X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsyncproxy.pp;h=cb017d529555590b23de6f56e17fda612dac0f17;hb=e223cc6541f3d038e37352a0fac74010bd7ca624;hp=26e1c5a31b566634e1e525422f07a51210ab2b72;hpb=c65c8ae856902096b3b070b3b5e5e77bce9222d6;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 26e1c5a31..cb017d529 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -1,32 +1,27 @@
 # a syncproxy
-class roles::syncproxy {
+# @param syncproxy_name the service name of this syncproxy
+# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from
+class roles::syncproxy(
+	String $syncproxy_name,
+	Array[Stdlib::IP::Address] $listen_addr = [],
+) {
 	include roles::archvsync_base
-	$mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
-
-	$binds = $::hostname ? {
-		'milanollo' => [ '5.153.231.9', '[2001:41c8:1000:21::21:9]' ],
-		'mirror-anu' => [ '150.203.164.60', '[2001:388:1034:2900::3c]' ],
-		'mirror-isc' => [ '149.20.4.16', '[2001:4f8:1:c::16]' ],
-		'mirror-umn' => [ '128.101.240.216', '[2607:ea00:101:3c0b::1deb:216]' ],
-		'klecker' => [ '130.89.148.10', '[2001:67c:2564:a119::148:10]' ],
-		'gretchaninov' => [ '209.87.16.40', '[2607:f8f0:614:1::1274:40]' ],
-		'schmelzer' => [ '217.196.149.237', '[2a02:16a8:dc41:100::237]' ],
-		'smit' => [ '130.89.148.78', '[2001:67c:2564:a119::78]' ],
-		default => [ '[::]' ],
+	$enclosed_addresses_rsync = empty($listen_addr) ? {
+		true => ['[::]'],
+		default => enclose_ipv6($listen_addr),
+	}
+	$enclosed_addresses_apache = empty($listen_addr) ? {
+		true => ['*'],
+		default => enclose_ipv6($listen_addr),
 	}
-	$syncproxy_name = $::hostname ? {
-		'milanollo' => 'syncproxy3.eu.debian.org',
-		'mirror-anu' => 'syncproxy.au.debian.org',
-		'schmelzer' => 'syncproxy4.eu.debian.org',
-		'mirror-isc' => 'syncproxy2.wna.debian.org',
-		'mirror-umn' => 'syncproxy.cna.debian.org',
-		'klecker' => 'syncproxy2.eu.debian.org',
-		'smit' => 'syncproxy2.eu.debian.org',
-		'gretchaninov' => 'syncproxy3.wna.debian.org',
-		default => 'unknown'
+	$ssh_source_addresses = empty($listen_addr) ? {
+		true => $base::public_addresses,
+		default => $listen_addr,
 	}
+	$mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
+
 	file { '/etc/rsyncd': ensure => 'directory' }
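Review bot: The `@param listen_addr` comment does not say what the empty default means, yet the three selectors that follow give it a wide meaning: rsync binds `[::]`, apache listens on `*`, and the ssh rule's saddr widens to all of `$base::public_addresses`, so an operator who omits the parameter gets every-address exposure rather than an error. Suggest extending the line to `# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from; when empty (the default), rsync and apache bind all addresses and ssh is allowed from all of $base::public_addresses`. `$enclosed_addresses_apache` is not referenced anywhere in this hunk; presumably the apache template reads it by scope, which deserves a short comment at its definition naming the template that consumes it. The class body continues in the next hunk.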
@@ -37,49 +32,45 @@ class roles::syncproxy {
 		mode => '0660',
 	}
-	if $::apache2 and $syncproxy_name != 'unknown' {
-		include apache2::ssl
-		ssl::service { $syncproxy_name:
-			notify => Exec['service apache2 reload'],
-			key => true,
-		}
-		apache2::site { '010-syncproxy.debian.org':
-			site => 'syncproxy.debian.org',
-			content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
-		}
+	include apache2
+	include apache2::ssl
+	ssl::service { $syncproxy_name:
+		notify => Exec['service apache2 reload'],
+		key => true,
+	}
+	apache2::site { '010-syncproxy.debian.org':
+		site => 'syncproxy.debian.org',
+		content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
+	}
-		file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
-			ensure => directory,
-			mode => '0755',
-		}
-		file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
-			content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
-		}
+	file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
+		ensure => directory,
+		mode => '0755',
+	}
+	file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
+		content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
+	}
-		rsync::site { 'syncproxy':
-			content => template('roles/syncproxy/rsyncd.conf.erb'),
-			binds => $binds,
-			sslname => $syncproxy_name,
-		}
-	} else {
-		rsync::site { 'syncproxy':
-			content => template('roles/syncproxy/rsyncd.conf.erb'),
-			binds => $binds,
-		}
+	rsync::site { 'syncproxy':
+		content => template('roles/syncproxy/rsyncd.conf.erb'),
+		binds => $enclosed_addresses_rsync,
+		sslname => $syncproxy_name,
 	}
+
+	# ssh firewalling setup
+	###
 	@@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
-		tag => 'ssh::server::allow::syncproxy',
+		tag => 'ssh::server::from::syncproxy',
 		description => 'Allow ssh access from a syncproxy',
 		port => '22',
-		saddr => $base::public_addresses,
+		saddr => $ssh_source_addresses,
 	}
-	# syncproxies should be accessible from various role hosts
 	Ferm::Rule::Simple <<|
-		tag == 'ssh::server::allow::archvsync' or
-		tag == 'ssh::server::allow::ftp-master' or
-		tag == 'ssh::server::allow::ports-master' or
-		tag == 'ssh::server::allow::security-master'
+		tag == 'ssh::server::from::syncproxy' or
+		tag == 'ssh::server::from::ftp_master' or
+		tag == 'ssh::server::from::ports_master' or
+		tag == 'ssh::server::from::security_master'
 	|>>
 }
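Review bot: The collector at the end of the hunk now matches `tag == 'ssh::server::from::syncproxy'`, the same tag the `@@ferm::rule::simple` exported a few lines above now carries, so every syncproxy will accept ssh from every other syncproxy's `$ssh_source_addresses`; the old code exported `ssh::server::allow::syncproxy` but did not collect it here, and had `archvsync` in that slot instead. If that peer-to-peer access is intended it should be written down, because the removed comment `# syncproxies should be accessible from various role hosts` was the only explanation of the collector and the added `###` line carries none. Suggest replacing `###` with `# collect ssh allow rules exported by other syncproxies and by the ftp/ports/security master roles`. The renamed `from::*_master` tags have to match what those roles export, which is outside this file and cannot be checked here. The enclosing class starts in the previous hunk.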