-class roles::syncproxy {
- include roles::archvsync_base
+# a syncproxy
+# @param syncproxy_name the service name of this syncproxy
+# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from
+class roles::syncproxy(
+ String $syncproxy_name,
+ Array[Stdlib::IP::Address] $listen_addr = [],
+) {
+ include roles::archvsync_base
- $bind = $::hostname ? {
- 'milanollo' => '5.153.231.9',
- 'mirror-anu' => '150.203.164.60',
- 'mirror-isc' => '149.20.4.16',
- 'mirror-umn' => '128.101.240.216',
- 'klecker' => '130.89.148.10',
- default => ''
- }
- $bind6 = $::hostname ? {
- 'milanollo' => '2001:41c8:1000:21::21:9',
- 'mirror-anu' => '2001:388:1034:2900::3c',
- 'mirror-isc' => '2001:4f8:1:c::16',
- 'mirror-umn' => '2607:ea00:101:3c0b::1deb:216',
- 'klecker' => '2001:610:1908:b000::148:10',
- default => ''
- }
- $syncproxy_name = $::hostname ? {
- 'milanollo' => 'syncproxy3.eu.debian.org',
- 'mirror-anu' => 'syncproxy.au.debian.org',
- 'mirror-isc' => 'syncproxy2.wna.debian.org',
- 'mirror-umn' => 'syncproxy.cna.debian.org',
- 'klecker' => 'syncproxy2.eu.debian.org',
- default => 'unknown'
- }
+ $enclosed_addresses_rsync = empty($listen_addr) ? {
+ true => ['[::]'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $enclosed_addresses_apache = empty($listen_addr) ? {
+ true => ['*'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $ssh_source_addresses = empty($listen_addr) ? {
+ true => $base::public_addresses,
+ default => $listen_addr,
+ }
- file { '/etc/rsyncd':
- ensure => 'directory'
- }
+ $mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
- file { '/etc/rsyncd/debian.secrets':
- owner => 'root',
- group => 'mirroradm',
- mode => 0660,
- }
+ file { '/etc/rsyncd':
+ ensure => 'directory'
+ }
- if $::apache2 and $syncproxy_name != 'unknown' {
- include apache2::ssl
- ssl::service { "$syncproxy_name":
- notify => Exec['service apache2 reload'],
- key => true,
- }
- apache2::site { '010-syncproxy.debian.org':
- site => 'syncproxy.debian.org',
- content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
- }
+ file { '/etc/rsyncd/debian.secrets':
+ owner => 'root',
+ group => 'mirroradm',
+ mode => '0660',
+ }
- file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
- ensure => directory,
- mode => '0755',
- }
- file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
- content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
- }
+ include apache2
+ include apache2::ssl
+ ssl::service { $syncproxy_name:
+ notify => Exec['service apache2 reload'],
+ key => true,
+ }
+ apache2::site { '010-syncproxy.debian.org':
+ site => 'syncproxy.debian.org',
+ content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
+ }
- rsync::site { 'syncproxy':
- content => template('roles/syncproxy/rsyncd.conf.erb'),
- bind => $bind,
- bind6 => $bind6,
- sslname => "$syncproxy_name",
- }
- } else {
- rsync::site { 'syncproxy':
- content => template('roles/syncproxy/rsyncd.conf.erb'),
- bind => $bind,
- bind6 => $bind6,
- }
- }
+ file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
+ content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
+ }
+
+ rsync::site { 'syncproxy':
+ content => template('roles/syncproxy/rsyncd.conf.erb'),
+ binds => $enclosed_addresses_rsync,
+ sslname => $syncproxy_name,
+ }
+
+
+ # ssh firewalling setup
+ ###
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::from::syncproxy',
+ description => 'Allow ssh access from a syncproxy',
+ chain => 'ssh',
+ saddr => $ssh_source_addresses,
+ }
+ # syncproxies should be accessible from various role hosts
+ Ferm::Rule::Simple <<|
+ tag == 'ssh::server::from::syncproxy' or
+ tag == 'ssh::server::from::ftp_master' or
+ tag == 'ssh::server::from::ports_master' or
+ tag == 'ssh::server::from::security_master'
+ |>>
}
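Review bot: The `listen_addr = []` default widens exposure in three places at once — rsync binds `[::]`, apache listens on `*`, and the exported ssh rule's `saddr` becomes every entry of `$base::public_addresses` — yet the `@param listen_addr` line above the class does not say so; I would extend it to `# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from; when empty, rsync and apache listen on all addresses and ssh is allowed from all of this host's public addresses`. `Stdlib::IP::Address` also admits CIDR forms, which pass the type check but cannot be bound by rsync or apache, so `Array[Stdlib::IP::Address::Nosubnet]` looks like the tighter constraint if the stdlib version in use provides it. The `$base::public_addresses` reference relies on class `base` already being evaluated, which nothing in this hunk establishes.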