From: Bastian Blank Date: Tue, 11 Apr 2017 12:39:47 +0000 (+0200) Subject: Rename rsync::site_systemd to rsync::site X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=46efb1d7284108553bc312019338f574a940030e;p=mirror%2Fdsa-puppet.git Rename rsync::site_systemd to rsync::site --- diff --git a/modules/roles/manifests/bugs_mirror.pp b/modules/roles/manifests/bugs_mirror.pp index a5c938814..bbd8eaf76 100644 --- a/modules/roles/manifests/bugs_mirror.pp +++ b/modules/roles/manifests/bugs_mirror.pp @@ -1,6 +1,6 @@ class roles::bugs_mirror { - rsync::site_systemd { 'bugs_mirror': + rsync::site { 'bugs_mirror': source => 'puppet:///modules/roles/bugs_mirror/rsyncd.conf', max_clients => 100, } diff --git a/modules/roles/manifests/ftp_master.pp b/modules/roles/manifests/ftp_master.pp index 2a15a9b3e..987bc8080 100644 --- a/modules/roles/manifests/ftp_master.pp +++ b/modules/roles/manifests/ftp_master.pp @@ -1,5 +1,5 @@ class roles::ftp_master { - rsync::site_systemd { 'dakmaster': + rsync::site { 'dakmaster': source => 'puppet:///modules/roles/dakmaster/rsyncd.conf', max_clients => 100, sslname => 'ftp-master.debian.org', diff --git a/modules/roles/manifests/historical_mirror.pp b/modules/roles/manifests/historical_mirror.pp index 5036e8fbc..ccf34dbce 100644 --- a/modules/roles/manifests/historical_mirror.pp +++ b/modules/roles/manifests/historical_mirror.pp @@ -32,7 +32,7 @@ class roles::historical_mirror { $sslname = undef } - rsync::site_systemd { 'archive': + rsync::site { 'archive': source => 'puppet:///modules/roles/historical_mirror/rsyncd.conf', max_clients => 100, sslname => $sslname, diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp index 74b3c1fdf..f6935e180 100644 --- a/modules/roles/manifests/keyring.pp +++ b/modules/roles/manifests/keyring.pp 
@@ -1,5 +1,5 @@ class roles::keyring { - rsync::site_systemd { 'keyring': + rsync::site { 'keyring': source => 'puppet:///modules/roles/keyring/rsyncd.conf', sslname => 'keyring.debian.org', } diff --git a/modules/roles/manifests/ports_master.pp b/modules/roles/manifests/ports_master.pp index 3a51f698f..15fd5e4c0 100644 --- a/modules/roles/manifests/ports_master.pp +++ b/modules/roles/manifests/ports_master.pp @@ -1,5 +1,5 @@ class roles::ports_master { - rsync::site_systemd { 'ports-master': + rsync::site { 'ports-master': source => 'puppet:///modules/roles/ports_master/rsyncd.conf', max_clients => 100, sslname => 'ports-master.debian.org', diff --git a/modules/roles/manifests/security_master.pp b/modules/roles/manifests/security_master.pp index a31db9fe3..6349f3f86 100644 --- a/modules/roles/manifests/security_master.pp +++ b/modules/roles/manifests/security_master.pp @@ -13,7 +13,7 @@ class roles::security_master { root => '/srv/ftp.root/', } - rsync::site_systemd { 'security_master': + rsync::site { 'security_master': source => 'puppet:///modules/roles/security_master/rsyncd.conf', max_clients => 100, sslname => 'security-master.debian.org', diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp index 92cd6263e..1a8f5a219 100644 --- a/modules/roles/manifests/security_mirror.pp +++ b/modules/roles/manifests/security_mirror.pp @@ -51,7 +51,7 @@ class roles::security_mirror { } } - rsync::site_systemd { 'security': + rsync::site { 'security': source => 'puppet:///modules/roles/security_mirror/rsyncd.conf', max_clients => 100, binds => $binds, diff --git a/modules/roles/manifests/snapshot.pp b/modules/roles/manifests/snapshot.pp index f8cebb66d..0811bfdc9 100644 --- a/modules/roles/manifests/snapshot.pp +++ b/modules/roles/manifests/snapshot.pp @@ -1,5 +1,5 @@ class roles::snapshot { - rsync::site_systemd { 'snapshot-farm': + rsync::site { 'snapshot-farm': content => template('roles/snapshot/rsyncd.conf.erb'), } } 
diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp index bc0e27506..87a545100 100644 --- a/modules/roles/manifests/syncproxy.pp +++ b/modules/roles/manifests/syncproxy.pp @@ -49,13 +49,13 @@ class roles::syncproxy { content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb') } - rsync::site_systemd { 'syncproxy': + rsync::site { 'syncproxy': content => template('roles/syncproxy/rsyncd.conf.erb'), binds => $binds, sslname => "$syncproxy_name", } } else { - rsync::site_systemd { 'syncproxy': + rsync::site { 'syncproxy': content => template('roles/syncproxy/rsyncd.conf.erb'), binds => $binds, } diff --git a/modules/roles/manifests/wiki.pp b/modules/roles/manifests/wiki.pp index b989afe9a..b6fb7e866 100644 --- a/modules/roles/manifests/wiki.pp +++ b/modules/roles/manifests/wiki.pp @@ -3,7 +3,7 @@ class roles::wiki { notify => Exec['service apache2 reload'], key => true, } - rsync::site_systemd { 'wiki': + rsync::site { 'wiki': source => 'puppet:///modules/roles/wiki/rsyncd.conf', } } diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp new file mode 100644 index 000000000..75496943d --- /dev/null +++ b/modules/rsync/manifests/site.pp 
@@ -0,0 +1,131 @@
+define rsync::site (
+ $binds=['[::]'],
+ $source=undef,
+ $content=undef,
+ $max_clients=200,
+ $ensure=present,
+ $sslname=undef,
+) {
+ include rsync
+
+ $fname_real_rsync = "/etc/rsyncd-${name}.conf"
+ $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
+
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+ }
+
+ $ensure_service = $ensure ? {
+ present => running,
+ absent => stopped,
+ }
+
+ $ensure_enable = $ensure ? {
+ present => true,
+ absent => false,
+ }
+
+ file { $fname_real_rsync:
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_rsync],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}.socket"],
+ ],
+ }
+
+ service { "rsyncd-${name}.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}@.service"],
+ File["/etc/systemd/system/rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ if $sslname {
+ file { $fname_real_stunnel:
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname_real_stunnel],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
+ ensure => $ensure,
+ content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["rsyncd-${name}-stunnel.socket"]
+ ],
+ }
+
+ service { "rsyncd-${name}-stunnel.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
+ File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
+ Service["rsyncd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ @ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 1873)',
+ }
+
+ dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
+ zone => 'debian.org',
+ certfile => [
+ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
+ "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
+ ],
+ port => 1873,
+ hostname => $sslname,
+ }
+ }
+}
diff --git a/modules/rsync/manifests/site_systemd.pp b/modules/rsync/manifests/site_systemd.pp
deleted file mode 100644
index aa3748ad2..000000000
--- a/modules/rsync/manifests/site_systemd.pp
+++ /dev/null
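Review bot: In the `if $sslname` branch of the new `rsync::site` define, the `@ferm::rule { "rsync-${name}-ssl": ... }` that opens tcp/1873 and the `dnsextras::tlsa_record` are declared regardless of `$ensure`, so a site set to `ensure => absent` stops its sockets and removes its unit files but keeps the firewall allowance and the published TLSA record. Wrapping those two resources in `if $ensure == 'present' { ... }` would keep the exposed surface in step with the service; whether either type takes its own `ensure` is not visible from this hunk, so the guard is the safer form. The body is carried over unchanged from the deleted site_systemd.pp, including the `Invald ensure` typo in the `fail` message, which could be corrected to `Invalid ensure` in the same pass.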
@@ -1,131 +0,0 @@
-define rsync::site_systemd (
- $binds=['[::]'],
- $source=undef,
- $content=undef,
- $max_clients=200,
- $ensure=present,
- $sslname=undef,
-) {
- include rsync
-
- $fname_real_rsync = "/etc/rsyncd-${name}.conf"
- $fname_real_stunnel = "/etc/rsyncd-${name}-stunnel.conf"
-
- case $ensure {
- present,absent: {}
- default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
- }
-
- $ensure_service = $ensure ? {
- present => running,
- absent => stopped,
- }
-
- $ensure_enable = $ensure ? {
- present => true,
- absent => false,
- }
-
- file { $fname_real_rsync:
- ensure => $ensure,
- content => $content,
- source => $source,
- owner => 'root',
- group => 'root',
- mode => '0444',
- }
-
- file { "/etc/systemd/system/rsyncd-${name}@.service":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd.service.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File[$fname_real_rsync],
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}.socket":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd.socket.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- notify => [
- Exec['systemctl daemon-reload'],
- Service["rsyncd-${name}.socket"],
- ],
- }
-
- service { "rsyncd-${name}.socket":
- ensure => $ensure_service,
- enable => $ensure_enable,
- require => [
- Exec['systemctl daemon-reload'],
- File["/etc/systemd/system/rsyncd-${name}@.service"],
- File["/etc/systemd/system/rsyncd-${name}.socket"],
- ],
- provider => systemd,
- }
-
- if $sslname {
- file { $fname_real_stunnel:
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.conf.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}-stunnel@.service":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.service.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File[$fname_real_stunnel],
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { "/etc/systemd/system/rsyncd-${name}-stunnel.socket":
- ensure => $ensure,
- content => template('rsync/systemd-rsyncd-stunnel.socket.erb'),
- owner => 'root',
- group => 'root',
- mode => '0444',
- notify => [
- Exec['systemctl daemon-reload'],
- Service["rsyncd-${name}-stunnel.socket"]
- ],
- }
-
- service { "rsyncd-${name}-stunnel.socket":
- ensure => $ensure_service,
- enable => $ensure_enable,
- require => [
- Exec['systemctl daemon-reload'],
- File["/etc/systemd/system/rsyncd-${name}-stunnel@.service"],
- File["/etc/systemd/system/rsyncd-${name}-stunnel.socket"],
- Service["rsyncd-${name}.socket"],
- ],
- provider => systemd,
- }
-
- @ferm::rule { "rsync-${name}-ssl":
- domain => '(ip ip6)',
- description => 'Allow rsync access',
- rule => '&SERVICE(tcp, 1873)',
- }
-
- dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
- zone => 'debian.org',
- certfile => [
- "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
- "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
- ],
- port => 1873,
- hostname => $sslname,
- }
- }
-}