Note that exim contains tracker-specific configuration
[mirror/dsa-puppet.git] / modules / rsync / manifests / site.pp
index 6151e91..7d0882c 100644 (file)
@@ -1,50 +1,56 @@
+# an rsync site, systemd socket activated
 define rsync::site (
-       $bind='',
-       $source='',
-       $content='',
-       $fname="/etc/rsyncd-${name}.conf",
-       $max_clients=200,
-       $ensure=present
-){
+  Array[String] $binds = ['[::]'],
+  Optional[String] $source = undef,
+  Optional[String] $content = undef,
+  Integer $max_clients = 200,
+  Enum['present','absent'] $ensure = 'present',
+  Optional[String] $sslname = undef,
+) {
+  include rsync
 
-       include rsync
+  $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+  $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
 
-       case $ensure {
-               present,absent: {}
-               default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
-       }
+  file { $fname_real_rsync:
+    ensure  => $ensure,
+    content => $content,
+    source  => $source,
+  }
 
-       if ($source and $content) {
-               fail ( "Can't define both source and content for ${name}" )
-       }
+  dsa_systemd::socket_service { "rsyncd-${name}":
+    ensure          => $ensure,
+    service_content => template('rsync/systemd-rsyncd.service.erb'),
+    socket_content  => template('rsync/systemd-rsyncd.socket.erb'),
+    require         => File[$fname_real_rsync],
+  }
 
-       if $source {
-               file { $fname:
-                       ensure => $ensure,
-                       noop   => true,
-                       source => $source
-               }
-       } elsif $content {
-               file { $fname:
-                       ensure  => $ensure,
-                       noop    => true,
-                       content => $content,
-               }
-       } else {
-               fail ( "Can't find config for ${name}" )
-       }
+  if $sslname {
+    file { $fname_real_stunnel:
+      ensure  => $ensure,
+      content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+      require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+    }
 
-       xinetd::service { "rsync-${name}":
-               noop        => true,
-               bind        => $bind,
-               id          => "${name}-rsync",
-               server      => '/usr/sbin/rsyncd',
-               port        => 'rsync',
-               server_args => $fname,
-               ferm        => false,
-               instances   => $max_clients,
-               require     => File[$fname]
-       }
+    dsa_systemd::socket_service { "rsyncd-${name}-stunnel":
+      ensure          => $ensure,
+      service_content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+      socket_content  => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+      require         => File[$fname_real_stunnel],
+    }
 
-       Service['rsync']->Service['xinetd']
+    ferm::rule { "rsync-${name}-ssl":
+      domain      => '(ip ip6)',
+      description => 'Allow rsync access',
+      rule        => '&SERVICE(tcp, 1873)',
+    }
+
+    $certdir = hiera('paths.letsencrypt_dir')
+    dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+      zone     => 'debian.org',
+      certfile => [ "${certdir}/${sslname}.crt" ],
+      port     => 1873,
+      hostname => $sslname,
+    }
+  }
 }
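Review bot: The `ferm::rule "rsync-${name}-ssl"` and the `dnsextras::tlsa_record` are not tied to `$ensure`, so setting a site to `absent` removes the stunnel config and socket units but leaves tcp/1873 open in the firewall and the TLSA record published; if those defines accept it, add `ensure => $ensure,` to both (or wrap them in `if $ensure == 'present'`). The old guard that failed when neither `$source` nor `$content` was given has been dropped, and with both `undef` the `file { $fname_real_rsync }` resource will now manage an empty rsyncd config rather than erroring; restore it with `if !$source and !$content { fail("Can't find config for ${name}") }` (Puppet itself still rejects both being set). The TLSA record is computed from `${certdir}/${sslname}.crt` while stunnel requires `/etc/ssl/debian/certs/${sslname}.crt-chained`; presumably the leaf is the same, but a comment stating that assumption, e.g. `# TLSA is generated from the LE leaf cert; the chained file served by stunnel must contain the same leaf`, would make the coupling explicit. The ferm description `'Allow rsync access'` would be clearer as `'Allow rsync-over-stunnel access'` since it covers only the TLS port.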