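# Declare one rsync site, named after the resource title, served by systemd
# units instead of xinetd.  Each site gets its own /etc/rsyncd-<name>.conf, a
# templated rsyncd-<name>@.service / rsyncd-<name>.socket pair (the "@"
# instance naming suggests per-connection socket activation; the .erb
# templates are not visible in this manifest), and -- when $sslname is set --
# a matching stunnel config/unit pair plus a firewall allow and a TLSA record
# for tcp/1873.  Legacy xinetd entries of the same name are retired.
#
# $binds        addresses for the listeners; not referenced below, so
#               presumably consumed by the .socket templates -- verify there.
# $source /     whichever of the two is set supplies the rsyncd config.
# $content      Nothing here insists on one of them, so a present site with
#               neither ends up with an empty config file.
# $max_clients  not referenced below; presumably used by a template -- verify.
# $ensure       present or absent; anything else aborts catalog compilation.
# $sslname      hostname of the service certificate; switches on the stunnel
#               resources and expects
#               File["/etc/ssl/debian/certs/<sslname>.crt-chained"] to be
#               declared elsewhere in the catalog.
define rsync::site_systemd (
        $binds=['[::]'],
        $source=undef,
        $content=undef,
        $max_clients=200,
        $ensure=present,
        $sslname=undef,
) {
        include rsync

        $fname_real_rsync = "/etc/rsyncd-${name}.conf"
        $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"

        # Reject anything but present/absent up front: the selectors below
        # have no default arm and would otherwise fail with a less helpful
        # message.
        case $ensure {
                present,absent: {}
                default: { fail ( "Invalid ensure `${ensure}' for ${name}" ) }
        }

        # Map the file-style ensure onto service state and enablement.
        $ensure_service = $ensure ? {
                present => running,
                absent  => stopped,
        }

        $ensure_enable = $ensure ? {
                present => true,
                absent  => false,
        }

        # rsyncd config for this site.  World-readable is fine: it holds no
        # credentials, only module definitions.
        file { $fname_real_rsync:
                ensure  => $ensure,
                content => $content,
                source  => $source,
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
        }

        # Per-connection service template; it must be in place after the
        # config it references, and systemd must be told about the new unit.
        file { "/etc/systemd/system/rsyncd-${name}@.service":
                ensure  => $ensure,
                content => template('rsync/systemd-rsyncd.service.erb'),
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
                require => File[$fname_real_rsync],
                notify  => Exec['systemctl daemon-reload'],
        }

        # Listening socket unit; any change restarts the socket so new
        # $binds/options take effect.
        file { "/etc/systemd/system/rsyncd-${name}.socket":
                ensure  => $ensure,
                content => template('rsync/systemd-rsyncd.socket.erb'),
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
                notify  => [
                        Exec['systemctl daemon-reload'],
                        Service["rsyncd-${name}.socket"],
                ],
        }

        # NOTE(review): on ensure => absent these require edges still point
        # the same way, so the unit files are removed (and daemon-reload run)
        # before the socket is stopped/disabled.  Whether `systemctl disable`
        # succeeds for a unit whose file is already gone should be confirmed
        # against a real removal -- TODO confirm.
        # Ordering after Service['xinetd'] is presumably so the retired xinetd
        # entries below have been reloaded out before the socket binds.
        service { "rsyncd-${name}.socket":
                ensure   => $ensure_service,
                enable   => $ensure_enable,
                require  => [
                        Exec['systemctl daemon-reload'],
                        File["/etc/systemd/system/rsyncd-${name}@.service"],
                        File["/etc/systemd/system/rsyncd-${name}.socket"],
                        Service['xinetd'],
                ],
                provider => systemd,
        }

        if $sslname {
                # stunnel front-end for rsync-over-TLS; it needs the chained
                # certificate for $sslname, which this define does not manage.
                file { $fname_real_stunnel:
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
                }

                file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        require => File[$fname_real_stunnel],
                        notify  => Exec['systemctl daemon-reload'],
                }

                file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
                        ensure  => $ensure,
                        content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0444',
                        notify  => [
                                Exec['systemctl daemon-reload'],
                                Service["rsyncd-${name}-stunnel.socket"]
                        ],
                }

                # The TLS socket is brought up only after the plain rsync
                # socket it presumably forwards to.
                service { "rsyncd-${name}-stunnel.socket":
                        ensure   => $ensure_service,
                        enable   => $ensure_enable,
                        require  => [
                                Exec['systemctl daemon-reload'],
                                File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
                                File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
                                Service["rsyncd-${name}.socket"],
                                Service['xinetd'],
                        ],
                        provider => systemd,
                }

                # NOTE(review): neither of the next two resources carries
                # $ensure, so a site set to absent still declares the (virtual)
                # firewall allow for tcp/1873 and the TLSA record.  The rule is
                # also address-agnostic -- it does not narrow to $binds.
                # Check whether ferm::rule / dnsextras::tlsa_record accept an
                # ensure parameter before tightening this.
                @ferm::rule { "rsync-${name}-ssl":
                        domain      => '(ip ip6)',
                        description => 'Allow rsync access',
                        rule        => '&SERVICE(tcp, 1873)',
                }

                # DANE record for the TLS listener; both certificate sources
                # are listed so the record matches whichever one is deployed.
                dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
                        zone     => 'debian.org',
                        certfile => [
                                "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
                                "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
                        ],
                        port     => 1873,
                        hostname => $sslname,
                }
        }

        # Retire the pre-systemd xinetd entries for this site (plain and ssl,
        # both address families) before the socket unit starts.  They are
        # always absent, regardless of $ensure; the placeholder attribute
        # values only satisfy the define's required parameters.
        xinetd::service { [ "rsync-${name}", "rsync-${name}6", "rsync-${name}-ssl", "rsync-${name}-ssl6" ]:
                ensure  => absent,
                id      => 'unused',
                server  => 'unused',
                service => 'unused',
                ferm    => false,
                before  => Service["rsyncd-${name}.socket"],
        }
}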
142 }