modules/rsync/manifests/site.pp

   1 define rsync::site (
   2         $binds=['[::]'],
   3         $source=undef,
   4         $content=undef,
   5         $max_clients=200,
   6         $ensure=present,
   7         $sslname=undef,
   8 ) {
   9         include rsync
  10
  11         $fname_real_rsync = "/etc/rsyncd-${name}.conf"
  12         $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
  13
  14         case $ensure {
  15                 present,absent: {}
  16                 default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
  17         }
  18
  19         $ensure_service = $ensure ? {
  20                 present => running,
  21                 absent  => stopped,
  22         }
  23
  24         $ensure_enable = $ensure ? {
  25                 present => true,
  26                 absent  => false,
  27         }
  28
  29         file { $fname_real_rsync:
  30                 ensure  => $ensure,
  31                 content => $content,
  32                 source  => $source,
  33                 owner   => 'root',
  34                 group   => 'root',
  35                 mode    => '0444',
  36         }
  37
  38         file { "/etc/systemd/system/rsyncd-${name}@.service":
  39                 ensure  => $ensure,
  40                 content => template('rsync/systemd-rsyncd.service.erb'),
  41                 owner   => 'root',
  42                 group   => 'root',
  43                 mode    => '0444',
  44                 require => File[$fname_real_rsync],
  45                 notify  => Exec['systemctl daemon-reload'],
  46         }
  47
  48         file { "/etc/systemd/system/rsyncd-${name}.socket":
  49                 ensure  => $ensure,
  50                 content => template('rsync/systemd-rsyncd.socket.erb'),
  51                 owner   => 'root',
  52                 group   => 'root',
  53                 mode    => '0444',
  54                 notify  => [
  55                         Exec['systemctl daemon-reload'],
  56                         Service["rsyncd-${name}.socket"],
  57                 ],
  58         }
  59
  60         service { "rsyncd-${name}.socket":
  61                 ensure   => $ensure_service,
  62                 enable   => $ensure_enable,
  63                 require  => [
  64                         Exec['systemctl daemon-reload'],
  65                         File["/etc/systemd/system/rsyncd-${name}@.service"],
  66                         File["/etc/systemd/system/rsyncd-${name}.socket"],
  67                 ],
  68                 provider => systemd,
  69         }
  70
  71         if $sslname {
  72                 file { $fname_real_stunnel:
  73                         ensure  => $ensure,
  74                         content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
  75                         owner   => 'root',
  76                         group   => 'root',
  77                         mode    => '0444',
  78                         require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
  79                 }
  80
  81                 file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
  82                         ensure  => $ensure,
  83                         content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
  84                         owner   => 'root',
  85                         group   => 'root',
  86                         mode    => '0444',
  87                         require => File[$fname_real_stunnel],
  88                         notify  => Exec['systemctl daemon-reload'],
  89                 }
  90
  91                 file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
  92                         ensure  => $ensure,
  93                         content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
  94                         owner   => 'root',
  95                         group   => 'root',
  96                         mode    => '0444',
  97                         notify  => [
  98                                 Exec['systemctl daemon-reload'],
  99                                 Service["rsyncd-${name}-stunnel.socket"]
 100                         ],
 101                 }
 102
 103                 service { "rsyncd-${name}-stunnel.socket":
 104                         ensure   => $ensure_service,
 105                         enable   => $ensure_enable,
 106                         require  => [
 107                                 Exec['systemctl daemon-reload'],
 108                                 File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
 109                                 File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
 110                                 Service["rsyncd-${name}.socket"],
 111                         ],
 112                         provider => systemd,
 113                 }
 114
 115                 @ferm::rule { "rsync-${name}-ssl":
 116                         domain      => '(ip ip6)',
 117                         description => 'Allow rsync access',
 118                         rule        => '&SERVICE(tcp, 1873)',
 119                 }
 120
 121                 dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
 122                         zone     => 'debian.org',
 123                         certfile => [
 124                                 "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
 125                                 "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
 126                         ],
 127                         port     => 1873,
 128                         hostname => $sslname,
 129                 }
 130         }
 131 }