stunnel4: Harden and socket-activate.

2 files changed, 9 insertions, 8 deletions

diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index 1a30599..4d69702 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,10 +1,15 @@
 [Unit]
 Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
 After=network.target nss-lookup.target
 PartOf=stunnel4.service
 ReloadPropagatedFrom=stunnel4.service
 
 [Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
 ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml
index 7cb8823..1522f1f 100644
--- a/roles/common/tasks/stunnel.yml
+++ b/roles/common/tasks/stunnel.yml
@@ -1,14 +1,7 @@
 - name: Install stunnel4
   apt: pkg=stunnel4
 
-- name: Set 'ENABLED=0' in /etc/default/stunnel4
-  lineinfile: dest=/etc/default/stunnel4
-              regexp='^(\s*#)?\s*ENABLED='
-              line='ENABLED=0'
-              owner=root group=root
-              mode=0644
-
-- name: Copy stunnel4 service file
+- name: Copy stunnel4 service files
   copy: src=etc/systemd/system/{{ item }}
         dest=/etc/systemd/system/{{ item }}
         owner=root group=root
@@ -18,3 +11,6 @@
   with_items:
     - stunnel4.service
     - stunnel4@.service
+
+- name: Disable stunnel4 service
+  service: name=stunnel4.service enabled=false