class roles::rtc { ssl::service { 'debian.org': tlsaport => [], notify => Service['repro'], key => true, } ssl::service { 'sip-ws.debian.org': notify => Service['repro'], key => true, } dnsextras::tlsa_record{ 'tlsa-xmpp': zone => 'debian.org', certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt", port => [5061, 5222, 5269], hostname => $::fqdn, } @ferm::rule { 'dsa-xmpp-client-ip4': domain => 'ip', description => 'XMPP connections (client to server)', rule => 'proto tcp dport (5222) ACCEPT' } @ferm::rule { 'dsa-xmpp-client-ip6': domain => 'ip6', description => 'XMPP connections (client to server)', rule => 'proto tcp dport (5222) ACCEPT' } @ferm::rule { 'dsa-xmpp-server-ip4': domain => 'ip', description => 'XMPP connections (server to server)', rule => 'proto tcp dport (5269) ACCEPT' } @ferm::rule { 'dsa-xmpp-server-ip6': domain => 'ip6', description => 'XMPP connections (server to server)', rule => 'proto tcp dport (5269) ACCEPT' } @ferm::rule { 'dsa-sip-ws-ip4': domain => 'ip', description => 'SIP connections (WebSocket; for WebRTC)', rule => 'proto tcp dport (443) ACCEPT' } @ferm::rule { 'dsa-sip-ws-ip6': domain => 'ip6', description => 'SIP connections (WebSocket; for WebRTC)', rule => 'proto tcp dport (443) ACCEPT' } @ferm::rule { 'dsa-sip-tls-ip4': domain => 'ip', description => 'SIP connections (TLS)', rule => 'proto tcp dport (5061) ACCEPT' } @ferm::rule { 'dsa-sip-tls-ip6': domain => 'ip6', description => 'SIP connections (TLS)', rule => 'proto tcp dport (5061) ACCEPT' } @ferm::rule { 'dsa-turn-ip4': domain => 'ip', description => 'TURN connections', rule => 'proto udp dport (3478) ACCEPT' } @ferm::rule { 'dsa-turn-ip6': domain => 'ip6', description => 'TURN connections', rule => 'proto udp dport (3478) ACCEPT' } @ferm::rule { 'dsa-turn-tls-ip4': domain => 'ip', description => 'TURN connections (TLS)', rule => 'proto tcp dport (5349) ACCEPT' } @ferm::rule { 'dsa-turn-tls-ip6': domain => 'ip6', description => 'TURN connections (TLS)', rule => 'proto tcp dport (5349) ACCEPT' } @ferm::rule { 'dsa-rtp-ip4': domain => 'ip', description => 'RTP streams', rule => 'proto udp dport (49152:65535) ACCEPT' } @ferm::rule { 'dsa-rtp-ip6': domain => 'ip6', description => 'RTP streams', rule => 'proto udp dport (49152:65535) ACCEPT' } file { '/etc/monit/monit.d/50rtc': ensure => absent, } service { 'repro': ensure => running, } dsa_systemd::override { 'repro': content => @("EOF"), [Unit] After=network-online.target | EOF } package { 'freeradius': ensure => installed, } service { 'freeradius': ensure => running, } $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password") file { '/etc/freeradius/3.0/sites-available/rtc.debian.org': content => template('roles/rtc/freeradius-rtc.erb'), mode => '0440', group => freerad, } file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org': ensure => link, target => '../sites-available/rtc.debian.org', } file { '/etc/freeradius/3.0/mods-available/passwd_rtc': source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc', mode => '0440', group => freerad, } file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc': ensure => link, target => '../mods-available/passwd_rtc', } file { '/etc/repro/radius-servers': content => inline_template('localhost/localhost <%= @radius_password %>'), mode => '0440', group => repro, notify => Service['repro'], } file { '/etc/freeradius/3.0/sites-enabled/default': ensure => absent, } file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel': ensure => absent, } }