a949cfe39dcad3b3413c7a350c5e42aa41a420e5
[mirror/dsa-puppet.git] / modules / roles / manifests / security_mirror.pp
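# Configures a host as a security.debian.org mirror.
#
# Declares, in order: the archvsync base role, a firewall drop rule for a
# known abusive source, the Apache vhost, the mirror health check, the rsync
# site and, where hiera provides an address for this host, an onion service.
#
# Variable names and statement order are kept as they are because the ERB
# template rendered below is evaluated in this class's scope and may read
# them (the template itself is not visible here).
class roles::security_mirror {
  include roles::archvsync_base

  # security abusers
  #  198.108.67.48 DoS against our rsync service
  #
  # NOTE(review): this is a virtual resource (single '@'), so the DROP rule
  # only takes effect on nodes where ferm::rule resources are realized --
  # confirm the ferm module collects it. The rule matches an IPv4 source
  # address only.
  @ferm::rule { 'dsa-security-abusers':
    prio => '005',
    rule => 'saddr ( 198.108.67.48/32 ) DROP',
  }

  # Per-host listen addresses handed to rsync::site below. Hosts that are
  # not listed fall back to the IPv6 wildcard '[::]'.
  $binds = $::hostname ? {
    'mirror-anu' => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
    'mirror-isc' => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
    'mirror-umn' => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
    'schmelzer'  => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
    default      => [ '[::]' ],
  }

  include apache2::expires
  include apache2::rewrite

  apache2::site { '010-security.debian.org':
    site    => 'security.debian.org',
    content => template('roles/security_mirror/security.debian.org.erb'),
  }

  # Iterating a hash with a one-parameter lambda yields [key, value] pairs,
  # so $h[1] is the per-mirror settings hash. Only mirrors flagged as a
  # fastly backend are health-checked, by their service hostname.
  $mirrors = hiera('roles.security_mirror', {})
  $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
  $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }

  # Both probe URLs are plain HTTP.
  # NOTE(review): what roles::mirror_health does with the responses is not
  # visible here -- confirm it does not treat the unauthenticated Release
  # body as trusted input.
  roles::mirror_health { 'security':
    check_hosts   => $hosts_to_check,
    check_service => 'security',
    url           => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
    health_url    => 'http://security.backend.mirrors.debian.org/_health',
  }

  # max_clients is presumably the rsyncd connection cap -- TODO confirm in
  # rsync::site. It is the only limit on the rsync service set in this class.
  rsync::site { 'security':
    source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
    max_clients => 100,
    binds       => $binds,
  }

  # Reuse the hiera result already held in $mirrors rather than looking the
  # same key up a second time. dig() returns undef when this host has no
  # onion_v4_address entry, in which case no onion service is declared.
  $onion_v4_addr = $mirrors.dig($::fqdn, 'onion_v4_address')
  if $onion_v4_addr {
    onion::service { 'security.debian.org':
      port           => 80,
      target_port    => 80,
      target_address => $onion_v4_addr,
    }
  }
}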