_fips = false,
 ) {
 
   $ssl_version_real = $ssl_version ? {
@@ -137,6 +143,22 @@
     require => File[$conf_dir],
   }
 
+  if ( $::osfamily == 'RedHat' ) {
+    file { "/etc/init.d/stunnel_${name}":
+      ensure  => file,
+      content => template("${module_name}/redhat_init.erb"),
+      mode    => '0755',
+      owner   => '0',
+      group   => '0',
+    }
+    service { "stunnel_${name}":
+      ensure     => 'running',
+      enable     => true,
+      hasrestart => true,
+      hasstatus  => true,
+    }
+  }
+
   file { $chroot:
     ensure => directory,
     owner  => $user,

diff --git a/templates/redhat_init.erb b/templates/redhat_init.erb
@@ -0,0 +1,145 @@
+#!/bin/bash
+#
+# Script to run stunnel_server in daemon mode at boot time.
+#
+# This script is realeased under the terms of the GPL.
+# You can source a copy at:
+# http://www.fsf.org/copyleft/copyleft.html
+#
+# Author: Gary Myers MIET MBCS CITP
+# Revision 1.0  -  4th March 2005
+#
+# Modified: Anil Prodduturi 04/11/2014 Customized for Red Hat MysqL environments
+
+#====================================================================
+# Run level information:
+# chkconfig: 2345 99 99
+# description: Secure Tunnel server side script
+# processname: stunnel_server
+#====================================================================
+
+#====================================================================
+# Paths and variables and system checks.
+
+# Source function library (It's a Red Hat thing!)
+. /etc/rc.d/init.d/functions
+
+# Check that networking is up.
+#
+[ ${NETWORKING} ="yes" ] || exit 0
+
+# Path to the executable.
+#
+SEXE=/usr/bin/stunnel
+
+# Path to the configuration file.
+#
+CONF=<%= @conf_dir %>/<%= @name %>.conf
+
+# Check the configuration file exists.
+#
+if [ ! -f $CONF ] ; then
+  echo "The configuration file cannot be found!"
+exit 0
+fi
+
+# Path to the lock file.
+#
+LOCK_FILE=/var/lock/subsys/stunnel_<%= @name %>
+
+#====================================================================
+
+#====================================================================
+# Run controls:
+
+<%- if @client -%>
+prog=$"stunnel_client (<%= name %>)"
+<%- else -%>
+prog=$"stunnel_server (<%= name %>)"
+<%- end -%>
+stunnel_pids=$(ps -ef|grep "<%= @conf_dir %>/<%= @name %>.conf"|grep -v grep|awk '{print $2}'| tr '\n' ' ')
+RETVAL=0
+
+# Start stunnel_server as daemon.
+#
+start() {
+  if [ -f $LOCK_FILE ]; then
+    if [ -z "$stunnel_pids" ]; then
+      echo "$prog seems to have terminated abruptly ! cleaning up and restarting"
+      rm -f $LOCK_FILE
+      echo -n $"Starting $prog: "
+      $SEXE $CONF
+    else
+      echo "$prog is already running!"
+      exit 0
+    fi
+  else
+    echo -n $"Starting $prog: "
+    $SEXE $CONF
+  fi
+
+  RETVAL=$?
+  [ $RETVAL -eq 0 ] && success 
+  echo
+  [ $RETVAL -eq 0 ] && touch $LOCK_FILE
+  return $RETVAL
+}
+
+
+# Stop stunnel.
+#
+stop() {
+  if [ ! -f $LOCK_FILE ]; then
+    echo "$prog is not running!"
+    exit 0
+  else
+    if [ -z "$stunnel_pids" ]; then
+      echo $prog was stopped abruptly before ! Cleaning up traces
+      rm -f $LOCK_FILE
+    else
+      echo -n $"Shutting down $prog: "
+      kill $stunnel_pids
+      RETVAL=$?
+      [ $RETVAL -eq 0 ]
+      rm -f $LOCK_FILE
+      echo
+      return $RETVAL
+    fi
+  fi
+}
+
+# See how we were called.
+case "$1" in
+  start)
+    start
+    ;;
+  stop)
+    stop
+    ;;
+  restart)
+    stop
+    start
+    ;;
+  condrestart)
+    if [ -f $LOCK_FILE ]; then
+      stop
+      start
+      RETVAL=$?
+    fi
+    ;;
+  status)
+    # status stunnel
+    if [ -z "$stunnel_pids" ]; then
+      echo "$prog is not running"
+      RETVAL=1
+    else
+      echo "$prog running on pids : $stunnel_pids"
+      RETVAL=0
+    fi
+    ;;
+  *)
+    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+    RETVAL=1
+esac
+
+exit $RETVAL
diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb
@@ -1,11 +1,23 @@
 ; This stunnel config is managed by Puppet.
 
+<%- if @certificate %>
 cert = <%= certificate %>
+<%- end -%>
+<%- if @private_key %>
 key = <%= private_key %>
+<%- end -%>
+<%- if @ca_file %>
 CAfile = <%= ca_file %>
+<%- end -%>
+<%- if @crl_file %>
 CRLfile = <%= crl_file %>
+<%- end -%>
+<%- if @ssl_version_real %>
 sslVersion = <%= ssl_version_real %>
-verify = 2
+<%- end -%>
+<%- if @verify -%>
+verify = <%= @verify %>
+<%- end -%>
 
 chroot = <%= chroot %>
 setuid = <%= user %>
@@ -20,6 +32,10 @@ output = <%= log_dest %>
 
 client = <%= client_on %>
 
+<%- if @disable_fips -%>
+fips = no
+<%- end -%>
+
 [<%= name -%>]
 accept = <%= accept %>
 connect = <%= connect %>