-rw-r--r--roles/dbreplication/files/stunnel-mariadb-nsa-2.socket13
-rw-r--r--roles/dbreplication/files/stunnel-mariadb-nsa-2@.service9
-rw-r--r--roles/dbreplication/files/stunnel-mariadb-nsa.socket13
-rw-r--r--roles/dbreplication/files/stunnel-mariadb-nsa@.service9
-rw-r--r--roles/dbreplication/handlers/main.yml1
-rw-r--r--roles/dbreplication/handlers/systemd.yml15
-rw-r--r--roles/dbreplication/tasks/main.yml2
-rw-r--r--roles/dbreplication/tasks/pkgs.yml4
-rw-r--r--roles/dbreplication/tasks/stunnel.yml38
-rw-r--r--roles/dbreplication/templates/mariadb-nsa-2.conf.j241
-rw-r--r--roles/dbreplication/templates/mariadb-nsa.conf.j241
11 files changed, 186 insertions, 0 deletions
diff --git a/roles/dbreplication/files/stunnel-mariadb-nsa-2.socket b/roles/dbreplication/files/stunnel-mariadb-nsa-2.socket
new file mode 100644
index 0000000..e6d0ab7
--- /dev/null
+++ b/roles/dbreplication/files/stunnel-mariadb-nsa-2.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=MariaDB over stunnel/TLS client
+
+[Socket]
+ListenStream=9061
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
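Review bot: `ListenStream=9061` carries no address, so systemd binds this stunnel client listener on every interface, and any host that can reach the machine on 9061 obtains a TLS tunnel to the replication server that is authenticated with this host's own client certificate. Unless the listener is deliberately shared across the network, bind it to loopback: `ListenStream=127.0.0.1:9061`. The same applies to `ListenStream=9060` in stunnel-mariadb-nsa.socket. Note that the chroot `hosts.allow`/`hosts.deny` files created in tasks/stunnel.yml are empty, so even if stunnel is built with libwrap it adds no restriction of its own.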
diff --git a/roles/dbreplication/files/stunnel-mariadb-nsa-2@.service b/roles/dbreplication/files/stunnel-mariadb-nsa-2@.service
new file mode 100644
index 0000000..601d135
--- /dev/null
+++ b/roles/dbreplication/files/stunnel-mariadb-nsa-2@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=MariaDB over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/mariadb-nsa-2.conf
+StandardInput=socket
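Review bot: The leading `-` in `ExecStart=-/usr/bin/stunnel /etc/stunnel/mariadb-nsa-2.conf` makes systemd treat a non-zero exit of stunnel as success, so a config error or a missing certificate/key surfaces only in stunnel's own syslog output and never as a failed unit instance. Drop the prefix so per-connection failures are visible with `systemctl --failed`: `ExecStart=/usr/bin/stunnel /etc/stunnel/mariadb-nsa-2.conf`. The same prefix is in stunnel-mariadb-nsa@.service. Since this template has no `[Install]` section, a one-line comment naming the socket unit that instantiates it (`# instantiated per connection by stunnel-mariadb-nsa-2.socket`) would help the next reader.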
diff --git a/roles/dbreplication/files/stunnel-mariadb-nsa.socket b/roles/dbreplication/files/stunnel-mariadb-nsa.socket
new file mode 100644
index 0000000..c08f510
--- /dev/null
+++ b/roles/dbreplication/files/stunnel-mariadb-nsa.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=MariaDB over stunnel/TLS client
+
+[Socket]
+ListenStream=9060
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/dbreplication/files/stunnel-mariadb-nsa@.service b/roles/dbreplication/files/stunnel-mariadb-nsa@.service
new file mode 100644
index 0000000..e609ccb
--- /dev/null
+++ b/roles/dbreplication/files/stunnel-mariadb-nsa@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=MariaDB over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/mariadb-nsa.conf
+StandardInput=socket
diff --git a/roles/dbreplication/handlers/main.yml b/roles/dbreplication/handlers/main.yml
new file mode 100644
index 0000000..8db0dde
--- /dev/null
+++ b/roles/dbreplication/handlers/main.yml
@@ -0,0 +1 @@
+- import_tasks: systemd.yml
diff --git a/roles/dbreplication/handlers/systemd.yml b/roles/dbreplication/handlers/systemd.yml
new file mode 100644
index 0000000..48f3849
--- /dev/null
+++ b/roles/dbreplication/handlers/systemd.yml
@@ -0,0 +1,15 @@
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: launch mariadb nsa
+ service:
+ name: stunnel-mariadb-nsa.socket
+ state: started
+ enabled: no
+
+- name: launch mariadb nsa 2
+ service:
+ name: stunnel-mariadb-nsa-2.socket
+ state: started
+ enabled: no
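Review bot: `enabled: no` on the two `service` handlers leaves the socket units started but not enabled, so after a reboot nothing listens on 9060/9061 even though both `.socket` files carry an `[Install] WantedBy=sockets.target` stanza that is never acted on. If the tunnels are meant to survive a reboot, change both to `enabled: true`; if a one-shot start is intended, a short comment saying so would save the next reader the question. The file also spells booleans as `yes`/`no` (`daemon_reload: yes`), which are YAML 1.1 forms; `true`/`false` is the canonical spelling ansible-lint expects.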
diff --git a/roles/dbreplication/tasks/main.yml b/roles/dbreplication/tasks/main.yml
index a61319c..2b3975a 100644
--- a/roles/dbreplication/tasks/main.yml
+++ b/roles/dbreplication/tasks/main.yml
@@ -1 +1,3 @@
- import_tasks: crt.yml
+- import_tasks: pkgs.yml
+- import_tasks: stunnel.yml
diff --git a/roles/dbreplication/tasks/pkgs.yml b/roles/dbreplication/tasks/pkgs.yml
new file mode 100644
index 0000000..776de24
--- /dev/null
+++ b/roles/dbreplication/tasks/pkgs.yml
@@ -0,0 +1,4 @@
+- name: Installation de stunnel
+ package:
+ name: "stunnel"
+ state: present
diff --git a/roles/dbreplication/tasks/stunnel.yml b/roles/dbreplication/tasks/stunnel.yml
new file mode 100644
index 0000000..b24580d
--- /dev/null
+++ b/roles/dbreplication/tasks/stunnel.yml
@@ -0,0 +1,38 @@
+- name: Installation des config stunnel
+ template:
+ src: "{{ item.name }}"
+ dest: "/etc/stunnel/{{ item.dest }}"
+ mode: 0644
+ loop:
+ - { name: 'mariadb-nsa.conf.j2', dest: 'mariadb-nsa.conf' }
+ - { name: 'mariadb-nsa-2.conf.j2', dest: 'mariadb-nsa-2.conf' }
+
+- name: Installation des unités systemd
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/systemd/system/"
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - reload systemd
+ - launch mariadb nsa
+ - launch mariadb nsa 2
+ loop:
+ - stunnel-mariadb-nsa-2@.service
+ - stunnel-mariadb-nsa-2.socket
+ - stunnel-mariadb-nsa@.service
+ - stunnel-mariadb-nsa.socket
+
+- name: Création du répertoire du chroot
+ file:
+ path: /var/stunnel/chroot/etc
+ state: directory
+
+- name: Création des fichiers du chroot
+ file:
+ path: "/var/stunnel/chroot/etc/{{ item }}"
+ state: touch
+ loop:
+ - hosts.allow
+ - hosts.deny
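Review bot: The "Création des fichiers du chroot" task uses `state: touch` without preserving timestamps, so every run reports changed for hosts.allow/hosts.deny and the play is never idempotent on that step; add `modification_time: preserve` and `access_time: preserve` under `file:`. The two `mode: 0644` values are unquoted: YAML 1.1 reads them as octal 420, which happens to equal 0644, but `mode: "0644"` is the form Ansible documents and the one that survives a reformat. The chroot directory and the two files get no `owner`/`group`/`mode`, so they inherit whatever the remote umask gives; since stunnel runs as `nobody` inside that chroot, setting `mode: "0755"` on the directory and `mode: "0644"` on the files makes the expectation explicit.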
diff --git a/roles/dbreplication/templates/mariadb-nsa-2.conf.j2 b/roles/dbreplication/templates/mariadb-nsa-2.conf.j2
new file mode 100644
index 0000000..f7d9507
--- /dev/null
+++ b/roles/dbreplication/templates/mariadb-nsa-2.conf.j2
@@ -0,0 +1,41 @@
+#
+# {{ ansible_managed }}
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-mariadb-nsa-2
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/{{ ansible_hostname }}.dbjabber.crt
+ key = /etc/pki/tls/private/{{ ansible_hostname }}.dbjabber.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = jabber1.{{ maindomain }}:29397
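Review bot: `verify = 2` checks that the server's certificate chains to `mon-ca.crt`, but nothing in the config ties that certificate to the peer this client connects to, so any certificate issued by the same CA — including another host's `{{ ansible_hostname }}.dbjabber.crt` client cert — would be accepted for `jabber1.{{ maindomain }}`. Add `checkHost = jabber1.{{ maindomain }}` under #CREDENTIALS so the server's name is verified as well. Separately, with `sslVersion = TLSv1.3` the `ciphers=` list, `NO_SSLv2`/`NO_SSLv3` and `CIPHER_SERVER_PREFERENCE` are inert (TLS 1.3 suites are configured with `ciphersuites`, and server preference has no meaning in a client); either drop them or, if older servers must be supported, use `sslVersionMin`/`sslVersionMax` and keep the list. The commented recipe (`cd /var/empty ... 3d-nfsd`) matches neither `chroot = /var/stunnel/chroot` nor this `service` name and should be updated or removed. mariadb-nsa.conf.j2 is identical apart from service name and port and shares all of this; the two could be one template driven by the loop vars already used in tasks/stunnel.yml.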
diff --git a/roles/dbreplication/templates/mariadb-nsa.conf.j2 b/roles/dbreplication/templates/mariadb-nsa.conf.j2
new file mode 100644
index 0000000..cdbde4c
--- /dev/null
+++ b/roles/dbreplication/templates/mariadb-nsa.conf.j2
@@ -0,0 +1,41 @@
+#
+# {{ ansible_managed }}
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-mariadb-nsa
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/{{ ansible_hostname }}.dbjabber.crt
+ key = /etc/pki/tls/private/{{ ansible_hostname }}.dbjabber.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = jabber1.{{ maindomain }}:29392