Default variables

Tunnel connections

stunnel_services

List of client-server tunnels configurd by debops.stunnel See stunnel_services for more details.

stunnel_services: []
stunnel_server

List of hostnames, CNAMEs or service names which indicate that this host should be configured as a stunnel server.

stunnel_server: []
stunnel_server_addresses

List of hostnames, IP addresses and FQDN domains configured on a given server. If any entries here are included in item.client_connect, a given host will be configured as the stunnel server, otherwise it will be configured as stunnel client.

stunnel_server_addresses: '{{ [ ansible_hostname, ansible_fqdn ] +
                                ansible_all_ipv4_addresses|d([]) +
                                ansible_all_ipv6_addresses|d([]) +
                                stunnel_server }}'

SSL, PKI and encryption

stunnel_ssl_ciphers

List of SSL ciphers used by stunnel

stunnel_ssl_ciphers: 'ALL:ECDHE:!SSLv3:!SSLv2:!kEDH:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!RC4:RSA:HIGH'
stunnel_ssl_curve

Elliptic Curve used by stunnel

stunnel_ssl_curve: 'prime256v1'
stunnel_ssl_verify

What level of scrutiny should stunnel use to check validity of a client/server certificate. See stunnel4(8) for more details.

stunnel_ssl_verify: '2'
stunnel_ssl_check_crl

Should stunnel use CRL to check validity of the certificate?

stunnel_ssl_check_crl: False
stunnel_pki

Enable or disable support for PKI/SSL/TLS in stunnel, managed by debops.pki role

stunnel_pki: '{{ (True if (ansible_local|d() and ansible_local.pki|d() and
                           ansible_local.pki.enabled|d()) else False) | bool }}'
stunnel_pki_path

PKI base directory

stunnel_pki_path: '{{ ansible_local.pki.base_path
                      if (ansible_local|d() and ansible_local.pki|d())
                      else "/etc/pki" }}'
stunnel_pki_realm

PKI realm to use for stunnel

stunnel_pki_realm: '{{ ansible_local.pki.realm
                       if (ansible_local|d() and ansible_local.pki|d())
                       else "system" }}'
stunnel_pki_ca

CA certificate to use, relative to stunnel_pki_realm variable

stunnel_pki_ca: 'CA.crt'
stunnel_pki_crl

Certificate Revocation List file to use, relative to stunnel_pki_realm variable

stunnel_pki_crl: 'default.crl'
stunnel_pki_crt

Certificate file to use, relative to stunnel_pki_crt variable

stunnel_pki_crt: 'default.crt'
stunnel_pki_key

Private key file to use, relative to stunnel_pki_key variable

stunnel_pki_key: 'default.key'

Other options

stunnel_options

Additional options added to all tunnel configuration files, specified as a YAML text block

stunnel_options: ''
stunnel_debug

Debug level, determines log verbosity

stunnel_debug: '4'