A private mutual-TLS PKI securing the tunnels between pomelo and ansible-managed servers. Used for the SOCKS5 proxy, the notes API, and the notes MCP endpoint.
Certificates live in ~/ssl/C/ on pomelo. The current certs expire 2035-09-02. Do not confuse this with the Let's Encrypt certs used by Apache — those are separate and managed by certbot.
Each managed server runs stunnel in server mode, authenticating itself with the CA cert. Pomelo runs stunnel in client mode, presenting a client cert signed by the same CA. Both sides require mutual authentication (verify = 2).
Server setup is automated via ansible (setup_server.yml --tags stunnel). Client setup on pomelo is manual.
| Service | Pomelo stunnel listens on | Server stunnel listens on | Server stunnel forwards to |
|---|---|---|---|
| SOCKS5 proxy | localhost:1080 | server:11080 | 127.0.0.1:1080 (microsocks) |
| Notes API | localhost:8021 | server:18021 | 127.0.0.1:8020 (gdata-server) |
| Notes MCP | localhost:8023 | server:18023 | 127.0.0.1:8023 (gdata-mcp-server) |
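To make the two-sided setup concrete, here is an illustrative stunnel config pair for the Notes API tunnel from the table above. It is an added example, not the config from ssl/pki or the ansible role; the file paths, cert file names and the hostname `server.example` are placeholders.

```ini
; ===== Server side (a managed host), one file such as /etc/stunnel/notes-api.conf =====
; Paths and file names below are assumed; ssl/pki documents the real ones.
; The cert this server presents to pomelo.
cert   = /etc/stunnel/server.crt
key    = /etc/stunnel/server.key
; The private CA. With verify = 2 stunnel refuses any client that does not
; present a cert chaining to this CA, so the backend on 8020 is unreachable
; without a valid client cert.
CAfile = /etc/stunnel/ca.crt
verify = 2

[notes-api]
; TLS listener reached by pomelo (bound on all interfaces by default).
accept  = 18021
; Plain-text gdata-server, loopback only, never exposed directly.
connect = 127.0.0.1:8020

; ===== Client side (pomelo), one file such as /home/USER/ssl/C/stunnel-client.conf =====
; stunnel does not expand ~, so use the absolute path to ~/ssl/C (USER is a placeholder).
client = yes
; The client cert signed by the same CA.
cert   = /home/USER/ssl/C/client.crt
key    = /home/USER/ssl/C/client.key
; verify = 2 on this side makes pomelo reject a server whose cert does not
; chain to the private CA, so a spoofed endpoint cannot capture notes traffic.
CAfile = /home/USER/ssl/C/ca.crt
verify = 2

[notes-api]
; Local apps talk plain HTTP to this loopback port.
accept  = 127.0.0.1:8021
; The managed server's TLS listener from the table (hostname is a placeholder).
connect = server.example:18021
; Optional: also pin the expected name in the server cert (value assumed).
;checkHost = server.example
```

The same pattern applies to the SOCKS5 and Notes MCP services by changing only the accept/connect ports from the table; stunnel treats a line as a comment only when it starts with `;` or `#`, so comments must not trail a value.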
Related documents:

- ssl/pki — certificate hierarchy, file locations, server and client configs, new-server setup procedure.
- ssl/create-certs — openssl commands to regenerate the CA and client cert (runnable).
- ansible — playbooks; setup_server.yml --tags stunnel deploys the server side.
- john/system-config/socks5 — how to use the SOCKS5 tunnel and the s5pin local port forwarder.