3 ssl::service { 'www.debian.org':
5 notify => Service['repro'],
8 ssl::service { 'sip-ws.debian.org':
11 dnsextras::tlsa_record{ 'tlsa-xmpp':
13 certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
14 port => [5061, 5222, 5269],
18 @ferm::rule { 'dsa-xmpp-client-ip4':
20 description => 'XMPP connections (client to server)',
21 rule => 'proto tcp dport (5222) ACCEPT'
23 @ferm::rule { 'dsa-xmpp-client-ip6':
25 description => 'XMPP connections (client to server)',
26 rule => 'proto tcp dport (5222) ACCEPT'
28 @ferm::rule { 'dsa-xmpp-server-ip4':
30 description => 'XMPP connections (server to server)',
31 rule => 'proto tcp dport (5269) ACCEPT'
33 @ferm::rule { 'dsa-xmpp-server-ip6':
35 description => 'XMPP connections (server to server)',
36 rule => 'proto tcp dport (5269) ACCEPT'
39 @ferm::rule { 'dsa-sip-ws-ip4':
41 description => 'SIP connections (WebSocket; for WebRTC)',
42 rule => 'proto tcp dport (443) ACCEPT'
44 @ferm::rule { 'dsa-sip-ws-ip6':
46 description => 'SIP connections (WebSocket; for WebRTC)',
47 rule => 'proto tcp dport (443) ACCEPT'
49 @ferm::rule { 'dsa-sip-tls-ip4':
51 description => 'SIP connections (TLS)',
52 rule => 'proto tcp dport (5061) ACCEPT'
54 @ferm::rule { 'dsa-sip-tls-ip6':
56 description => 'SIP connections (TLS)',
57 rule => 'proto tcp dport (5061) ACCEPT'
59 @ferm::rule { 'dsa-turn-ip4':
61 description => 'TURN connections',
62 rule => 'proto udp dport (3478) ACCEPT'
64 @ferm::rule { 'dsa-turn-ip6':
66 description => 'TURN connections',
67 rule => 'proto udp dport (3478) ACCEPT'
69 @ferm::rule { 'dsa-turn-tls-ip4':
71 description => 'TURN connections (TLS)',
72 rule => 'proto tcp dport (5349) ACCEPT'
74 @ferm::rule { 'dsa-turn-tls-ip6':
76 description => 'TURN connections (TLS)',
77 rule => 'proto tcp dport (5349) ACCEPT'
79 @ferm::rule { 'dsa-rtp-ip4':
81 description => 'RTP streams',
82 rule => 'proto udp dport (49152:65535) ACCEPT'
84 @ferm::rule { 'dsa-rtp-ip6':
86 description => 'RTP streams',
87 rule => 'proto udp dport (49152:65535) ACCEPT'
90 file { '/etc/monit/monit.d/50rtc':