Start repro only after we are online
[mirror/dsa-puppet.git] / modules / roles / manifests / rtc.pp
index c5e9da3..3e9799d 100644 (file)
@@ -1,39 +1,21 @@
 class roles::rtc {
 
-       ssl::service { 'www.debian.org':
+       ssl::service { 'debian.org':
+               tlsaport => [],
+               notify  => Service['repro'],
+               key => true,
        }
 
        ssl::service { 'sip-ws.debian.org':
+               notify  => Service['repro'],
+               key => true,
        }
 
-       concat { '/etc/repro/www.debian.org-chained.crt':
-       }
-       concat::fragment { '/etc/ssl/debian/certs/www.debian.org.crt':
-               target      => '/etc/repro/www.debian.org-chained.crt',
-               source      => 'file:///etc/ssl/debian/certs/www.debian.org.crt',
-               order       => 00,
-               require     => File['/etc/ssl/debian/certs/www.debian.org.crt'],
-       }
-       concat::fragment { '/etc/ssl/debian/certs/www.debian.org.crt-chain':
-               target      => '/etc/repro/www.debian.org-chained.crt',
-               source      => 'file:///etc/ssl/debian/certs/www.debian.org.crt-chain',
-               order       => 99,
-               require     => File['/etc/ssl/debian/certs/www.debian.org.crt-chain'],
-       }
-
-       concat { '/etc/repro/sip-ws.debian.org-chained.crt':
-       }
-       concat::fragment { '/etc/ssl/debian/certs/sip-ws.debian.org.crt':
-               target      => '/etc/repro/sip-ws.debian.org-chained.crt',
-               source      => 'file:///etc/ssl/debian/certs/sip-ws.debian.org.crt',
-               order       => 00,
-               require     => File['/etc/ssl/debian/certs/sip-ws.debian.org.crt'],
-       }
-       concat::fragment { '/etc/ssl/debian/certs/sip-ws.debian.org.crt-chain':
-               target      => '/etc/repro/sip-ws.debian.org-chained.crt',
-               source      => 'file:///etc/ssl/debian/certs/sip-ws.debian.org.crt-chain',
-               order       => 99,
-               require     => File['/etc/ssl/debian/certs/sip-ws.debian.org.crt-chain'],
+       dnsextras::tlsa_record{ 'tlsa-xmpp':
+               zone     => 'debian.org',
+               certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
+               port     => [5061, 5222, 5269],
+               hostname => $::fqdn,
        }
 
        @ferm::rule { 'dsa-xmpp-client-ip4':
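Review bot: The new `dnsextras::tlsa_record` is built from `www.debian.org.crt` while, in the same hunk, the `ssl::service` for this host is switched from `www.debian.org` to `debian.org`; if repro now presents the `debian.org` certificate on 5061, a DANE record pinned to the `www.debian.org` certificate would fail validation for that port, so the certfile (or the port list) should be checked against what actually listens on 5061, 5222 and 5269. `tlsaport => []` on the `debian.org` service looks like automatic TLSA publication was disabled on purpose, which makes this manual record the only DANE data for those ports and worth a one-line comment saying which service each port belongs to. The `certfile` value contains no interpolation, so per puppet-lint it should be `certfile => '/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt',`. The `roles::rtc` class body continues outside the hunk.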
@@ -109,7 +91,54 @@ class roles::rtc {
        }
 
        file { '/etc/monit/monit.d/50rtc':
-               source  => 'puppet:///modules/roles/rtc/monit',
-               mode    => '0440'
+               ensure  => absent,
+       }
+
+       service { 'repro':
+               ensure  => running,
+       }
+       systemd::override { 'repro':
+               content  => @("EOF"),
+                       [Unit]
+                       After=network-online.target
+                       | EOF
+       }
+
+       package { 'freeradius':
+               ensure  => installed,
+       }
+       service { 'freeradius':
+               ensure  => running,
+       }
+       $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
+       file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
+               content => template('roles/rtc/freeradius-rtc.erb'),
+               mode    => '0440',
+               group   => freerad,
+       }
+       file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
+               ensure  => link,
+               target  => '../sites-available/rtc.debian.org',
+       }
+       file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
+               source  => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
+               mode    => '0440',
+               group   => freerad,
+       }
+       file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
+               ensure  => link,
+               target  => '../mods-available/passwd_rtc',
+       }
+       file { '/etc/repro/radius-servers':
+               content => inline_template('localhost/localhost <%= @radius_password %>'),
+               mode    => '0440',
+               group   => repro,
+               notify  => Service['repro'],
+       }
+       file { '/etc/freeradius/3.0/sites-enabled/default':
+               ensure  => absent,
+       }
+       file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
+               ensure  => absent,
        }
 }
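Review bot: The six `file` resources under `/etc/freeradius/3.0/` have no ordering against `Package['freeradius']` and no notification to `Service['freeradius']`, so on a fresh host the first run can try to manage files in a directory the package has not created yet, and a later rotation of `$radius_password` rewrites `sites-available/rtc.debian.org` without the daemon reloading it; `/etc/repro/radius-servers` does get `notify => Service['repro']`, so only one side of the shared secret would be picked up. Adding `require => Package['freeradius'],` and `notify  => Service['freeradius'],` to each of those resources (and `require => Package['freeradius']` to `Service['freeradius']` itself) closes both gaps. In the `systemd::override` for repro, `After=network-online.target` alone only orders against the target if something else activates it; the commit's intent of starting repro only once online also needs `Wants=network-online.target` in the same `[Unit]` section. The heredoc should also note in a comment why the override exists, e.g. `# repro binds to the public address, which is not up before network-online`, if that is the reason.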