author | Matthieu Saulnier <fantom@fedoraproject.org> | 2023-01-12 19:41:57 +0100 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2023-01-12 19:41:57 +0100 |
commit | a06fc3085705c16f7c31fd406e78ffa94e663d84 (patch) | |
tree | c17367a7a746acc19da8031e4751ca4ce6f4f5d1 /roles/clients/files/nfs-nfs1.conf | |
parent | 9c6158e621b4958740ddd5886b951a75c64feff4 (diff) | |
Add stunnel config in clients role
Diffstat (limited to 'roles/clients/files/nfs-nfs1.conf')
-rw-r--r-- | roles/clients/files/nfs-nfs1.conf | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/roles/clients/files/nfs-nfs1.conf b/roles/clients/files/nfs-nfs1.conf
new file mode 100644
index 0000000..eac5443
--- /dev/null
+++ b/roles/clients/files/nfs-nfs1.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs1
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs1-freeway.casperlefantom.net:443 |
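Review bot: The client side verifies the server's chain against mon-ca.crt (`verify = 2`) but never checks that the presented certificate actually belongs to the host named in `connect`, so any certificate issued by that CA would be accepted for nfs1-freeway; add `checkHost = nfs1-freeway.casperlefantom.net` next to the `verify`/`CAfile` lines (on current stunnel, `verifyChain = yes` plus `checkHost` is the documented pairing). With `sslVersion = TLSv1.3` the `ciphers=` list and `options = CIPHER_SERVER_PREFERENCE` only govern TLS 1.2 and below and the latter is a server-side option, so in this client-only config they appear to be inert; if the intent is to constrain TLS 1.3 suites, that is the separate `ciphersuites` option. The commented hosts.deny recipe also looks copied from a server template: it builds the file under `/var/empty` while `chroot` points at `/var/stunnel/chroot`, and names the service `3d-nfsd` rather than `stunnel-nfs1`, so as written it would not take effect; either fix the paths and name or drop the comment.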