X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsyncproxy.pp;h=aa452f0dc14f5ea5e5e93b3d2c8efb5168da9114;hb=421d51cedb758b5a27a89b5c458562f9c279cbc3;hp=7e3423a906286e2f610778a73e13e3222d2b4816;hpb=8f515ddb04dacc7c5ccb304639aefe6b6c7f921e;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 7e3423a90..aa452f0dc 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -1,54 +1,76 @@
-class roles::syncproxy {
- $bind = $::hostname ? {
- 'milanollo' => '5.153.231.9',
- 'mirror-isc' => '149.20.20.21',
- 'mirror-umn' => '128.101.240.216',
- 'klecker' => '130.89.148.10',
- default => ''
- }
- $bind6 = $::hostname ? {
- 'milanollo' => '2001:41c8:1000:21::21:9',
- 'mirror-isc' => '2001:4f8:8:36::1deb:21',
- 'mirror-umn' => '2607:ea00:101:3c0b::1deb:216',
- 'klecker' => '2001:610:1908:b000::148:10',
- default => ''
- }
- $syncproxy_name = $::hostname ? {
- 'milanollo' => 'syncproxy3.eu.debian.org',
- 'mirror-isc' => 'syncproxy2.wna.debian.org',
- 'mirror-umn' => 'syncproxy.cna.debian.org',
- 'klecker' => 'syncproxy2.eu.debian.org',
- default => 'unknown'
- }
-
- rsync::site { 'syncproxy':
- content => template('roles/syncproxy/rsyncd.conf.erb'),
- bind => $bind,
- bind6 => $bind6,
- }
-
- file { '/etc/rsyncd':
- ensure => 'directory'
- }
-
- file { '/etc/rsyncd/debian.secrets':
- owner => 'root',
- group => 'mirroradm',
- mode => 0660,
- }
-
- if $::apache2 and $syncproxy_name != 'unknown' {
- apache2::site { '010-syncproxy.debian.org':
- site => 'security.debian.org',
- content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
- }
-
- file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
- ensure => directory,
- mode => '0755',
- }
- file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
- content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
- }
- }
+# a syncproxy
+# @param syncproxy_name the service name of this syncproxy
+# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from
+class roles::syncproxy(
+ String $syncproxy_name,
+ Array[Stdlib::IP::Address] $listen_addr = [],
+) {
+ include roles::archvsync_base
+
+ $enclosed_addresses_rsync = empty($listen_addr) ? {
+ true => ['[::]'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $enclosed_addresses_apache = empty($listen_addr) ? {
+ true => ['*'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $ssh_source_addresses = empty($listen_addr) ? {
+ true => $base::public_addresses,
+ default => $listen_addr,
+ }
+
+ $mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
+
+ file { '/etc/rsyncd':
+ ensure => 'directory'
+ }
+
+ file { '/etc/rsyncd/debian.secrets':
+ owner => 'root',
+ group => 'mirroradm',
+ mode => '0660',
+ }
+
+ include apache2
+ include apache2::ssl
+ ssl::service { $syncproxy_name:
+ notify => Exec['service apache2 reload'],
+ key => true,
+ }
+ apache2::site { '010-syncproxy.debian.org':
+ site => 'syncproxy.debian.org',
+ content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
+ }
+
+ file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
+ content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
+ }
+
+ rsync::site { 'syncproxy':
+ content => template('roles/syncproxy/rsyncd.conf.erb'),
+ binds => $enclosed_addresses_rsync,
+ sslname => $syncproxy_name,
+ }
+
+
+ # ssh firewalling setup
+ ###
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::from::syncproxy',
+ description => 'Allow ssh access from a syncproxy',
+ chain => 'ssh',
+ saddr => $ssh_source_addresses,
+ }
+ # syncproxies should be accessible from various role hosts
+ Ferm::Rule::Simple <<|
+ tag == 'ssh::server::from::syncproxy' or
+ tag == 'ssh::server::from::ftp_master' or
+ tag == 'ssh::server::from::ports_master' or
+ tag == 'ssh::server::from::security_master'
+ |>>
 }
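Review bot: The `@param listen_addr` comment at the top of the hunk does not say what an empty list means, although the three selectors under `include roles::archvsync_base` make it the wide-open case: rsync binds `['[::]']`, apache `['*']`, and the exported ssh rule's `saddr` falls back to `$base::public_addresses`. Because the parameter defaults to `[]`, a host declared without `listen_addr` listens on every address, which is worth stating; suggested wording: `# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from; empty (the default) binds rsync to [::] and apache to *, and uses $base::public_addresses as the ssh source`. `$enclosed_addresses_apache` and `$mirror_basedir_prefix` are assigned but never referenced in the manifest, so they are presumably consumed by the ERB templates; a one-line comment saying so would spare the next reader a search. The `/etc/rsyncd/debian.secrets` resource sets only `owner`/`group`/`mode` and no `ensure`, so the secrets file itself is presumably provisioned elsewhere; a comment naming that source would document the dependency.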