dsa-rsync-ssl ferm on v6 also
[mirror/dsa-puppet.git] / modules / roles / manifests / syncproxy.pp
1 class roles::syncproxy {
2         $bind = $::hostname ? {
3                 'milanollo' => '5.153.231.9',
4                 'mirror-anu' => '150.203.164.60',
5                 'mirror-isc' => '149.20.20.21',
6                 'mirror-umn' => '128.101.240.216',
7                 'klecker' => '130.89.148.10',
8                 default => ''
9         }
10         $bind6 = $::hostname ? {
11                 'milanollo' => '2001:41c8:1000:21::21:9',
12                 'mirror-anu' => '2001:388:1034:2900::3c',
13                 'mirror-isc' => '2001:4f8:8:36::1deb:21',
14                 'mirror-umn' => '2607:ea00:101:3c0b::1deb:216',
15                 'klecker' => '2001:610:1908:b000::148:10',
16                 default => ''
17         }
18         $syncproxy_name = $::hostname ? {
19                 'milanollo' => 'syncproxy3.eu.debian.org',
20                 'mirror-anu' => 'syncproxy.au.debian.org',
21                 'mirror-isc' => 'syncproxy2.wna.debian.org',
22                 'mirror-umn' => 'syncproxy.cna.debian.org',
23                 'klecker' => 'syncproxy2.eu.debian.org',
24                 default => 'unknown'
25         }
26
27         rsync::site { 'syncproxy':
28                 content => template('roles/syncproxy/rsyncd.conf.erb'),
29                 bind    => $bind,
30                 bind6   => $bind6,
31         }
32
33         file { '/etc/rsyncd':
34                 ensure => 'directory'
35         }
36
37         file { '/etc/rsyncd/debian.secrets':
38                 owner => 'root',
39                 group => 'mirroradm',
40                 mode => 0660,
41         }
42
43         if $::apache2 and $syncproxy_name != 'unknown' {
44                 include apache2::ssl
45                 ssl::service { "$syncproxy_name": notify => Service['apache2'], key => true, }
46                 apache2::site { '010-syncproxy.debian.org':
47                         site   => 'syncproxy.debian.org',
48                         content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
49                 }
50
51                 file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
52                         ensure  => directory,
53                         mode    => '0755',
54                 }
55                 file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
56                         content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
57                 }
58
59                 file { '/etc/rsyncd-syncproxy-stunnel.conf':
60                         content => template('roles/syncproxy/rsyncd-syncproxy-stunnel.conf.erb')
61                 }
62                 xinetd::service { "rsync-syncproxy-ssl":
63                         bind        => $bind,
64                         id          => "syncproxy-rsync-ssl",
65                         server      => '/usr/bin/stunnel4',
66                         service     => 'rsync-ssl',
67                         type        => 'UNLISTED',
68                         port        => '1873',
69                         server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
70                         ferm        => false,
71                         instances   => 50,
72                         require     => File["/etc/rsyncd-syncproxy-stunnel.conf"],
73                 }
74
75                 if $bind6 != '' {
76                         xinetd::service { "rsync-syncproxy-ssl6":
77                                 bind        => $bind6,
78                                 id          => "syncproxy-rsync-ssl",
79                                 server      => '/usr/bin/stunnel4',
80                                 service     => 'rsync-ssl',
81                                 type        => 'UNLISTED',
82                                 port        => '1873',
83                                 server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
84                                 ferm        => false,
85                                 instances   => 50,
86                                 require     => File["/etc/rsyncd-syncproxy-stunnel.conf"],
87                         }
88                 }
89
90                 @ferm::rule { "dsa-rsync-ssl":
91                         domain      => '(ip ip6)',
92                         description => "Allow traffic to rsync ssl",
93                         rule        => "&SERVICE(tcp, 1873)"
94                 }
95         }
96 }