+ service { "rsyncd-${name}-stunnel.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
+ Service["rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ $certdir = hiera('paths.letsencrypt_dir')
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [ "${certdir}/${sslname}.crt" ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }