2 # @param syncproxy_name the service name of this syncproxy
3 # @param listen_addr IP addresses that rsync and apache listen on, and that ssh triggers originate from
4 class roles::syncproxy(
5 String $syncproxy_name,
# Each entry is type-checked as Stdlib::IP::Address. The default is an empty
# list, which the empty($listen_addr) selectors in this class treat as
# "no explicit addresses configured".
6 Array[Stdlib::IP::Address] $listen_addr = [],
# Declares roles::archvsync_base alongside this class; its contents are not
# part of this listing.
8 include roles::archvsync_base
# Bind-address lists for rsync and apache, derived from $listen_addr.
# Only the non-empty branch is visible in this listing: the addresses are
# passed through enclose_ipv6() (puppetlabs-stdlib: wraps IPv6 addresses in
# square brackets). The value chosen when $listen_addr is empty is not shown.
10 $enclosed_addresses_rsync = empty($listen_addr) ? {
12 default => enclose_ipv6($listen_addr),
14 $enclosed_addresses_apache = empty($listen_addr) ? {
16 default => enclose_ipv6($listen_addr),
# Source addresses used as saddr in the exported ferm rule of this class,
# i.e. the addresses other hosts are asked to accept ssh from.
# With no listen addresses configured this falls back to
# $base::public_addresses; otherwise exactly $listen_addr is used.
# NOTE(review): the fallback widens the allowed ssh sources to every public
# address of the host. Confirm that is intended for hosts without listen_addr.
18 $ssh_source_addresses = empty($listen_addr) ? {
19 true => $base::public_addresses,
20 default => $listen_addr,
# NOTE(review): hiera() is the legacy lookup function; lookup() is its
# replacement in current Puppet releases.
# $mirror_basedir_prefix is not referenced in the visible manifest lines.
# Presumably one of the ERB templates reads it; confirm.
23 $mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
# NOTE(review): the attributes of this resource are not visible in this
# listing. The path suggests an rsync daemon secrets file. Confirm that owner
# and mode restrict read access to the account the rsync daemon runs as, and
# that the content is not sourced from a world-readable location.
29 file { '/etc/rsyncd/debian.secrets':
# ssl::service resource titled with the syncproxy service name. A change to
# it sends a refresh to Exec['service apache2 reload'], which is declared
# outside this listing. Other attributes, if any, are not visible here.
37 ssl::service { $syncproxy_name:
38 notify => Exec['service apache2 reload'],
# Apache site definition for syncproxy.debian.org, rendered from an ERB
# template. $enclosed_addresses_apache is not referenced in the visible
# manifest lines. Presumably this template reads it; confirm.
41 apache2::site { '010-syncproxy.debian.org':
42 site => 'syncproxy.debian.org',
43 content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
# File resources for the site root and its htdocs directory. Their attributes
# (ensure, owner, mode) are not visible in this listing.
46 file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
# Index page served from htdocs, rendered from an ERB template.
50 file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
51 content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
# rsync daemon site 'syncproxy': configuration comes from the rsyncd.conf ERB
# template, the daemon binds to $enclosed_addresses_rsync, and sslname is set
# to the syncproxy service name.
# NOTE(review): module-level access control (users, secrets file, allowed
# hosts) is presumably defined in the template, which is not part of this
# listing. Review it together with this resource.
54 rsync::site { 'syncproxy':
55 content => template('roles/syncproxy/rsyncd.conf.erb'),
56 binds => $enclosed_addresses_rsync,
57 sslname => $syncproxy_name,
61 # ssh firewalling setup
# Exported (@@) ferm rule: it is not applied through this declaration but
# stored for collection by nodes that collect the tag
# 'ssh::server::from::syncproxy'. The title embeds this node's fqdn so each
# syncproxy exports its own rule. saddr is $ssh_source_addresses, so
# collecting hosts accept ssh from $listen_addr, or from
# $base::public_addresses when $listen_addr is empty.
# NOTE(review): the port/protocol attributes of the rule are not visible in
# this listing. Confirm the rule is limited to the ssh port.
63 @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
64 tag => 'ssh::server::from::syncproxy',
65 description => 'Allow ssh access from a syncproxy',
67 saddr => $ssh_source_addresses,
69 # syncproxies should be accessible from various role hosts
# Exported-resource collector: realizes on this node every exported
# Ferm::Rule::Simple carrying one of the four tags below. This includes the
# 'ssh::server::from::syncproxy' rules exported by this class, so syncproxies
# also accept ssh from each other.
# NOTE(review): the saddr of each collected rule is whatever the exporting
# node declared, so these firewall openings are only as trustworthy as the
# set of nodes able to export resources with these tags.
# The closing of the collector is not visible in this listing.
70 Ferm::Rule::Simple <<|
71 tag == 'ssh::server::from::syncproxy' or
72 tag == 'ssh::server::from::ftp_master' or
73 tag == 'ssh::server::from::ports_master' or
74 tag == 'ssh::server::from::security_master'