From: Bastian Blank
Date: Sun, 29 Jan 2017 10:26:15 +0000 (+0100)
Subject: Add systemd backed rsync service
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=1f09d4909b96729c3fd513c043de9b4e1ce89552;p=mirror%2Fdsa-puppet.git

Add systemd backed rsync service
---

diff --git a/modules/rsync/manifests/site_systemd.pp b/modules/rsync/manifests/site_systemd.pp
new file mode 100644
index 000000000..6b51b0b4f
--- /dev/null
+++ b/modules/rsync/manifests/site_systemd.pp
@@ -0,0 +1,139 @@
+define rsync::site_systemd (
+ $binds=['[::]'],
+ $source=undef,
+ $content=undef,
+ $max_clients=200,
+ $ensure=present,
+ $sslname=undef,
+) {
+ include rsync
+
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
+
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+ }
+
+ $ensure_service = $ensure ? {
+ present => running,
+ absent => stopped,
+ }
+
+ $ensure_enable = $ensure ? {
+ present => true,
+ absent => false,
+ }
+
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_rsync],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}.socket"],
+ ],
+ }
+
+ service { "rsyncd-${name}.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}@.service"],
+ File["/etc/systemd/system/rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_stunnel],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}-stunnel.socket"]
+ ],
+ }
+
+ service { "rsyncd-${name}-stunnel.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
+ Service["rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ @ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [
+ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
+ "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
+ ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }
+
+ xinetd::service { [ "rsync-${name}", "rsync-${name}6", "rsync-${name}-ssl", "rsync-${name}-ssl6" ]:
+ ensure => absent,
+ id => 'unused',
+ server => 'unused',
+ service => 'unused',
+ ferm => false,
+ }
+}
diff --git a/modules/rsync/templates/systemd-rsyncd-stunnel.conf.erb b/modules/rsync/templates/systemd-rsyncd-stunnel.conf.erb
new file mode 100644
index 000000000..950a5840d
--- /dev/null
+++ b/modules/rsync/templates/systemd-rsyncd-stunnel.conf.erb
@@ -0,0 +1,9 @@
+cert = /etc/ssl/debian/certs/<%= @sslname %>.crt-chained
+key = /etc/ssl/private/<%= @sslname %>.key
+
+debug = notice
+
+socket = a:SO_LINGER=1:60
+socket = a:SO_KEEPALIVE=1
+
+connect = /run/rsyncd/<%= @name %>.socket
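Review bot: Inside the `if $sslname` branch, `@ferm::rule { "rsync-${name}-ssl": ... }` and `dnsextras::tlsa_record { "tlsa-${sslname}-1873": ... }` are declared without an `ensure`, so a site set to `ensure => absent` has its config, unit files and sockets removed while the firewall opening for tcp/1873 and the TLSA record stay in place. If those defines accept it, passing `ensure => $ensure` to both would tie the network exposure and the DNS record to the lifetime of the service; otherwise the manifest should at least document that they are left behind on removal. Separately, the `fail(...)` message in the `case $ensure` default branch misspells "Invalid" (`"Invalid ensure `${ensure}' for ${name}"`).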
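Review bot: The stunnel configuration sets `cert`, `key`, socket options and `connect` but no TLS policy (`sslVersion`, `options`, `ciphers`), so the protocol versions and cipher suites offered on port 1873 are whatever the installed stunnel4 build defaults to and can change silently on upgrade. If relying on the distribution defaults is intentional, a comment in the template saying so (`; TLS versions/ciphers intentionally left at the stunnel4 defaults`) makes that a decision rather than an omission; otherwise pin the policy explicitly here.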
diff --git a/modules/rsync/templates/systemd-rsyncd-stunnel.service.erb b/modules/rsync/templates/systemd-rsyncd-stunnel.service.erb
new file mode 100644
index 000000000..5aaf72435
--- /dev/null
+++ b/modules/rsync/templates/systemd-rsyncd-stunnel.service.erb
@@ -0,0 +1,14 @@
+[Unit]
+Description=stunnel for rsync daemon <%= @name %>
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/stunnel4 <%= @fname_real_stunnel %>
+StandardInput=socket
+StandardError=journal
+User=stunnel4
+SupplementaryGroups=ssl-cert
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
diff --git a/modules/rsync/templates/systemd-rsyncd-stunnel.socket.erb b/modules/rsync/templates/systemd-rsyncd-stunnel.socket.erb
new file mode 100644
index 000000000..017705c2e
--- /dev/null
+++ b/modules/rsync/templates/systemd-rsyncd-stunnel.socket.erb
@@ -0,0 +1,13 @@
+[Unit]
+Description=stunnel for rsync daemon <%= @name %> (socket)
+
+[Socket]
+<% @binds.each do |bind| -%>
+ListenStream=<%= bind %>:1873
+<% end -%>
+Accept=true
+FreeBind=true
+MaxConnections=<%= @max_clients %>
+
+[Install]
+WantedBy=sockets.target
diff --git a/modules/rsync/templates/systemd-rsyncd.service.erb b/modules/rsync/templates/systemd-rsyncd.service.erb
new file mode 100644
index 000000000..7a5b82840
--- /dev/null
+++ b/modules/rsync/templates/systemd-rsyncd.service.erb
@@ -0,0 +1,12 @@
+[Unit]
+Description=rsync daemon <%= @name %>
+
+[Service]
+ExecStart=-/usr/bin/rsync --daemon --config=<%= @fname_real_rsync %>
+StandardInput=socket
+StandardError=journal
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+PrivateDevices=true
+PrivateNetwork=true
+ProtectHome=true
+ProtectSystem=full
diff --git a/modules/rsync/templates/systemd-rsyncd.socket.erb b/modules/rsync/templates/systemd-rsyncd.socket.erb
new file mode 100644
index 000000000..5acf4d2fc
--- /dev/null
+++ b/modules/rsync/templates/systemd-rsyncd.socket.erb
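Review bot: `After=network-online.target` in the `[Unit]` section of the per-connection stunnel instance does nothing useful: the instance is only started by the socket unit after a connection has been accepted, so the network is necessarily up, and without a matching `Wants=` the line orders nothing on its own. Dropping it, or replacing it with `# listening is owned by rsyncd-<name>-stunnel.socket; this unit handles one accepted connection`, keeps the unit honest. Compared with the rsync unit in the same commit this one has no `PrivateNetwork=true`; since the accepted connection arrives as an inherited fd on stdin and the backend is a unix socket it may well be applicable here too, but that needs a test before being enabled.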
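Review bot: The rsync instance has no `User=`, so it starts as root and the only unit-level reduction is `CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID`; whether privileges are actually dropped depends entirely on the `uid`/`gid`/`use chroot` settings in the per-site rsyncd.conf that the manifest takes verbatim from `$content`/`$source` and does not validate. That dependency deserves a header comment in the template, e.g. `# runs as root; privilege drop and chroot rely on uid/gid/use chroot in <%= @fname_real_rsync %>`. The stunnel unit in this commit sets `NoNewPrivileges=true` while this one does not; it should be compatible with a setuid()-based drop and is worth adding unless there is a known reason it was left out. The leading `-` on `ExecStart=` also means a non-zero rsync exit is recorded as success, which is presumably deliberate for per-connection instances but is worth a comment as well.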
@@ -0,0 +1,14 @@
+[Unit]
+Description=rsync daemon <%= @name %> (socket)
+
+[Socket]
+<% @binds.each do |bind| -%>
+ListenStream=<%= bind %>:873
+<% end -%>
+ListenStream=/run/rsyncd/<%= @name %>.socket
+Accept=true
+FreeBind=true
+MaxConnections=<%= @max_clients %>
+
+[Install]
+WantedBy=sockets.target
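Review bot: The plain-text daemon listens on the public `<%= bind %>:873` addresses and on the unix socket `/run/rsyncd/<%= @name %>.socket` that the stunnel instances connect to, and the template does not explain the two paths. Connections arriving through stunnel reach rsync from a unix socket, so any `hosts allow`/`hosts deny` entries in the site's rsyncd.conf most likely do not see the real client address on the TLS path; that should be confirmed against rsync's handling of non-IP peers and noted in the template. The unix socket is also created with systemd's default `SocketMode=` (0666), so any local user can reach the daemon without going through 873 — harmless while the same modules are anonymous on 873, but worth restricting with `SocketMode=`/`SocketUser=` to the stunnel4 user if that ever changes. A short comment above the second `ListenStream=` stating that it is the stunnel backend and carries no client IP would capture both points.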