X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Frsync%2Fmanifests%2Fsite.pp;h=c1e15c27b2ba86e921ad6c50ede25caf21be22a7;hb=9c6009e74b04f540b46b17f6a4f1558baf426c99;hp=6a4284a3ce846b2fa9819b5cc84355cf17867d20;hpb=aae8b555c902a217d68dc96ccd50ae6144e8e686;p=mirror%2Fdsa-puppet.git
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
index 6a4284a3c..c1e15c27b 100644
--- a/modules/rsync/manifests/site.pp
+++ b/modules/rsync/manifests/site.pp
@@ -1,54 +1,123 @@
 define rsync::site (
- $bind='',
- $bind6='',
- $source='',
- $content='',
- $fname='',
+ $binds=['[::]'],
+ $source=undef,
+ $content=undef,
 $max_clients=200,
- $ensure=present
-){
-
+ Enum['present','absent'] $ensure = 'present',
+ $sslname=undef,
+) {
 include rsync
- if ! $fname {
- $fname_real = "/etc/rsyncd-${name}.conf"
- } else {
- $fname_real = $fname
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
+
+ $ensure_service = $ensure ? {
+ present => running,
+ absent => stopped,
+ }
+
+ $ensure_enable = $ensure ? {
+ present => true,
+ absent => false,
 }
- case $ensure {
- present,absent: {}
- default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ }
+
+ $service_file = "/etc/systemd/system/rsyncd-${name}@.service"
+ $socket_file = "/etc/systemd/system/rsyncd-${name}.socket"
+ $systemd_service = "rsyncd-${name}.socket"
+
+ # if we enable the service, we want the files before the service.
+ # if we remove the service, we want the service disabled before the files
+ # go away.
+ $service_subscribe = $ensure ? {
+ present => [
+ File[$service_file],
+ File[$socket_file],
+ ],
+ default => [],
+ }
+ $service_before = $ensure ? {
+ present => [],
+ default => [
+ File[$service_file],
+ File[$socket_file],
+ ],
+ }
+
+ file { $service_file:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.service.erb'),
+ require => File[$fname_real_rsync],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { $socket_file:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.socket.erb'),
+ notify => Exec['systemctl daemon-reload'],
 }
- if ($source and $content) {
- fail ( "Can't define both source and content for ${name}" )
+ service { $systemd_service:
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ notify => Exec['systemctl daemon-reload'],
+ provider => systemd,
+ before => $service_before,
+ subscribe => $service_subscribe,
 }
- if $source {
- file { $fname_real:
- ensure => $ensure,
- source => $source
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
 }
- } elsif $content {
- file { $fname_real:
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
 ensure => $ensure,
- content => $content,
+ content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ require => File[$fname_real_stunnel],
+ notify => Exec['systemctl daemon-reload'],
 }
- } else {
- fail ( "Can't find config for ${name}" )
- }
- xinetd::service { "rsync-${name}":
- bind => $bind,
- bind6 => $bind6,
- id => "${name}-rsync",
- server => '/usr/bin/rsync',
- port => 'rsync',
- server_args => "--daemon --config=${fname_real}",
- ferm => false,
- instances => $max_clients,
- require => File[$fname_real]
- }
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}-stunnel.socket"]
+ ],
+ }
- Service['rsync']->Service['xinetd']
+ service { "rsyncd-${name}-stunnel.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
+ Service["rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ $certdir = hiera('paths.letsencrypt_dir')
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [ "${certdir}/${sslname}.crt" ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }
 }
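Review bot: With `ensure => 'absent'` the `if $sslname` branch still leaves tcp/1873 open and the TLSA record published, because neither `ferm::rule { "rsync-${name}-ssl": ... }` nor `dnsextras::tlsa_record { "tlsa-${sslname}-1873": ... }` is given `$ensure`; if both defines accept an `ensure` parameter (not visible in this hunk), pass `ensure => $ensure,` to each so removing a site also closes the port and retires the record. The same branch orders `service { "rsyncd-${name}-stunnel.socket": ... }` with an unconditional `require` on its two unit files, so on removal the unit files are deleted before the socket is stopped, which is the opposite of what the comment above `$service_subscribe` asks for; reusing the `$service_before`/`$service_subscribe` selectors there would keep the two paths consistent. The old `Can't find config` check is also gone: with `$source` and `$content` both left at `undef`, `file { $fname_real_rsync: ... }` produces an empty rsyncd config while the socket is still enabled, so a guard such as `if $ensure == 'present' and !$source and !$content { fail("rsync::site ${name}: need source or content") }` before that file resource would preserve the previous behaviour.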