Remove re-statement of default mode, owner, and group
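# @summary Manage one rsync daemon instance ("site") as a systemd socket unit,
#   optionally with a stunnel front end on tcp/1873.
#
# Writes /etc/rsyncd-${name}.conf and the rsyncd-${name}@.service /
# rsyncd-${name}.socket unit files, then manages the socket unit.  When
# $sslname is set it also manages the stunnel configuration and units, a
# ferm rule for tcp/1873 and a TLSA record for that port.
#
# NOTE(review): $name is interpolated into file paths and systemd unit names;
# titles are presumably simple tokens without '/' or whitespace -- confirm at
# the call sites.
#
# @param binds
#   Not referenced in this manifest; presumably read by the ERB templates as
#   the listen addresses -- confirm against the templates.
# @param source
#   Passed to the file resource for /etc/rsyncd-${name}.conf.  Set either
#   this or $content, not both (Puppet's file type rejects both together).
# @param content
#   Passed to the file resource for /etc/rsyncd-${name}.conf.
# @param max_clients
#   Not referenced in this manifest; presumably read by the ERB templates --
#   confirm against the templates.
# @param ensure
#   'present' installs the files and runs/enables the socket units; 'absent'
#   stops/disables the units and removes the files.
# @param sslname
#   When set, the stunnel side is managed as well.  The value selects the
#   certificate /etc/ssl/debian/certs/${sslname}.crt-chained and is used as
#   the hostname of the TLSA record.
define rsync::site (
        $binds=['[::]'],
        $source=undef,
        $content=undef,
        $max_clients=200,
        Enum['present','absent'] $ensure = 'present',
        $sslname=undef,
) {
        include rsync

        $fname_real_rsync = "/etc/rsyncd-${name}.conf"
        $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"

        # Map the file-style ensure value onto the service attributes.
        $ensure_service = $ensure ? {
                present => running,
                absent  => stopped,
        }

        $ensure_enable = $ensure ? {
                present => true,
                absent  => false,
        }

        file { $fname_real_rsync:
                ensure  => $ensure,
                content => $content,
                source  => $source,
        }

        $service_file = "/etc/systemd/system/rsyncd-${name}@.service"
        $socket_file = "/etc/systemd/system/rsyncd-${name}.socket"
        $systemd_service = "rsyncd-${name}.socket"

        # if we enable the service, we want the files before the service.
        # if we remove the service, we want the service disabled before the files
        # go away.
        $service_subscribe = $ensure ? {
                present => [
                        File[$service_file],
                        File[$socket_file],
                ],
                default => [],
        }
        $service_before = $ensure ? {
                present => [],
                default => [
                        File[$service_file],
                        File[$socket_file],
                ],
        }

        # Exec['systemctl daemon-reload'] is not declared in this manifest;
        # presumably it comes from the included rsync class or a base class.
        file { $service_file:
                ensure  => $ensure,
                content => template('rsync/systemd-rsyncd.service.erb'),
                require => File[$fname_real_rsync],
                notify  => Exec['systemctl daemon-reload'],
        }

        file { $socket_file:
                ensure  => $ensure,
                content => template('rsync/systemd-rsyncd.socket.erb'),
                notify  => Exec['systemctl daemon-reload'],
        }

        service { $systemd_service:
                ensure    => $ensure_service,
                enable    => $ensure_enable,
                notify    => Exec['systemctl daemon-reload'],
                provider  => systemd,
                before    => $service_before,
                subscribe => $service_subscribe,
        }

        if $sslname {
                # The stunnel config is only written once the chained
                # certificate for $sslname is managed.
                file { $fname_real_stunnel:
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
                        require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
                }

                file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
                        require => File[$fname_real_stunnel],
                        notify  => Exec['systemctl daemon-reload'],
                }

                file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
                        notify  => [
                                Exec['systemctl daemon-reload'],
                                Service["rsyncd-${name}-stunnel.socket"],
                        ],
                }

                # NOTE(review): unlike the plain rsync socket above, this
                # service requires its unit files for both values of $ensure,
                # so on removal the files are deleted before the unit is
                # stopped.  Left unchanged here.
                service { "rsyncd-${name}-stunnel.socket":
                        ensure   => $ensure_service,
                        enable   => $ensure_enable,
                        require  => [
                                Exec['systemctl daemon-reload'],
                                File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
                                File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
                                Service["rsyncd-${name}.socket"],
                        ],
                        provider => systemd,
                }

                # Open the firewall and publish the TLSA record only while the
                # site is present.  Previously both were declared for
                # ensure => absent as well, which kept tcp/1873 allowed and the
                # record published after the listener had been removed.
                # NOTE(review): removal of an already deployed rule or record
                # relies on ferm / dnsextras dropping resources that are no
                # longer declared -- confirm.
                if $ensure == 'present' {
                        ferm::rule { "rsync-${name}-ssl":
                                domain      => '(ip ip6)',
                                description => 'Allow rsync access',
                                rule        => '&SERVICE(tcp, 1873)',
                        }

                        $certdir = hiera('paths.letsencrypt_dir')
                        dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
                                zone     => 'debian.org',
                                certfile => [ "${certdir}/${sslname}.crt" ],
                                port     => 1873,
                                hostname => $sslname,
                        }
                }
        }
}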