diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-11 18:07:09 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-12 11:33:55 +0200 |
| commit | 90d498034b891123350785a134402172de477f4f (patch) | |
| tree | a6e3c924054c3f689cdaffffe3a479e88fb97282 /roles/common/files | |
| parent | e370313ad5895871479fffc922e3c72c0375dbf2 (diff) | |
Use systemd unit files for stunnel4.
Diffstat (limited to 'roles/common/files')
3 files changed, 38 insertions, 1 deletions
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local index 32bb906..8e654da 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local @@ -37,4 +37,4 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: err .* main::check_action_parameters\(\) user not logged in$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: (flushing old values|rotating journals|started new journal /\S+$|removing old journal /\S+$) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: queue_thread_main: rrd_update_r \(([^)]+)\) failed with status -1. \(opening '\1': No such file or directory\) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ stunnel: LOG3\[[[:digit:]]+\]: SSL_accept: (Peer suddenly disconnected|[[:xdigit:]]+: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ stunnel(:|4\[[[:digit:]]+\]: [0-9]{4}\.[0-9]{2}\.[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}) LOG3\[[[:digit:]]+\]: SSL_accept: (Peer suddenly disconnected|[[:xdigit:]]+: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))$ diff --git a/roles/common/files/lib/systemd/system/stunnel4.service b/roles/common/files/lib/systemd/system/stunnel4.service new file mode 100644 index 0000000..990e07b --- /dev/null +++ b/roles/common/files/lib/systemd/system/stunnel4.service @@ -0,0 +1,14 @@ +# This service is actually a systemd target, +# but we are using a service since targets cannot be reloaded. + +[Unit] +Description=SSL tunnel for network daemons (multi-instance-master) + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true +ExecReload=/bin/true + +[Install] +WantedBy=multi-user.target diff --git a/roles/common/files/lib/systemd/system/stunnel4@.service b/roles/common/files/lib/systemd/system/stunnel4@.service new file mode 100644 index 0000000..e53d29e --- /dev/null +++ b/roles/common/files/lib/systemd/system/stunnel4@.service @@ -0,0 +1,23 @@ +[Unit] +Description=SSL tunnel for network daemons (instance %i) +After=network.target nss-lookup.target +PartOf=stunnel4.service +ReloadPropagatedFrom=stunnel4.service + +[Service] +ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf +ExecReload=/bin/kill -HUP ${MAINPID} +KillSignal=SIGINT +TimeoutStartSec=120 +TimeoutStopSec=60 +Restart=on-failure + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ + +[Install] +WantedBy=multi-user.target |