+# an rsync site, systemd socket activated
define rsync::site (
- $binds=['[::]'],
- $source=undef,
- $content=undef,
- $max_clients=200,
- Enum['present','absent'] $ensure = 'present',
- $sslname=undef,
+ Array[String] $binds = ['[::]'],
+ Optional[String] $source = undef,
+ Optional[String] $content = undef,
+ Integer $max_clients = 200,
+ Enum['present','absent'] $ensure = 'present',
+ Optional[String] $sslname = undef,
) {
- include rsync
-
- $fname_real_rsync = "/etc/rsyncd-${name}.conf"
- $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
-
- $ensure_service = $ensure ? {
- present => running,
- absent => stopped,
- }
-
- $ensure_enable = $ensure ? {
- present => true,
- absent => false,
- }
-
- file { $fname_real_rsync:
- ensure => $ensure,
- content => $content,
- source => $source,
- owner => 'root',
- group => 'root',
- mode => '0444',
- }
-
- $service_file = "/etc/systemd/system/rsyncd-${name}@.service"
- $socket_file = "/etc/systemd/system/rsyncd-${name}.socket"
- $systemd_service = "rsyncd-${name}.socket"
-
- # if we enable the service, we want the files before the service.
- # if we remove the service, we want the service disabled before the files
- # go away.
- $service_subscribe = $ensure ? {
- present => [
- File[$service_file],
- File[$socket_file],
- ],
- default => [],
- }
- $service_before = $ensure ? {
- present => [],
- default => [
- File[$service_file],
- File[$socket_file],
- ],
- }
-
- file { $service_file:
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd.service.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File[$fname_real_rsync],
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { $socket_file:
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd.socket.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- notify => Exec['systemctl daemon-reload'],
- }
-
- service { $systemd_service:
- ensure => $ensure_service,
- enable => $ensure_enable,
- notify => Exec['systemctl daemon-reload'],
- provider => systemd,
- before => $service_before,
- subscribe => $service_subscribe,
- }
-
- if $sslname {
- file { $fname_real_stunnel:
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File[$fname_real_stunnel],
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- notify => [
- Exec['systemctl daemon-reload'],
- Service["rsyncd-${name}-stunnel.socket"]
- ],
- }
-
- service { "rsyncd-${name}-stunnel.socket":
- ensure => $ensure_service,
- enable => $ensure_enable,
- require => [
- Exec['systemctl daemon-reload'],
- File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
- File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
- Service["rsyncd-${name}.socket"],
- ],
- provider => systemd,
- }
-
- ferm::rule { "rsync-${name}-ssl":
- domain => '(ip ip6)',
- description => 'Allow rsync access',
- rule => '&SERVICE(tcp, 1873)',
- }
-
- $certdir = hiera('paths.letsencrypt_dir')
- dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
- zone => 'debian.org',
- certfile => [ "${certdir}/${sslname}.crt" ],
- port => 1873,
- hostname => $sslname,
- }
- }
+ include rsync
+
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
+
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ }
+
+ dsa_systemd::socket_service { "rsyncd-${name}":
+ ensure => $ensure,
+ service_content => template('rsync/systemd-rsyncd.service.erb'),
+ socket_content => template('rsync/systemd-rsyncd.socket.erb'),
+ require => File[$fname_real_rsync],
+ }
+
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+ }
+
+ dsa_systemd::socket_service { "rsyncd-${name}-stunnel":
+ ensure => $ensure,
+ service_content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ socket_content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ require => File[$fname_real_stunnel],
+ }
+
+ ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ $certdir = hiera('paths.letsencrypt_dir')
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [ "${certdir}/${sslname}.crt" ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }
}
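Review bot: The `ferm::rule` and `dnsextras::tlsa_record` at the end of the `if $sslname` block ignore `$ensure`, so a site declared with `ensure => 'absent'` and an `sslname` still opens tcp/1873 in the firewall and still publishes the TLSA record while the stunnel socket is being removed. Wrapping just those two resources in `if $ensure == 'present' { … }` would tie the exposure to the service actually existing. Separately, the two `file` resources no longer set `owner`, `group` and `mode`; that is only safe if a site-wide `File` default supplies them, which is not visible here, so a comment such as `# owner/group/mode come from the global File defaults` is worth adding. The title `$name` is still interpolated into `/etc/rsyncd-${name}.conf` and the unit names without a check, unlike the newly typed parameters; a guard such as `assert_type(Pattern[/\A[a-z0-9_-]+\z/], $name)` at the top of the body would close that gap, with the pattern adjusted to the names actually in use.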