prefix ticharich volumes with OLD-
diff --git
a/modules/rsync/manifests/site.pp
b/modules/rsync/manifests/site.pp
index
489f157
..
7d0882c
100644
(file)
--- a/
modules/rsync/manifests/site.pp
+++ b/
modules/rsync/manifests/site.pp
@@
-1,52
+1,56
@@
+# an rsync site, systemd socket activated
define rsync::site (
define rsync::site (
- $bind='',
- $source='',
- $content='',
- $fname='',
- $max_clients=200,
- $ensure=present
-){
+ Array[String] $binds = ['[::]'],
+ Optional[String] $source = undef,
+ Optional[String] $content = undef,
+ Integer $max_clients = 200,
+ Enum['present','absent'] $ensure = 'present',
+ Optional[String] $sslname = undef,
+) {
+ include rsync
- include rsync
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
- if ! $fname {
- $fname_real = "/etc/rsyncd-${name}.conf"
- } else {
- $fname_real = $fname
- }
- case $ensure {
- present,absent: {}
- default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
- }
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ }
- if ($source and $content) {
- fail ( "Can't define both source and content for ${name}" )
- }
+ dsa_systemd::socket_service { "rsyncd-${name}":
+ ensure => $ensure,
+ service_content => template('rsync/systemd-rsyncd.service.erb'),
+ socket_content => template('rsync/systemd-rsyncd.socket.erb'),
+ require => File[$fname_real_rsync],
+ }
- if $source {
- file { $fname_real:
- ensure => $ensure,
- source => $source
- }
- } elsif $content {
- file { $fname_real:
- ensure => $ensure,
- content => $content,
- }
- } else {
- fail ( "Can't find config for ${name}" )
- }
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+ }
- xinetd::service { "rsync-${name}":
- bind => $bind,
- id => "${name}-rsync",
- server => '/usr/bin/rsync',
- port => 'rsync',
- server_args => $fname_real,
- ferm => false,
- instances => $max_clients,
- require => File[$fname_real]
- }
+ dsa_systemd::socket_service { "rsyncd-${name}-stunnel":
+ ensure => $ensure,
+ service_content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ socket_content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ require => File[$fname_real_stunnel],
+ }
- Service['rsync']->Service['xinetd']
+ ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ $certdir = hiera('paths.letsencrypt_dir')
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [ "${certdir}/${sslname}.crt" ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }
}
}
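Review bot: The guard that exactly one of `$source` and `$content` is supplied was dropped together with the old `if ($source and $content)` and `else { fail(...) }` branches, and the new `file { $fname_real_rsync: ... }` now passes both through unconditionally. Puppet's file type still rejects content and source given together at catalog compile, but with neither set the resource creates or keeps an empty /etc/rsyncd-${name}.conf and the socket-activated unit is then brought up against it instead of the compile failing. Restoring one line before the file resource, `if !($source or $content) { fail("Need source or content for ${name}") }`, keeps that check. A short parameter comment on `$binds` and `$sslname` would also help, since neither is referenced in the visible manifest and their use presumably lives in the ERB templates.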