class roles::bugs_mirror {
- rsync::site_systemd { 'bugs_mirror':
+ rsync::site { 'bugs_mirror':
source => 'puppet:///modules/roles/bugs_mirror/rsyncd.conf',
max_clients => 100,
}
class roles::ftp_master {
- rsync::site_systemd { 'dakmaster':
+ rsync::site { 'dakmaster':
source => 'puppet:///modules/roles/dakmaster/rsyncd.conf',
max_clients => 100,
sslname => 'ftp-master.debian.org',
$sslname = undef
}
- rsync::site_systemd { 'archive':
+ rsync::site { 'archive':
source => 'puppet:///modules/roles/historical_mirror/rsyncd.conf',
max_clients => 100,
sslname => $sslname,
class roles::keyring {
- rsync::site_systemd { 'keyring':
+ rsync::site { 'keyring':
source => 'puppet:///modules/roles/keyring/rsyncd.conf',
sslname => 'keyring.debian.org',
}
class roles::ports_master {
- rsync::site_systemd { 'ports-master':
+ rsync::site { 'ports-master':
source => 'puppet:///modules/roles/ports_master/rsyncd.conf',
max_clients => 100,
sslname => 'ports-master.debian.org',
root => '/srv/ftp.root/',
}
- rsync::site_systemd { 'security_master':
+ rsync::site { 'security_master':
source => 'puppet:///modules/roles/security_master/rsyncd.conf',
max_clients => 100,
sslname => 'security-master.debian.org',
}
}
- rsync::site_systemd { 'security':
+ rsync::site { 'security':
source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
max_clients => 100,
binds => $binds,
class roles::snapshot {
- rsync::site_systemd { 'snapshot-farm':
+ rsync::site { 'snapshot-farm':
content => template('roles/snapshot/rsyncd.conf.erb'),
}
}
content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
}
- rsync::site_systemd { 'syncproxy':
+ rsync::site { 'syncproxy':
content => template('roles/syncproxy/rsyncd.conf.erb'),
binds => $binds,
sslname => "$syncproxy_name",
}
} else {
- rsync::site_systemd { 'syncproxy':
+ rsync::site { 'syncproxy':
content => template('roles/syncproxy/rsyncd.conf.erb'),
binds => $binds,
}
notify => Exec['service apache2 reload'],
key => true,
}
- rsync::site_systemd { 'wiki':
+ rsync::site { 'wiki':
source => 'puppet:///modules/roles/wiki/rsyncd.conf',
}
}
--- /dev/null
+define rsync::site (
+ $binds=['[::]'],
+ $source=undef,
+ $content=undef,
+ $max_clients=200,
+ $ensure=present,
+ $sslname=undef,
+) {
+ include rsync
+
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
+
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+ }
+
+ $ensure_service = $ensure ? {
+ present => running,
+ absent => stopped,
+ }
+
+ $ensure_enable = $ensure ? {
+ present => true,
+ absent => false,
+ }
+
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_rsync],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}.socket"],
+ ],
+ }
+
+ service { "rsyncd-${name}.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}@.service"],
+ File["/etc/systemd/system/rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_stunnel],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}-stunnel.socket"]
+ ],
+ }
+
+ service { "rsyncd-${name}-stunnel.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
+ Service["rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ @ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [
+ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
+ "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
+ ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }
+}
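Review bot: The `@ferm::rule { "rsync-${name}-ssl": }` and `dnsextras::tlsa_record` declarations at the end of the `if $sslname` block are not tied to `$ensure`, so with `ensure => absent` the stunnel socket is stopped and its unit files removed while the tcp/1873 firewall opening and the published TLSA record stay in place. Guarding the two resources with `if $ensure == present { ... }` would keep the exposed port and the DNS record in step with the service. Whether either define accepts its own `ensure` parameter is not visible here, so passing `ensure => $ensure` may be an alternative. The body looks carried over unchanged from the removed `rsync::site_systemd`, so this predates the rename, as does the `Invald` typo in the `fail` message, which should read `"Invalid ensure ..."`.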
+++ /dev/null
-define rsync::site_systemd (
- $binds=['[::]'],
- $source=undef,
- $content=undef,
- $max_clients=200,
- $ensure=present,
- $sslname=undef,
-) {
- include rsync
-
- $fname_real_rsync = "/etc/rsyncd-${name}.conf"
- $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
-
- case $ensure {
- present,absent: {}
- default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
- }
-
- $ensure_service = $ensure ? {
- present => running,
- absent => stopped,
- }
-
- $ensure_enable = $ensure ? {
- present => true,
- absent => false,
- }
-
- file { $fname_real_rsync:
- ensure => $ensure,
- content => $content,
- source => $source,
- owner => 'root',
- group => 'root',
- mode => '0444',
- }
-
- file { "/etc/systemd/system/rsyncd-${name}@.service":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd.service.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File[$fname_real_rsync],
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}.socket":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd.socket.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- notify => [
- Exec['systemctl daemon-reload'],
- Service["rsyncd-${name}.socket"],
- ],
- }
-
- service { "rsyncd-${name}.socket":
- ensure => $ensure_service,
- enable => $ensure_enable,
- require => [
- Exec['systemctl daemon-reload'],
- File["/etc/systemd/system/rsyncd-${name}@.service"],
- File["/etc/systemd/system/rsyncd-${name}.socket"],
- ],
- provider => systemd,
- }
-
- if $sslname {
- file { $fname_real_stunnel:
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File[$fname_real_stunnel],
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- notify => [
- Exec['systemctl daemon-reload'],
- Service["rsyncd-${name}-stunnel.socket"]
- ],
- }
-
- service { "rsyncd-${name}-stunnel.socket":
- ensure => $ensure_service,
- enable => $ensure_enable,
- require => [
- Exec['systemctl daemon-reload'],
- File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
- File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
- Service["rsyncd-${name}.socket"],
- ],
- provider => systemd,
- }
-
- @ferm::rule { "rsync-${name}-ssl":
- domain => '(ip ip6)',
- description => 'Allow rsync access',
- rule => '&SERVICE(tcp, 1873)',
- }
-
- dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
- zone => 'debian.org',
- certfile => [
- "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
- "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
- ],
- port => 1873,
- hostname => $sslname,
- }
- }
-}