3 # @param listen_addr IP addresses to have rsync listen on
4 # @param onion_service provide the onion service from this host
5 # @param healthcheck_name name to access this node in the health checker
6 class roles::security_mirror(
7 Array[Stdlib::IP::Address] $listen_addr = [],
8 Boolean $onion_service = false,
9 Optional[String] $healthcheck_name = undef,
11 include roles::archvsync_base
13 include apache2::expires
14 include apache2::rewrite
16 $enclosed_addresses_rsync = empty($listen_addr) ? {
18 default => enclose_ipv6($listen_addr),
20 $_enclosed_addresses = empty($listen_addr) ? {
22 default => enclose_ipv6($listen_addr),
24 $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ')
26 apache2::site { '010-security.debian.org':
27 site => 'security.debian.org',
28 content => template('roles/security_mirror/security.debian.org.erb')
31 rsync::site { 'security':
32 source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
34 binds => $enclosed_addresses_rsync,
38 $onion_addr = empty($listen_addr) ? {
39 true => $base::public_address,
40 default => filter_ipv4($listen_addr)[0]
43 fail("Do not have a useable address for the onionservice on ${::hostname}. Is \$listen_addr empty or does it not have an IPv4 address?.")
46 onion::service { 'security.debian.org':
49 target_address => $onion_addr,
53 Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
55 mirror_health::service { 'security':
56 this_host_service_name => $healthcheck_name,
57 url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
58 health_url => 'http://security.backend.mirrors.debian.org/_health',
62 # 198.108.67.48 DoS against our rsync service
63 ferm::rule { 'dsa-security-abusers':
65 rule => 'saddr ( 198.108.67.48/32 ) DROP',