X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Froles%2Fmanifests%2Frtc.pp;h=26a6e52fd6b94820b7fc642d4ff015c3fa7aaf02;hb=e71099e47c57303bb7090e404db84ad3e8d3b75b;hp=728f2337515d7317c0c3c34441413afff5b116d8;hpb=8d823f910dbb7eb041f71af90c653d7dee04cf41;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp
index 728f23375..26a6e52fd 100644
--- a/modules/roles/manifests/rtc.pp
+++ b/modules/roles/manifests/rtc.pp
@@ -18,73 +18,73 @@ class roles::rtc { hostname => $::fqdn, } - @ferm::rule { 'dsa-xmpp-client-ip4': + ferm::rule { 'dsa-xmpp-client-ip4': domain => 'ip', description => 'XMPP connections (client to server)', rule => 'proto tcp dport (5222) ACCEPT' } - @ferm::rule { 'dsa-xmpp-client-ip6': + ferm::rule { 'dsa-xmpp-client-ip6': domain => 'ip6', description => 'XMPP connections (client to server)', rule => 'proto tcp dport (5222) ACCEPT' } - @ferm::rule { 'dsa-xmpp-server-ip4': + ferm::rule { 'dsa-xmpp-server-ip4': domain => 'ip', description => 'XMPP connections (server to server)', rule => 'proto tcp dport (5269) ACCEPT' } - @ferm::rule { 'dsa-xmpp-server-ip6': + ferm::rule { 'dsa-xmpp-server-ip6': domain => 'ip6', description => 'XMPP connections (server to server)', rule => 'proto tcp dport (5269) ACCEPT' } - @ferm::rule { 'dsa-sip-ws-ip4': + ferm::rule { 'dsa-sip-ws-ip4': domain => 'ip', description => 'SIP connections (WebSocket; for WebRTC)', rule => 'proto tcp dport (443) ACCEPT' } - @ferm::rule { 'dsa-sip-ws-ip6': + ferm::rule { 'dsa-sip-ws-ip6': domain => 'ip6', description => 'SIP connections (WebSocket; for WebRTC)', rule => 'proto tcp dport (443) ACCEPT' } - @ferm::rule { 'dsa-sip-tls-ip4': + ferm::rule { 'dsa-sip-tls-ip4': domain => 'ip', description => 'SIP connections (TLS)', rule => 'proto tcp dport (5061) ACCEPT' } - @ferm::rule { 'dsa-sip-tls-ip6': + ferm::rule { 'dsa-sip-tls-ip6': domain => 'ip6', description => 'SIP connections (TLS)', rule => 'proto tcp dport (5061) ACCEPT' } - @ferm::rule { 'dsa-turn-ip4': + ferm::rule { 'dsa-turn-ip4': domain => 'ip', description => 'TURN connections', rule => 'proto udp dport (3478) ACCEPT' } - @ferm::rule { 'dsa-turn-ip6': + ferm::rule { 'dsa-turn-ip6': domain => 'ip6', description => 'TURN connections', rule => 'proto udp dport (3478) ACCEPT' } - @ferm::rule { 'dsa-turn-tls-ip4': + ferm::rule { 'dsa-turn-tls-ip4': domain => 'ip', description => 'TURN connections (TLS)', rule => 'proto tcp dport (5349) 
ACCEPT' } - @ferm::rule { 'dsa-turn-tls-ip6': + ferm::rule { 'dsa-turn-tls-ip6': domain => 'ip6', description => 'TURN connections (TLS)', rule => 'proto tcp dport (5349) ACCEPT' } - @ferm::rule { 'dsa-rtp-ip4': + ferm::rule { 'dsa-rtp-ip4': domain => 'ip', description => 'RTP streams', rule => 'proto udp dport (49152:65535) ACCEPT' } - @ferm::rule { 'dsa-rtp-ip6': + ferm::rule { 'dsa-rtp-ip6': domain => 'ip6', description => 'RTP streams', rule => 'proto udp dport (49152:65535) ACCEPT' @@ -97,6 +97,12 @@ class roles::rtc { service { 'repro': ensure => running, } + dsa_systemd::override { 'repro': + content => @("EOF"), + [Unit] + After=network-online.target + | EOF + } package { 'freeradius': ensure => installed, @@ -106,7 +112,7 @@ class roles::rtc { } $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password") file { '/etc/freeradius/3.0/sites-available/rtc.debian.org': - content => template('modules/roles/rtc/freeradius-rtc.erb'), + content => template('roles/rtc/freeradius-rtc.erb'), mode => '0440', group => freerad, } @@ -115,7 +121,7 @@ class roles::rtc { target => '../sites-available/rtc.debian.org', } file { '/etc/freeradius/3.0/mods-available/passwd_rtc': - source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd', + source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc', mode => '0440', group => freerad, } @@ -124,9 +130,7 @@ class roles::rtc { target => '../mods-available/passwd_rtc', } file { '/etc/repro/radius-servers': - content => @(EOF), - localhost/localhost ${radius_password} - | EOF + content => inline_template('localhost/localhost <%= @radius_password %>'), mode => '0440', group => repro, notify => Service['repro'],
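Review bot: With the `@` dropped these are real rules on every node that includes roles::rtc, and `dsa-rtp-ip4`/`dsa-rtp-ip6` accept UDP from any source on the whole 49152:65535 range; nothing in the hunk ties that range to the ports the media service is actually configured to use. I would add a comment above the RTP rules such as `# must match the configured RTP/TURN media port range; narrow both together`, and narrow the range if the service allows it. As a style point, every service is declared twice with identical bodies for ip and ip6; if the `ferm::rule` define (not visible here) accepts a domain list, one rule per service would halve the block. The class body starts and continues outside this hunk.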
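Review bot: The override adds only `After=network-online.target`, which orders repro after that target but does not pull the target into the boot transaction; unless another unit already wants it, the ordering has no effect. Add `Wants=network-online.target` under `[Unit]` next to the `After=` line. The heredoc tag `@("EOF")` enables interpolation although the body has no variables, so `@(EOF)` would state the intent more plainly. Whether `dsa_systemd::override` reloads systemd and restarts repro is not visible in this hunk.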
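Review bot: `/etc/freeradius/3.0/sites-available/rtc.debian.org` sets `mode` and `group` but no `owner` and does not suppress diffs, while `$radius_password` is derived on the line above and is presumably rendered by this template. I would add `owner => root,` and `show_diff => false,` so ownership does not depend on a File default defined elsewhere and a change to the secret is not printed into agent logs and reports. The same applies to `/etc/repro/radius-servers` in the last hunk, which writes the password directly. A one-line comment on the `hkdf()` call naming the services that consume the derived value would also help the next reader.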
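Review bot: The `inline_template` form drops the trailing newline that the old `| EOF` heredoc emitted, so `/etc/repro/radius-servers` now ends without a line terminator; whether repro's parser tolerates that is not visible here. A plain interpolated string keeps the newline and avoids ERB for a single variable: `content => "localhost/localhost ${radius_password}\n",`. The resource is closed outside the hunk.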