feat: stunnel on ovh1 reverse proxy (proxy1)

openfoodfacts · Jan 5, 2024 · 0864392 · 0864392
1 parent d797e7c
commit 0864392
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/confs/ovh1-reverse-proxy/stunnel/off.conf b/confs/ovh1-reverse-proxy/stunnel/off.conf
@@ -0,0 +1,20 @@
+# Stunnel configuration for off services
+# /usr/share/doc/stunnel4/examples/stunnel.conf-sample
+
+# we need this to run it smoothly with systemd
+foreground = yes
+# drop root
+setuid = stunnel4
+setgid = stunnel4
+# use an identified pid - must match systemd service RuntimeDirectory
+pid = /var/run/stunnel-off/stunnel.pid
+
+# connecting to mongodb on off1
+[MongoDB]
+client = yes
+accept = 27017
+connect = proxy2.openfoodfacts.org:27017
+ciphers = PSK
+# this file and directory are private
+PSKsecrets = /etc/stunnel/psk/mongodb-psk.txt
+
diff --git a/confs/ovh1-reverse-proxy/systemd/system/stunnel.target b/confs/ovh1-reverse-proxy/systemd/system/stunnel.target
@@ -0,0 +1,6 @@
+[Unit]
+Description=TLS tunnels for network services - per-config-file target
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/confs/ovh1-reverse-proxy/systemd/system/stunnel@.service b/confs/ovh1-reverse-proxy/systemd/system/stunnel@.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=TLS tunnel for network daemons - per-config-file service
+Documentation=man:stunnel4(8)
+PartOf=stunnel.target
+
+[Service]
+ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
+PrivateTmp=yes
+
+# we need to enable putting pit file in runtime directory, with right permissions
+# while still starting as root (needed by stunnel)
+Group=stunnel4
+RuntimeDirectory=stunnel-%i
+RuntimeDirectoryMode=0775
+
+
+[Install]
+WantedBy=multi-user.target