define rsync::site (
- $bind='',
- $bind6='',
- $source='',
- $content='',
+ $binds=['[::]'],
+ $source=undef,
+ $content=undef,
$max_clients=200,
$ensure=present,
- $sslname='',
- $sslport=1873
-){
-
+ $sslname=undef,
+) {
include rsync
- $fname_real = "/etc/rsyncd-${name}.conf"
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
+
case $ensure {
present,absent: {}
default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
}
- if ($source and $content) {
- fail ( "Can't define both source and content for ${name}" )
+ $ensure_service = $ensure ? {
+ present => running,
+ absent => stopped,
}
- if $source {
- file { $fname_real:
- ensure => $ensure,
- source => $source
- }
- } elsif $content {
- file { $fname_real:
- ensure => $ensure,
- content => $content,
- }
- } else {
- fail ( "Can't find config for ${name}" )
+ $ensure_enable = $ensure ? {
+ present => true,
+ absent => false,
}
- xinetd::service { "rsync-${name}":
- bind => $bind,
- id => "${name}-rsync",
- server => '/usr/bin/rsync',
- service => 'rsync',
- server_args => "--daemon --config=${fname_real}",
- ferm => false,
- instances => $max_clients,
- require => File[$fname_real]
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
}
- if $bind6 != '' {
- if $bind == '' {
- fail("Cannot listen on * and a specific ipv6 address")
- }
- xinetd::service { "rsync-${name}6":
- bind => $bind6,
- id => "${name}-rsync6",
- server => '/usr/bin/rsync',
- service => 'rsync',
- server_args => "--daemon --config=${fname_real}",
- ferm => false,
- instances => $max_clients,
- require => File[$fname_real]
- }
+ file { "/etc/systemd/system/rsyncd-${name}@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_rsync],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}.socket"],
+ ],
}
- if $sslname != '' {
- file { "/etc/rsyncd-${name}-stunnel.conf":
- content => template('rsync/rsyncd-stunnel.conf.erb'),
+ service { "rsyncd-${name}.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}@.service"],
+ File["/etc/systemd/system/rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
}
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_stunnel],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}-stunnel.socket"]
+ ],
+ }
+
+ service { "rsyncd-${name}-stunnel.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
+ Service["rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
@ferm::rule { "rsync-${name}-ssl":
domain => '(ip ip6)',
description => 'Allow rsync access',
- rule => "&SERVICE(tcp, $sslport)",
- }
- xinetd::service { "rsync-${name}-ssl":
- bind => $bind,
- id => "rsync-${name}-ssl",
- server => '/usr/bin/stunnel4',
- server_args => "/etc/rsyncd-${name}-stunnel.conf",
- service => "rsync-ssl",
- type => 'UNLISTED',
- port => "$sslport",
- ferm => true,
- instances => $max_clients,
- require => File["/etc/rsyncd-${name}-stunnel.conf"],
- }
- if $bind6 != '' {
- xinetd::service { "rsync-${name}-ssl6":
- bind => $bind6,
- id => "rsync-${name}-ssl6",
- server => '/usr/bin/stunnel4',
- server_args => "/etc/rsyncd-${name}-stunnel.conf",
- service => "rsync-ssl",
- type => 'UNLISTED',
- port => "$sslport",
- ferm => true,
- instances => $max_clients,
- require => File["/etc/rsyncd-${name}-stunnel.conf"],
- }
+ rule => '&SERVICE(tcp, 1873)',
}
- dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}":
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
zone => 'debian.org',
- certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ],
- port => $sslport,
- hostname => "$sslname",
+ certfile => [ "/srv/puppet.debian.org/from-letsencrypt/${sslname}.crt" ],
+ port => 1873,
+ hostname => $sslname,
}
}
-
- Service['rsync']->Service['xinetd']
}
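Review bot: The new `file { $fname_real_rsync: ... content => $content, source => $source }` resource drops the old guard that required exactly one of `$source`/`$content`; with both now defaulting to `undef`, a site declared with `ensure => present` and neither parameter compiles cleanly, deploys an empty `/etc/rsyncd-${name}.conf` and enables the socket, where the old code failed at catalog time (the both-set case is still rejected by the file type itself, but with a less specific message). Restoring the check just before that resource keeps the previous behaviour: `if $ensure == present and !($source or $content) { fail("Can't find config for ${name}") }`. For `ensure => absent` the `service` resources `require` the unit `file` resources, so the unit files are removed and `daemon-reload` runs before the socket is stopped; presumably the stop needs to happen first, which would mean reversing that ordering when `$ensure` is absent — worth confirming against the systemd provider. `$binds` and `$max_clients` are no longer referenced anywhere in this hunk and are presumably consumed by the `.socket`/`.service` templates; a one-line comment on the parameter list saying so would save the next reader a grep.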