forked from opdude/stunnel-formula
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathpillar.example
66 lines (61 loc) · 2.04 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
stunnel:
# These have defaults set by grains filtering in map.jinja
lookup:
package: stunnel4
service: stunnel4
user: stunnel4
group: stunnel4
home: /var/lib/stunnel4
conf_dir: /etc/stunnel
log_dir: /var/log/stunnel
pid: /var/run/stunnel.pid
debug: notice
# Set certificates_auto_config to false if you do not want to use
# the automated certificates configuration from this formula.
# Also, this will unset verifyChain and verifyPeer.
# You will then be able to manage those settings manually in the service
# section
certificates_auto_config: true
service_defaults:
# Use this to override service_defaults.yaml
# The presence of these files per service is MANDATORY unless
# you have set certificates_auto_config to false.
# Managing these files is currently out of scope of this formula.
# (Have a look at map.jinja to get your OS'es paths.)
cert: /etc/stunnel/tls/${service_name}.crt
key: /etc/stunnel/tls/${service_name}.key
CAfile: /etc/stunnel/tls/${service_name}.ca
# in example:
# `true` and `false` work too
# verifyChain: 'yes'
# verifyPeer: true
# for old versions of stunnel: set to None to get rid
# of those settings (or use the default)
# verifyChain: null
# verifyPeer: null
# verify: 2
# The idea is to provide a secure default which you can later
# adjust by selectively altering or deactivating certain settings.
# (See below.)
config:
services:
graphite-server:
client: 'no'
accept: '12003'
connect: '127.0.0.1:2003'
# These two strongly depend on your security model
verifyChain: 'yes'
verifyPeer: 'yes'
debug: notice
checkHost: myhostname
checkIP: 192.168.0.1
graphite-client:
client: 'yes'
accept: '127.0.0.1:2003'
connect: 'example.com:12003'
# to deactivate
verifyChain: 'no'
verifyPeer: 'no'