X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsecurity_mirror.pp;h=4534a464824fa570abc9257b0c50bd429912fa16;hb=29cbe59430d1e7d7d5575579b48513c56227e2f7;hp=097241852652d1d375fba31d4872682a425ad065;hpb=576c8a0996f50a8be73940c51c2da8140c76bf7e;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index 097241852..4534a4648 100644
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -1,33 +1,21 @@
 class roles::security_mirror {
 	include roles::archvsync_base
 
+	# security abusers
+	#  198.108.67.48 DoS against our rsync service
+	ferm::rule { 'dsa-security-abusers':
+		prio  => "005",
+		rule  => "saddr ( 198.108.67.48/32 ) DROP",
+	}
+
 	$binds = $::hostname ? {
 		mirror-anu      => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
-		mirror-bytemark => [ '5.153.231.46', '[2001:41c8:1000:21::21:46]' ],
-		mirror-conova   => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
 		mirror-isc      => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
 		mirror-umn      => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
+		schmelzer       => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
 		default         => [ '[::]' ],
 	}
 
-	file { '/srv/mirrors/debian-security':
-		ensure => link,
-		target => '../ftp.root/debian-security',
-	}
-	file { '/srv/ftp.root':
-		ensure  => directory,
-	}
-	file { '/srv/ftp.root/.nobackup':
-		ensure  => present,
-		content => '',
-	}
-	file { '/srv/ftp.root/debian-security':
-		ensure => directory,
-		owner  => 1176, # archvsync
-		group  => 1176, # archvsync
-		mode   => '0755',
-	}
-
 	include apache2::expires
 	include apache2::rewrite
 
@@ -36,30 +24,25 @@ class roles::security_mirror {
 		content => template('roles/security_mirror/security.debian.org.erb')
 	}
 
-        $mirrors = hiera('roles.security_mirror', {})
-        $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
-        $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
+	$mirrors = hiera('roles.security_mirror', {})
+	$fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
+	$hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
 
-        roles::mirror_health { 'security':
+	roles::mirror_health { 'security':
 		check_hosts   => $hosts_to_check,
 		check_service => 'security',
-		url           => 'http://security.backend.mirrors.debian.org/debian/dists/sid/Release',
+		url           => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
 		health_url    => 'http://security.backend.mirrors.debian.org/_health',
         }
 
-	vsftpd::site { 'security':
-		ensure => absent,
-		root   => '/nonexistent',
-	}
-
 	rsync::site { 'security':
 		source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
 		max_clients => 100,
 		binds       => $binds,
 	}
 
-	$onion_v4_addr = hiera("roles.security_mirror.${::fqdn}.onion_v4_address", undef)
-	notify { "Onion address: ${onion_v4_address}": }
+	$onion_v4_addr = hiera("roles.security_mirror", {})
+		.dig($::fqdn, 'onion_v4_address')
 	if $onion_v4_addr {
 		onion::service { 'security.debian.org':
 			port => 80,