3 ssl::service { 'www.debian.org':
5 notify => Service['repro'],
8 ssl::service { 'sip-ws.debian.org':
12 dnsextras::tlsa_record{ 'tlsa-xmpp':
14 certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
15 port => [5061, 5222, 5269],
19 @ferm::rule { 'dsa-xmpp-client-ip4':
21 description => 'XMPP connections (client to server)',
22 rule => 'proto tcp dport (5222) ACCEPT'
24 @ferm::rule { 'dsa-xmpp-client-ip6':
26 description => 'XMPP connections (client to server)',
27 rule => 'proto tcp dport (5222) ACCEPT'
29 @ferm::rule { 'dsa-xmpp-server-ip4':
31 description => 'XMPP connections (server to server)',
32 rule => 'proto tcp dport (5269) ACCEPT'
34 @ferm::rule { 'dsa-xmpp-server-ip6':
36 description => 'XMPP connections (server to server)',
37 rule => 'proto tcp dport (5269) ACCEPT'
40 @ferm::rule { 'dsa-sip-ws-ip4':
42 description => 'SIP connections (WebSocket; for WebRTC)',
43 rule => 'proto tcp dport (443) ACCEPT'
45 @ferm::rule { 'dsa-sip-ws-ip6':
47 description => 'SIP connections (WebSocket; for WebRTC)',
48 rule => 'proto tcp dport (443) ACCEPT'
50 @ferm::rule { 'dsa-sip-tls-ip4':
52 description => 'SIP connections (TLS)',
53 rule => 'proto tcp dport (5061) ACCEPT'
55 @ferm::rule { 'dsa-sip-tls-ip6':
57 description => 'SIP connections (TLS)',
58 rule => 'proto tcp dport (5061) ACCEPT'
60 @ferm::rule { 'dsa-turn-ip4':
62 description => 'TURN connections',
63 rule => 'proto udp dport (3478) ACCEPT'
65 @ferm::rule { 'dsa-turn-ip6':
67 description => 'TURN connections',
68 rule => 'proto udp dport (3478) ACCEPT'
70 @ferm::rule { 'dsa-turn-tls-ip4':
72 description => 'TURN connections (TLS)',
73 rule => 'proto tcp dport (5349) ACCEPT'
75 @ferm::rule { 'dsa-turn-tls-ip6':
77 description => 'TURN connections (TLS)',
78 rule => 'proto tcp dport (5349) ACCEPT'
80 @ferm::rule { 'dsa-rtp-ip4':
82 description => 'RTP streams',
83 rule => 'proto udp dport (49152:65535) ACCEPT'
85 @ferm::rule { 'dsa-rtp-ip6':
87 description => 'RTP streams',
88 rule => 'proto udp dport (49152:65535) ACCEPT'
91 file { '/etc/monit/monit.d/50rtc':