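# rsync::site -- one rsync daemon instance, socket-activated by systemd,
# with an optional stunnel TLS front-end in front of it.
#
# For a site called $name this manages:
#   /etc/rsyncd-${name}.conf                        rsyncd config ($content or $source)
#   /etc/systemd/system/rsyncd-${name}@.service     per-connection service template
#   /etc/systemd/system/rsyncd-${name}.socket       listening socket
# and, only when $sslname is set:
#   /etc/rsyncd-${name}-stunnel.conf
#   /etc/systemd/system/rsyncd-${name}-stunnel@.service
#   /etc/systemd/system/rsyncd-${name}-stunnel.socket
#   a virtual ferm rule opening tcp/1873 and a TLSA record for ${sslname}:1873
#
# Parameters:
#   $binds        addresses the sockets listen on. Not read by this manifest;
#                 only the templates consume it.
#   $source       puppet:// source for the rsyncd config. Exactly one of
#                 $source / $content must be given while $ensure is present
#                 (the file type itself rejects both being set).
#   $content      literal rsyncd config.
#   $max_clients  passed through to the templates, not read here.
#   $ensure       present or absent; anything else fails the catalog.
#   $sslname      name of the certificate under /etc/ssl/debian/certs/;
#                 setting it enables the stunnel front-end.
define rsync::site (
	$binds=['[::]'],
	$source=undef,
	$content=undef,
	$max_clients=200,
	$ensure=present,
	$sslname=undef,
) {
	include rsync

	$fname_real_rsync = "/etc/rsyncd-${name}.conf"
	$fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"

	case $ensure {
		present,absent: {}
		default: { fail ( "Invalid ensure `${ensure}' for ${name}" ) }
	}

	# Without any rsyncd configuration the file resource below would install
	# an empty config and still start a listening socket; refuse that.
	if $ensure == present and !$content and !$source {
		fail ( "rsync::site ${name}: one of content or source is required" )
	}

	$ensure_service = $ensure ? {
		present => running,
		absent  => stopped,
	}

	$ensure_enable = $ensure ? {
		present => true,
		absent  => false,
	}

	# World-readable is fine for rsyncd.conf: it names a secrets file, it must
	# not contain the secrets themselves.
	file { $fname_real_rsync:
		ensure  => $ensure,
		content => $content,
		source  => $source,
		owner   => 'root',
		group   => 'root',
		mode    => '0444',
	}

	file { "/etc/systemd/system/rsyncd-${name}@.service":
		ensure  => $ensure,
		content => template('rsync/systemd-rsyncd.service.erb'),
		owner   => 'root',
		group   => 'root',
		mode    => '0444',
		require => File[$fname_real_rsync],
		notify  => Exec['systemctl daemon-reload'],
	}

	file { "/etc/systemd/system/rsyncd-${name}.socket":
		ensure  => $ensure,
		content => template('rsync/systemd-rsyncd.socket.erb'),
		owner   => 'root',
		group   => 'root',
		mode    => '0444',
		notify  => [
			Exec['systemctl daemon-reload'],
			Service["rsyncd-${name}.socket"],
		],
	}

	# NOTE(review): the service depends on its unit files, which is the right
	# order for present but inverted for absent -- the files are removed and
	# daemon-reload runs before the socket is stopped/disabled. Confirm this
	# still stops cleanly on the systemd version in use.
	service { "rsyncd-${name}.socket":
		ensure   => $ensure_service,
		enable   => $ensure_enable,
		require  => [
			Exec['systemctl daemon-reload'],
			File["/etc/systemd/system/rsyncd-${name}@.service"],
			File["/etc/systemd/system/rsyncd-${name}.socket"],
		],
		provider => systemd,
	}

	if $sslname {
		# The stunnel config is only written once the chained certificate for
		# $sslname is deployed, so stunnel never starts against a missing cert.
		file { $fname_real_stunnel:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
			owner   => 'root',
			group   => 'root',
			mode    => '0444',
			require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
		}

		file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
			owner   => 'root',
			group   => 'root',
			mode    => '0444',
			require => File[$fname_real_stunnel],
			notify  => Exec['systemctl daemon-reload'],
		}

		file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
			owner   => 'root',
			group   => 'root',
			mode    => '0444',
			notify  => [
				Exec['systemctl daemon-reload'],
				Service["rsyncd-${name}-stunnel.socket"]
			],
		}

		# The TLS socket is ordered after the plain one, presumably because
		# stunnel forwards to it -- the templates, not this file, decide that.
		service { "rsyncd-${name}-stunnel.socket":
			ensure   => $ensure_service,
			enable   => $ensure_enable,
			require  => [
				Exec['systemctl daemon-reload'],
				File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
				File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
				Service["rsyncd-${name}.socket"],
			],
			provider => systemd,
		}

		# NOTE(review): neither this firewall rule nor the TLSA record below
		# honours $ensure -- with ensure => absent the units go away but the
		# tcp/1873 opening (once realized) and the DNS record remain. The port
		# is also fixed here, so two SSL sites on one host would collide;
		# confirm against the stunnel socket template before relying on that.
		@ferm::rule { "rsync-${name}-ssl":
			domain      => '(ip ip6)',
			description => 'Allow rsync access',
			rule        => '&SERVICE(tcp, 1873)',
		}

		dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
			zone     => 'debian.org',
			certfile => [
				"/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
				"/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
			],
			port     => 1873,
			hostname => $sslname,
		}
	}
}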