onion for security
authorPeter Palfrader <peter@palfrader.org>
Fri, 29 Jul 2016 23:09:44 +0000 (23:09 +0000)
committerPeter Palfrader <peter@palfrader.org>
Fri, 29 Jul 2016 23:09:44 +0000 (23:09 +0000)
hieradata/common.yaml
modules/roles/manifests/onionbalance.pp
modules/roles/manifests/security_mirror.pp
modules/roles/templates/security_mirror/security.debian.org.erb

index 5c7f1a8..deaf099 100644 (file)
@@ -120,6 +120,11 @@ roles:
     - steffani.debian.org
     - villa.debian.org
     - wieck.debian.org
+  security_mirror_onion:
+    - mirror-isc.debian.org
+    - mirror-umn.debian.org
+    - lobos.debian.org
+    - villa.debian.org
   security_tracker:
     - soriano.debian.org
   ssh.upload.d.o:
index 12fbc63..8935211 100644 (file)
@@ -41,4 +41,8 @@ class roles::onionbalance {
        onion::balance_service { 'metadata.ftp-master.debian.org': }
        onion::balance_service { 'mozilla.debian.net': }
        onion::balance_service { 'planet.debian.org': }
+
+
+       # non-static.d.o
+       onion::balance_service { 'security.debian.org': }
 }
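Review bot: The added comment `# non-static.d.o` does not say what distinguishes this entry from the `onion::balance_service` lines above it, and two blank lines precede it where one would do. Something like `# not served from the static mirrors; backends are the onion::service instances declared in roles::security_mirror` would tell the next reader where the backend side of this balanced service lives. The meaning of "static" is inferred from the comment alone, so adjust the wording if it refers to something else. The class body starts outside the hunk.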
index 7ae7500..986b5ae 100644 (file)
@@ -32,4 +32,25 @@ class roles::security_mirror {
                bind        => $rsync_bind,
                bind6       => $rsync_bind6,
        }
+
+
+       $onion_v4_addr = $::hostname ? {
+               mirror-anu => '150.203.164.61',
+               mirror-isc => '149.20.20.19',
+               mirror-umn => '128.101.240.215',
+               villa      => '212.211.132.32',
+               lobos      => '212.211.132.250',
+               default   => undef,
+       }
+       if has_role('security_mirror_onion') {
+               if ! $onion_v4_addr {
+                       fail("Do not have an onion_v4_addr set for $::hostname.")
+               }
+
+               onion::service { 'security.debian.org':
+                       port => 80,
+                       target_port => 80,
+                       target_address => $onion_v4_addr,
+               }
+       }
 }
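Review bot: The `$onion_v4_addr` selector hard-codes each mirror's public IPv4 address, and the `fail()` guard catches only a missing entry, not a stale one; if a host is renumbered, `target_address` would keep forwarding onion traffic to whatever machine then holds the old address. If these are the addresses the manifest already binds elsewhere (the context lines pass `$rsync_bind` / `$rsync_bind6`, defined outside this hunk), deriving the value from that single source would remove the drift. Otherwise add a comment such as `# address Apache serves security.debian.org on (assumed); update when a mirror is renumbered`. The selector also lists `mirror-anu`, which is not in the `security_mirror_onion` role added in hieradata/common.yaml, so a word on whether that entry is intentional would help. As a style point, write `${::hostname}` in the `fail()` message so the trailing period cannot be read as part of the variable; the body of `roles::security_mirror` begins outside the hunk.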
index 66c5d9c..c5961ea 100644 (file)
    ServerAlias security-cdn1.debian.org
    ServerAlias security-cdn2.debian.org
    ServerAlias security-nagios.debian.org
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   ServerAlias <%= scope.function_onion_global_service_hostname(['security.debian.org']) %>
+   <% end %>
+
 
    ExpiresActive On
    ExpiresDefault "access plus 2 minutes"
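Review bot: `scope.function_onion_global_service_hostname(['security.debian.org'])` is evaluated twice and tested only for truthiness, and an empty string is truthy in Ruby. If the function can return one (its implementation is not visible here), the template would emit a bare `ServerAlias` with no argument, which Apache rejects as a configuration error. Assign the value once and test for content: `<% onion = scope.function_onion_global_service_hostname(['security.debian.org']) -%>`, `<% if onion && !onion.to_s.empty? -%>`, `ServerAlias <%= onion %>`. Closing with `<% end -%>` and dropping the extra added blank line would also keep stray empty lines out of the rendered vhost.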