X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Froles%2Fmanifests%2Fsecurity_mirror.pp;h=e87431a8614aae1fde5f6ca9de02e146897a1681;hb=067090ebb5aafec7408e2a0676b857f8235ecbfc;hp=c6019a86877bc1e96c0c64b1160f851bf1aaef8a;hpb=5a0da8586fc1784f755f36ab557d038fb922d2bb;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index c6019a868..e87431a86 100644
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -1,90 +1,67 @@
-class roles::security_mirror {
-	include roles::archvsync_base
+# security mirror
+#
+# @param listen_addr IP addresses to have rsync listen on
+# @param onion_service provide the onion service from this host
+# @param healthcheck_name name to access this node in the health checker
+class roles::security_mirror(
+  Array[Stdlib::IP::Address] $listen_addr = [],
+  Boolean $onion_service = false,
+  Optional[String] $healthcheck_name = undef,
+){
+  include roles::archvsync_base
+  include apache2
+  include apache2::expires
+  include apache2::rewrite
 
-	$rsync_bind = $::hostname ? {
-		mirror-anu => '150.203.164.61',
-		mirror-bytemark => '5.153.231.46',
-		mirror-conova => '217.196.149.233',
-		mirror-isc => '149.20.4.14',
-		mirror-umn => '128.101.240.215',
-		default    => '',
-	}
-	$rsync_bind6 = $::hostname ? {
-		mirror-anu => '2001:388:1034:2900::3d',
-		mirror-bytemark => '2001:41c8:1000:21::21:46',
-		mirror-conova => '2a02:16a8:dc41:100::233',
-		mirror-isc => '2001:4f8:1:c::14',
-		mirror-umn => '2607:ea00:101:3c0b::1deb:215',
-		default    => '',
-	}
-	$ftp_bind = $rsync_bind
-	$ftp_bind6 = $rsync_bind6
+  $enclosed_addresses_rsync = empty($listen_addr) ? {
+    true    => ['[::]'],
+    default => enclose_ipv6($listen_addr),
+  }
+  $_enclosed_addresses = empty($listen_addr) ? {
+    true    => ['*'],
+    default => enclose_ipv6($listen_addr),
+  }
+  $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ')
 
-	file { '/srv/mirrors/debian-security':
-		ensure => link,
-		target => '../ftp.root/debian-security',
-	}
-	file { '/srv/ftp.root/.nobackup':
-		ensure  => present,
-		content => '',
-	}
+  apache2::site { '010-security.debian.org':
+    site    => 'security.debian.org',
+    content => template('roles/security_mirror/security.debian.org.erb')
+  }
 
-	include apache2::expires
-	include apache2::rewrite
+  rsync::site { 'security':
+    source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
+    max_clients => 100,
+    binds       => $enclosed_addresses_rsync,
+  }
 
-	apache2::site { '010-security.debian.org':
-		site   => 'security.debian.org',
-		content => template('roles/security_mirror/security.debian.org.erb')
-	}
+  if $onion_service {
+    $onion_addr = empty($listen_addr) ? {
+      true    => $base::public_address,
+      default => filter_ipv4($listen_addr)[0]
+    }
+    if ! $onion_addr {
+      fail("Do not have a useable address for the onionservice on ${::hostname}.  Is \$listen_addr empty or does it not have an IPv4 address?.")
+    }
 
-	if has_role('security_mirror_no_ftp') {
-		vsftpd::site { [ 'security', 'security6' ]:
-			ensure => absent,
-		}
-	} else {
-		include ferm::ftp_conntrack
-		vsftpd::site { 'security':
-			banner       => 'security.debian.org FTP server (vsftpd)',
-			logfile      => '/var/log/ftp/vsftpd-security.debian.org.log',
-			max_clients  => 200,
-			root         => '/srv/ftp.root/',
-			bind         => $ftp_bind,
-		}
-		if ($ftp_bind6 != '') {
-			vsftpd::site { 'security6':
-				banner       => 'security.debian.org FTP server (vsftpd)',
-				logfile      => '/var/log/ftp/vsftpd-security6.debian.org.log',
-				max_clients  => 200,
-				root         => '/srv/ftp.root/',
-				bind         => $ftp_bind6,
-			}
-		}
-	}
+    onion::service { 'security.debian.org':
+      port           => 80,
+      target_port    => 80,
+      target_address => $onion_addr,
+    }
+  }
 
-	rsync::site { 'security':
-		source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
-		max_clients => 100,
-		bind        => $rsync_bind,
-		bind6       => $rsync_bind6,
-	}
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
 
-	$onion_v4_addr = $::hostname ? {
-		mirror-anu => '150.203.164.61',
-		mirror-isc => '149.20.4.14',
-		mirror-umn => '128.101.240.215',
-		villa      => '212.211.132.32',
-		lobos      => '212.211.132.250',
-		default   => undef,
-	}
-	if has_role('security_mirror_onion') {
-		if ! $onion_v4_addr {
-			fail("Do not have an onion_v4_addr set for $::hostname.")
-		}
+  mirror_health::service { 'security':
+    this_host_service_name => $healthcheck_name,
+    url                    => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
+    health_url             => 'http://security.backend.mirrors.debian.org/_health',
+  }
 
-		onion::service { 'security.debian.org':
-			port => 80,
-			target_port => 80,
-			target_address => $onion_v4_addr,
-		}
-	}
+  # security abusers
+  #  198.108.67.48 DoS against our rsync service
+  ferm::rule { 'dsa-security-abusers':
+    prio => '005',
+    rule => 'saddr ( 198.108.67.48/32 ) DROP',
+  }
 }