exim blacklist: update based on recent observations

[mirror/dsa-puppet.git] / modules / roles / manifests / syncproxy.pp

diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 20c3320..aa452f0 100644 (file)
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -1,23 +1,76 @@
-class roles::syncproxy {
-       rsync::site { 'syncproxy':
-               source => 'puppet:///modules/roles/syncproxy/rsyncd.conf',
-               bind   => $::hostname ? {
-                       'milanollo' => '5.153.231.9',
-                       default => ''
-               }
-               bind6   => $::hostname ? {
-                       'milanollo' => '2001:41c8:1000:21::21:9',
-                       default => ''
-               }
-       }
-
-       file { '/etc/rsyncd':
-               ensure => 'directory'
-       }
-
-       file { '/etc/rsyncd/debian.secrets':
-               owner => 'root',
-               group => 'mirroradm',
-               mode => 0664,
-       }
+# a syncproxy
+# @param syncproxy_name  the service name of this syncproxy
+# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from
+class roles::syncproxy(
+  String $syncproxy_name,
+  Array[Stdlib::IP::Address] $listen_addr = [],
+) {
+  include roles::archvsync_base
+
+  $enclosed_addresses_rsync = empty($listen_addr) ? {
+    true    => ['[::]'],
+    default => enclose_ipv6($listen_addr),
+  }
+  $enclosed_addresses_apache = empty($listen_addr) ? {
+    true    => ['*'],
+    default => enclose_ipv6($listen_addr),
+  }
+  $ssh_source_addresses = empty($listen_addr) ? {
+    true    => $base::public_addresses,
+    default => $listen_addr,
+  }
+
+  $mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
+
+  file { '/etc/rsyncd':
+    ensure => 'directory'
+  }
+
+  file { '/etc/rsyncd/debian.secrets':
+    owner => 'root',
+    group => 'mirroradm',
+    mode  => '0660',
+  }
+
+  include apache2
+  include apache2::ssl
+  ssl::service { $syncproxy_name:
+    notify => Exec['service apache2 reload'],
+    key    => true,
+  }
+  apache2::site { '010-syncproxy.debian.org':
+    site    => 'syncproxy.debian.org',
+    content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
+  }
+
+  file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
+    ensure => directory,
+    mode   => '0755',
+  }
+  file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
+    content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
+  }
+
+  rsync::site { 'syncproxy':
+    content => template('roles/syncproxy/rsyncd.conf.erb'),
+    binds   => $enclosed_addresses_rsync,
+    sslname => $syncproxy_name,
+  }
+
+
+  # ssh firewalling setup
+  ###
+  @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+    tag         => 'ssh::server::from::syncproxy',
+    description => 'Allow ssh access from a syncproxy',
+    chain       => 'ssh',
+    saddr       => $ssh_source_addresses,
+  }
+  # syncproxies should be accessible from various role hosts
+  Ferm::Rule::Simple <<|
+    tag == 'ssh::server::from::syncproxy' or
+    tag == 'ssh::server::from::ftp_master' or
+    tag == 'ssh::server::from::ports_master' or
+    tag == 'ssh::server::from::security_master'
+    |>>
 }