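# rsync::site - one rsync daemon instance served by xinetd from its own
# /etc/rsyncd-<name>.conf, optionally fronted by stunnel4 for TLS.
#
# Parameters:
#   $bind         IPv4 address the xinetd listeners bind to; '' means all.
#   $bind6        IPv6 address for a second set of listeners. Only allowed
#                 together with a specific $bind (a wildcard $bind already
#                 covers both families).
#   $source       puppet:// URL for the rsyncd config. Exclusive with $content.
#   $content      literal rsyncd config text. Exclusive with $source.
#   $max_clients  xinetd 'instances' limit applied to every listener.
#   $ensure       'present' or 'absent'; anything else fails the catalog.
#   $sslname      if non-empty, also run stunnel4 on $sslport using the
#                 chained cert of that name and publish a TLSA record for it.
#   $sslport      TCP port for the stunnel listener (default 1873). Must be
#                 numeric because it is interpolated into a ferm rule.
#
# NOTE(review): $ensure is only threaded through to the managed config
# files. The xinetd::service, ferm::rule and dnsextras::tlsa_record
# resources are declared regardless of it, so ensure => absent leaves the
# xinetd entries pointing at a removed config file. TODO confirm whether
# those defines accept an ensure parameter before passing it on.
define rsync::site (
        $bind='',
        $bind6='',
        $source='',
        $content='',
        $max_clients=200,
        $ensure=present,
        $sslname='',
        $sslport=1873
){

        include rsync

        $fname_real = "/etc/rsyncd-${name}.conf"
        case $ensure {
                present,absent: {}
                default: { fail ( "Invalid ensure `${ensure}' for ${name}" ) }
        }

        # $sslport ends up verbatim in a firewall rule and an xinetd port
        # field; refuse anything that is not a plain port number.
        if "${sslport}" !~ /^[0-9]+$/ {
                fail ( "Invalid sslport `${sslport}' for ${name}" )
        }

        # Compare against '' explicitly (as the $bind6/$sslname checks below
        # already do) rather than relying on the truthiness of an empty
        # string, which differs between Puppet parser versions.
        if $source != '' and $content != '' {
                fail ( "Can't define both source and content for ${name}" )
        }

        # The rsyncd config decides which paths are exported and whether
        # they are read-only, so pin it to root-owned and not writable by
        # anyone else instead of inheriting whatever mode the file had.
        if $source != '' {
                file { $fname_real:
                        ensure => $ensure,
                        owner  => 'root',
                        group  => 'root',
                        mode   => '0444',
                        source => $source,
                }
        } elsif $content != '' {
                file { $fname_real:
                        ensure  => $ensure,
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        content => $content,
                }
        } else {
                fail ( "Can't find config for ${name}" )
        }

        # Plain rsync listener. ferm => false: the firewall opening for the
        # standard rsync port is not managed here.
        xinetd::service { "rsync-${name}":
                bind        => $bind,
                id          => "${name}-rsync",
                server      => '/usr/bin/rsync',
                service     => 'rsync',
                server_args => "--daemon --config=${fname_real}",
                ferm        => false,
                instances   => $max_clients,
                require     => File[$fname_real]
        }

        if $bind6 != '' {
                # A wildcard $bind already listens on v6; a second explicit
                # v6 listener would conflict with it.
                if $bind == '' {
                        fail("Cannot listen on * and a specific ipv6 address")
                }
                xinetd::service { "rsync-${name}6":
                        bind        => $bind6,
                        id          => "${name}-rsync6",
                        server      => '/usr/bin/rsync',
                        service     => 'rsync',
                        server_args => "--daemon --config=${fname_real}",
                        ferm        => false,
                        instances   => $max_clients,
                        require     => File[$fname_real]
                }
        }

        if $sslname != '' {
                $stunnel_conf = "/etc/rsyncd-${name}-stunnel.conf"

                # The stunnel config is only useful while the chained cert
                # exists, hence the require on it. Follows $ensure like the
                # rsyncd config so ensure => absent does not leave it behind.
                file { $stunnel_conf:
                        ensure  => $ensure,
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        content => template('rsync/rsyncd-stunnel.conf.erb'),
                        require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
                }

                # Virtual rule opening the TLS port on both IP families; it is
                # realised by whatever collects ferm::rule on this host.
                @ferm::rule { "rsync-${name}-ssl":
                        domain      => '(ip ip6)',
                        description => 'Allow rsync access',
                        rule        => "&SERVICE(tcp, ${sslport})",
                }

                # stunnel4 terminates TLS and hands the connection to the
                # rsync daemon as configured in the stunnel config.
                xinetd::service { "rsync-${name}-ssl":
                        bind        => $bind,
                        id          => "rsync-${name}-ssl",
                        server      => '/usr/bin/stunnel4',
                        server_args => $stunnel_conf,
                        service     => "rsync-ssl",
                        type        => 'UNLISTED',
                        port        => "${sslport}",
                        ferm        => true,
                        instances   => $max_clients,
                        require     => File[$stunnel_conf],
                }
                if $bind6 != '' {
                        xinetd::service { "rsync-${name}-ssl6":
                                bind        => $bind6,
                                id          => "rsync-${name}-ssl6",
                                server      => '/usr/bin/stunnel4',
                                server_args => $stunnel_conf,
                                service     => "rsync-ssl",
                                type        => 'UNLISTED',
                                port        => "${sslport}",
                                ferm        => true,
                                instances   => $max_clients,
                                require     => File[$stunnel_conf],
                        }
                }

                # Publish DANE TLSA data for the TLS listener from the
                # service cert stored in the ssl module (either source).
                dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}":
                        zone     => 'debian.org',
                        certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ],
                        port     => $sslport,
                        hostname => "${sslname}",
                }
        }

        # Make sure the standalone rsync service is handled before xinetd is
        # (re)started, so the two do not fight over the port.
        Service['rsync']->Service['xinetd']
}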