From 372685900fc51ce956bddc100bc534327946bb10 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 29 Jul 2016 23:09:44 +0000
Subject: [PATCH] onion for security

---
 hieradata/common.yaml | 5 +++++
 modules/roles/manifests/onionbalance.pp | 4 ++++
 modules/roles/manifests/security_mirror.pp | 21 +++++++++++++++++++
 .../security_mirror/security.debian.org.erb | 4 ++++
 4 files changed, 34 insertions(+)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 5c7f1a816..deaf099e9 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -120,6 +120,11 @@ roles:
 - steffani.debian.org
 - villa.debian.org
 - wieck.debian.org
+ security_mirror_onion:
+ - mirror-isc.debian.org
+ - mirror-umn.debian.org
+ - lobos.debian.org
+ - villa.debian.org
 security_tracker:
 - soriano.debian.org
 ssh.upload.d.o:
diff --git a/modules/roles/manifests/onionbalance.pp b/modules/roles/manifests/onionbalance.pp
index 12fbc63f7..89352115d 100644
--- a/modules/roles/manifests/onionbalance.pp
+++ b/modules/roles/manifests/onionbalance.pp
@@ -41,4 +41,8 @@ class roles::onionbalance {
 onion::balance_service { 'metadata.ftp-master.debian.org': }
 onion::balance_service { 'mozilla.debian.net': }
 onion::balance_service { 'planet.debian.org': }
+
+
+ # non-static.d.o
+ onion::balance_service { 'security.debian.org': }
 }
diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index 7ae7500e7..986b5ae29 100644
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
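Review bot: The comment `# non-static.d.o` above the new `onion::balance_service { 'security.debian.org': }` does not say what distinguishes this entry from the ones above it, and the two blank lines before it break the one-per-line layout of the preceding entries. I would replace it with a comment that names the backends this balancer fronts, e.g. `# backends: the security_mirror hosts carrying the security_mirror_onion role (hieradata)`, which is what the security_mirror.pp change in this same commit wires up, and drop one of the blank lines. The enclosing class roles::onionbalance starts outside the hunk.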
@@ -32,4 +32,25 @@ class roles::security_mirror {
 bind => $rsync_bind,
 bind6 => $rsync_bind6,
 }
+
+
+ $onion_v4_addr = $::hostname ? {
+ mirror-anu => '150.203.164.61',
+ mirror-isc => '149.20.20.19',
+ mirror-umn => '128.101.240.215',
+ villa => '212.211.132.32',
+ lobos => '212.211.132.250',
+ default => undef,
+ }
+ if has_role('security_mirror_onion') {
+ if ! $onion_v4_addr {
+ fail("Do not have an onion_v4_addr set for $::hostname.")
+ }
+
+ onion::service { 'security.debian.org':
+ port => 80,
+ target_port => 80,
+ target_address => $onion_v4_addr,
+ }
+ }
 }
diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb
index 66c5d9c1b..c5961ead4 100644
--- a/modules/roles/templates/security_mirror/security.debian.org.erb
+++ b/modules/roles/templates/security_mirror/security.debian.org.erb
@@ -25,6 +25,10 @@
 ServerAlias security-cdn1.debian.org
 ServerAlias security-cdn2.debian.org
 ServerAlias security-nagios.debian.org
+ <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+ ServerAlias <%= scope.function_onion_global_service_hostname(['security.debian.org']) %>
+ <% end %>
+
 ExpiresActive On
 ExpiresDefault "access plus 2 minutes"
-- 
2.20.1
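Review bot: The new `$onion_v4_addr` selector hard-codes a per-host IPv4 table in the manifest while role membership lives in hieradata, and the two already disagree within this commit: `mirror-anu` has an address here but is absent from `security_mirror_onion` in the common.yaml hunk, while the `fail()` only catches the opposite drift (a role member with no address). Keeping the address next to the role in hieradata, or reading it from a fact on the host, would leave one source of truth; if the class already has the host's listen address in scope (what feeds `$rsync_bind` is not visible in the hunk), reusing it would be simpler still. The keys `mirror-anu`, `mirror-isc` and `mirror-umn` are unquoted barewords containing hyphens, which the newer parser may read as subtraction; quoting them, `'mirror-anu' => '150.203.164.61',`, removes that dependency. The class roles::security_mirror starts outside the hunk.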
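Review bot: `scope.function_onion_global_service_hostname(['security.debian.org'])` is evaluated twice in the new template lines, once in the `<% if %>` and again in the `ServerAlias`; assigning it once avoids the duplicate lookup and keeps the two calls from diverging if the argument is ever edited, e.g. `<% onion_name = scope.function_onion_global_service_hostname(['security.debian.org']) -%>` / `<% if onion_name -%>` / `ServerAlias <%= onion_name %>`. The closing `<% end %>` lacks the `-%>` used on the `if` line, so together with the added empty line it leaves stray blank lines in the generated vhost. The `scope.function_*` form is the legacy template calling convention; newer Puppet provides `scope.call_function`, which is worth a comment if this code base is expected to move forward.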