-class roles::security_mirror {
- include roles::archvsync_base
+# security mirror
+#
+# @param listen_addr IP addresses to have rsync listen on
+# @param onion_service provide the onion service from this host
+# @param healthcheck_name name to access this node in the health checker
+class roles::security_mirror(
+ Array[Stdlib::IP::Address] $listen_addr = [],
+ Boolean $onion_service = false,
+ Optional[String] $healthcheck_name = undef,
+){
+ include roles::archvsync_base
+ include apache2
+ include apache2::expires
+ include apache2::rewrite
- $rsync_bind = $::hostname ? {
- mirror-anu => '150.203.164.61',
- mirror-bytemark => '5.153.231.46',
- mirror-conova => '217.196.149.233',
- mirror-isc => '149.20.4.14',
- mirror-umn => '128.101.240.215',
- default => '',
- }
- $rsync_bind6 = $::hostname ? {
- mirror-anu => '2001:388:1034:2900::3d',
- mirror-bytemark => '2001:41c8:1000:21::21:46',
- mirror-conova => '2a02:16a8:dc41:100::233',
- mirror-isc => '2001:4f8:1:c::14',
- mirror-umn => '2607:ea00:101:3c0b::1deb:215',
- default => '',
- }
- $ftp_bind = $rsync_bind
- $ftp_bind6 = $rsync_bind6
+ $enclosed_addresses_rsync = empty($listen_addr) ? {
+ true => ['[::]'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $_enclosed_addresses = empty($listen_addr) ? {
+ true => ['*'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ')
- file { '/srv/mirrors/debian-security':
- ensure => link,
- target => '../ftp.root/debian-security',
- }
- file { '/srv/ftp.root/.nobackup':
- ensure => present,
- content => '',
- }
+ apache2::site { '010-security.debian.org':
+ site => 'security.debian.org',
+ content => template('roles/security_mirror/security.debian.org.erb')
+ }
- include apache2::expires
- include apache2::rewrite
+ rsync::site { 'security':
+ source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
+ max_clients => 100,
+ binds => $enclosed_addresses_rsync,
+ }
- apache2::site { '010-security.debian.org':
- site => 'security.debian.org',
- content => template('roles/security_mirror/security.debian.org.erb')
- }
+ if $onion_service {
+ $onion_addr = empty($listen_addr) ? {
+ true => $base::public_address,
+ default => filter_ipv4($listen_addr)[0]
+ }
+ if ! $onion_addr {
+ fail("Do not have a useable address for the onionservice on ${::hostname}. Is \$listen_addr empty or does it not have an IPv4 address?.")
+ }
- if has_role('security_mirror_no_ftp') {
- vsftpd::site { [ 'security', 'security6' ]:
- ensure => absent,
- }
- } else {
- include ferm::ftp_conntrack
- vsftpd::site { 'security':
- banner => 'security.debian.org FTP server (vsftpd)',
- logfile => '/var/log/ftp/vsftpd-security.debian.org.log',
- max_clients => 200,
- root => '/srv/ftp.root/',
- bind => $ftp_bind,
- }
- if ($ftp_bind6 != '') {
- vsftpd::site { 'security6':
- banner => 'security.debian.org FTP server (vsftpd)',
- logfile => '/var/log/ftp/vsftpd-security6.debian.org.log',
- max_clients => 200,
- root => '/srv/ftp.root/',
- bind => $ftp_bind6,
- }
- }
- }
+ onion::service { 'security.debian.org':
+ port => 80,
+ target_port => 80,
+ target_address => $onion_addr,
+ }
+ }
- rsync::site { 'security':
- source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
- max_clients => 100,
- bind => $rsync_bind,
- bind6 => $rsync_bind6,
- }
+ Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
- $onion_v4_addr = $::hostname ? {
- mirror-anu => '150.203.164.61',
- mirror-isc => '149.20.4.14',
- mirror-umn => '128.101.240.215',
- villa => '212.211.132.32',
- lobos => '212.211.132.250',
- default => undef,
- }
- if has_role('security_mirror_onion') {
- if ! $onion_v4_addr {
- fail("Do not have an onion_v4_addr set for $::hostname.")
- }
+ mirror_health::service { 'security':
+ this_host_service_name => $healthcheck_name,
+ url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
+ health_url => 'http://security.backend.mirrors.debian.org/_health',
+ }
- onion::service { 'security.debian.org':
- port => 80,
- target_port => 80,
- target_address => $onion_v4_addr,
- }
- }
+ # security abusers
+ # 198.108.67.48 DoS against our rsync service
+ ferm::rule { 'dsa-security-abusers':
+ prio => '005',
+ rule => 'saddr ( 198.108.67.48/32 ) DROP',
+ }
}