From 42df93debccbcb1a18cd377b6de0b5b20527312f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 18 May 2020 15:51:54 +0200
Subject: stunnel4: Harden and socket-activate.

---
 roles/common/files/etc/systemd/system/stunnel4@.service | 5 +++++
 roles/common/tasks/stunnel.yml | 12 ++++--------
 2 files changed, 9 insertions(+), 8 deletions(-)
(limited to 'roles/common')

diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index 1a30599..4d69702 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,10 +1,15 @@
 [Unit]
 Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
 After=network.target nss-lookup.target
 PartOf=stunnel4.service
 ReloadPropagatedFrom=stunnel4.service
 
 [Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
 ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml
index 7cb8823..1522f1f 100644
--- a/roles/common/tasks/stunnel.yml
+++ b/roles/common/tasks/stunnel.yml
@@ -1,14 +1,7 @@
 - name: Install stunnel4
   apt: pkg=stunnel4
 
-- name: Set 'ENABLED=0' in /etc/default/stunnel4
-  lineinfile: dest=/etc/default/stunnel4
-              regexp='^(\s*#)?\s*ENABLED='
-              line='ENABLED=0'
-              owner=root group=root
-              mode=0644
-
-- name: Copy stunnel4 service file
+- name: Copy stunnel4 service files
   copy: src=etc/systemd/system/{{ item }}
         dest=/etc/systemd/system/{{ item }}
         owner=root group=root
@@ -18,3 +11,6 @@
   with_items:
     - stunnel4.service
     - stunnel4@.service
+
+- name: Disable stunnel4 service
+  service: name=stunnel4.service enabled=false
-- 
cgit v1.2.3
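Review bot: With `DynamicUser=yes` the UID behind `User=_stunnel4-%i` is allocated afresh at each start, so the certificate and private key referenced from `/etc/stunnel/%i.conf` cannot be owned by that user; unless they are readable through a static group granted with `SupplementaryGroups=`, the only way the unit starts is with a world-readable key, which is the opposite of the hardening the subject claims. The hunk does not show how the key is made readable, so a comment next to the `User=` line would help, e.g. `; key material must be readable by the dynamic user via SupplementaryGroups=, not by loosening the file mode`. `DynamicUser=` also starts the process unprivileged and implies `NoNewPrivileges=` and `ProtectSystem=strict`, so an instance config that still sets `setuid`, `setgid` or `chroot` would presumably fail at startup; worth a second comment stating that those directives must be absent from `/etc/stunnel/%i.conf`. Nothing in this hunk shows the socket activation named in the subject; if the `.socket` units live outside `roles/common`, a `Documentation=` or `Requires=` reference here would make the relationship visible.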
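Review bot: `service: name=stunnel4.service enabled=false` only removes the unit from the boot target; it does not stop an instance that is already running on a host provisioned before this change, and the modified unit files copied by the task above only take effect after a daemon-reload, which this hunk does not perform (the copy task's `notify`, if it has one, lies outside the hunk). Consider `systemd: name=stunnel4.service enabled=false daemon_reload=yes` so the new `DynamicUser=` settings in `stunnel4@.service` are actually loaded on the same run. Adding `state=stopped` is probably also wanted for the same reason, but note that it would stop every instance through `PartOf=stunnel4.service`, which is only acceptable if the instances are brought back by their sockets.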