authorGuilhem Moulin <guilhem@fripost.org>2016-06-05 17:30:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-05 17:33:25 +0200
commit17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 (patch)
tree00dc894e22ab7221e908faeac98095835b0a0782 /roles/webmail/tasks/ldap.yml
parent57e40efc54c230566fd5f6bd10d25692709909b7 (diff)
Use stunnel to secure the connection from the webmail to ldap.fripost.org.
We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
Diffstat (limited to 'roles/webmail/tasks/ldap.yml')
-rw-r--r--roles/webmail/tasks/ldap.yml32
1 files changed, 32 insertions, 0 deletions
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
new file mode 100644
index 0000000..6df3324
--- /dev/null
+++ b/roles/webmail/tasks/ldap.yml
@@ -0,0 +1,32 @@
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy the ldap's X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/stunnel/certs/ldap.pem
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart stunnel@ldap
+
+- name: Configure stunnel
+ copy: src=etc/stunnel/ldap.conf
+ dest=/etc/stunnel/ldap.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel@ldap
+
+- name: Enable stunnel@ldap
+ service: name=stunnel4@ldap enabled=yes
+
+- name: Start stunnel@ldap
+ service: name=stunnel4@ldap state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
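Review bot: The module arguments throughout the hunk are key=value strings split over continuation lines (`file: path=/etc/stunnel/certs` … `mode=0755`), which is fragile to re-indent and hides the argument structure; native block-YAML args read better and let yamllint check them, with the octal mode quoted (`mode: "0755"`) so a YAML 1.1 loader does not turn it into 493. The same conversion applies to the two copy tasks, and `enabled=yes` should become `enabled: true`. Separately, the tunnel only authenticates ldap.fripost.org if the copied etc/stunnel/ldap.conf enables peer verification against /etc/stunnel/certs/ldap.pem (stunnel's `verify`/`CAfile` options); that file is not part of this diff, so it is worth confirming. The `when: not (r1.changed or r2.changed)` guard presumably relies on the `Restart stunnel@ldap` handler to bring the service up when either file changed; a comment such as `# a changed cert or config triggers the restart handler, which also starts the service` would make that intent explicit.
```yaml
- name: Create /etc/stunnel/certs
  file:
    path: /etc/stunnel/certs
    state: directory
    owner: root
    group: root
    mode: "0755"
# … unchanged: copy, service and flush_handlers tasks (same conversion applies) …
```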