X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsecurity_mirror.pp;h=30f0ea0421efb20e764bfa04404b8e8715c2b2e1;hb=4fbf65ed9df4af4b96dd2ef63bdef21f10f01a49;hp=92cd6263e6c040a378d56ba292241a7e8fde8988;hpb=08d03e5feeda48ea91899723368e88e24a9b4708;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index 92cd6263e..30f0ea042 100644
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -1,79 +1,55 @@
 class roles::security_mirror {
-	include roles::archvsync_base
-
-	$binds = $::hostname ? {
-		mirror-anu      => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
-		mirror-bytemark => [ '5.153.231.46', '[2001:41c8:1000:21::21:46]' ],
-		mirror-conova   => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
-		mirror-isc      => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
-		mirror-umn      => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
-		default         => [ '[::]' ],
-	}
-
-	file { '/srv/mirrors/debian-security':
-		ensure => link,
-		target => '../ftp.root/debian-security',
-	}
-	file { '/srv/ftp.root':
-		ensure  => directory,
-	}
-	file { '/srv/ftp.root/.nobackup':
-		ensure  => present,
-		content => '',
-	}
-	file { '/srv/ftp.root/debian-security':
-		ensure => directory,
-		owner  => 1176, # archvsync
-		group  => 1176, # archvsync
-		mode   => '0755',
-	}
-
-	include apache2::expires
-	include apache2::rewrite
-
-	apache2::site { '010-security.debian.org':
-		site   => 'security.debian.org',
-		content => template('roles/security_mirror/security.debian.org.erb')
-	}
-
-	if has_role('security_mirror_no_ftp') {
-		vsftpd::site_systemd { 'security':
-			ensure => absent,
-			root   => '/nonexistent',
-		}
-	} else {
-		vsftpd::site_systemd { 'security':
-			banner       => 'security.debian.org FTP server (vsftpd)',
-			logfile      => '/var/log/ftp/vsftpd-security.debian.org.log',
-			max_clients  => 200,
-			root         => '/srv/ftp.root/',
-			binds        => $binds,
-		}
-	}
-
-	rsync::site_systemd { 'security':
-		source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
-		max_clients => 100,
-		binds       => $binds,
-	}
-
-	$onion_v4_addr = $::hostname ? {
-		mirror-anu => '150.203.164.61',
-		mirror-isc => '149.20.4.14',
-		mirror-umn => '128.101.240.215',
-		villa      => '212.211.132.32',
-		lobos      => '212.211.132.250',
-		default   => undef,
-	}
-	if has_role('security_mirror_onion') {
-		if ! $onion_v4_addr {
-			fail("Do not have an onion_v4_addr set for $::hostname.")
-		}
-
-		onion::service { 'security.debian.org':
-			port => 80,
-			target_port => 80,
-			target_address => $onion_v4_addr,
-		}
-	}
+  include roles::archvsync_base
+
+  # security abusers
+  #  198.108.67.48 DoS against our rsync service
+  ferm::rule { 'dsa-security-abusers':
+    prio => '005',
+    rule => 'saddr ( 198.108.67.48/32 ) DROP',
+  }
+
+  $binds = $::hostname ? {
+    mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
+    mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
+    mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
+    schmelzer  => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
+    default    => [ '[::]' ],
+  }
+
+  include apache2::expires
+  include apache2::rewrite
+
+  apache2::site { '010-security.debian.org':
+    site    => 'security.debian.org',
+    content => template('roles/security_mirror/security.debian.org.erb')
+  }
+
+  $mirrors = hiera('roles.security_mirror', {})
+  $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
+  $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
+
+  roles::mirror_health { 'security':
+    check_hosts   => $hosts_to_check,
+    check_service => 'security',
+    url           => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
+    health_url    => 'http://security.backend.mirrors.debian.org/_health',
+        }
+
+  rsync::site { 'security':
+    source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
+    max_clients => 100,
+    binds       => $binds,
+  }
+
+  $onion_v4_addr = hiera('roles.security_mirror', {})
+    .dig($::fqdn, 'onion_v4_address')
+  if $onion_v4_addr {
+    onion::service { 'security.debian.org':
+      port           => 80,
+      target_port    => 80,
+      target_address => $onion_v4_addr,
+    }
+  }
+
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
 }