Attempt to partition staticsync ssh setup
authorPeter Palfrader <peter@palfrader.org>
Sun, 8 Sep 2019 07:17:15 +0000 (09:17 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 8 Sep 2019 07:17:16 +0000 (09:17 +0200)
In the old setup, every host that is involved with staticsync can ssh to
every other host.

In this new setup:
 - sources can only reach masters (not mirrors),
 - mirrors can only reach masters (not sources), and
 - masters can still talk to all sources and mirrors
   (but not to other masters).

modules/roles/manifests/static/base.pp
modules/roles/manifests/static/ssh.pp [new file with mode: 0644]
modules/roles/manifests/static_master.pp
modules/roles/manifests/static_mirror.pp
modules/roles/manifests/static_source.pp

index 7752f43..8c66303 100644 (file)
@@ -1,18 +1,5 @@
 # the base class defining tings common for all three static classes (master, mirror, source)
 class roles::static::base {
-  ssh::keygen {'staticsync': }
-  ssh::authorized_key_add { 'staticsync':
-    target_user => 'staticsync',
-    command     => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
-    key         => $facts['staticsync_key'],
-    restrict    => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
-    collect_tag => 'staticsync',
-  }
-  ssh::authorized_key_collect { 'staticsync':
-    target_user => 'staticsync',
-    collect_tag => 'staticsync',
-  }
-
   file { '/etc/static-components.conf':
     content => template('roles/static-mirroring/static-components.conf.erb'),
   }
diff --git a/modules/roles/manifests/static/ssh.pp b/modules/roles/manifests/static/ssh.pp
new file mode 100644 (file)
index 0000000..0023543
--- /dev/null
@@ -0,0 +1,20 @@
+# wrapper for ssh setup for statichosts
+class roles::static::ssh(
+  Variant[Array[String], String] $add_tag,
+  String                         $collect_tag,
+  )
+{
+  ssh::keygen {'staticsync': }
+
+  ssh::authorized_key_add { 'staticsync':
+    target_user => 'staticsync',
+    command     => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
+    key         => $facts['staticsync_key'],
+    restrict    => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
+    collect_tag => $add_tag,
+  }
+  ssh::authorized_key_collect { 'staticsync':
+    target_user => 'staticsync',
+    collect_tag => $collect_tag,
+  }
+}
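Review bot: The two class parameters need a doc comment, because `add_tag` is handed to a parameter named `collect_tag` on the `ssh::authorized_key_add` resource while the class's own `collect_tag` goes to `ssh::authorized_key_collect`, and this inversion is the entire access-control model of the change. I would add above the class something like `# @param add_tag tag(s) put on this host's exported key: hosts that collect them will accept logins from this host` and `# @param collect_tag tag whose exported keys are installed into this host's staticsync authorized_keys`. The `Variant[Array[String], String]` type on `$add_tag` implies `ssh::authorized_key_add` accepts an array for `collect_tag`; that define is not part of this diff, so it is worth confirming it actually exports one resource per tag rather than stringifying the array, since the master role relies on it. The forced command and `restrict` options are carried over unchanged, so the partitioning is enforced purely by which keys get collected, which the comment should say explicitly.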
index 60c0c15..82cd338 100644 (file)
@@ -7,6 +7,12 @@ class roles::static_master {
   include roles::static::base
   include roles::static::srvdir
 
+  # masters need to talk to mirrors and sources
+  class { 'roles::static::ssh':
+    add_tag     => [ 'staticsync-mirror', 'staticsync-source' ],
+    collect_tag => 'staticsync-master',
+  }
+
   file { '/usr/local/bin/static-master-run':
     source => 'puppet:///modules/roles/static-mirroring/static-master-run',
     mode   => '0555',
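Review bot: The resource-like declaration `class { 'roles::static::ssh': ... }` can only appear once per catalog, so a host that carries this role together with `roles::static_mirror` or `roles::static_source` would now fail compilation with a duplicate declaration, where the previous `include roles::static::base` tolerated such overlap. If no host is meant to hold two static roles, a comment such as `# NOTE: static roles are mutually exclusive on a host; roles::static::ssh may only be declared once` would document the constraint; if such hosts exist, the tags need to be merged in one place instead of declared per role. Whether combined roles exist is not visible from this diff. The rest of `roles::static_master` continues outside the hunk.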
index a526f07..233cbe8 100644 (file)
@@ -4,6 +4,13 @@
 class roles::static_mirror {
   include roles::static::base
   include roles::static::srvdir
+
+  # mirrors talk only to masters
+  class { 'roles::static::ssh':
+    add_tag     => 'staticsync-master',
+    collect_tag => 'staticsync-mirror',
+  }
+
   include apache2::expires
   include apache2::rewrite
 
index 5929b82..3ff15e8 100644 (file)
@@ -3,4 +3,10 @@
 # origin of static content.  From here it goes to the static master before that one pushes it to the mirrors
 class roles::static_source {
   include roles::static::base
+
+  # sources talk only to masters
+  class { 'roles::static::ssh':
+    add_tag     => 'staticsync-master',
+    collect_tag => 'staticsync-source',
+  }
 }