X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsyncproxy.pp;h=3bdadcd3bffa86775c2a85305ee319f1917b9b2a;hb=7bfdedf3e3de81310dcbd7d50c3f9b290b105279;hp=7bd8fa04b426cce4bf52fd8867a0c5f24d0ad591;hpb=fbced29861da3702938214cb41db5aa30c45a65e;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 7bd8fa04b..3bdadcd3b 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -1,10 +1,33 @@
 class roles::syncproxy {
+ $bind = $::hostname ? {
+ 'milanollo' => '5.153.231.9',
+ 'mirror-anu' => '150.203.164.60',
+ 'mirror-isc' => '149.20.20.21',
+ 'mirror-umn' => '128.101.240.216',
+ 'klecker' => '130.89.148.10',
+ default => ''
+ }
+ $bind6 = $::hostname ? {
+ 'milanollo' => '2001:41c8:1000:21::21:9',
+ 'mirror-anu' => '2001:388:1034:2900::3c',
+ 'mirror-isc' => '2001:4f8:8:36::1deb:21',
+ 'mirror-umn' => '2607:ea00:101:3c0b::1deb:216',
+ 'klecker' => '2001:610:1908:b000::148:10',
+ default => ''
+ }
+ $syncproxy_name = $::hostname ? {
+ 'milanollo' => 'syncproxy3.eu.debian.org',
+ 'mirror-anu' => 'syncproxy.au.debian.org',
+ 'mirror-isc' => 'syncproxy2.wna.debian.org',
+ 'mirror-umn' => 'syncproxy.cna.debian.org',
+ 'klecker' => 'syncproxy2.eu.debian.org',
+ default => 'unknown'
+ }
+
 rsync::site { 'syncproxy':
- source => 'puppet:///modules/roles/syncproxy/rsyncd.conf',
- bind => $::hostname ? {
- 'milanollo' => '5.153.231.9',
- default => ''
- }
+ content => template('roles/syncproxy/rsyncd.conf.erb'),
+ bind => $bind,
+ bind6 => $bind6,
 }
 
 file { '/etc/rsyncd':
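Review bot: The three selectors for `$bind`, `$bind6` and `$syncproxy_name` each repeat the same five hostnames, so a host added to one and missed in another silently falls through to `''` or `'unknown'` with no error. For `$bind` that presumably leaves rsyncd without a pinned listen address, although `rsync::site` is not visible here to confirm what an empty value does. A single `case $::hostname` that assigns all three values per host keeps them in step and gives one place to document the fallback. The class body continues past the end of this hunk.

```puppet
	case $::hostname {
		'milanollo': {
			$bind           = '5.153.231.9'
			$bind6          = '2001:41c8:1000:21::21:9'
			$syncproxy_name = 'syncproxy3.eu.debian.org'
		}
		# … unchanged values: one branch each for mirror-anu, mirror-isc, mirror-umn, klecker …
		default: {
			# Not a listed syncproxy host: no dedicated address, TLS front-end is skipped.
			$bind           = ''
			$bind6          = ''
			$syncproxy_name = 'unknown'
		}
	}
```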
@@ -14,6 +37,59 @@ class roles::syncproxy {
 file { '/etc/rsyncd/debian.secrets':
 owner => 'root',
 group => 'mirroradm',
- mode => 0664,
+ mode => 0660,
+ }
+
+ if $::apache2 and $syncproxy_name != 'unknown' {
+ include apache2::ssl
+ ssl::service { "$syncproxy_name": notify => Service['apache2'], key => true, }
+ apache2::site { '010-syncproxy.debian.org':
+ site => 'syncproxy.debian.org',
+ content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
+ }
+
+ file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
+ content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
+ }
+
+ file { '/etc/rsyncd-syncproxy-stunnel.conf':
+ content => template('roles/syncproxy/rsyncd-syncproxy-stunnel.conf.erb')
+ }
+ xinetd::service { "rsync-syncproxy-ssl":
+ bind => $bind,
+ id => "syncproxy-rsync-ssl",
+ server => '/usr/bin/stunnel4',
+ service => 'rsync-ssl',
+ type => 'UNLISTED',
+ port => '1873',
+ server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
+ ferm => false,
+ instances => 50,
+ require => File[/etc/rsyncd-syncproxy-stunnel.conf],
+ }
+
+ if $bind6 != '' {
+ xinetd::service { "rsync-syncproxy-ssl6":
+ bind => $bind6,
+ id => "syncproxy-rsync-ssl",
+ server => '/usr/bin/stunnel4',
+ service => 'rsync-ssl',
+ type => 'UNLISTED',
+ port => '1873',
+ server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
+ ferm => false,
+ instances => 50,
+ require => File[/etc/rsyncd-syncproxy-stunnel.conf],
+ }
+ }
+
+ @ferm::rule { "dsa-rsync-ssl":
+ description => "Allow traffic to rsync ssl",
+ rule => "&SERVICE(${protocol}, 1873)"
+ }
 }
 }
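Review bot: Both `xinetd::service` blocks pass `require => File[/etc/rsyncd-syncproxy-stunnel.conf]` with an unquoted title, which Puppet is unlikely to read as the file path (the slashes are liable to lex as a regex); write `require => File['/etc/rsyncd-syncproxy-stunnel.conf'],` in each. The two services also share `id => "syncproxy-rsync-ssl"`, and xinetd expects service ids to be unique, so the IPv6 one should get its own, e.g. `id => "syncproxy-rsync-ssl6",`. In the `@ferm::rule`, `${protocol}` sits in a double-quoted string and no `$protocol` is assigned in the visible manifest, so it probably interpolates to nothing and yields a malformed firewall rule; `rule => '&SERVICE(tcp, 1873)'` states the intent if TCP is what is meant. The unquoted `mode => 0660` would also be safer as `'0660'`, matching the quoted `'0755'` further down. The enclosing class starts before this hunk.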