authorMatthieu Saulnier <fantom@fedoraproject.org>2023-01-12 19:41:57 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2023-01-12 19:41:57 +0100
commita06fc3085705c16f7c31fd406e78ffa94e663d84 (patch)
treec17367a7a746acc19da8031e4751ca4ce6f4f5d1
parent9c6158e621b4958740ddd5886b951a75c64feff4 (diff)
Add stunnel config in clients role
-rw-r--r--roles/clients/files/nfs-nfs1.conf42
-rw-r--r--roles/clients/files/nfs-nfs2.conf42
-rw-r--r--roles/clients/files/nfs-nfs3.conf42
-rw-r--r--roles/clients/files/stunnel-nfs-nfs1.socket13
-rw-r--r--roles/clients/files/stunnel-nfs-nfs1@.service9
-rw-r--r--roles/clients/files/stunnel-nfs-nfs2.socket13
-rw-r--r--roles/clients/files/stunnel-nfs-nfs2@.service9
-rw-r--r--roles/clients/files/stunnel-nfs-nfs3.socket13
-rw-r--r--roles/clients/files/stunnel-nfs-nfs3@.service9
-rw-r--r--roles/clients/tasks/main.yml3
-rw-r--r--roles/clients/tasks/stunnel.yml48
11 files changed, 243 insertions, 0 deletions
diff --git a/roles/clients/files/nfs-nfs1.conf b/roles/clients/files/nfs-nfs1.conf
new file mode 100644
index 0000000..eac5443
--- /dev/null
+++ b/roles/clients/files/nfs-nfs1.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs1
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs1-freeway.casperlefantom.net:443
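Review bot: `verify = 2` in the CREDENTIALS section only checks that the server's certificate chains to mon-ca.crt, not that it was issued for nfs1-freeway.casperlefantom.net; if that same private CA also issues the client certificates (this file presents matthieu.3.crt), any holder of such a certificate who can redirect the connection can pose as the NFS server. Add `checkHost = nfs1-freeway.casperlefantom.net` next to `verify = 2` (stunnel 5.x; `verifyChain = yes` is the current spelling of `verify = 2`) so the server identity is pinned, and do the same in the nfs2 and nfs3 configurations. The `; cd /var/empty ...` comment block also describes a different chroot path (`/var/empty`) and daemon name (`3d-nfsd`) than this file actually uses (`/var/stunnel/chroot`, `stunnel-nfs1`), so it should be corrected or dropped rather than copied into three files.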
diff --git a/roles/clients/files/nfs-nfs2.conf b/roles/clients/files/nfs-nfs2.conf
new file mode 100644
index 0000000..61c037d
--- /dev/null
+++ b/roles/clients/files/nfs-nfs2.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs-nsb
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs2-freeway.casperlefantom.net:443
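Review bot: The `ciphers=` line at the end of the GLOBAL section has no effect in this configuration: with `sslVersion = TLSv1.3` only TLS 1.3 can be negotiated, and on stunnel 5.50+ built against OpenSSL 1.1.1 the TLS 1.3 suites are chosen through the `ciphersuites` option, so the listed preference (and the `NO_SSLv2`/`NO_SSLv3` options) are dead settings that mislead the reader. Either delete the line and the hynek.me comment, or, if a restriction is really wanted, replace it with `ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256`. Separately, `service = stunnel-nfs-nsb` does not follow the `stunnel-nfs1`/`stunnel-nfs3` naming of the sibling files; the service name is also the daemon name matched against hosts.allow/hosts.deny, so a rule written for `stunnel-nfs2` would silently not apply here — `service = stunnel-nfs2` looks like the intended value.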
diff --git a/roles/clients/files/nfs-nfs3.conf b/roles/clients/files/nfs-nfs3.conf
new file mode 100644
index 0000000..03437b0
--- /dev/null
+++ b/roles/clients/files/nfs-nfs3.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs3
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs3-freeway.casperlefantom.net:443
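Review bot: None of the three nfs-nfsN.conf files sets `libwrap = yes`, and on stunnel 5.x the default is `no`, so the hosts.allow/hosts.deny files the comment block describes (and that tasks/stunnel.yml creates in the chroot) would never be consulted; either add `libwrap = yes` to the GLOBAL section if TCP-wrapper filtering is intended, or remove the dead comment and chroot files so nobody assumes the protection exists. I cannot see the stunnel version on the target, so confirm the default there. The three files differ only in `service` and `connect`; rendering one `nfs.conf.j2` template per host from the loop already used in tasks/stunnel.yml would keep the hardening settings from drifting between copies, and would make the `# Ansible managed.` header truthful.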
diff --git a/roles/clients/files/stunnel-nfs-nfs1.socket b/roles/clients/files/stunnel-nfs-nfs1.socket
new file mode 100644
index 0000000..ebb5a52
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs1.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9060
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
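Review bot: `ListenStream=9060` binds the wildcard address, so any host that can reach TCP/9060 on this machine gets a tunnel to nfs1 authenticated with this client's own certificate (matthieu.3.crt in nfs-nfs1.conf), which defeats the mutual TLS on the client side. An NFS client only needs the loopback listener: `ListenStream=127.0.0.1:9060`, plus `ListenStream=[::1]:9060` if the mount uses IPv6. The nfs2 and nfs3 sockets have the same exposure.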
diff --git a/roles/clients/files/stunnel-nfs-nfs1@.service b/roles/clients/files/stunnel-nfs-nfs1@.service
new file mode 100644
index 0000000..c2789f7
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs1@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs1.conf
+StandardInput=socket
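Review bot: The per-connection instance starts stunnel as root with no systemd sandboxing; the config drops to `nobody` and enters `/var/stunnel/chroot` itself, but nothing bounds what the root start-up phase (reading matthieu.3.key, chroot, setuid) can touch. From the config, the only privileged operations are the chroot and the uid/gid change, so a capability bounding set plus the usual filesystem protections should be safe; `CAP_DAC_READ_SEARCH` may additionally be needed if the private key is not root-owned, and `ProtectSystem=strict` assumes stunnel writes nothing under /var in inetd mode — test on the target before rolling to all three units. The same block applies to the nfs2 and nfs3 services.

```ini
[Service]
ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs1.conf
StandardInput=socket
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
```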
diff --git a/roles/clients/files/stunnel-nfs-nfs2.socket b/roles/clients/files/stunnel-nfs-nfs2.socket
new file mode 100644
index 0000000..8666a3e
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs2.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9061
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
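Review bot: `ListenStream=9061` listens on all interfaces, so the stunnel client — and the client certificate it presents to nfs2 — becomes usable by any host that can reach this port. Restrict it to loopback with `ListenStream=127.0.0.1:9061` (and `ListenStream=[::1]:9061` if IPv6 is used for the mount).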
diff --git a/roles/clients/files/stunnel-nfs-nfs2@.service b/roles/clients/files/stunnel-nfs-nfs2@.service
new file mode 100644
index 0000000..c82ae04
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs2@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs2.conf
+StandardInput=socket
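Review bot: The `-` prefix in `ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs2.conf` makes systemd record any non-zero exit of stunnel as success, so a connection instance that dies because the peer certificate failed `verify = 2` or the upstream connect timed out never appears as a failed unit; the only trace is stunnel's own syslog output. Unless there is a reason to hide those exits, use `ExecStart=/usr/bin/stunnel /etc/stunnel/nfs-nfs2.conf` so failed instances are visible to `systemctl --failed` and unit-failure alerting. Whether stunnel actually exits non-zero in inetd mode on a handshake failure is not visible here, so verify before relying on it.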
diff --git a/roles/clients/files/stunnel-nfs-nfs3.socket b/roles/clients/files/stunnel-nfs-nfs3.socket
new file mode 100644
index 0000000..9adee58
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs3.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9062
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
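Review bot: `ListenStream=9062` binds every interface, exposing the authenticated tunnel to nfs3 to anything on the network that can reach this port. Bind to loopback instead: `ListenStream=127.0.0.1:9062`, adding `ListenStream=[::1]:9062` if the NFS mount goes over IPv6.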
diff --git a/roles/clients/files/stunnel-nfs-nfs3@.service b/roles/clients/files/stunnel-nfs-nfs3@.service
new file mode 100644
index 0000000..7e69fe1
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs3@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs3.conf
+StandardInput=socket
diff --git a/roles/clients/tasks/main.yml b/roles/clients/tasks/main.yml
index af417e2..7e2e341 100644
--- a/roles/clients/tasks/main.yml
+++ b/roles/clients/tasks/main.yml
@@ -25,6 +25,9 @@
- name: Configuration du serveur XMPP onion
import_tasks: prosody.yml
+- name: Configuration stunnel pour nfs
+ import_tasks: stunnel.yml
+
- name: Configuration démon Cron
import_tasks: cron.yml
diff --git a/roles/clients/tasks/stunnel.yml b/roles/clients/tasks/stunnel.yml
new file mode 100644
index 0000000..6a918c6
--- /dev/null
+++ b/roles/clients/tasks/stunnel.yml
@@ -0,0 +1,48 @@
+- name: Installation config stunnel
+ copy:
+ src: "nfs-{{ item }}.conf"
+ dest: "/etc/stunnel/"
+ mode: 0644
+ loop:
+ - nfs1
+ - nfs2
+ - nfs3
+
+- name: Installation du service systemd
+ copy:
+ src: "stunnel-nfs-{{ item }}@.service"
+ dest: "/etc/systemd/system/"
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - nfs1
+ - nfs2
+ - nfs3
+ notify: reload systemd
+
+- name: Installation du socket systemd
+ copy:
+ src: "stunnel-nfs-{{ item }}.socket"
+ dest: "/etc/systemd/system/"
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - nfs1
+ - nfs2
+ - nfs3
+ notify: reload systemd
+
+- name: Création du répertoire du chroot
+ file:
+ path: /var/stunnel/chroot/etc
+ state: directory
+
+- name: Création des fichiers du chroot
+ file:
+ path: "/var/stunnel/chroot/etc/{{ item }}"
+ state: touch
+ loop:
+ - hosts.allow
+ - hosts.deny
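Review bot: Nothing in this task file enables or starts the `stunnel-nfs-*.socket` units it installs — the copy tasks only notify `reload systemd` — so unless another part of the role (not visible here) activates them, the listeners stay down after a fresh deploy. The last task uses `state: touch` without preserving timestamps, so it reports changed on every run and creates hosts.allow/hosts.deny with umask-derived ownership and mode inside a chroot that the `nobody` user runs in; pin owner/mode and preserve the times. Ansible also recommends quoting octal modes (`mode: "0644"`), since an unquoted `0644` is parsed by YAML 1.1 as the integer 420 and only works by accident in some loop contexts. If SELinux is enforcing, the `chcon -t stunnel_etc_t` the config comment asks for belongs here as `setype: stunnel_etc_t` rather than as a manual step.

```yaml
# … unchanged: config, service and socket copy tasks (with mode: "0644") …

- name: Création du répertoire du chroot
  file:
    path: /var/stunnel/chroot/etc
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Création des fichiers du chroot
  file:
    path: "/var/stunnel/chroot/etc/{{ item }}"
    state: touch
    owner: root
    group: root
    mode: "0644"
    modification_time: preserve
    access_time: preserve
  loop:
    - hosts.allow
    - hosts.deny

- name: Activation des sockets stunnel
  systemd:
    name: "stunnel-nfs-{{ item }}.socket"
    enabled: true
    state: started
    daemon_reload: true
  loop:
    - nfs1
    - nfs2
    - nfs3
```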