TLSA for rsync sites
authorPeter Palfrader <peter@palfrader.org>
Sun, 7 Feb 2016 10:03:29 +0000 (10:03 +0000)
committerPeter Palfrader <peter@palfrader.org>
Sun, 7 Feb 2016 10:03:29 +0000 (10:03 +0000)
modules/rsync/manifests/site.pp

index 97dbb05..ec4a09e 100644 (file)
@@ -69,7 +69,8 @@ define rsync::site (
 
        if $sslname != '' {
                file { "/etc/rsyncd-${name}-stunnel.conf":
-                       content => template('rsync/rsyncd-stunnel.conf.erb')
+                       content => template('rsync/rsyncd-stunnel.conf.erb'),
+                       require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
                }
                @ferm::rule { "rsync-${name}-ssl":
                        domain      => '(ip ip6)',
@@ -102,6 +103,13 @@ define rsync::site (
                                require     => File["/etc/rsyncd-${name}-stunnel.conf"],
                        }
                }
+
+               dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}":
+                       zone     => 'debian.org',
+                       certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ],
+                       port     => $sslport,
+                       hostname => "$sslname",
+               }
        }
 
        Service['rsync']->Service['xinetd']
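Review bot: `hostname => "$sslname",` quotes a lone variable; puppet-lint flags this (only_variable_string) and the rest of the hunk passes `$sslport` bare, so write `hostname => $sslname,` and add the conventional space in `dnsextras::tlsa_record { "tlsa-${sslname}-${sslport}":`. A second point worth a comment on the resource: the TLSA data is derived from the two unchained `.crt` paths under the puppet ssl module, while the stunnel config in the earlier hunk now depends on `/etc/ssl/debian/certs/${sslname}.crt-chained`; if the served leaf and the file the record is computed from ever get out of step (for instance a Let's Encrypt renewal landing in one location before the other), DANE-validating clients fail closed, which I cannot confirm from this hunk alone. Suggested comment above the resource: `# TLSA must track the leaf actually served by stunnel; a renewed cert published here without an updated record breaks DANE clients.` The `rsync::site` define starts before the first hunk and continues past this one.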