Getting started

debops.stunnel does not create any tunnels by default, they need to be defined by the user. A natural place for them is usually a host group in Ansible inventory.

Example inventory

As an example, let's create an encrypted tunnel between two hosts, one of which acts as a MySQL server, and other is a client which connects through the tunnel to the server.

This is an example Ansible hosts file, located in inventory/hosts. It defines two host groups:

[mysql_encrypted_tunnel]
dbserver
dbclient

[debops_mysql]
dbserver

[debops_stunnel:children]
mysql_encrypted_tunnel

in inventory/group_vars/mysql_encrypted_tunnel/stunnel.yml you should define your MySQL tunnel connection:

---
stunnel_services:
  - name: 'mysql-ssl-tunnel'

    server_accept:  '3307'
    server_connect: '3306'

    client_accept:  '3306'
    client_connect: 'dbserver:3307'

debops.stunnel will try and select the correct host as a server/client automatically, using a number of factors. By default all hosts are treated as clients; if automatic detection of a server fails, you will be able to override it.

This configuration sets up only stunnel4 service, configuration of the firewall and TCP wrappers can be performed using additional configuration parameters. See Guides and examples for more details.

Example playbook

This is an example playbook which can be used to configure stunnel on all hosts that use it - they should be present in [debops_stunnel] group, either directly or indirectly via a child group:

---
- name: Manage stunnel connections
  hosts: debops_stunnel

  roles:
    - role: debops.stunnel
      tags: stunnel