stop using virtual resources for ferm::rule
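# roles::rtc -- Debian RTC (real-time communication) host.
#
# Manages:
#   * service certificates/keys for debian.org and sip-ws.debian.org,
#   * a TLSA record for the XMPP/SIP-TLS ports,
#   * ferm firewall rules for XMPP, SIP (TLS and WebSocket), TURN and RTP,
#   * the repro service (SIP) and its systemd override,
#   * a local freeradius instance whose rtc site/module config and the
#     repro-side RADIUS client file share a password derived with hkdf()
#     from the puppet secret.
class roles::rtc {

	# tlsaport is empty here, presumably so that ssl::service emits no
	# generic TLSA record for this certificate (the XMPP/SIP one is
	# declared explicitly below) -- confirm against ssl::service.
	ssl::service { 'debian.org':
		tlsaport => [],
		notify   => Service['repro'],
		key      => true,
	}

	ssl::service { 'sip-ws.debian.org':
		notify  => Service['repro'],
		key     => true,
	}

	# TLSA record covering SIP over TLS (5061) and XMPP c2s/s2s (5222, 5269).
	# NOTE(review): the record is generated from www.debian.org.crt while the
	# ssl::service above is for 'debian.org'; confirm both refer to the same
	# certificate, otherwise the published TLSA hash will not match what the
	# server presents.  Ports 443 (SIP over WebSocket) and 5349 (TURN over
	# TLS) are opened below but carry no TLSA record here -- verify whether
	# that is intended.
	dnsextras::tlsa_record{ 'tlsa-xmpp':
		zone     => 'debian.org',
		certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
		port     => [5061, 5222, 5269],
		hostname => $::fqdn,
	}

	# Firewall: one 'ip' and one 'ip6' ferm::rule per service so that
	# both address families are opened identically.
	ferm::rule { 'dsa-xmpp-client-ip4':
		domain      => 'ip',
		description => 'XMPP connections (client to server)',
		rule        => 'proto tcp dport (5222) ACCEPT'
	}
	ferm::rule { 'dsa-xmpp-client-ip6':
		domain      => 'ip6',
		description => 'XMPP connections (client to server)',
		rule        => 'proto tcp dport (5222) ACCEPT'
	}
	ferm::rule { 'dsa-xmpp-server-ip4':
		domain      => 'ip',
		description => 'XMPP connections (server to server)',
		rule        => 'proto tcp dport (5269) ACCEPT'
	}
	ferm::rule { 'dsa-xmpp-server-ip6':
		domain      => 'ip6',
		description => 'XMPP connections (server to server)',
		rule        => 'proto tcp dport (5269) ACCEPT'
	}

	ferm::rule { 'dsa-sip-ws-ip4':
		domain      => 'ip',
		description => 'SIP connections (WebSocket; for WebRTC)',
		rule        => 'proto tcp dport (443) ACCEPT'
	}
	ferm::rule { 'dsa-sip-ws-ip6':
		domain      => 'ip6',
		description => 'SIP connections (WebSocket; for WebRTC)',
		rule        => 'proto tcp dport (443) ACCEPT'
	}
	ferm::rule { 'dsa-sip-tls-ip4':
		domain      => 'ip',
		description => 'SIP connections (TLS)',
		rule        => 'proto tcp dport (5061) ACCEPT'
	}
	ferm::rule { 'dsa-sip-tls-ip6':
		domain      => 'ip6',
		description => 'SIP connections (TLS)',
		rule        => 'proto tcp dport (5061) ACCEPT'
	}
	ferm::rule { 'dsa-turn-ip4':
		domain      => 'ip',
		description => 'TURN connections',
		rule        => 'proto udp dport (3478) ACCEPT'
	}
	ferm::rule { 'dsa-turn-ip6':
		domain      => 'ip6',
		description => 'TURN connections',
		rule        => 'proto udp dport (3478) ACCEPT'
	}
	ferm::rule { 'dsa-turn-tls-ip4':
		domain      => 'ip',
		description => 'TURN connections (TLS)',
		rule        => 'proto tcp dport (5349) ACCEPT'
	}
	ferm::rule { 'dsa-turn-tls-ip6':
		domain      => 'ip6',
		description => 'TURN connections (TLS)',
		rule        => 'proto tcp dport (5349) ACCEPT'
	}
	# Media relay: the whole dynamic/ephemeral UDP range is opened for RTP.
	ferm::rule { 'dsa-rtp-ip4':
		domain      => 'ip',
		description => 'RTP streams',
		rule        => 'proto udp dport (49152:65535) ACCEPT'
	}
	ferm::rule { 'dsa-rtp-ip6':
		domain      => 'ip6',
		description => 'RTP streams',
		rule        => 'proto udp dport (49152:65535) ACCEPT'
	}

	# Leftover monit snippet from an earlier setup; keep it removed.
	file { '/etc/monit/monit.d/50rtc':
		ensure  => absent,
	}

	service { 'repro':
		ensure  => running,
	}
	# Start repro only once the network is actually up.
	dsa_systemd::override { 'repro':
		content  => @("EOF"),
			[Unit]
			After=network-online.target
			| EOF
	}

	# Local RADIUS server used by repro for authentication.
	package { 'freeradius':
		ensure  => installed,
	}
	# The service does not autorequire the package; order it explicitly so
	# a fresh host does not try to start freeradius before it is installed.
	service { 'freeradius':
		ensure  => running,
		require => Package['freeradius'],
	}

	# Per-host shared secret between repro and freeradius.  It ends up in
	# the rtc site template and in /etc/repro/radius-servers, which is why
	# both are restricted to mode 0440 and the owning service group.
	$radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")

	# freeradius configuration.  Every config file requires the package
	# (so the /etc/freeradius/3.0 tree exists on first run) and notifies the
	# service; without the notify, a changed site, module or password would
	# only take effect after a manual restart.
	file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
		content => template('roles/rtc/freeradius-rtc.erb'),
		mode    => '0440',
		group   => freerad,
		require => Package['freeradius'],
		notify  => Service['freeradius'],
	}
	file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
		ensure  => link,
		target  => '../sites-available/rtc.debian.org',
		require => Package['freeradius'],
		notify  => Service['freeradius'],
	}
	file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
		source  => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
		mode    => '0440',
		group   => freerad,
		require => Package['freeradius'],
		notify  => Service['freeradius'],
	}
	file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
		ensure  => link,
		target  => '../mods-available/passwd_rtc',
		require => Package['freeradius'],
		notify  => Service['freeradius'],
	}
	# repro's RADIUS client configuration: server, client name and secret.
	file { '/etc/repro/radius-servers':
		content => inline_template('localhost/localhost <%= @radius_password %>'),
		mode    => '0440',
		group   => repro,
		notify  => Service['repro'],
	}
	# Only the rtc site should be served; disable the stock sites.
	file { '/etc/freeradius/3.0/sites-enabled/default':
		ensure  => absent,
		require => Package['freeradius'],
		notify  => Service['freeradius'],
	}
	file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
		ensure  => absent,
		require => Package['freeradius'],
		notify  => Service['freeradius'],
	}
}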