X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Finit.pp;h=51f9be53d03a0857c420438e09b5fab419fae895;hb=e4818dbab72dc4aaeb120b3dbae082f99f8b83d7;hp=e11d1aee510b0b3b490388ed3d09d275bbb02d7f;hpb=4db424dc544717746db426b3e3428e7fa4ebb785;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index e11d1aee5..51f9be53d 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -17,10 +17,7 @@ class roles { } if has_role('nagiosmaster') { - # include nagios::server - ssl::service { 'nagios.debian.org': - notify => Service['apache2'], - } + include nagios::server } # XXX: turn this into a real role @@ -33,69 +30,85 @@ class roles { include porterbox } - if has_role('archive_master') { - include archive_master - } - if has_role('bugs_mirror') { include roles::bugs_mirror } if has_role('bugs_base') { ssl::service { 'bugs.debian.org': - notify => Service['apache2'], + notify => Exec['service apache2 reload'], + key => true, + } + @ferm::rule { 'dsa-bugs-abusers': + prio => "005", + rule => "saddr (220.243.135/24 220.243.136/24) DROP", } } if has_role('bugs_master') { - ssl::service { 'bugs-master.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'bugs-devel.debian.org': notify => Exec['service apache2 reload'], key => true, } + ssl::service { 'bugs-master.debian.org': notify => Exec['service apache2 reload'], key => true, } } - if has_role('ftp_master') { - include roles::ftp_master - include roles::dakmaster + if has_role('manpages-dyn') { + include roles::manpages_dyn } - if has_role('api.ftp-master') { - ssl::service { 'api.ftp-master.debian.org': - notify => Service['apache2'], - } + if has_role('archvsync_base_additional') { + include archvsync_base } - if has_role('manpages') { - ssl::service { 'manpages.debian.org': notify => Service['apache2'], key => true, } + # archive.debian.org + if has_role('historical_mirror') { + include roles::historical_mirror } - if has_role('security_mirror') { - include roles::security_mirror - } + # debug archive if has_role('debug_mirror') { include roles::debug_mirror } - if has_role('ftp.d.o') { - include roles::ftp + # ftp.debian.org and its ecosystem + if has_role('debian_mirror') { + include roles::debian_mirror + } + if has_role('ftp_master') { + include roles::ftp_master + include roles::dakmaster + include roles::signing } - if has_role('ftp.upload.d.o') { include roles::ftp_upload } - if has_role('ssh.upload.d.o') { include roles::ssh_upload } + if has_role('security_upload') { + include roles::security_upload + } + if has_role('api.ftp-master') { + ssl::service { 'api.ftp-master.debian.org': + notify => Exec['service apache2 reload'], + key => true, + } + } + # + # security.debian.org + if has_role('security_master') { + include roles::security_master + include roles::dakmaster + } + + if has_role('security_mirror') { + include roles::security_mirror + } if has_role('git_master') { include roles::git_master } if has_role('people') { - ssl::service { 'people.debian.org': notify => Service['apache2'], key => true, } - onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, } - } - - if has_role('security_master') { - include roles::security_master - include roles::dakmaster + ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, } + onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true } } if has_role('www_master') { @@ -103,7 +116,7 @@ class roles { } if has_role('cgi.d.o') { - ssl::service { 'cgi.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'cgi.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('keyring') { @@ -148,6 +161,10 @@ class roles { include named::primary } + if has_role('dns_geo') { + include named::geodns + } + if has_role('weblog_destination') { include roles::weblog_destination } @@ -164,10 +181,6 @@ class roles { include roles::lists } - if has_role('list_search') { - include roles::listsearch - } - if has_role('rtmaster') { include roles::rtmaster } @@ -195,6 +208,9 @@ class roles { if has_role('piuparts') { include roles::piuparts } + if has_role('piuparts_slave') { + include roles::piuparts_slave + } if has_role('contributors') { include roles::contributors @@ -204,10 +220,6 @@ class roles { include roles::nm } - if has_role('release') { - include roles::release - } - if has_role('rtc') { include roles::rtc } @@ -216,99 +228,171 @@ class roles { include roles::jenkins } - if has_role('keystone') { - include roles::keystone - } - if has_role('keystone_rabbitmq') { - include roles::keystone::rabbitmq - } - - if has_role('memcached') { - include roles::memcached - } - if has_role('postgres_backup_server') { include postgres::backup_server } if has_role('packages') { - ssl::service { 'packages.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'packages.debian.org': notify => Exec['service apache2 reload'], key => true, } + } + + if has_role('historicalpackages') { + ssl::service { 'historical.packages.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('qamaster') { - ssl::service { 'qa.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'qa.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('packagesqamaster') { - ssl::service { 'packages.qa.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'packages.qa.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('gobby_debian_org') { - ssl::service { 'gobby.debian.org': notify => Service['apache2'], key => true, tlsaport => [443, 6523], } + ssl::service { 'gobby.debian.org': + notify => [ Exec['service apache2 reload'], Exec['reload gobby'] ], + key => true, + tlsaport => [443, 6523], + } + file { '/etc/ssl/debian-local/other-keys/gobby.debian.org.key': + ensure => present, + mode => '0440', + group => 'gobby', + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.letsencrypt_dir"]) + "/gobby.debian.org.key") %>'), + links => follow, + notify => Exec['reload gobby'], + } + exec { 'reload gobby': + command => 'pkill -u gobby -HUP -x infinoted', + refreshonly => true, + } } if has_role('search_backend') { - include search_backend + include roles::search_backend } if has_role('search_frontend') { - include search_frontend + include roles::search_frontend } if has_role('dgit_browse') { - include dgit_browse + include roles::dgit_browse } if has_role('dgit_git') { - include dgit_git + include roles::dgit_git } - if $::hostname in [lw01, lw02, lw03, lw04] { - include snapshot + if $::hostname in [lw01, lw02, lw03, lw04, lw09, lw10] { + include roles::snapshot } - if has_role('veyepar.debian.org') { - ssl::service { 'veyepar.debian.org': notify => Service['apache2'], key => true, } + if has_role('snapshot_web') { + include roles::snapshot_web + } + + if has_role('snapshot_shell') { + include roles::snapshot_shell } - if has_role('httpredir') { - include roles::httpredir + if has_role('veyepar.debian.org') { + ssl::service { 'veyepar.debian.org': notify => Exec['service apache2 reload'], key => true, } + } + if has_role('sreview.debian.org') { + ssl::service { 'sreview.debian.net': notify => Exec['service apache2 reload'], key => true, } } if has_role('debtags') { include roles::debtags } + if has_role('planet_master') { + include roles::planet_master + } if has_role('planet_search') { - ssl::service { 'planet-search.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'planet-search.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('i18n.d.o') { - ssl::service { 'i18n.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'i18n.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('l10n.d.o') { - ssl::service { 'l10n.debian.org': notify => Service['apache2'], key => true, } + ssl::service { 'l10n.debian.org': notify => Exec['service apache2 reload'], key => true, } } if has_role('dedup.d.n') { - ssl::service { 'dedup.debian.net': notify => Service['apache2'], key => true, } + ssl::service { 'dedup.debian.net': notify => Exec['service apache2 reload'], key => true, } } if has_role('pet.d.n') { - ssl::service { 'pet.debian.net': notify => Service['apache2'], key => true, } - ssl::service { 'pet-devel.debian.net': notify => Service['apache2'], key => true, } + ssl::service { 'pet.debian.net': notify => Exec['service apache2 reload'], key => true, } + ssl::service { 'pet-devel.debian.net': notify => Exec['service apache2 reload'], key => true, } } - if has_role('ports-master') { - include roles::ports-master + if has_role('ports_master') { + include roles::ports_master } if has_role('ports_mirror') { include roles::ports_mirror } - if $::hostname in [klecker] { - onion::service { 'ftp.debian.org': port => 80, target_address => '130.89.148.12', target_port => 81, } - } if has_role('onionbalance') { include onion::balance } + if has_role('bgp') { + include roles::bgp + } + if has_role('cdimage-search') { + include roles::cdimage_search + } + + if has_role('postgresql_server') { + include postgres::backup_source + } + + if has_role('bacula_director') { + include bacula::director + } else { + package { 'bacula-console': ensure => purged; } + file { '/etc/bacula/bconsole.conf': ensure => absent; } + } + if has_role('bacula_storage') { + include bacula::storage + } + + if has_role('salsa.debian.org') { + include salsa + } + + if $::keyring_debian_org_mirror { + include roles::keyring_debian_org_mirror + } + + if has_role('popcon') { + include roles::popcon + } + + if has_role('debsources') { + include roles::debsources + } + + if has_role('ipsec') { + include ipsec + } + + if has_role('debconf_wafer') { + include roles::debconf_wafer + } + + if has_role('cdbuilder_local_mirror') { + include roles::cdbuilder_local_mirror + } + + if has_role('alioth_archive') { + include roles::alioth_archive + } + if has_role('anonscm') { + include roles::anonscm + } + }