X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsecurity_mirror.pp;h=4534a464824fa570abc9257b0c50bd429912fa16;hb=e71099e47c57303bb7090e404db84ad3e8d3b75b;hp=92cd6263e6c040a378d56ba292241a7e8fde8988;hpb=08d03e5feeda48ea91899723368e88e24a9b4708;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp index 92cd6263e..4534a4648 100644 --- a/modules/roles/manifests/security_mirror.pp +++ b/modules/roles/manifests/security_mirror.pp @@ -1,33 +1,21 @@ class roles::security_mirror { include roles::archvsync_base + # security abusers + # 198.108.67.48 DoS against our rsync service + ferm::rule { 'dsa-security-abusers': + prio => "005", + rule => "saddr ( 198.108.67.48/32 ) DROP", + } + $binds = $::hostname ? { mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ], - mirror-bytemark => [ '5.153.231.46', '[2001:41c8:1000:21::21:46]' ], - mirror-conova => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ], mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ], mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ], + schmelzer => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ], default => [ '[::]' ], } - file { '/srv/mirrors/debian-security': - ensure => link, - target => '../ftp.root/debian-security', - } - file { '/srv/ftp.root': - ensure => directory, - } - file { '/srv/ftp.root/.nobackup': - ensure => present, - content => '', - } - file { '/srv/ftp.root/debian-security': - ensure => directory, - owner => 1176, # archvsync - group => 1176, # archvsync - mode => '0755', - } - include apache2::expires include apache2::rewrite @@ -36,40 +24,26 @@ class roles::security_mirror { content => template('roles/security_mirror/security.debian.org.erb') } - if has_role('security_mirror_no_ftp') { - vsftpd::site_systemd { 'security': - ensure => absent, - root => '/nonexistent', - } - } else { - vsftpd::site_systemd { 'security': - banner => 'security.debian.org FTP server (vsftpd)', - logfile => '/var/log/ftp/vsftpd-security.debian.org.log', - max_clients => 200, - root => '/srv/ftp.root/', - binds => $binds, - } - } + $mirrors = hiera('roles.security_mirror', {}) + $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] } + $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] } + + roles::mirror_health { 'security': + check_hosts => $hosts_to_check, + check_service => 'security', + url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release', + health_url => 'http://security.backend.mirrors.debian.org/_health', + } - rsync::site_systemd { 'security': + rsync::site { 'security': source => 'puppet:///modules/roles/security_mirror/rsyncd.conf', max_clients => 100, binds => $binds, } - $onion_v4_addr = $::hostname ? { - mirror-anu => '150.203.164.61', - mirror-isc => '149.20.4.14', - mirror-umn => '128.101.240.215', - villa => '212.211.132.32', - lobos => '212.211.132.250', - default => undef, - } - if has_role('security_mirror_onion') { - if ! $onion_v4_addr { - fail("Do not have an onion_v4_addr set for $::hostname.") - } - + $onion_v4_addr = hiera("roles.security_mirror", {}) + .dig($::fqdn, 'onion_v4_address') + if $onion_v4_addr { onion::service { 'security.debian.org': port => 80, target_port => 80,