class roles::security_mirror {
include roles::archvsync_base
+ # security abusers
+ # 198.108.67.48 DoS against our rsync service
+ ferm::rule { 'dsa-security-abusers':
+ prio => "005",
+ rule => "saddr ( 198.108.67.48/32 ) DROP",
+ }
+
$binds = $::hostname ? {
mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
- mirror-bytemark => [ '5.153.231.46', '[2001:41c8:1000:21::21:46]' ],
- mirror-conova => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
+ schmelzer => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
default => [ '[::]' ],
}
- file { '/srv/mirrors/debian-security':
- ensure => link,
- target => '../ftp.root/debian-security',
- }
- file { '/srv/ftp.root':
- ensure => directory,
- }
- file { '/srv/ftp.root/.nobackup':
- ensure => present,
- content => '',
- }
- file { '/srv/ftp.root/debian-security':
- ensure => directory,
- owner => 1176, # archvsync
- group => 1176, # archvsync
- mode => '0755',
- }
-
include apache2::expires
include apache2::rewrite
content => template('roles/security_mirror/security.debian.org.erb')
}
- roles::mirror_health { 'security':
- check_hosts => hiera('roles.security_mirror'),
+ $mirrors = hiera('roles.security_mirror', {})
+ $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
+ $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
+
+ roles::mirror_health { 'security':
+ check_hosts => $hosts_to_check,
check_service => 'security',
- url => 'http://security.backend.mirrors.debian.org/debian/dists/sid/Release',
+ url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
health_url => 'http://security.backend.mirrors.debian.org/_health',
}
- vsftpd::site { 'security':
- ensure => absent,
- root => '/nonexistent',
- }
-
rsync::site { 'security':
source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
max_clients => 100,
binds => $binds,
}
- $onion_v4_addr = $::hostname ? {
- mirror-anu => '150.203.164.61',
- mirror-isc => '149.20.4.14',
- mirror-umn => '128.101.240.215',
- villa => '212.211.132.32',
- lobos => '212.211.132.250',
- default => undef,
- }
- if has_role('security_mirror_onion') {
- if ! $onion_v4_addr {
- fail("Do not have an onion_v4_addr set for $::hostname.")
- }
-
+ $onion_v4_addr = hiera("roles.security_mirror", {})
+ .dig($::fqdn, 'onion_v4_address')
+ if $onion_v4_addr {
onion::service { 'security.debian.org':
port => 80,
target_port => 80,