From 42df93debccbcb1a18cd377b6de0b5b20527312f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 18 May 2020 15:51:54 +0200
Subject: stunnel4: Harden and socket-activate.
---
roles/webmail/tasks/ldap.yml | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
(limited to 'roles/webmail/tasks/ldap.yml')
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
index 4abbd3a..f0b461c 100644
--- a/roles/webmail/tasks/ldap.yml
+++ b/roles/webmail/tasks/ldap.yml
@@ -1,3 +1,12 @@
+- name: Copy stunnel4@ldap.socket
+ copy: src=etc/systemd/system/stunnel4@ldap.socket
+ dest=/etc/systemd/system/stunnel4@ldap.socket
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Restart stunnel4@ldap.socket
+
- name: Create /etc/stunnel/certs
file: path=/etc/stunnel/certs
state=directory
@@ -9,22 +18,19 @@
dest=/etc/stunnel/certs/ldap.pem
owner=root group=root
mode=0644
- register: r1
notify:
- - Restart stunnel@ldap
+ - Stop stunnel4@ldap.service
- name: Configure stunnel
- copy: src=etc/stunnel/ldap.conf
- dest=/etc/stunnel/ldap.conf
- owner=root group=root
- mode=0644
- register: r2
+ template: src=etc/stunnel/ldap.conf.j2
+ dest=/etc/stunnel/ldap.conf
+ owner=root group=root
+ mode=0644
notify:
- - Restart stunnel@ldap
+ - Stop stunnel4@ldap.service
-- name: Enable stunnel@ldap
- service: name=stunnel4@ldap enabled=yes
+- name: Disable stunnel4@ldap.service
+ service: name=stunnel4@ldap.service enabled=false
-- name: Start stunnel@ldap
- service: name=stunnel4@ldap state=started
- when: not (r1.changed or r2.changed)
+- name: Start stunnel4@ldap.socket socket
+ service: name=stunnel4@ldap.socket state=started enabled=true
-- cgit v1.2.3
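Review bot: The new `Start stunnel4@ldap.socket socket` task at the end of the second hunk starts the socket while `stunnel4@ldap.service` may still be running, because the task just before it only sets `enabled=false` and the `Stop stunnel4@ldap.service` handlers notified by the certificate and template tasks do not run until the end of the play. systemd refuses to start a socket unit whose associated service is already active, so on a host upgraded from the previous version of this file (where the service was started directly, with no socket) the socket start is likely to fail until the old instance is stopped; the `Restart stunnel4@ldap.socket` handler added in the first hunk has the same exposure if it fires before the stop handler, which depends on handler ordering outside this diff. Consider adding `- meta: flush_handlers` immediately before the socket task so that a changed certificate or configuration stops the service first, and adding a comment on the socket task such as `# stunnel4@ldap.socket cannot be started while a legacy stunnel4@ldap.service is active; stop it once when migrating` since flushing handlers does not cover the unchanged-configuration migration case.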