X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsecurity_mirror.pp;h=e87431a8614aae1fde5f6ca9de02e146897a1681;hb=972528da88c48db95741697fc1f862f022c78c16;hp=a949cfe39dcad3b3413c7a350c5e42aa41a420e5;hpb=afe8043a8dcc9ea09763565b40d9ba061b68ba36;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp index a949cfe39..e87431a86 100644 --- a/modules/roles/manifests/security_mirror.pp +++ b/modules/roles/manifests/security_mirror.pp @@ -1,53 +1,67 @@ -class roles::security_mirror { - include roles::archvsync_base - - # security abusers - # 198.108.67.48 DoS against our rsync service - @ferm::rule { 'dsa-security-abusers': - prio => "005", - rule => "saddr ( 198.108.67.48/32 ) DROP", - } - - $binds = $::hostname ? { - mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ], - mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ], - mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ], - schmelzer => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ], - default => [ '[::]' ], - } - - include apache2::expires - include apache2::rewrite - - apache2::site { '010-security.debian.org': - site => 'security.debian.org', - content => template('roles/security_mirror/security.debian.org.erb') - } - - $mirrors = hiera('roles.security_mirror', {}) - $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] } - $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] } - - roles::mirror_health { 'security': - check_hosts => $hosts_to_check, - check_service => 'security', - url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release', - health_url => 'http://security.backend.mirrors.debian.org/_health', - } - - rsync::site { 'security': - source => 'puppet:///modules/roles/security_mirror/rsyncd.conf', - max_clients => 100, - binds => $binds, - } - - $onion_v4_addr = hiera("roles.security_mirror", {}) - .dig($::fqdn, 'onion_v4_address') - if $onion_v4_addr { - onion::service { 'security.debian.org': - port => 80, - target_port => 80, - target_address => $onion_v4_addr, - } - } +# security mirror +# +# @param listen_addr IP addresses to have rsync listen on +# @param onion_service provide the onion service from this host +# @param healthcheck_name name to access this node in the health checker +class roles::security_mirror( + Array[Stdlib::IP::Address] $listen_addr = [], + Boolean $onion_service = false, + Optional[String] $healthcheck_name = undef, +){ + include roles::archvsync_base + include apache2 + include apache2::expires + include apache2::rewrite + + $enclosed_addresses_rsync = empty($listen_addr) ? { + true => ['[::]'], + default => enclose_ipv6($listen_addr), + } + $_enclosed_addresses = empty($listen_addr) ? { + true => ['*'], + default => enclose_ipv6($listen_addr), + } + $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ') + + apache2::site { '010-security.debian.org': + site => 'security.debian.org', + content => template('roles/security_mirror/security.debian.org.erb') + } + + rsync::site { 'security': + source => 'puppet:///modules/roles/security_mirror/rsyncd.conf', + max_clients => 100, + binds => $enclosed_addresses_rsync, + } + + if $onion_service { + $onion_addr = empty($listen_addr) ? { + true => $base::public_address, + default => filter_ipv4($listen_addr)[0] + } + if ! $onion_addr { + fail("Do not have a useable address for the onionservice on ${::hostname}. Is \$listen_addr empty or does it not have an IPv4 address?.") + } + + onion::service { 'security.debian.org': + port => 80, + target_port => 80, + target_address => $onion_addr, + } + } + + Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>> + + mirror_health::service { 'security': + this_host_service_name => $healthcheck_name, + url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release', + health_url => 'http://security.backend.mirrors.debian.org/_health', + } + + # security abusers + # 198.108.67.48 DoS against our rsync service + ferm::rule { 'dsa-security-abusers': + prio => '005', + rule => 'saddr ( 198.108.67.48/32 ) DROP', + } }