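# Configure one rsync daemon instance ("site") on this host, socket-activated
# by systemd, optionally fronted by an stunnel instance on tcp/1873.
#
# Resources managed per site:
#   - /etc/rsyncd-${name}.conf (from $content or $source)
#   - rsyncd-${name}@.service / rsyncd-${name}.socket units
#   - with $sslname: /etc/rsyncd-${name}-stunnel.conf, the matching
#     rsyncd-${name}-stunnel@.service / .socket units, a ferm rule for
#     tcp/1873 and a TLSA record for the certificate.
#
# Ordering: when $ensure is 'present' the unit files are put in place (and
# systemd reloaded) before the socket unit is started; when it is 'absent'
# the socket unit is stopped and disabled *before* its unit files are
# removed, so systemd never has to act on a unit whose file is already gone.
# Both the plain and the stunnel socket follow the same rule.
#
# @param binds        listen addresses; only consumed by the templates,
#                     not read in this manifest.
# @param source       puppet:// source for the rsyncd config (exclusive with $content).
# @param content      literal content for the rsyncd config (exclusive with $source).
# @param max_clients  rsync max connections; only consumed by the templates.
# @param ensure       'present' or 'absent' for the whole site.
# @param sslname      certificate name; enables the stunnel front end when set.
define rsync::site (
	$binds=['[::]'],
	$source=undef,
	$content=undef,
	$max_clients=200,
	Enum['present','absent'] $ensure = 'present',
	$sslname=undef,
) {
	include rsync

	$fname_real_rsync = "/etc/rsyncd-${name}.conf"
	$fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"

	$ensure_service = $ensure ? {
		present => running,
		absent  => stopped,
	}

	$ensure_enable = $ensure ? {
		present => true,
		absent  => false,
	}

	file { $fname_real_rsync:
		ensure  => $ensure,
		content => $content,
		source  => $source,
		owner   => 'root',
		group   => 'root',
		mode    => '0444',
	}

	$service_file = "/etc/systemd/system/rsyncd-${name}@.service"
	$socket_file = "/etc/systemd/system/rsyncd-${name}.socket"
	$systemd_service = "rsyncd-${name}.socket"

	# if we enable the service, we want the files before the service.
	# if we remove the service, we want the service disabled before the files
	# go away.
	$service_subscribe = $ensure ? {
		present => [
			File[$service_file],
			File[$socket_file],
		],
		default => [],
	}
	$service_before = $ensure ? {
		present => [],
		default => [
			File[$service_file],
			File[$socket_file],
		],
	}

	file { $service_file:
		ensure  => $ensure,
		content => template('rsync/systemd-rsyncd.service.erb'),
		owner   => 'root',
		group   => 'root',
		mode    => '0444',
		require => File[$fname_real_rsync],
		notify  => Exec['systemctl daemon-reload'],
	}

	file { $socket_file:
		ensure  => $ensure,
		content => template('rsync/systemd-rsyncd.socket.erb'),
		owner   => 'root',
		group   => 'root',
		mode    => '0444',
		notify  => Exec['systemctl daemon-reload'],
	}

	service { $systemd_service:
		ensure    => $ensure_service,
		enable    => $ensure_enable,
		notify    => Exec['systemctl daemon-reload'],
		provider  => systemd,
		before    => $service_before,
		subscribe => $service_subscribe,
	}

	if $sslname {
		$stunnel_service_file = "/etc/systemd/system/rsyncd-${name}-stunnel@.service"
		$stunnel_socket_file = "/etc/systemd/system/rsyncd-${name}-stunnel.socket"
		$stunnel_systemd_service = "rsyncd-${name}-stunnel.socket"

		# Same ordering rule as for the plain socket above. Previously the
		# stunnel socket unconditionally required its unit files and the
		# daemon-reload exec; with ensure => absent that removed the unit
		# files first and, combined with the files notifying the exec,
		# formed a dependency cycle (File -> Exec -> Service -> File).
		$stunnel_service_subscribe = $ensure ? {
			present => [
				File[$stunnel_service_file],
				File[$stunnel_socket_file],
			],
			default => [],
		}
		$stunnel_service_before = $ensure ? {
			present => [],
			default => [
				File[$stunnel_service_file],
				File[$stunnel_socket_file],
			],
		}
		# daemon-reload must have seen the new units before we start the
		# socket; on removal the reload happens after the files are gone.
		$stunnel_service_require = $ensure ? {
			present => [
				Exec['systemctl daemon-reload'],
				Service[$systemd_service],
			],
			default => [
				Service[$systemd_service],
			],
		}

		file { $fname_real_stunnel:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
			owner   => 'root',
			group   => 'root',
			mode    => '0444',
			# the chained certificate must exist before stunnel can be configured
			require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
		}

		file { $stunnel_service_file:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
			owner   => 'root',
			group   => 'root',
			mode    => '0444',
			require => File[$fname_real_stunnel],
			notify  => Exec['systemctl daemon-reload'],
		}

		file { $stunnel_socket_file:
			ensure  => $ensure,
			content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
			owner   => 'root',
			group   => 'root',
			mode    => '0444',
			# the service subscribes to this file when present, so no
			# explicit notify of the service is needed here (it would
			# invert the ordering on removal).
			notify  => Exec['systemctl daemon-reload'],
		}

		service { $stunnel_systemd_service:
			ensure    => $ensure_service,
			enable    => $ensure_enable,
			require   => $stunnel_service_require,
			before    => $stunnel_service_before,
			subscribe => $stunnel_service_subscribe,
			provider  => systemd,
		}

		# NOTE(review): this firewall rule and the TLSA record below are not
		# tied to $ensure, so removing a site leaves tcp/1873 open and the
		# DNS record in place until cleaned up by hand. ferm::rule and
		# dnsextras::tlsa_record are defined elsewhere in this tree; check
		# whether they accept an ensure parameter before wiring it through.
		ferm::rule { "rsync-${name}-ssl":
			domain      => '(ip ip6)',
			description => 'Allow rsync access',
			rule        => '&SERVICE(tcp, 1873)',
		}

		$certdir = hiera('paths.letsencrypt_dir')
		dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
			zone     => 'debian.org',
			certfile => [ "${certdir}/${sslname}.crt" ],
			port     => 1873,
			hostname => $sslname,
		}
	}
}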