Diffstat (limited to 'roles/clients/files')
-rw-r--r--roles/clients/files/nfs-nfs1.conf42
-rw-r--r--roles/clients/files/nfs-nfs2.conf42
-rw-r--r--roles/clients/files/nfs-nfs3.conf42
-rw-r--r--roles/clients/files/stunnel-nfs-nfs1.socket13
-rw-r--r--roles/clients/files/stunnel-nfs-nfs1@.service9
-rw-r--r--roles/clients/files/stunnel-nfs-nfs2.socket13
-rw-r--r--roles/clients/files/stunnel-nfs-nfs2@.service9
-rw-r--r--roles/clients/files/stunnel-nfs-nfs3.socket13
-rw-r--r--roles/clients/files/stunnel-nfs-nfs3@.service9
9 files changed, 192 insertions, 0 deletions
diff --git a/roles/clients/files/nfs-nfs1.conf b/roles/clients/files/nfs-nfs1.conf
new file mode 100644
index 0000000..eac5443
--- /dev/null
+++ b/roles/clients/files/nfs-nfs1.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs1
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs1-freeway.casperlefantom.net:443
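Review bot: `verify = 2` in the CREDENTIALS block validates the server's chain against mon-ca.crt but does not check that the certificate belongs to the host named in `connect`, so any certificate issued by that CA would be accepted for nfs1; add `checkHost = nfs1-freeway.casperlefantom.net` next to `verify = 2` (and the matching name in nfs-nfs2.conf and nfs-nfs3.conf). The exposure depends on what else the CA signs — the client's own matthieu.3.crt looks like it is under the same PKI, so a holder of another CA-issued cert could presumably stand in for the server unless the name is pinned. Separately, with `sslVersion = TLSv1.3` the `ciphers=` line only governs TLS 1.2 and below, so the TLS 1.3 suites stay at their defaults; if a restricted set is wanted, stunnel's `ciphersuites =` is the option that applies, and `options = CIPHER_SERVER_PREFERENCE` has no effect on a `client = yes` endpoint. The three `;`-prefixed hosts.deny lines are comments and enforce nothing; a short comment stating whether libwrap is actually relied on here would help the next maintainer.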
diff --git a/roles/clients/files/nfs-nfs2.conf b/roles/clients/files/nfs-nfs2.conf
new file mode 100644
index 0000000..61c037d
--- /dev/null
+++ b/roles/clients/files/nfs-nfs2.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs-nsb
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs2-freeway.casperlefantom.net:443
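Review bot: `service = stunnel-nfs-nsb` does not follow the naming used by the sibling files (`stunnel-nfs1`, `stunnel-nfs3`) and looks like a copy-paste leftover; since this name is what appears in syslog and in any libwrap rule, suggest `service = stunnel-nfs2`. If the odd name is intentional, a one-line comment above it saying why would stop the next reader from "fixing" it.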
diff --git a/roles/clients/files/nfs-nfs3.conf b/roles/clients/files/nfs-nfs3.conf
new file mode 100644
index 0000000..03437b0
--- /dev/null
+++ b/roles/clients/files/nfs-nfs3.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs3
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs3-freeway.casperlefantom.net:443
diff --git a/roles/clients/files/stunnel-nfs-nfs1.socket b/roles/clients/files/stunnel-nfs-nfs1.socket
new file mode 100644
index 0000000..ebb5a52
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs1.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9060
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
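Review bot: `ListenStream=9060` binds the wildcard address, so any host that can reach this machine can use the local stunnel instance — and therefore its client certificate and key — to talk to the NFS server; a client-side wrapper like this should listen on loopback only, `ListenStream=127.0.0.1:9060` (and likewise 9061 in stunnel-nfs-nfs2.socket and 9062 in stunnel-nfs-nfs3.socket). The `ALL EXCEPT 127.0.0.1` hosts.deny snippet in the matching conf file suggests loopback-only was the intent, but it is commented out there and in any case does not constrain the socket unit. If remote clients are meant to reach this port, a comment in the [Socket] section stating that and the expected source would make the exposure deliberate rather than accidental.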
diff --git a/roles/clients/files/stunnel-nfs-nfs1@.service b/roles/clients/files/stunnel-nfs-nfs1@.service
new file mode 100644
index 0000000..c2789f7
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs1@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs1.conf
+StandardInput=socket
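Review bot: The `-` prefix on `ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs1.conf` tells systemd to treat a non-zero exit as success, so a broken config or an unreadable key produces no failed instance unit and the problem is only visible in stunnel's own syslog output; the same applies to stunnel-nfs-nfs2@.service and stunnel-nfs-nfs3@.service. Whether dropping the `-` is appropriate depends on how stunnel exits in inetd mode after an ordinary connection error, which is not visible here, so either confirm that and remove it or add a comment such as `# '-' intentionally ignores exit status: per-connection failures are logged by stunnel, not systemd`.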
diff --git a/roles/clients/files/stunnel-nfs-nfs2.socket b/roles/clients/files/stunnel-nfs-nfs2.socket
new file mode 100644
index 0000000..8666a3e
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs2.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9061
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/clients/files/stunnel-nfs-nfs2@.service b/roles/clients/files/stunnel-nfs-nfs2@.service
new file mode 100644
index 0000000..c82ae04
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs2@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs2.conf
+StandardInput=socket
diff --git a/roles/clients/files/stunnel-nfs-nfs3.socket b/roles/clients/files/stunnel-nfs-nfs3.socket
new file mode 100644
index 0000000..9adee58
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs3.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9062
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/clients/files/stunnel-nfs-nfs3@.service b/roles/clients/files/stunnel-nfs-nfs3@.service
new file mode 100644
index 0000000..7e69fe1
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs3@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs3.conf
+StandardInput=socket