From: Peter Palfrader
Date: Sun, 8 Sep 2019 07:17:15 +0000 (+0200)
Subject: Attempt to partition staticsync ssh setup
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=712cd877cbd2f5edfd6448384253d2c7c591220a;p=mirror%2Fdsa-puppet.git

Attempt to partition staticsync ssh setup

In the old setup, every host that is involved with staticsync can ssh to every other host.

In this new setup:
- sources can only reach masters (not mirrors),
- mirrors can only reach masters (not sources), and
- masters still can talk to all other sources and mirrors (but not other masters).
---

diff --git a/modules/roles/manifests/static/base.pp b/modules/roles/manifests/static/base.pp
index 7752f43ba..8c66303ee 100644
--- a/modules/roles/manifests/static/base.pp
+++ b/modules/roles/manifests/static/base.pp
@@ -1,18 +1,5 @@
 # the base class defining tings common for all three static classes (master, mirror, source)
 class roles::static::base {
- ssh::keygen {'staticsync': }
- ssh::authorized_key_add { 'staticsync':
- target_user => 'staticsync',
- command => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
- key => $facts['staticsync_key'],
- restrict => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
- collect_tag => 'staticsync',
- }
- ssh::authorized_key_collect { 'staticsync':
- target_user => 'staticsync',
- collect_tag => 'staticsync',
- }
-
 file { '/etc/static-components.conf':
 content => template('roles/static-mirroring/static-components.conf.erb'),
 }
diff --git a/modules/roles/manifests/static/ssh.pp b/modules/roles/manifests/static/ssh.pp
new file mode 100644
index 000000000..0023543a6
--- /dev/null
+++ b/modules/roles/manifests/static/ssh.pp
@@ -0,0 +1,20 @@
+# wrapper for ssh setup for statichosts
+class roles::static::ssh(
+ Variant[Array[String], String] $add_tag,
+ String $collect_tag,
+ )
+{
+ ssh::keygen {'staticsync': }
+
+ ssh::authorized_key_add { 'staticsync':
+ target_user => 'staticsync',
+ command => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
+ key => $facts['staticsync_key'],
+ restrict => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
+ collect_tag => $add_tag,
+ }
+ ssh::authorized_key_collect { 'staticsync':
+ target_user => 'staticsync',
+ collect_tag => $collect_tag,
+ }
+}
diff --git a/modules/roles/manifests/static_master.pp b/modules/roles/manifests/static_master.pp
index 60c0c15ac..82cd33856 100644
--- a/modules/roles/manifests/static_master.pp
+++ b/modules/roles/manifests/static_master.pp
@@ -7,6 +7,12 @@ class roles::static_master {
 include roles::static::base
 include roles::static::srvdir
+ # masters need to talk to mirrors and sources
+ class { 'roles::static::ssh':
+ add_tag => [ 'staticsync-mirror', 'staticsync-source' ],
+ collect_tag => 'staticsync-master',
+ }
+
 file { '/usr/local/bin/static-master-run':
 source => 'puppet:///modules/roles/static-mirroring/static-master-run',
 mode => '0555',
diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index a526f07a9..233cbe8fd 100644
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
@@ -4,6 +4,13 @@ class roles::static_mirror {
 include roles::static::base
 include roles::static::srvdir
+
+ # mirrors talk only to masters
+ class { 'roles::static::ssh':
+ add_tag => 'staticsync-master',
+ collect_tag => 'staticsync-mirror',
+ }
+
 include apache2::expires
 include apache2::rewrite
diff --git a/modules/roles/manifests/static_source.pp b/modules/roles/manifests/static_source.pp
index 5929b821a..3ff15e89f 100644
--- a/modules/roles/manifests/static_source.pp
+++ b/modules/roles/manifests/static_source.pp
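Review bot: `ssh::authorized_key_collect { 'staticsync': ... collect_tag => $collect_tag }` now collects only the role-specific tag, but whether the entries every host already installed under the old `staticsync` tag are removed depends on how ssh::authorized_key_collect manages the staticsync user's authorized_keys, which is not visible in this commit; if that file is not purged of entries that are no longer collected, the old all-to-all access persists on deployed hosts until it is cleaned out, and the partition described in the commit message only holds for freshly built hosts. The class header comment also does not say which way the two tags point, and they are easy to confuse; going by the wiring the old base.pp had, I would add below `# wrapper for ssh setup for statichosts` the lines `# $add_tag: tag(s) this host's own staticsync key is exported under; hosts collecting one of them will let this host log in` and `# $collect_tag: tag whose exported keys are installed for the local staticsync user, i.e. which hosts may log in here`. Confirming the purge behaviour of the collect define is the more important of the two before relying on the new boundaries.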
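Review bot: `add_tag => [ 'staticsync-mirror', 'staticsync-source' ]` hands an array on to ssh::authorized_key_add's `collect_tag`, whose parameter type is not visible here; the old base.pp only ever passed a single string, so if that define types it as a plain String the master catalog will fail to compile, which fails closed but is worth confirming before the change is rolled out. The inline comment states only the positive case, while the security property of this commit is what masters cannot reach; I would change it to `# masters need to talk to mirrors and sources, but not to other masters: the key is deliberately not exported under 'staticsync-master'`. The enclosing class roles::static_master starts and continues outside the hunk.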
@@ -3,4 +3,10 @@
 # origin of static content. From here it goes to the static master before that one pushes it to the mirrors
 class roles::static_source {
 include roles::static::base
+
+ # sources talk only to masters
+ class { 'roles::static::ssh':
+ add_tag => 'staticsync-master',
+ collect_tag => 'staticsync-source',
+ }
 }