class roles::security_master {
- ssl::service { 'security-master.debian.org':
- notify => Exec['service apache2 reload'],
- key => true,
- tlsaport => [443, 1873],
- }
+ include roles::dakmaster
- vsftpd::site { 'security':
- banner => 'security-master.debian.org FTP server (vsftpd)',
- logfile => '/var/log/ftp/vsftpd-security-master.debian.org.log',
- writable => true,
- chown_user => dak-unpriv,
- root => '/srv/ftp.root/',
- }
+ ssl::service { 'security-master.debian.org':
+ notify => Exec['service apache2 reload'],
+ key => true,
+ tlsaport => [443, 1873],
+ }
- rsync::site_systemd { 'security_master':
- source => 'puppet:///modules/roles/security_master/rsyncd.conf',
- max_clients => 100,
- sslname => 'security-master.debian.org',
- }
+ rsync::site { 'security_master':
+ source => 'puppet:///modules/roles/security_master/rsyncd.conf',
+ # Needs to be at least twice the number of direct mirrors (currently 15) plus some spare
+ max_clients => 50,
+ sslname => 'security-master.debian.org',
+ }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-security_master-${::fqdn}":
+ tag => 'ssh::server::from::security_master',
+ description => 'Allow ssh access from security_master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
}