X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Frsync%2Fmanifests%2Fsite.pp;h=04c1e20e915ccc5dde9fcba7644c2d46e5ab8e50;hb=4939162b3524926ead9e4a832c314b78d379b770;hp=6a4284a3ce846b2fa9819b5cc84355cf17867d20;hpb=aae8b555c902a217d68dc96ccd50ae6144e8e686;p=mirror%2Fdsa-puppet.git
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
index 6a4284a3c..04c1e20e9 100644
--- a/modules/rsync/manifests/site.pp
+++ b/modules/rsync/manifests/site.pp
@@ -1,20 +1,17 @@
 define rsync::site (
  $bind='',
  $bind6='',
- $source='',
- $content='',
- $fname='',
+ $source=undef,
+ $content=undef,
  $max_clients=200,
- $ensure=present
+ $ensure=present,
+ $sslname=undef,
+ $sslport=1873
 ){
 
  include rsync
 
- if ! $fname {
- $fname_real = "/etc/rsyncd-${name}.conf"
- } else {
- $fname_real = $fname
- }
+ $fname_real = "/etc/rsyncd-${name}.conf"
  case $ensure {
  present,absent: {}
  default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
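Review bot: The new `$sslname` and `$sslport` parameters get none of the validation that the `case $ensure` block applies, and `$sslport` is later interpolated into a ferm rule string and used as an xinetd port, so a non-numeric or empty value would only surface as a broken firewall rule at apply time; a guard next to the ensure check such as `if $sslname and $sslport !~ /^\d+$/ { fail("Invalid sslport `${sslport}' for ${name}") }` would reject it at catalog compile time instead. Dropping `$fname` is the intended interface change, but the define has no header comment, and this commit would be the place to add one stating that the config path is now always `/etc/rsyncd-${name}.conf`, that `$sslname` selects the certificate under /etc/ssl/debian/certs, and that `$sslport` is the stunnel listener port. The `fail` message in the context lines still reads `Invald`. The define's body continues past this hunk.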
@@ -40,15 +37,75 @@ define rsync::site (
 
  xinetd::service { "rsync-${name}":
  bind => $bind,
- bind6 => $bind6,
  id => "${name}-rsync",
  server => '/usr/bin/rsync',
- port => 'rsync',
+ service => 'rsync',
  server_args => "--daemon --config=${fname_real}",
  ferm => false,
  instances => $max_clients,
  require => File[$fname_real]
  }
 
+ if $bind6 != '' {
+ if $bind == '' {
+ fail("Cannot listen on * and a specific ipv6 address")
+ }
+ xinetd::service { "rsync-${name}6":
+ bind => $bind6,
+ id => "${name}-rsync6",
+ server => '/usr/bin/rsync',
+ service => 'rsync',
+ server_args => "--daemon --config=${fname_real}",
+ ferm => false,
+ instances => $max_clients,
+ require => File[$fname_real]
+ }
+ }
+
+ if $sslname {
+ file { "/etc/rsyncd-${name}-stunnel.conf":
+ content => template('rsync/rsyncd-stunnel.conf.erb'),
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+ }
+ @ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => "&SERVICE(tcp, $sslport)",
+ }
+ xinetd::service { "rsync-${name}-ssl":
+ bind => $bind,
+ id => "rsync-${name}-ssl",
+ server => '/usr/bin/stunnel4',
+ server_args => "/etc/rsyncd-${name}-stunnel.conf",
+ service => "rsync-ssl",
+ type => 'UNLISTED',
+ port => "$sslport",
+ ferm => true,
+ instances => $max_clients,
+ require => File["/etc/rsyncd-${name}-stunnel.conf"],
+ }
+ if $bind6 != '' {
+ xinetd::service { "rsync-${name}-ssl6":
+ bind => $bind6,
+ id => "rsync-${name}-ssl6",
+ server => '/usr/bin/stunnel4',
+ server_args => "/etc/rsyncd-${name}-stunnel.conf",
+ service => "rsync-ssl",
+ type => 'UNLISTED',
+ port => "$sslport",
+ ferm => true,
+ instances => $max_clients,
+ require => File["/etc/rsyncd-${name}-stunnel.conf"],
+ }
+ }
+
+ dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}":
+ zone => 'debian.org',
+ certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ],
+ port => $sslport,
+ hostname => "$sslname",
+ }
+ }
+
  Service['rsync']->Service['xinetd']
  }
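Review bot: The TLSA record at the end of the `if $sslname` block is titled `tlsa-${sslname}-${sslport}` while every other new resource is keyed on `${name}`, so two rsync::site instances on one host that share a certificate name and port (for example bound to different addresses) would hit a duplicate-declaration error; if the record is deliberately per-host, a comment saying so, or a `${name}` component in the title, would make that explicit. The same block opens the port twice, once via the virtual `@ferm::rule` and again through `ferm => true` on both stunnel xinetd::service resources, which may or may not be a double rule depending on how xinetd::service handles `ferm` (defined outside this file). None of the new SSL resources reference `$ensure`, so a site set to `ensure => absent` keeps its stunnel config, xinetd services and TLSA record unless that is handled outside the hunk. Stylistically, `port => "$sslport"` and `hostname => "$sslname"` can be plain `$sslport` / `$sslname` (puppet-lint's only_variable_string) and `service => "rsync-ssl"` needs no double quotes. The define's body starts before this hunk.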