Diffstat (limited to 'roles/clients')
-rw-r--r-- | roles/clients/files/nfs-nfs1.conf | 42 | ||||
-rw-r--r-- | roles/clients/files/nfs-nfs2.conf | 42 | ||||
-rw-r--r-- | roles/clients/files/nfs-nfs3.conf | 42 | ||||
-rw-r--r-- | roles/clients/files/stunnel-nfs-nfs1.socket | 13 | ||||
-rw-r--r-- | roles/clients/files/stunnel-nfs-nfs1@.service | 9 | ||||
-rw-r--r-- | roles/clients/files/stunnel-nfs-nfs2.socket | 13 | ||||
-rw-r--r-- | roles/clients/files/stunnel-nfs-nfs2@.service | 9 | ||||
-rw-r--r-- | roles/clients/files/stunnel-nfs-nfs3.socket | 13 | ||||
-rw-r--r-- | roles/clients/files/stunnel-nfs-nfs3@.service | 9 | ||||
-rw-r--r-- | roles/clients/tasks/main.yml | 3 | ||||
-rw-r--r-- | roles/clients/tasks/stunnel.yml | 48 |
11 files changed, 243 insertions, 0 deletions
diff --git a/roles/clients/files/nfs-nfs1.conf b/roles/clients/files/nfs-nfs1.conf
new file mode 100644
index 0000000..eac5443
--- /dev/null
+++ b/roles/clients/files/nfs-nfs1.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs1
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs1-freeway.casperlefantom.net:443
diff --git a/roles/clients/files/nfs-nfs2.conf b/roles/clients/files/nfs-nfs2.conf
new file mode 100644
index 0000000..61c037d
--- /dev/null
+++ b/roles/clients/files/nfs-nfs2.conf
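Review bot: With `sslVersion = TLSv1.3` the `ciphers=` line in the GLOBAL section is dead configuration, because stunnel applies `ciphers` to TLSv1.2 and below and selects TLSv1.3 suites through `ciphersuites`; `renegotiation = no` and the `NO_SSLv2`/`NO_SSLv3` options are likewise no-ops at that version. If the intent is to restrict the suites, add `ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256` (stunnel 5.50+) and drop or comment the legacy list. Separately, `verify = 2` only checks that the server certificate chains to `mon-ca.crt`, not that it belongs to the host named in `connect`, so any certificate issued by that CA would be accepted for this tunnel; `checkHost = nfs1-freeway.casperlefantom.net` pins the peer identity (`verifyChain = yes` is the current spelling of `verify = 2` on stunnel 5.x). The same applies to nfs-nfs2.conf and nfs-nfs3.conf in the next two hunks.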
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs-nsb
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs2-freeway.casperlefantom.net:443
diff --git a/roles/clients/files/nfs-nfs3.conf b/roles/clients/files/nfs-nfs3.conf
new file mode 100644
index 0000000..03437b0
--- /dev/null
+++ b/roles/clients/files/nfs-nfs3.conf
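Review bot: `service = stunnel-nfs-nsb` in this file breaks the naming used by nfs1 (`stunnel-nfs1`) and nfs3 (`stunnel-nfs3`) and looks like a copy-paste leftover; the service name is also the daemon name libwrap matches against `hosts.allow`/`hosts.deny` in the chroot, so `service = stunnel-nfs2` keeps that access-control key predictable. The commented recipe below it (`; cd /var/empty; ...` and `echo '3d-nfsd: ...' >> hosts.deny`) names a chroot path and a daemon that match neither `chroot = /var/stunnel/chroot` nor any `service =` value in this commit, so a maintainer following it would write a rule that is never consulted; either rewrite it for the `/var/stunnel/chroot/etc` layout that stunnel.yml creates or remove it. The same stale comment is present in nfs-nfs1.conf and nfs-nfs3.conf.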
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs3
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs3-freeway.casperlefantom.net:443
diff --git a/roles/clients/files/stunnel-nfs-nfs1.socket b/roles/clients/files/stunnel-nfs-nfs1.socket
new file mode 100644
index 0000000..ebb5a52
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs1.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9060
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/clients/files/stunnel-nfs-nfs1@.service b/roles/clients/files/stunnel-nfs-nfs1@.service
new file mode 100644
index 0000000..c2789f7
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs1@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs1.conf
+StandardInput=socket
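Review bot: `ListenStream=9060` in the stunnel-nfs-nfs1.socket hunk carries no address, so the listener is bound on every interface and any host that can reach TCP/9060 gets a session tunnelled to the NFS server with the client certificate configured in nfs-nfs1.conf; the `hosts.deny` that stunnel.yml creates in the chroot is empty (unless it already exists), so libwrap does not restrict it either. Since this is the client side of the tunnel, presumably feeding a local mount, `ListenStream=127.0.0.1:9060` (plus `ListenStream=[::1]:9060` if loopback IPv6 is needed) limits it to local processes. The nfs2 (9061) and nfs3 (9062) sockets in the next hunks have the same issue.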
diff --git a/roles/clients/files/stunnel-nfs-nfs2.socket b/roles/clients/files/stunnel-nfs-nfs2.socket
new file mode 100644
index 0000000..8666a3e
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs2.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9061
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/clients/files/stunnel-nfs-nfs2@.service b/roles/clients/files/stunnel-nfs-nfs2@.service
new file mode 100644
index 0000000..c82ae04
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs2@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs2.conf
+StandardInput=socket
diff --git a/roles/clients/files/stunnel-nfs-nfs3.socket b/roles/clients/files/stunnel-nfs-nfs3.socket
new file mode 100644
index 0000000..9adee58
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs3.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Socket]
+ListenStream=9062
+Accept=yes
+TimeoutSec=300
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/clients/files/stunnel-nfs-nfs3@.service b/roles/clients/files/stunnel-nfs-nfs3@.service
new file mode 100644
index 0000000..7e69fe1
--- /dev/null
+++ b/roles/clients/files/stunnel-nfs-nfs3@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS client
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfs-nfs3.conf
+StandardInput=socket
diff --git a/roles/clients/tasks/main.yml b/roles/clients/tasks/main.yml
index af417e2..7e2e341 100644
--- a/roles/clients/tasks/main.yml
+++ b/roles/clients/tasks/main.yml
@@ -25,6 +25,9 @@ - name: Configuration du serveur XMPP onion import_tasks: prosody.yml +- name: Configuration stunnel pour nfs + import_tasks: stunnel.yml + - name: Configuration démon Cron import_tasks: cron.yml
diff --git a/roles/clients/tasks/stunnel.yml b/roles/clients/tasks/stunnel.yml
new file mode 100644
index 0000000..6a918c6
--- /dev/null
+++ b/roles/clients/tasks/stunnel.yml
@@ -0,0 +1,48 @@
+- name: Installation config stunnel
+ copy:
+ src: "nfs-{{ item }}.conf"
+ dest: "/etc/stunnel/"
+ mode: 0644
+ loop:
+ - nfs1
+ - nfs2
+ - nfs3
+
+- name: Installation du service systemd
+ copy:
+ src: "stunnel-nfs-{{ item }}@.service"
+ dest: "/etc/systemd/system/"
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - nfs1
+ - nfs2
+ - nfs3
+ notify: reload systemd
+
+- name: Installation du socket systemd
+ copy:
+ src: "stunnel-nfs-{{ item }}.socket"
+ dest: "/etc/systemd/system/"
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - nfs1
+ - nfs2
+ - nfs3
+ notify: reload systemd
+
+- name: Création du répertoire du chroot
+ file:
+ path: /var/stunnel/chroot/etc
+ state: directory
+
+- name: Création des fichiers du chroot
+ file:
+ path: "/var/stunnel/chroot/etc/{{ item }}"
+ state: touch
+ loop:
+ - hosts.allow
+ - hosts.deny |
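Review bot: Nothing in this task file enables or starts the three `stunnel-nfs-*.socket` units it installs; the `[Install] WantedBy=sockets.target` stanza only takes effect after `systemctl enable`, and `notify: reload systemd` re-reads unit files without activating anything, so unless that is done elsewhere in the role the tunnels are never listening after a fresh run. A `systemd` task looped over the same three names, placed after the socket copy, closes that gap. Also, `state: touch` on the last task rewrites the timestamps of `hosts.allow`/`hosts.deny` on every run, so the play always reports changed; `modification_time: preserve` and `access_time: preserve` keep it idempotent, and the chroot directory task would benefit from explicit `owner: root`, `group: root`, `mode: 0755` since stunnel reads it after `setuid = nobody`.
```yaml
# … unchanged: socket copy task …

- name: Activation des sockets stunnel
  systemd:
    name: "stunnel-nfs-{{ item }}.socket"
    enabled: yes
    state: started
    daemon_reload: yes
  loop:
    - nfs1
    - nfs2
    - nfs3

# … unchanged: chroot directory task …

- name: Création des fichiers du chroot
  file:
    path: "/var/stunnel/chroot/etc/{{ item }}"
    state: touch
    modification_time: preserve
    access_time: preserve
  loop:
    - hosts.allow
    - hosts.deny
```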