1 class roles::security_mirror {
2 include roles::archvsync_base
5 # 198.108.67.48 DoS against our rsync service
6 @ferm::rule { 'dsa-security-abusers':
8 rule => "saddr ( 198.108.67.48/32 ) DROP",
11 $binds = $::hostname ? {
12 mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
13 mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
14 mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
15 schmelzer => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
16 default => [ '[::]' ],
19 include apache2::expires
20 include apache2::rewrite
22 apache2::site { '010-security.debian.org':
23 site => 'security.debian.org',
24 content => template('roles/security_mirror/security.debian.org.erb')
27 $mirrors = hiera('roles.security_mirror', {})
28 $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
29 $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
31 roles::mirror_health { 'security':
32 check_hosts => $hosts_to_check,
33 check_service => 'security',
34 url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
35 health_url => 'http://security.backend.mirrors.debian.org/_health',
38 rsync::site { 'security':
39 source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
44 $onion_v4_addr = hiera("roles.security_mirror", {})
45 .dig($::fqdn, 'onion_v4_address')
47 onion::service { 'security.debian.org':
50 target_address => $onion_v4_addr,