summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--roles/common/files/etc/systemd/system/stunnel4@.service5
-rw-r--r--roles/common/tasks/stunnel.yml12
-rw-r--r--roles/webmail/files/etc/roundcube/plugins/password/config.inc.php2
-rw-r--r--roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket11
-rw-r--r--roles/webmail/handlers/main.yml6
-rw-r--r--roles/webmail/tasks/ldap.yml32
-rw-r--r--roles/webmail/templates/etc/stunnel/ldap.conf.j2 (renamed from roles/webmail/files/etc/stunnel/ldap.conf)30
7 files changed, 53 insertions, 45 deletions
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index 1a30599..4d69702 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,10 +1,15 @@
[Unit]
Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
After=network.target nss-lookup.target
PartOf=stunnel4.service
ReloadPropagatedFrom=stunnel4.service
[Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml
index 7cb8823..1522f1f 100644
--- a/roles/common/tasks/stunnel.yml
+++ b/roles/common/tasks/stunnel.yml
@@ -1,14 +1,7 @@
- name: Install stunnel4
apt: pkg=stunnel4
-- name: Set 'ENABLED=0' in /etc/default/stunnel4
- lineinfile: dest=/etc/default/stunnel4
- regexp='^(\s*#)?\s*ENABLED='
- line='ENABLED=0'
- owner=root group=root
- mode=0644
-
-- name: Copy stunnel4 service file
+- name: Copy stunnel4 service files
copy: src=etc/systemd/system/{{ item }}
dest=/etc/systemd/system/{{ item }}
owner=root group=root
@@ -18,3 +11,6 @@
with_items:
- stunnel4.service
- stunnel4@.service
+
+- name: Disable stunnel4 service
+ service: name=stunnel4.service enabled=false
diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
index c32f58e..e53b753 100644
--- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
+++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
@@ -122,7 +122,7 @@ $config['password_saslpasswd_args'] = '';
// You can provide one or several hosts in an array in which case the hosts are tried from left to right.
// Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');
// Default: 'localhost'
-$config['password_ldap_host'] = 'localhost';
+$config['password_ldap_host'] = '127.0.0.1';
// LDAP server port to connect to
// Default: '389'
diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
new file mode 100644
index 0000000..72aa82c
--- /dev/null
+++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
+
+[Socket]
+BindToDevice=lo
+ListenStream=127.0.0.1:389
+NoDelay=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 0515c8b..5b730d7 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -7,3 +7,9 @@
- name: Restart Nginx
service: name=nginx state=restarted
+
+- name: Stop stunnel4@ldap.service
+ service: name=stunnel4@ldap.service state=stopped
+
+- name: Restart stunnel4@ldap.socket
+ service: name=stunnel4@ldap.socket state=restarted
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
index 4abbd3a..f0b461c 100644
--- a/roles/webmail/tasks/ldap.yml
+++ b/roles/webmail/tasks/ldap.yml
@@ -1,3 +1,12 @@
+- name: Copy stunnel4@ldap.socket
+ copy: src=etc/systemd/system/stunnel4@ldap.socket
+ dest=/etc/systemd/system/stunnel4@ldap.socket
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Restart stunnel4@ldap.socket
+
- name: Create /etc/stunnel/certs
file: path=/etc/stunnel/certs
state=directory
@@ -9,22 +18,19 @@
dest=/etc/stunnel/certs/ldap.pem
owner=root group=root
mode=0644
- register: r1
notify:
- - Restart stunnel@ldap
+ - Stop stunnel4@ldap.service
- name: Configure stunnel
- copy: src=etc/stunnel/ldap.conf
- dest=/etc/stunnel/ldap.conf
- owner=root group=root
- mode=0644
- register: r2
+ template: src=etc/stunnel/ldap.conf.j2
+ dest=/etc/stunnel/ldap.conf
+ owner=root group=root
+ mode=0644
notify:
- - Restart stunnel@ldap
+ - Stop stunnel4@ldap.service
-- name: Enable stunnel@ldap
- service: name=stunnel4@ldap enabled=yes
+- name: Disable stunnel4@ldap.service
+ service: name=stunnel4@ldap.service enabled=false
-- name: Start stunnel@ldap
- service: name=stunnel4@ldap state=started
- when: not (r1.changed or r2.changed)
+- name: Start stunnel4@ldap.socket socket
+ service: name=stunnel4@ldap.socket state=started enabled=true
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
index 1a60a4f..6fce2bc 100644
--- a/roles/webmail/files/etc/stunnel/ldap.conf
+++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
@@ -2,11 +2,6 @@
; * Global options *
; **************************************************************************
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
pid =
foreground = yes
@@ -17,31 +12,18 @@ debug = 4
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
-; Certificate/key is needed in server mode and optional in client mode
-;cert = /etc/stunnel/mail.pem
-;key = /etc/stunnel/mail.pem
client = yes
-socket = a:SO_BINDTODEVICE=lo
; Some performance tunings
-socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Prevent MITM attacks
-verify = 4
+verifyPeer = yes
; Disable support for insecure protocols
-;options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
+sslVersionMin = TLSv1.2
options = NO_COMPRESSION
-; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
-
; Select permitted SSL ciphers
ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
@@ -50,8 +32,10 @@ ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
; **************************************************************************
[ldaps]
-accept = localhost:389
-connect = ldap.fripost.org:636
-CAfile = /etc/stunnel/certs/ldap.pem
+; dummy address (socket-activated)
+accept = 127.0.0.1:0
+connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636
+checkHost = ldap.fripost.org
+CAfile = /etc/stunnel/certs/ldap.pem
; vim:ft=dosini
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-19 09:14:16 +0000