From 4da5b456728c54fda714146477fb4d1e948725b4 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 13:15:51 +0200
Subject: [PATCH] move syncproxy config into hiera also, syncproxies ssh from their configured IP address. Further, drop klecker from syncproxy role (that job is moving to smit).
---
hieradata/nodes/gretchaninov.debian.org.yaml | 6 ++
hieradata/nodes/milanollo.debian.org.yaml | 6 ++
hieradata/nodes/mirror-anu.debian.org.yaml | 4 +
hieradata/nodes/mirror-isc.debian.org.yaml | 4 +
hieradata/nodes/mirror-umn.debian.org.yaml | 6 ++
hieradata/nodes/schmelzer.debian.org.yaml | 7 ++
hieradata/nodes/smit.debian.org.yaml | 6 ++
modules/roles/manifests/init.pp | 4 -
modules/roles/manifests/syncproxy.pp | 95 +++++++++----------
.../syncproxy/syncproxy.debian.org-apache.erb | 4 +-
10 files changed, 84 insertions(+), 58 deletions(-)
create mode 100644 hieradata/nodes/gretchaninov.debian.org.yaml
create mode 100644 hieradata/nodes/milanollo.debian.org.yaml
create mode 100644 hieradata/nodes/mirror-umn.debian.org.yaml
create mode 100644 hieradata/nodes/smit.debian.org.yaml
diff --git a/hieradata/nodes/gretchaninov.debian.org.yaml b/hieradata/nodes/gretchaninov.debian.org.yaml
new file mode 100644
index 000000000..1ce3bde85
--- /dev/null
+++ b/hieradata/nodes/gretchaninov.debian.org.yaml
@@ -0,0 +1,6 @@
+---
+classes:
+ - roles::syncproxy
+
+roles::syncproxy::syncproxy_name: syncproxy3.wna.debian.org
+roles::syncproxy::listen_addr: ['209.87.16.40', '2607:f8f0:614:1::1274:40']
diff --git a/hieradata/nodes/milanollo.debian.org.yaml b/hieradata/nodes/milanollo.debian.org.yaml
new file mode 100644
index 000000000..7eee259c1
--- /dev/null
+++ b/hieradata/nodes/milanollo.debian.org.yaml
@@ -0,0 +1,6 @@
+---
+classes:
+ - roles::syncproxy
+
+roles::syncproxy::syncproxy_name: syncproxy3.eu.debian.org
+roles::syncproxy::listen_addr: ['5.153.231.9', '2001:41c8:1000:21::21:9']
diff --git a/hieradata/nodes/mirror-anu.debian.org.yaml b/hieradata/nodes/mirror-anu.debian.org.yaml
index 068253be3..837125530 100644
--- a/hieradata/nodes/mirror-anu.debian.org.yaml
+++ b/hieradata/nodes/mirror-anu.debian.org.yaml
@@ -1,4 +1,8 @@
 classes:
 - roles::static_mirror_web
+ - roles::syncproxy
 roles::static_mirror_web::listen_addr: ['150.203.164.62', '2001:388:1034:2900::3e']
+
+roles::syncproxy::syncproxy_name: syncproxy.au.debian.org
+roles::syncproxy::listen_addr: ['150.203.164.60', '2001:388:1034:2900::3c']
diff --git a/hieradata/nodes/mirror-isc.debian.org.yaml b/hieradata/nodes/mirror-isc.debian.org.yaml
index b93336c49..fd21f64d4 100644
--- a/hieradata/nodes/mirror-isc.debian.org.yaml
+++ b/hieradata/nodes/mirror-isc.debian.org.yaml
@@ -2,9 +2,13 @@ classes:
 - roles::ports_mirror
 - roles::static_mirror_web
+ - roles::syncproxy
 roles::ports_mirror::listen_addr: ['149.20.4.15', '2001:4f8:1:c::15']
 roles::ports_mirror::onion_service: true
 roles::static_mirror_web::listen_addr: ['149.20.4.15', '2001:4f8:1:c::15']
 roles::static_mirror_web::onion_service: true
+
+roles::syncproxy::syncproxy_name: syncproxy2.wna.debian.org
+roles::syncproxy::listen_addr: ['149.20.4.16', '2001:4f8:1:c::16']
diff --git a/hieradata/nodes/mirror-umn.debian.org.yaml b/hieradata/nodes/mirror-umn.debian.org.yaml
new file mode 100644
index 000000000..f65560b42
--- /dev/null
+++ b/hieradata/nodes/mirror-umn.debian.org.yaml
@@ -0,0 +1,6 @@
+---
+classes:
+ - roles::syncproxy
+
+roles::syncproxy::syncproxy_name: syncproxy.cna.debian.org
+roles::syncproxy::listen_addr: ['128.101.240.216', '2607:ea00:101:3c0b::1deb:216']
diff --git a/hieradata/nodes/schmelzer.debian.org.yaml b/hieradata/nodes/schmelzer.debian.org.yaml
index 992f744ae..a7f099a01 100644
--- a/hieradata/nodes/schmelzer.debian.org.yaml
+++ b/hieradata/nodes/schmelzer.debian.org.yaml
@@ -1,2 +1,9 @@
+---
+classes:
+ - roles::syncproxy
+
+roles::syncproxy::syncproxy_name: syncproxy4.eu.debian.org
+roles::syncproxy::listen_addr: ['217.196.149.237', '2a02:16a8:dc41:100::237']
+
 role_config__mirrors:
 mirror_basedir_prefix: '/srv/mirrors/public-'
diff --git a/hieradata/nodes/smit.debian.org.yaml b/hieradata/nodes/smit.debian.org.yaml
new file mode 100644
index 000000000..858da15d3
--- /dev/null
+++ b/hieradata/nodes/smit.debian.org.yaml
@@ -0,0 +1,6 @@
+---
+classes:
+ - roles::syncproxy
+
+roles::syncproxy::syncproxy_name: syncproxy2.eu.debian.org
+# roles::syncproxy::listen_addr:
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 3088d1e5c..a4445ee9b 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -45,10 +45,6 @@ class roles {
 include roles::security_mirror
 }
- if has_role('syncproxy') {
- include roles::syncproxy
- }
-
 if has_role('postgres_backup_server') {
 include postgres::backup_server
 }
diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index e81bf8eda..cb017d529 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
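Review bot: The commented-out `# roles::syncproxy::listen_addr:` in smit.debian.org.yaml leaves the class default of `[]`, which the new syncproxy.pp turns into rsync bound to `[::]`, apache on `*`, and an exported ssh allow rule for all of `$base::public_addresses`, whereas the removed hostname map pinned smit to `130.89.148.78` and `2001:67c:2564:a119::78`. Since smit is taking over syncproxy2.eu from klecker, this widens the listen surface of that service and is the one node that does not get the narrower ssh source rule the commit message announces. If the service address is simply not moved to smit yet, say so on the commented line, e.g. `# listen_addr left unset until the syncproxy2.eu address moves here; the class then binds to all addresses`; otherwise set `roles::syncproxy::listen_addr: ['130.89.148.78', '2001:67c:2564:a119::78']`.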
@@ -1,32 +1,27 @@
 # a syncproxy
-class roles::syncproxy {
+# @param syncproxy_name the service name of this syncproxy
+# @param listen_addr IP addresses to have rsync and apache listen on, and ssh to trigger from
+class roles::syncproxy(
+ String $syncproxy_name,
+ Array[Stdlib::IP::Address] $listen_addr = [],
+) {
 include roles::archvsync_base
- $mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
-
- $binds = $::hostname ? {
- 'milanollo' => [ '5.153.231.9', '[2001:41c8:1000:21::21:9]' ],
- 'mirror-anu' => [ '150.203.164.60', '[2001:388:1034:2900::3c]' ],
- 'mirror-isc' => [ '149.20.4.16', '[2001:4f8:1:c::16]' ],
- 'mirror-umn' => [ '128.101.240.216', '[2607:ea00:101:3c0b::1deb:216]' ],
- 'klecker' => [ '130.89.148.10', '[2001:67c:2564:a119::148:10]' ],
- 'gretchaninov' => [ '209.87.16.40', '[2607:f8f0:614:1::1274:40]' ],
- 'schmelzer' => [ '217.196.149.237', '[2a02:16a8:dc41:100::237]' ],
- 'smit' => [ '130.89.148.78', '[2001:67c:2564:a119::78]' ],
- default => [ '[::]' ],
+ $enclosed_addresses_rsync = empty($listen_addr) ? {
+ true => ['[::]'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $enclosed_addresses_apache = empty($listen_addr) ? {
+ true => ['*'],
+ default => enclose_ipv6($listen_addr),
 }
- $syncproxy_name = $::hostname ? {
- 'milanollo' => 'syncproxy3.eu.debian.org',
- 'mirror-anu' => 'syncproxy.au.debian.org',
- 'schmelzer' => 'syncproxy4.eu.debian.org',
- 'mirror-isc' => 'syncproxy2.wna.debian.org',
- 'mirror-umn' => 'syncproxy.cna.debian.org',
- 'klecker' => 'syncproxy2.eu.debian.org',
- 'smit' => 'syncproxy2.eu.debian.org',
- 'gretchaninov' => 'syncproxy3.wna.debian.org',
- default => 'unknown'
+ $ssh_source_addresses = empty($listen_addr) ? {
+ true => $base::public_addresses,
+ default => $listen_addr,
 }
+ $mirror_basedir_prefix = hiera('role_config__syncproxy.mirror_basedir_prefix')
+
 file { '/etc/rsyncd': ensure => 'directory' }
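Review bot: `Array[Stdlib::IP::Address] $listen_addr` also accepts addresses written with a `/prefix`, and the hunk feeds the same list into `enclose_ipv6()` for the rsync and apache binds and into `$ssh_source_addresses` for the exported ferm rule, so a CIDR entry slipping into hiera would be a broken bind address and, worse, would open ssh on every trigger target to a whole subnet; stdlib's narrower `Array[Stdlib::IP::Address::Nosubnet] $listen_addr = [],` rejects that at catalog compile time. The empty-list behaviour is worth stating in the docs as well, e.g. extend the `@param listen_addr` line with `; empty means bind rsync/apache to all addresses and allow ssh from all of $base::public_addresses`. The class body continues past the end of this hunk.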
@@ -37,44 +32,40 @@ class roles::syncproxy {
 mode => '0660',
 }
- if $::apache2 and $syncproxy_name != 'unknown' {
- include apache2::ssl
- ssl::service { $syncproxy_name:
- notify => Exec['service apache2 reload'],
- key => true,
- }
- apache2::site { '010-syncproxy.debian.org':
- site => 'syncproxy.debian.org',
- content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
- }
+ include apache2
+ include apache2::ssl
+ ssl::service { $syncproxy_name:
+ notify => Exec['service apache2 reload'],
+ key => true,
+ }
+ apache2::site { '010-syncproxy.debian.org':
+ site => 'syncproxy.debian.org',
+ content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')
+ }
- file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
- ensure => directory,
- mode => '0755',
- }
- file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
- content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
- }
+ file { [ '/srv/www/syncproxy.debian.org', '/srv/www/syncproxy.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
+ content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
+ }
- rsync::site { 'syncproxy':
- content => template('roles/syncproxy/rsyncd.conf.erb'),
- binds => $binds,
- sslname => $syncproxy_name,
- }
- } else {
- rsync::site { 'syncproxy':
- content => template('roles/syncproxy/rsyncd.conf.erb'),
- binds => $binds,
- }
+ rsync::site { 'syncproxy':
+ content => template('roles/syncproxy/rsyncd.conf.erb'),
+ binds => $enclosed_addresses_rsync,
+ sslname => $syncproxy_name,
 }
+
+ # ssh firewalling setup
+ ###
 @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
 tag => 'ssh::server::from::syncproxy',
 description => 'Allow ssh access from a syncproxy',
 port => '22',
- saddr => $base::public_addresses,
+ saddr => $ssh_source_addresses,
 }
- # syncproxies should be accessible from various role hosts
 Ferm::Rule::Simple
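Review bot: Narrowing `saddr` to `$ssh_source_addresses` is only correct if the outgoing trigger ssh really leaves from the listen addresses, and nothing in this patch binds the client to them (no `BindAddress`/`-b` change is visible), so unless that is handled elsewhere the rule collected on the mirrors will start dropping pushes from a syncproxy whose default-route source is a different address. I would record that dependency above the exported resource: `# saddr must match the source address the trigger ssh binds to (BindAddress); otherwise the collected rule blocks pushes`. The bare `###` line added after `# ssh firewalling setup` carries no information and can go. The enclosing class starts before and ends after this hunk.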
 <<| tag == 'ssh::server::from::syncproxy' or
diff --git a/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb b/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb
index ab4ca5987..ef5fbb7c4 100644
--- a/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb
+++ b/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb
@@ -3,11 +3,11 @@
 ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 ##
-<% @binds.each do |bind| -%>
+<% @enclosed_addresses_apache.each do |bind| -%>
 Use common-debian-service-https-redirect "<%= bind %>" "<%= @syncproxy_name %>"
 <% end -%>
- >
+ >
 ServerName <%= @syncproxy_name %>
 DocumentRoot /srv/www/syncproxy.debian.org/htdocs
-- 
2.20.1
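Review bot: The changed VirtualHost line appears in this view only as a bare `>` on both sides, so it is impossible to confirm here that it was switched from `@binds` to `@enclosed_addresses_apache` like the `each` loop above it; the manifest no longer sets `@binds`, so a leftover reference there would fail when the template is evaluated, which is worth checking on the real file. Note also that with the new `['*']` fallback the redirect `Use` line and the vhost listen on every address of a host without `listen_addr`, which matches the class default but is a change from the old per-host list.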