# all of these should be retired in favour of including the class role
# with the host. weasel, 2019-09
roles:
- security_mirror:
- # XXX used also in ferm me.conf.erb
- mirror-anu.debian.org:
- fastly-backend: false
- mirror-csail.debian.org:
- fastly-backend: false
- mirror-isc.debian.org:
- onion_v4_address: 149.20.4.14
- mirror-umn.debian.org:
- onion_v4_address: 128.101.240.215
- mirror-accumu.debian.org:
- fastly-backend: false
- mirror-skroutz.debian.org:
- fastly-backend: false
- lobos.debian.org:
- service-hostname: lobos.security.backend.mirrors.debian.org
- fastly-backend: false
- onion_v4_address: 212.211.132.250
- santoro.debian.org:
- fastly-backend: false
- schmelzer.debian.org:
- fastly-backend: false
- schumann.debian.org:
- service-hostname: schumann.security.backend.mirrors.debian.org
- fastly-backend: true
- setoguchi.debian.org:
- fastly-backend: false
- sechter.debian.org:
- fastly-backend: false
- villa.debian.org:
- service-hostname: villa.security.backend.mirrors.debian.org
- fastly-backend: true
- onion_v4_address: 212.211.132.32
- wieck.debian.org:
- service-hostname: wieck.security.backend.mirrors.debian.org
- fastly-backend: true
postgres_backup_server:
# XXX - used by ferm templates/defs.conf.erb
- backuphost.debian.org
-class roles::security_mirror {
+# security mirror
+#
+# @param listen_addr IP addresses to have rsync listen on
+# @param onion_service provide the onion service from this host
+# @param healthcheck_name name to access this node in the health checker
+class roles::security_mirror(
+ Array[Stdlib::IP::Address] $listen_addr = [],
+ Boolean $onion_service = false,
+ Optional[String] $healthcheck_name = undef,
+){
include roles::archvsync_base
+ include apache2
+ include apache2::expires
+ include apache2::rewrite
- # security abusers
- # 198.108.67.48 DoS against our rsync service
- ferm::rule { 'dsa-security-abusers':
- prio => '005',
- rule => 'saddr ( 198.108.67.48/32 ) DROP',
+ $enclosed_addresses_rsync = empty($listen_addr) ? {
+ true => ['[::]'],
+ default => enclose_ipv6($listen_addr),
}
-
- $binds = $::hostname ? {
- mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
- mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
- mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
- schmelzer => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
- default => [ '[::]' ],
+ $_enclosed_addresses = empty($listen_addr) ? {
+ true => ['*'],
+ default => enclose_ipv6($listen_addr),
}
-
- include apache2::expires
- include apache2::rewrite
+ $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ')
apache2::site { '010-security.debian.org':
site => 'security.debian.org',
content => template('roles/security_mirror/security.debian.org.erb')
}
- $mirrors = hiera('roles.security_mirror', {})
- $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
- $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
-
- roles::mirror_health { 'security':
- check_hosts => $hosts_to_check,
- check_service => 'security',
- url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
- health_url => 'http://security.backend.mirrors.debian.org/_health',
- }
-
rsync::site { 'security':
source => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
max_clients => 100,
- binds => $binds,
+ binds => $enclosed_addresses_rsync,
}
- $onion_v4_addr = hiera('roles.security_mirror', {})
- .dig($::fqdn, 'onion_v4_address')
- if $onion_v4_addr {
+ if $onion_service {
+ $onion_addr = empty($listen_addr) ? {
+ true => $base::public_address,
+ default => filter_ipv4($listen_addr)[0]
+ }
+ if ! $onion_addr {
+ fail("Do not have a useable address for the onionservice on ${::hostname}. Is \$listen_addr empty or does it not have an IPv4 address?.")
+ }
+
onion::service { 'security.debian.org':
port => 80,
target_port => 80,
- target_address => $onion_v4_addr,
+ target_address => $onion_addr,
}
}
Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
+
+ mirror_health::service { 'security':
+ this_host_service_name => $healthcheck_name,
+ url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
+ health_url => 'http://security.backend.mirrors.debian.org/_health',
+ }
+
+ # security abusers
+ # 198.108.67.48 DoS against our rsync service
+ ferm::rule { 'dsa-security-abusers':
+ prio => '005',
+ rule => 'saddr ( 198.108.67.48/32 ) DROP',
+ }
}