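# Deploy one rsync daemon instance ("site") as a systemd socket-activated
# service, optionally fronted by an stunnel TLS listener on tcp/1873.
#
# Each site gets its own /etc/rsyncd-${name}.conf plus a
# rsyncd-${name}@.service / rsyncd-${name}.socket pair; the body of the
# rsyncd config comes from $content or $source.  When $sslname is set an
# stunnel config, service and socket are added, the host firewall is opened
# for tcp/1873 and a TLSA record is published for the certificate.
#
# @param binds       Listen addresses handed to the socket template; the
#                    default '[::]' listens on every address of the host.
# @param source      Puppet file source for the rsyncd config (mutually
#                    exclusive with $content; Puppet rejects both being set).
# @param content     Literal content of the rsyncd config.
# @param max_clients Passed through to the templates; not used directly here.
# @param ensure      'present' deploys and runs the site, 'absent' removes the
#                    config/unit files and stops and disables the sockets.
# @param sslname     Hostname whose certificate the stunnel listener serves;
#                    undef (the default) disables the TLS listener entirely.
define rsync::site (
        $binds=['[::]'],
        $source=undef,
        $content=undef,
        $max_clients=200,
        Enum['present','absent'] $ensure = 'present',
        $sslname=undef,
) {
        include rsync

        $fname_real_rsync = "/etc/rsyncd-${name}.conf"
        $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"

        # Derive the service/enable state from $ensure once so that every
        # service declared below agrees with the file resources.
        $ensure_service = $ensure ? {
                present => running,
                absent  => stopped,
        }

        $ensure_enable = $ensure ? {
                present => true,
                absent  => false,
        }

        # The rsyncd configuration itself.  Exactly one of $content/$source
        # is expected to carry the module definitions; with neither set the
        # file is created empty and the daemon serves nothing.
        file { $fname_real_rsync:
                ensure  => $ensure,
                content => $content,
                source  => $source,
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
        }

        $service_file = "/etc/systemd/system/rsyncd-${name}@.service"
        $socket_file = "/etc/systemd/system/rsyncd-${name}.socket"
        $systemd_service = "rsyncd-${name}.socket"

        # Per-connection template unit; one instance is spawned per accepted
        # connection on the socket below.  Unit files are world-readable,
        # they carry no secrets.
        file { $service_file:
                ensure  => $ensure,
                content => template('rsync/systemd-rsyncd.service.erb'),
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
                require => File[$fname_real_rsync],
                notify  => Exec['systemctl daemon-reload'],
        }

        file { $socket_file:
                ensure  => $ensure,
                content => template('rsync/systemd-rsyncd.socket.erb'),
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
                notify  => Exec['systemctl daemon-reload'],
        }

        service { $systemd_service:
                ensure    => $ensure_service,
                enable    => $ensure_enable,
                # The unit files above notify daemon-reload; the socket service
                # must be ordered *after* that reload, otherwise the restart
                # triggered by the subscribe below can bring the socket up from
                # the stale unit definition.  Notifying the exec from here (as
                # the stunnel socket below never did) orders it the wrong way
                # round: service first, reload afterwards.
                require   => Exec['systemctl daemon-reload'],
                subscribe => [
                        File[$service_file],
                        File[$socket_file],
                ],
                provider  => systemd,
        }

        if $sslname {
                # Port of the TLS-wrapped listener.  The stunnel socket
                # template is assumed to bind the same port -- keep in sync.
                $stunnel_port = 1873

                # stunnel config; it references the chained certificate, so it
                # must not be written before that file exists.  NOTE(review):
                # with ensure => absent this still requires the cert resource
                # to be in the catalog -- confirm callers keep it declared.
                file { $fname_real_stunnel:
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
                }

                file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        require => File[$fname_real_stunnel],
                        notify  => Exec['systemctl daemon-reload'],
                }

                file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        notify  => [
                                Exec['systemctl daemon-reload'],
                                Service["rsyncd-${name}-stunnel.socket"]
                        ],
                }

                # The TLS socket is only useful once the plain rsync socket it
                # forwards to is managed, hence the ordering on it.
                service { "rsyncd-${name}-stunnel.socket":
                        ensure   => $ensure_service,
                        enable   => $ensure_enable,
                        require  => [
                                Exec['systemctl daemon-reload'],
                                File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
                                File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
                                Service["rsyncd-${name}.socket"],
                        ],
                        provider => systemd,
                }

                # World-reachable on v4 and v6 by design (public mirror
                # traffic); narrow the rule here if a site is not meant to be
                # public.  NOTE(review): this rule and the TLSA record below are
                # not tied to $ensure -- an 'absent' site keeps its firewall
                # hole and DNS record.  Pass $ensure through once ferm::rule /
                # dnsextras::tlsa_record are confirmed to accept it.
                ferm::rule { "rsync-${name}-ssl":
                        domain      => '(ip ip6)',
                        description => 'Allow rsync access',
                        rule        => "&SERVICE(tcp, ${stunnel_port})",
                }

                # DANE record for the stunnel certificate.  NOTE(review): the
                # hash is taken from the letsencrypt-dir certificate while the
                # stunnel config depends on /etc/ssl/debian/certs/*.crt-chained;
                # presumably the same leaf -- if they ever diverge, DANE
                # validation of the listener breaks silently.
                $certdir = hiera('paths.letsencrypt_dir')
                dnsextras::tlsa_record{ "tlsa-${sslname}-${stunnel_port}":
                        zone     => 'debian.org',
                        certfile => [ "${certdir}/${sslname}.crt" ],
                        port     => $stunnel_port,
                        hostname => $sslname,
                }
        }
}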