From: Peter Palfrader
Date: Sun, 8 Sep 2019 07:11:05 +0000 (+0200)
Subject: Move the non-roles static_base and static_srvdir to static/
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=885b1390848612043dfe4656dd447989ac7555fe;p=mirror%2Fdsa-puppet.git

Move the non-roles static_base and static_srvdir to static/
---
diff --git a/modules/roles/manifests/static/base.pp b/modules/roles/manifests/static/base.pp
new file mode 100644
index 000000000..7752f43ba
--- /dev/null
+++ b/modules/roles/manifests/static/base.pp
@@ -0,0 +1,56 @@
+# the base class defining tings common for all three static classes (master, mirror, source)
+class roles::static::base {
+ ssh::keygen {'staticsync': }
+ ssh::authorized_key_add { 'staticsync':
+ target_user => 'staticsync',
+ command => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
+ key => $facts['staticsync_key'],
+ restrict => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
+ collect_tag => 'staticsync',
+ }
+ ssh::authorized_key_collect { 'staticsync':
+ target_user => 'staticsync',
+ collect_tag => 'staticsync',
+ }
+
+ file { '/etc/static-components.conf':
+ content => template('roles/static-mirroring/static-components.conf.erb'),
+ }
+
+ file { '/usr/local/bin/staticsync-ssh-wrap':
+ source => 'puppet:///modules/roles/static-mirroring/staticsync-ssh-wrap',
+ mode => '0555',
+ }
+
+ file { '/usr/local/bin/static-update-component':
+ source => 'puppet:///modules/roles/static-mirroring/static-update-component',
+ mode => '0555',
+ }
+
+ file { '/usr/local/bin/static-mirror-ssh-wrap': ensure => absent; }
+ file { '/usr/local/bin/static-master-ssh-wrap': ensure => absent; }
+
+ ferm::rule { 'dsa-static-bt-v4':
+ description => 'Allow bt between static hosts',
+ rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V4) ACCEPT; }',
+ notarule => true,
+ }
+ ferm::rule { 'dsa-static-bt-v6':
+ description => 'Allow bt between static hosts',
+ domain => 'ip6',
+ rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V6) ACCEPT; }',
+ notarule => true,
+ }
+
+ file { '/etc/staticsync.conf':
+ content => @("EOF"),
+ # This file is sourced by bash
+ # and parsed by python
+ # - empty lines and lines starting with a # are ignored.
+ # - other lines are key=value. No extra spaces anywhere. No quoting.
+ base=/srv/static.debian.org
+ masterbase=/home/staticsync/static-master/master
+ staticuser=staticsync
+ | EOF
+ }
+}
diff --git a/modules/roles/manifests/static/static_srvdir.pp b/modules/roles/manifests/static/static_srvdir.pp
new file mode 100644
index 000000000..7fef3830c
--- /dev/null
+++ b/modules/roles/manifests/static/static_srvdir.pp
@@ -0,0 +1,13 @@
+# create the directory on static hosts and disable backups
+class roles::static::srvdir {
+ file { '/srv/static.debian.org':
+ ensure => directory,
+ mode => '0755',
+ owner => 'staticsync',
+ group => 'staticsync',
+ }
+
+ file { '/srv/static.debian.org/.nobackup':
+ content => '',
+ }
+}
diff --git a/modules/roles/manifests/static_base.pp b/modules/roles/manifests/static_base.pp
deleted file mode 100644
index e598a6e09..000000000
--- a/modules/roles/manifests/static_base.pp
+++ /dev/null
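Review bot: The forced command on the `ssh::authorized_key_add` resource takes its host argument from `${::fqdn}`, and the key from `$facts['staticsync_key']`; both are facts reported by the agent, so the master has not verified either. The wrapper script is not part of this diff, but if it uses that argument to decide which host is connecting, the certificate-backed name is the safer source: `command => "/usr/local/bin/staticsync-ssh-wrap ${trusted['certname']}",` (assuming certnames here are the hosts' FQDNs). The `restrict` list also leaves a pty available; adding `no-pty` would tighten the forced-command key, provided staticsync never needs a terminal. The two wrapper `file` resources set `mode` only, so a short comment stating that owner and group come from a site-wide `File` default would help readers, if that is the case.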
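Review bot: The class declared here is `roles::static::srvdir`, but the file is added as `modules/roles/manifests/static/static_srvdir.pp`, and Puppet's autoloader resolves that class name to `manifests/static/srvdir.pp`. As written, the `include roles::static::srvdir` lines in the static_master.pp and static_mirror.pp hunks would most likely fail with a class-not-found error at catalog compilation. Either add the file as `modules/roles/manifests/static/srvdir.pp`, or keep the path and declare `class roles::static::static_srvdir {` and include it under that name. The `.nobackup` resource inherits owner and mode from defaults not visible in this diff, which is worth a one-line comment.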
@@ -1,56 +0,0 @@
-# the base class defining tings common for all three static classes (master, mirror, source)
-class roles::static_base {
- ssh::keygen {'staticsync': }
- ssh::authorized_key_add { 'staticsync':
- target_user => 'staticsync',
- command => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
- key => $facts['staticsync_key'],
- restrict => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
- collect_tag => 'staticsync',
- }
- ssh::authorized_key_collect { 'staticsync':
- target_user => 'staticsync',
- collect_tag => 'staticsync',
- }
-
- file { '/etc/static-components.conf':
- content => template('roles/static-mirroring/static-components.conf.erb'),
- }
-
- file { '/usr/local/bin/staticsync-ssh-wrap':
- source => 'puppet:///modules/roles/static-mirroring/staticsync-ssh-wrap',
- mode => '0555',
- }
-
- file { '/usr/local/bin/static-update-component':
- source => 'puppet:///modules/roles/static-mirroring/static-update-component',
- mode => '0555',
- }
-
- file { '/usr/local/bin/static-mirror-ssh-wrap': ensure => absent; }
- file { '/usr/local/bin/static-master-ssh-wrap': ensure => absent; }
-
- ferm::rule { 'dsa-static-bt-v4':
- description => 'Allow bt between static hosts',
- rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V4) ACCEPT; }',
- notarule => true,
- }
- ferm::rule { 'dsa-static-bt-v6':
- description => 'Allow bt between static hosts',
- domain => 'ip6',
- rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V6) ACCEPT; }',
- notarule => true,
- }
-
- file { '/etc/staticsync.conf':
- content => @("EOF"),
- # This file is sourced by bash
- # and parsed by python
- # - empty lines and lines starting with a # are ignored.
- # - other lines are key=value. No extra spaces anywhere. No quoting.
- base=/srv/static.debian.org
- masterbase=/home/staticsync/static-master/master
- staticuser=staticsync
- | EOF
- }
-}
diff --git a/modules/roles/manifests/static_master.pp b/modules/roles/manifests/static_master.pp
index bb4875774..60c0c15ac 100644
--- a/modules/roles/manifests/static_master.pp
+++ b/modules/roles/manifests/static_master.pp
@@ -4,8 +4,8 @@
 # to the master, and from there to all the mirrors.
 #
 class roles::static_master {
- include roles::static_base
- include roles::static_srvdir
+ include roles::static::base
+ include roles::static::srvdir
 
 file { '/usr/local/bin/static-master-run':
 source => 'puppet:///modules/roles/static-mirroring/static-master-run',
diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index 4b4c4085f..a526f07a9 100644
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
@@ -2,8 +2,8 @@
 #
 # this receives pushes from the master and then usually serves the content to the public
 class roles::static_mirror {
- include roles::static_base
- include roles::static_srvdir
+ include roles::static::base
+ include roles::static::srvdir
 
 include apache2::expires
 include apache2::rewrite
diff --git a/modules/roles/manifests/static_source.pp b/modules/roles/manifests/static_source.pp
index b34db3f3d..5929b821a 100644
--- a/modules/roles/manifests/static_source.pp
+++ b/modules/roles/manifests/static_source.pp
@@ -2,5 +2,5 @@
 #
 # origin of static content. From here it goes to the static master before that one pushes it to the mirrors
 class roles::static_source {
- include roles::static_base
+ include roles::static::base
 }
diff --git a/modules/roles/manifests/static_srvdir.pp b/modules/roles/manifests/static_srvdir.pp
deleted file mode 100644
index 5a87bd31a..000000000
--- a/modules/roles/manifests/static_srvdir.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-# create the directory on static hosts and disable backups
-class roles::static_srvdir {
- file { '/srv/static.debian.org':
- ensure => directory,
- mode => '0755',
- owner => 'staticsync',
- group => 'staticsync',
- }
-
- file { '/srv/static.debian.org/.nobackup':
- content => '',
- }
-}