From 8446320393d891e105b790352ae0c7f17514c204 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sun, 6 Aug 2017 15:16:27 -0400
Subject: [PATCH] Keep a list of fastly IPs

---
 .../puppetmaster/files/update-fastly-ips.cron   |  2 ++
 modules/puppetmaster/files/update-fastly-ips.sh | 17 +++++++++++++++++
 modules/puppetmaster/manifests/init.pp          |  8 ++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 modules/puppetmaster/files/update-fastly-ips.cron
 create mode 100644 modules/puppetmaster/files/update-fastly-ips.sh

diff --git a/modules/puppetmaster/files/update-fastly-ips.cron b/modules/puppetmaster/files/update-fastly-ips.cron
new file mode 100644
index 000000000..21bfb4542
--- /dev/null
+++ b/modules/puppetmaster/files/update-fastly-ips.cron
@@ -0,0 +1,2 @@
+MAILTO=root
+@daily	puppet update-fastly-ips /srv/puppet.debian.org/puppet-facts/fastly_ranges.yaml
diff --git a/modules/puppetmaster/files/update-fastly-ips.sh b/modules/puppetmaster/files/update-fastly-ips.sh
new file mode 100644
index 000000000..ab0871ccb
--- /dev/null
+++ b/modules/puppetmaster/files/update-fastly-ips.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+dest="$1"
+tmp=$(mktemp -d)
+
+cd $tmp
+if [ -d /etc/ssl/ca-global ]; then
+	wgetopts=--ca-directory=/etc/ssl/ca-global
+fi
+wget $wgetopts -q https://api.fastly.com/public-ip-list
+if cmp public-ip-list "$dest" >/dev/null; then
+	exit 0
+fi
+chmod --reference="$dest" public-ip-list
+mv public-ip-list "$dest"
diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp
index 99684ba75..a5faeba59 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -26,4 +26,12 @@ class puppetmaster {
 	concat { '/srv/puppet.debian.org/puppet-facts/onionbalance-services.yaml':
 	}
 	Concat::Fragment <<| tag == "onionbalance-services.yaml" |>>
+
+	file { '/etc/cron.d/update-fastly-ips':
+		source => 'puppet:///modules/puppetmaster/update-fastly-ips.cron'
+	}
+	file { '/usr/local/bin/update-fastly-ips':
+		source => 'puppet:///modules/puppetmaster/update-fastly-ips.sh',
+		mode   => '0555',
+	}
 }
-- 
2.20.1