X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Finit.pp;h=51f9be53d03a0857c420438e09b5fab419fae895;hb=e4818dbab72dc4aaeb120b3dbae082f99f8b83d7;hp=676fdef3f92cacfb3720927e36f544700115bf21;hpb=f0592778e175dd64df69a349a716fe8ca89ad66f;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 676fdef3f..51f9be53d 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -17,10 +17,7 @@ class roles { } if has_role('nagiosmaster') { - # include nagios::server - ssl::service { 'nagios.debian.org': - notify => Service['apache2'], - } + include nagios::server } # XXX: turn this into a real role @@ -33,92 +30,93 @@ class roles { include porterbox } - if has_role('archive_master') { - include archive_master - } - if has_role('bugs_mirror') { include roles::bugs_mirror } if has_role('bugs_base') { ssl::service { 'bugs.debian.org': - notify => Service['apache2'], - } - } - if has_role('bugs_master') { - ssl::service { 'bugs-master.debian.org': - notify => Service['apache2'], + notify => Exec['service apache2 reload'], key => true, } + @ferm::rule { 'dsa-bugs-abusers': + prio => "005", + rule => "saddr (220.243.135/24 220.243.136/24) DROP", + } } - - if has_role('ftp_master') { - include roles::ftp_master - include roles::dakmaster + if has_role('bugs_master') { + ssl::service { 'bugs-devel.debian.org': notify => Exec['service apache2 reload'], key => true, } + ssl::service { 'bugs-master.debian.org': notify => Exec['service apache2 reload'], key => true, } } - if has_role('api.ftp-master') { - ssl::service { 'api.ftp-master.debian.org': - notify => Service['apache2'], - } + if has_role('manpages-dyn') { + include roles::manpages_dyn } - if has_role('manpages') { - ssl::service { 'manpages.debian.org': - notify => Service['apache2'], - key => true, - } + if has_role('archvsync_base_additional') { + include archvsync_base } - # XXX: turn this into a real role - if getfromhash($site::nodeinfo, 'apache2_security_mirror') { - include roles::security_mirror + # archive.debian.org + if has_role('historical_mirror') { + include roles::historical_mirror } - if has_role('mirror_debug') { + # debug archive + if has_role('debug_mirror') { include roles::debug_mirror } - if has_role('mirror_ports') { - include roles::ports_mirror - } - if has_role('ftp.d.o') { - include roles::ftp + # ftp.debian.org and its ecosystem + if has_role('debian_mirror') { + include roles::debian_mirror + } + if has_role('ftp_master') { + include roles::ftp_master + include roles::dakmaster + include roles::signing } - if has_role('ftp.upload.d.o') { include roles::ftp_upload } - if has_role('ssh.upload.d.o') { include roles::ssh_upload } - - if has_role('git_master') { - include roles::git_master + if has_role('security_upload') { + include roles::security_upload } - - if has_role('people') { - ssl::service { 'people.debian.org': - notify => Service['apache2'], + if has_role('api.ftp-master') { + ssl::service { 'api.ftp-master.debian.org': + notify => Exec['service apache2 reload'], + key => true, } } - + # + # security.debian.org if has_role('security_master') { include roles::security_master include roles::dakmaster } + if has_role('security_mirror') { + include roles::security_mirror + } + + if has_role('git_master') { + include roles::git_master + } + + if has_role('people') { + ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, } + onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true } + } + if has_role('www_master') { include roles::www_master } if has_role('cgi.d.o') { - ssl::service { 'cgi.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'cgi.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('keyring') { @@ -163,6 +161,10 @@ class roles { include named::primary } + if has_role('dns_geo') { + include named::geodns + } + if has_role('weblog_destination') { include roles::weblog_destination } @@ -179,10 +181,6 @@ class roles { include roles::lists } - if has_role('list_search') { - include roles::listsearch - } - if has_role('rtmaster') { include roles::rtmaster } @@ -210,6 +208,9 @@ class roles { if has_role('piuparts') { include roles::piuparts } + if has_role('piuparts_slave') { + include roles::piuparts_slave + } if has_role('contributors') { include roles::contributors @@ -219,10 +220,6 @@ class roles { include roles::nm } - if has_role('release') { - include roles::release - } - if has_role('rtc') { include roles::rtc } @@ -231,122 +228,171 @@ class roles { include roles::jenkins } - if has_role('keystone') { - include roles::keystone - } - if has_role('keystone_rabbitmq') { - include roles::keystone::rabbitmq - } - - if has_role('memcached') { - include roles::memcached - } - if has_role('postgres_backup_server') { include postgres::backup_server } if has_role('packages') { - ssl::service { 'packages.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'packages.debian.org': notify => Exec['service apache2 reload'], key => true, } + } + + if has_role('historicalpackages') { + ssl::service { 'historical.packages.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('qamaster') { - ssl::service { 'qa.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'qa.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('packagesqamaster') { - ssl::service { 'packages.qa.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'packages.qa.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('gobby_debian_org') { ssl::service { 'gobby.debian.org': - notify => Service['apache2'], + notify => [ Exec['service apache2 reload'], Exec['reload gobby'] ], key => true, tlsaport => [443, 6523], } + file { '/etc/ssl/debian-local/other-keys/gobby.debian.org.key': + ensure => present, + mode => '0440', + group => 'gobby', + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.letsencrypt_dir"]) + "/gobby.debian.org.key") %>'), + links => follow, + notify => Exec['reload gobby'], + } + exec { 'reload gobby': + command => 'pkill -u gobby -HUP -x infinoted', + refreshonly => true, + } } if has_role('search_backend') { - include search_backend + include roles::search_backend } if has_role('search_frontend') { - include search_frontend + include roles::search_frontend } if has_role('dgit_browse') { - include dgit_browse + include roles::dgit_browse } if has_role('dgit_git') { - include dgit_git + include roles::dgit_git } - if $::hostname in [lw01, lw02, lw03, lw04] { - include snapshot + if $::hostname in [lw01, lw02, lw03, lw04, lw09, lw10] { + include roles::snapshot } - if has_role('veyepar.debian.org') { - ssl::service { 'veyepar.debian.org': - notify => Service['apache2'], - } + if has_role('snapshot_web') { + include roles::snapshot_web + } + + if has_role('snapshot_shell') { + include roles::snapshot_shell } - if has_role('httpredir') { - include roles::httpredir + if has_role('veyepar.debian.org') { + ssl::service { 'veyepar.debian.org': notify => Exec['service apache2 reload'], key => true, } + } + if has_role('sreview.debian.org') { + ssl::service { 'sreview.debian.net': notify => Exec['service apache2 reload'], key => true, } } if has_role('debtags') { include roles::debtags } + if has_role('planet_master') { + include roles::planet_master + } if has_role('planet_search') { - ssl::service { 'planet-search.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'planet-search.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('i18n.d.o') { - ssl::service { 'i18n.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'i18n.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('l10n.d.o') { - ssl::service { 'l10n.debian.org': - notify => Service['apache2'], - key => true, - } + ssl::service { 'l10n.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('dedup.d.n') { - ssl::service { 'dedup.debian.net': - notify => Service['apache2'], - key => true, - } + ssl::service { 'dedup.debian.net': notify => Exec['service apache2 reload'], key => true, } } if has_role('pet.d.n') { - ssl::service { 'pet.debian.net': - notify => Service['apache2'], - key => true, - } - ssl::service { 'pet-devel.debian.net': - notify => Service['apache2'], - key => true, - } + ssl::service { 'pet.debian.net': notify => Exec['service apache2 reload'], key => true, } + ssl::service { 'pet-devel.debian.net': notify => Exec['service apache2 reload'], key => true, } } - if has_role('ports-master') { - include roles::ports-master + if has_role('ports_master') { + include roles::ports_master } + if has_role('ports_mirror') { + include roles::ports_mirror + } + + if has_role('onionbalance') { + include onion::balance + } + if has_role('bgp') { + include roles::bgp + } + if has_role('cdimage-search') { + include roles::cdimage_search + } + + if has_role('postgresql_server') { + include postgres::backup_source + } + + if has_role('bacula_director') { + include bacula::director + } else { + package { 'bacula-console': ensure => purged; } + file { '/etc/bacula/bconsole.conf': ensure => absent; } + } + if has_role('bacula_storage') { + include bacula::storage + } + + if has_role('salsa.debian.org') { + include salsa + } + + if $::keyring_debian_org_mirror { + include roles::keyring_debian_org_mirror + } + + if has_role('popcon') { + include roles::popcon + } + + if has_role('debsources') { + include roles::debsources + } + + if has_role('ipsec') { + include ipsec + } + + if has_role('debconf_wafer') { + include roles::debconf_wafer + } + + if has_role('cdbuilder_local_mirror') { + include roles::cdbuilder_local_mirror + } + + if has_role('alioth_archive') { + include roles::alioth_archive + } + if has_role('anonscm') { + include roles::anonscm + } + }