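# rsync::site -- one rsync daemon instance, served through xinetd.
#
# Writes the rsyncd config file and registers an xinetd service per
# listening address.  When $sslname is given, an stunnel4-wrapped
# "rsync-ssl" listener on $sslport is added, a (virtual) ferm rule is
# declared for that port, and a TLSA record for the service certificate
# is published in the debian.org zone.
#
# Parameters:
#   $bind        - address the plain and ssl xinetd services bind to.
#                  '' is passed through unchanged; the check below treats
#                  it as "listen on *".
#   $bind6       - optional IPv6 address for a second listener.  Requires
#                  $bind to be set: a v4 listener on * would already
#                  cover every address, so the pair is rejected.
#   $source      - puppet source of the rsyncd config (exclusive with
#                  $content).
#   $content     - literal content of the rsyncd config (exclusive with
#                  $source).
#   $fname       - path of the rsyncd config; '' selects
#                  /etc/rsyncd-${name}.conf.
#   $max_clients - xinetd 'instances' limit applied to every listener.
#   $ensure      - present or absent; applied to the config files written
#                  by this define.
#   $sslname     - certificate name under /etc/ssl/debian/certs.  Non-empty
#                  enables the stunnel listener and the TLSA record.
#   $sslport     - TCP port of the stunnel listener; also the TLSA port.
#
# String parameters are compared with `!= ''` instead of being tested for
# truthiness: the empty string is false under the Puppet 3 parser but true
# under Puppet 4+, so a bare `if $source` would change meaning between
# parser versions (both defaults would then look "set").
define rsync::site (
        $bind='',
        $bind6='',
        $source='',
        $content='',
        $fname='',
        $max_clients=200,
        $ensure=present,
        $sslname='',
        $sslport=1873
){

        include rsync

        if $fname == '' {
                $fname_real = "/etc/rsyncd-${name}.conf"
        } else {
                $fname_real = $fname
        }
        case $ensure {
                present,absent: {}
                default: { fail ( "Invalid ensure `${ensure}' for ${name}" ) }
        }

        # Exactly one of $source / $content must provide the rsyncd config.
        if ($source != '' and $content != '') {
                fail ( "Can't define both source and content for ${name}" )
        }

        if $source != '' {
                file { $fname_real:
                        ensure => $ensure,
                        source => $source
                }
        } elsif $content != '' {
                file { $fname_real:
                        ensure  => $ensure,
                        content => $content,
                }
        } else {
                fail ( "Can't find config for ${name}" )
        }

        # Plain rsync listener.  ferm => false: no firewall rule is declared
        # here for this port, so access control for the plain listener is
        # expected to come from elsewhere -- verify when adding a site.
        xinetd::service { "rsync-${name}":
                bind        => $bind,
                id          => "${name}-rsync",
                server      => '/usr/bin/rsync',
                service     => 'rsync',
                server_args => "--daemon --config=${fname_real}",
                ferm        => false,
                instances   => $max_clients,
                require     => File[$fname_real]
        }

        # Second listener for a specific IPv6 address.  This is the only
        # place the $bind/$bind6 combination is validated; the ssl6 listener
        # below relies on it having passed.
        if $bind6 != '' {
                if $bind == '' {
                        fail("Cannot listen on * and a specific ipv6 address")
                }
                xinetd::service { "rsync-${name}6":
                        bind        => $bind6,
                        id          => "${name}-rsync6",
                        server      => '/usr/bin/rsync',
                        service     => 'rsync',
                        server_args => "--daemon --config=${fname_real}",
                        ferm        => false,
                        instances   => $max_clients,
                        require     => File[$fname_real]
                }
        }

        if $sslname != '' {
                # stunnel front end for rsync over TLS.  Follows $ensure like the
                # rsyncd config so an absent site does not leave its stunnel
                # config behind.  The chained cert must exist before the config
                # that references it is written.
                file { "/etc/rsyncd-${name}-stunnel.conf":
                        ensure  => $ensure,
                        content => template('rsync/rsyncd-stunnel.conf.erb'),
                        require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
                }
                # Virtual resource: only takes effect where it is realized.
                @ferm::rule { "rsync-${name}-ssl":
                        domain      => '(ip ip6)',
                        description => 'Allow rsync access',
                        rule        => "&SERVICE(tcp, ${sslport})",
                }
                # UNLISTED: rsync-ssl is not in /etc/services, so the port is
                # given explicitly.
                xinetd::service { "rsync-${name}-ssl":
                        bind        => $bind,
                        id          => "rsync-${name}-ssl",
                        server      => '/usr/bin/stunnel4',
                        server_args => "/etc/rsyncd-${name}-stunnel.conf",
                        service     => 'rsync-ssl',
                        type        => 'UNLISTED',
                        port        => "${sslport}",
                        ferm        => true,
                        instances   => $max_clients,
                        require     => File["/etc/rsyncd-${name}-stunnel.conf"],
                }
                if $bind6 != '' {
                        xinetd::service { "rsync-${name}-ssl6":
                                bind        => $bind6,
                                id          => "rsync-${name}-ssl6",
                                server      => '/usr/bin/stunnel4',
                                server_args => "/etc/rsyncd-${name}-stunnel.conf",
                                service     => 'rsync-ssl',
                                type        => 'UNLISTED',
                                port        => "${sslport}",
                                ferm        => true,
                                instances   => $max_clients,
                                require     => File["/etc/rsyncd-${name}-stunnel.conf"],
                        }
                }

                # DANE: publish a TLSA record binding ${sslname}:${sslport} to the
                # service certificate.  Both the locally issued and the
                # Let's Encrypt copy are listed so the record matches whichever
                # the stunnel config ends up serving.
                dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}":
                        zone     => 'debian.org',
                        certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ],
                        port     => $sslport,
                        hostname => "${sslname}",
                }
        }

        # Order the rsync service (presumably declared by class rsync) before
        # xinetd so the standalone daemon is handled before xinetd takes the
        # port -- TODO confirm against the rsync class.
        Service['rsync']->Service['xinetd']
}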