summaryrefslogtreecommitdiffstats
path: root/roles/common/files
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-05-11 18:07:09 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-12 11:33:55 +0200
commit90d498034b891123350785a134402172de477f4f (patch)
treea6e3c924054c3f689cdaffffe3a479e88fb97282 /roles/common/files
parente370313ad5895871479fffc922e3c72c0375dbf2 (diff)
Use systemd unit files for stunnel4.
Diffstat (limited to 'roles/common/files')
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/common-local2
-rw-r--r--roles/common/files/lib/systemd/system/stunnel4.service14
-rw-r--r--roles/common/files/lib/systemd/system/stunnel4@.service23
3 files changed, 38 insertions, 1 deletions
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local
index 32bb906..8e654da 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local
@@ -37,4 +37,4 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: err .* main::check_action_parameters\(\) user not logged in$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: (flushing old values|rotating journals|started new journal /\S+$|removing old journal /\S+$)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: queue_thread_main: rrd_update_r \(([^)]+)\) failed with status -1. \(opening '\1': No such file or directory\)
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ stunnel: LOG3\[[[:digit:]]+\]: SSL_accept: (Peer suddenly disconnected|[[:xdigit:]]+: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ stunnel(:|4\[[[:digit:]]+\]: [0-9]{4}\.[0-9]{2}\.[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}) LOG3\[[[:digit:]]+\]: SSL_accept: (Peer suddenly disconnected|[[:xdigit:]]+: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))$
diff --git a/roles/common/files/lib/systemd/system/stunnel4.service b/roles/common/files/lib/systemd/system/stunnel4.service
new file mode 100644
index 0000000..990e07b
--- /dev/null
+++ b/roles/common/files/lib/systemd/system/stunnel4.service
@@ -0,0 +1,14 @@
+# This service is actually a systemd target,
+# but we are using a service since targets cannot be reloaded.
+
+[Unit]
+Description=SSL tunnel for network daemons (multi-instance-master)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/common/files/lib/systemd/system/stunnel4@.service b/roles/common/files/lib/systemd/system/stunnel4@.service
new file mode 100644
index 0000000..e53d29e
--- /dev/null
+++ b/roles/common/files/lib/systemd/system/stunnel4@.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=SSL tunnel for network daemons (instance %i)
+After=network.target nss-lookup.target
+PartOf=stunnel4.service
+ReloadPropagatedFrom=stunnel4.service
+
+[Service]
+ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutStartSec=120
+TimeoutStopSec=60
+Restart=on-failure
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+
+[Install]
+WantedBy=multi-user.target