# rsync::site - one socket-activated rsync daemon instance ("rsyncd-${name}"),
# optionally fronted by stunnel so that the same module set is also reachable
# over TLS on tcp/1873.
#
# Parameters:
#   $binds       - listen addresses; not referenced in this manifest, presumably
#                  read by the ERB unit templates through scope (verify there)
#   $source      - puppet source for /etc/rsyncd-${name}.conf
#   $content     - literal content for /etc/rsyncd-${name}.conf; $source and
#                  $content are both handed to the file resource unchanged
#   $max_clients - connection limit; like $binds, only the templates use it
#   $ensure      - 'present' or 'absent'; drives every managed file and unit
#                  and the state of the stunnel socket service
#   $sslname     - when set, also manage the stunnel wrapper, its systemd units,
#                  the ferm opening for tcp/1873 and a TLSA record for ${sslname};
#                  requires File["/etc/ssl/debian/certs/${sslname}.crt-chained"]
#                  to be declared elsewhere
#
# NOTE(review): ferm::rule and dnsextras::tlsa_record below receive no ensure,
# so with ensure => absent the firewall opening and the TLSA record stay in
# place; pass $ensure through if those defines accept it.  Neither config file
# notifies a service; whether running instances re-read them depends on the
# unit templates, which are not visible here.
define rsync::site (
	$binds=['[::]'],
	$source=undef,
	$content=undef,
	$max_clients=200,
	Enum['present','absent'] $ensure = 'present',
	$sslname=undef,
) {
	include rsync

	# Names kept verbatim: the ERB templates may read them through scope.
	$fname_real_rsync = "/etc/rsyncd-${name}.conf"
	$fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"

	# Translate present/absent into the service's running state and
	# boot-time enablement; $ensure is constrained to these two values.
	if $ensure == 'present' {
		$ensure_service = 'running'
		$ensure_enable = true
	} else {
		$ensure_service = 'stopped'
		$ensure_enable = false
	}

	file { $fname_real_rsync:
		ensure  => $ensure,
		content => $content,
		source  => $source,
	}

	# Plain rsync: socket + service units come from the module's templates
	# and are only installed once the daemon config exists.
	dsa_systemd::socket_service { "rsyncd-${name}":
		ensure          => $ensure,
		service_content => template('rsync/systemd-rsyncd.service.erb'),
		socket_content  => template('rsync/systemd-rsyncd.socket.erb'),
		require         => File[$fname_real_rsync],
	}

	if $sslname {
		$stunnel_unit   = "/etc/systemd/system/rsyncd-${name}-stunnel@.service"
		$stunnel_socket = "/etc/systemd/system/rsyncd-${name}-stunnel.socket"
		$stunnel_svc    = "rsyncd-${name}-stunnel.socket"

		# stunnel config; the chained certificate it points at must already
		# be managed by another resource.
		file { $fname_real_stunnel:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
			require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
		}

		# Per-connection stunnel instance template; systemd must reload
		# its unit files whenever this changes.
		file { $stunnel_unit:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
			require => File[$fname_real_stunnel],
			notify  => Exec['systemctl daemon-reload'],
		}

		# The listening socket unit; a change also restarts the socket service.
		file { $stunnel_socket:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
			notify  => [
				Exec['systemctl daemon-reload'],
				Service[$stunnel_svc],
			],
		}

		# Only start the TLS socket after the units are on disk and reloaded
		# and after the plain rsync socket (declared by the socket_service
		# above, presumably) is up.
		service { $stunnel_svc:
			ensure   => $ensure_service,
			enable   => $ensure_enable,
			provider => systemd,
			require  => [
				Exec['systemctl daemon-reload'],
				File[$stunnel_unit],
				File[$stunnel_socket],
				Service["rsyncd-${name}.socket"],
			],
		}

		# Open tcp/1873 for v4 and v6.
		ferm::rule { "rsync-${name}-ssl":
			domain      => '(ip ip6)',
			description => 'Allow rsync access',
			rule        => '&SERVICE(tcp, 1873)',
		}

		# Publish the certificate hash in DNS; $certdir is assigned here, after
		# the templates above, so they cannot observe it.
		$certdir = hiera('paths.letsencrypt_dir')
		dnsextras::tlsa_record { "tlsa-${sslname}-1873":
			zone     => 'debian.org',
			certfile => [ "${certdir}/${sslname}.crt" ],
			port     => 1873,
			hostname => $sslname,
		}
	}
}