3 ssl::service { 'debian.org':
5 notify => Service['repro'],
9 ssl::service { 'sip-ws.debian.org':
13 dnsextras::tlsa_record{ 'tlsa-xmpp':
15 certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
16 port => [5061, 5222, 5269],
20 @ferm::rule { 'dsa-xmpp-client-ip4':
22 description => 'XMPP connections (client to server)',
23 rule => 'proto tcp dport (5222) ACCEPT'
25 @ferm::rule { 'dsa-xmpp-client-ip6':
27 description => 'XMPP connections (client to server)',
28 rule => 'proto tcp dport (5222) ACCEPT'
30 @ferm::rule { 'dsa-xmpp-server-ip4':
32 description => 'XMPP connections (server to server)',
33 rule => 'proto tcp dport (5269) ACCEPT'
35 @ferm::rule { 'dsa-xmpp-server-ip6':
37 description => 'XMPP connections (server to server)',
38 rule => 'proto tcp dport (5269) ACCEPT'
41 @ferm::rule { 'dsa-sip-ws-ip4':
43 description => 'SIP connections (WebSocket; for WebRTC)',
44 rule => 'proto tcp dport (443) ACCEPT'
46 @ferm::rule { 'dsa-sip-ws-ip6':
48 description => 'SIP connections (WebSocket; for WebRTC)',
49 rule => 'proto tcp dport (443) ACCEPT'
51 @ferm::rule { 'dsa-sip-tls-ip4':
53 description => 'SIP connections (TLS)',
54 rule => 'proto tcp dport (5061) ACCEPT'
56 @ferm::rule { 'dsa-sip-tls-ip6':
58 description => 'SIP connections (TLS)',
59 rule => 'proto tcp dport (5061) ACCEPT'
61 @ferm::rule { 'dsa-turn-ip4':
63 description => 'TURN connections',
64 rule => 'proto udp dport (3478) ACCEPT'
66 @ferm::rule { 'dsa-turn-ip6':
68 description => 'TURN connections',
69 rule => 'proto udp dport (3478) ACCEPT'
71 @ferm::rule { 'dsa-turn-tls-ip4':
73 description => 'TURN connections (TLS)',
74 rule => 'proto tcp dport (5349) ACCEPT'
76 @ferm::rule { 'dsa-turn-tls-ip6':
78 description => 'TURN connections (TLS)',
79 rule => 'proto tcp dport (5349) ACCEPT'
81 @ferm::rule { 'dsa-rtp-ip4':
83 description => 'RTP streams',
84 rule => 'proto udp dport (49152:65535) ACCEPT'
86 @ferm::rule { 'dsa-rtp-ip6':
88 description => 'RTP streams',
89 rule => 'proto udp dport (49152:65535) ACCEPT'
92 file { '/etc/monit/monit.d/50rtc':