X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Frsync%2Fmanifests%2Fsite.pp;h=7011787f3f5bb7d0dacf45e6a9259d30bd69cc80;hb=cb99d997e736f428f4f1264a0894e30b5302ef3d;hp=04c1e20e915ccc5dde9fcba7644c2d46e5ab8e50;hpb=b529b139a60ea8355089511737c8264185d8d074;p=mirror%2Fdsa-puppet.git
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
index 04c1e20e9..7011787f3 100644
--- a/modules/rsync/manifests/site.pp
+++ b/modules/rsync/manifests/site.pp
@@ -1,111 +1,129 @@ define rsync::site ( - $bind='', - $bind6='', + $binds=['[::]'], $source=undef, $content=undef, $max_clients=200, $ensure=present, $sslname=undef, - $sslport=1873 -){ - +) { include rsync - $fname_real = "/etc/rsyncd-${name}.conf" + $fname_real_rsync = "/etc/rsyncd-${name}.conf" + $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf" + case $ensure { present,absent: {} default: { fail ( "Invald ensure `${ensure}' for ${name}" ) } } - if ($source and $content) { - fail ( "Can't define both source and content for ${name}" ) + $ensure_service = $ensure ? { + present => running, + absent => stopped, } - if $source { - file { $fname_real: - ensure => $ensure, - source => $source - } - } elsif $content { - file { $fname_real: - ensure => $ensure, - content => $content, - } - } else { - fail ( "Can't find config for ${name}" ) + $ensure_enable = $ensure ? { + present => true, + absent => false, } - xinetd::service { "rsync-${name}": - bind => $bind, - id => "${name}-rsync", - server => '/usr/bin/rsync', - service => 'rsync', - server_args => "--daemon --config=${fname_real}", - ferm => false, - instances => $max_clients, - require => File[$fname_real] + file { $fname_real_rsync: + ensure => $ensure, + content => $content, + source => $source, + owner => 'root', + group => 'root', + mode => '0444', } - if $bind6 != '' { - if $bind == '' { - fail("Cannot listen on * and a specific ipv6 address") - } - xinetd::service { "rsync-${name}6": - bind => $bind6, - id => "${name}-rsync6", - server => '/usr/bin/rsync', - service => 'rsync', - server_args => "--daemon --config=${fname_real}", - ferm => false, - instances => $max_clients, - require => File[$fname_real] - } + file { "/etc/systemd/system/rsyncd-${name}@.service": + ensure => $ensure, + content => template('rsync/systemd-rsyncd.service.erb'), + owner => 'root', + group => 'root', + mode => '0444', + require => File[$fname_real_rsync], + notify => Exec['systemctl daemon-reload'], + } + + file { 
"/etc/systemd/system/rsyncd-${name}.socket": + ensure => $ensure, + content => template('rsync/systemd-rsyncd.socket.erb'), + owner => 'root', + group => 'root', + mode => '0444', + notify => [ + Exec['systemctl daemon-reload'], + Service["rsyncd-${name}.socket"], + ], + } + + service { "rsyncd-${name}.socket": + ensure => $ensure_service, + enable => $ensure_enable, + require => [ + Exec['systemctl daemon-reload'], + File["/etc/systemd/system/rsyncd-${name}@.service"], + File["/etc/systemd/system/rsyncd-${name}.socket"], + ], + provider => systemd, } if $sslname { - file { "/etc/rsyncd-${name}-stunnel.conf": - content => template('rsync/rsyncd-stunnel.conf.erb'), + file { $fname_real_stunnel: + ensure => $ensure, + content => template('rsync/systemd-rsyncd-stunnel.conf.erb'), + owner => 'root', + group => 'root', + mode => '0444', require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"], } + + file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service": + ensure => $ensure, + content => template('rsync/systemd-rsyncd-stunnel.service.erb'), + owner => 'root', + group => 'root', + mode => '0444', + require => File[$fname_real_stunnel], + notify => Exec['systemctl daemon-reload'], + } + + file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket": + ensure => $ensure, + content => template('rsync/systemd-rsyncd-stunnel.socket.erb'), + owner => 'root', + group => 'root', + mode => '0444', + notify => [ + Exec['systemctl daemon-reload'], + Service["rsyncd-${name}-stunnel.socket"] + ], + } + + service { "rsyncd-${name}-stunnel.socket": + ensure => $ensure_service, + enable => $ensure_enable, + require => [ + Exec['systemctl daemon-reload'], + File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"], + File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"], + Service["rsyncd-${name}.socket"], + ], + provider => systemd, + } + @ferm::rule { "rsync-${name}-ssl": domain => '(ip ip6)', description => 'Allow rsync access', - rule => "&SERVICE(tcp, $sslport)", - 
} - xinetd::service { "rsync-${name}-ssl": - bind => $bind, - id => "rsync-${name}-ssl", - server => '/usr/bin/stunnel4', - server_args => "/etc/rsyncd-${name}-stunnel.conf", - service => "rsync-ssl", - type => 'UNLISTED', - port => "$sslport", - ferm => true, - instances => $max_clients, - require => File["/etc/rsyncd-${name}-stunnel.conf"], - } - if $bind6 != '' { - xinetd::service { "rsync-${name}-ssl6": - bind => $bind6, - id => "rsync-${name}-ssl6", - server => '/usr/bin/stunnel4', - server_args => "/etc/rsyncd-${name}-stunnel.conf", - service => "rsync-ssl", - type => 'UNLISTED', - port => "$sslport", - ferm => true, - instances => $max_clients, - require => File["/etc/rsyncd-${name}-stunnel.conf"], - } + rule => '&SERVICE(tcp, 1873)', } - dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}": + $certdir = hiera('paths.letsencrypt_dir') + dnsextras::tlsa_record{ "tlsa-${sslname}-1873": zone => 'debian.org', - certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ], - port => $sslport, - hostname => "$sslname", + certfile => [ "${certdir}/${sslname}.crt" ], + port => 1873, + hostname => $sslname, } } - - Service['rsync']->Service['xinetd'] }
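Review bot: The new `file { $fname_real_rsync: ... content => $content, source => $source, ... }` resource no longer rejects the case where neither `$source` nor `$content` is given, whereas the removed code failed early with `Can't find config for ${name}`; with both left undef and `ensure => present`, Puppet creates an empty rsyncd config and the socket unit is then enabled against it. Restoring the guard just before that resource, `if !$source and !$content { fail("Can't find config for ${name}") }`, keeps the old behaviour (the both-set case is already rejected by the file type itself, so that half of the old check can stay dropped). The new `$binds` parameter is not referenced anywhere in this file; presumably the `rsync/systemd-rsyncd.socket.erb` template reads it, which deserves a one-line comment on the parameter such as `# addresses the socket unit listens on; consumed by systemd-rsyncd.socket.erb`. The literal `1873` now appears in both the ferm rule and the `dnsextras::tlsa_record` title and `port` (and presumably in the stunnel socket template); a local `$sslport = 1873` at the top of the define would keep those in step now that the parameter is gone.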