6 Enum['present','absent'] $ensure = 'present',
11 $fname_real_rsync = "/etc/rsyncd-${name}.conf"
12 $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
14 $ensure_service = $ensure ? {
19 $ensure_enable = $ensure ? {
24 file { $fname_real_rsync:
33 $service_file = "/etc/systemd/system/rsyncd-${name}@.service"
34 $socket_file = "/etc/systemd/system/rsyncd-${name}.socket"
35 $systemd_service = "rsyncd-${name}.socket"
37 # if we enable the service, we want the files before the service.
38 # if we remove the service, we want the service disabled before the files
40 $service_subscribe = $ensure ? {
47 $service_before = $ensure ? {
57 content => template('rsync/systemd-rsyncd.service.erb'),
61 require => File[$fname_real_rsync],
62 notify => Exec['systemctl daemon-reload'],
67 content => template('rsync/systemd-rsyncd.socket.erb'),
71 notify => Exec['systemctl daemon-reload'],
74 service { $systemd_service:
75 ensure => $ensure_service,
76 enable => $ensure_enable,
77 notify => Exec['systemctl daemon-reload'],
79 before => $service_before,
80 subscribe => $service_subscribe,
84 file { $fname_real_stunnel:
86 content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
90 require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
93 file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
95 content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
99 require => File[$fname_real_stunnel],
100 notify => Exec['systemctl daemon-reload'],
103 file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
105 content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
110 Exec['systemctl daemon-reload'],
111 Service["rsyncd-${name}-stunnel.socket"]
115 service { "rsyncd-${name}-stunnel.socket":
116 ensure => $ensure_service,
117 enable => $ensure_enable,
119 Exec['systemctl daemon-reload'],
120 File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
121 File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
122 Service["rsyncd-${name}.socket"],
127 ferm::rule { "rsync-${name}-ssl":
128 domain => '(ip ip6)',
129 description => 'Allow rsync access',
130 rule => '&SERVICE(tcp, 1873)',
133 $certdir = hiera('paths.letsencrypt_dir')
134 dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
135 zone => 'debian.org',
136 certfile => [ "${certdir}/${sslname}.crt" ],
138 hostname => $sslname,