From 94eb0fe06f5deafe086b3f6f18bfd5aab2a6e069 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 1 Feb 2016 21:31:42 +0000
Subject: [PATCH] Move rsync ssl setup into the rsync module

---
 modules/roles/manifests/syncproxy.pp | 50 ++++---------------
 .../rsyncd-syncproxy-stunnel.conf.erb | 11 ----
 modules/rsync/manifests/site.pp | 41 ++++++++++++++-
 .../rsync/templates/rsyncd-stunnel.conf.erb | 11 ++++
 4 files changed, 61 insertions(+), 52 deletions(-)
 delete mode 100644 modules/roles/templates/syncproxy/rsyncd-syncproxy-stunnel.conf.erb
 create mode 100644 modules/rsync/templates/rsyncd-stunnel.conf.erb

diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 10430c1b2..ea9e24e78 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -24,12 +24,6 @@ class roles::syncproxy {
 default => 'unknown'
 }
 
- rsync::site { 'syncproxy':
- content => template('roles/syncproxy/rsyncd.conf.erb'),
- bind => $bind,
- bind6 => $bind6,
- }
-
 file { '/etc/rsyncd':
 ensure => 'directory'
 }
@@ -56,41 +50,17 @@ class roles::syncproxy {
 content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
 }
 
- file { '/etc/rsyncd-syncproxy-stunnel.conf':
- content => template('roles/syncproxy/rsyncd-syncproxy-stunnel.conf.erb')
- }
- xinetd::service { "rsync-syncproxy-ssl":
- bind => $bind,
- id => "syncproxy-rsync-ssl",
- server => '/usr/bin/stunnel4',
- service => 'rsync-ssl',
- type => 'UNLISTED',
- port => '1873',
- server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
- ferm => false,
- instances => 50,
- require => File["/etc/rsyncd-syncproxy-stunnel.conf"],
- }
-
- if $bind6 != '' {
- xinetd::service { "rsync-syncproxy-ssl6":
- bind => $bind6,
- id => "syncproxy-rsync-ssl",
- server => '/usr/bin/stunnel4',
- service => 'rsync-ssl',
- type => 'UNLISTED',
- port => '1873',
- server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
- ferm => false,
- instances => 50,
- require => File["/etc/rsyncd-syncproxy-stunnel.conf"],
- }
+ rsync::site { 'syncproxy':
+ content => template('roles/syncproxy/rsyncd.conf.erb'),
+ bind => $bind,
+ bind6 => $bind6,
+ sslname => "$syncproxy_name",
 }
-
- @ferm::rule { "dsa-rsync-ssl":
- domain => '(ip ip6)',
- description => "Allow traffic to rsync ssl",
- rule => "&SERVICE(tcp, 1873)"
+ } else {
+ rsync::site { 'syncproxy':
+ content => template('roles/syncproxy/rsyncd.conf.erb'),
+ bind => $bind,
+ bind6 => $bind6,
 }
 }
 }
diff --git a/modules/roles/templates/syncproxy/rsyncd-syncproxy-stunnel.conf.erb b/modules/roles/templates/syncproxy/rsyncd-syncproxy-stunnel.conf.erb
deleted file mode 100644
index 4f00885f4..000000000
--- a/modules/roles/templates/syncproxy/rsyncd-syncproxy-stunnel.conf.erb
+++ /dev/null
@@ -1,11 +0,0 @@
-cert = /etc/ssl/debian/certs/<%= syncproxy_name %>.crt-chained
-key = /etc/ssl/private/<%= syncproxy_name %>.key
-
-debug = notice
-
-client = no
-socket = a:SO_LINGER=1:60
-socket = a:SO_KEEPALIVE=1
-
-exec = /usr/bin/rsync
-execargs = rsync --daemon --config=/etc/rsyncd-syncproxy.conf
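Review bot: `sslname => "$syncproxy_name",` wraps a bare variable in double quotes, which stringifies it and trips puppet-lint's `only_variable_string` check; pass the variable directly, `sslname => $syncproxy_name,`. The new `else` branch re-declares `rsync::site { 'syncproxy': ... }` with identical `content`, `bind` and `bind6`, so the two branches differ in a single attribute; one declaration with `sslname` set from a variable or selector computed above it would keep them from drifting apart as more attributes are added. The `if` that the new `} else {` closes opens before this hunk, so its condition is not visible here.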
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
index 8b23255af..97dbb05d8 100644
--- a/modules/rsync/manifests/site.pp
+++ b/modules/rsync/manifests/site.pp
@@ -5,7 +5,9 @@ define rsync::site (
 $content='',
 $fname='',
 $max_clients=200,
- $ensure=present
+ $ensure=present,
+ $sslname='',
+ $sslport=1873
 ){
 include rsync
 
@@ -65,5 +67,42 @@ define rsync::site (
 }
 }
 
+ if $sslname != '' {
+ file { "/etc/rsyncd-${name}-stunnel.conf":
+ content => template('rsync/rsyncd-stunnel.conf.erb')
+ }
+ @ferm::rule { "rsync-${name}-ssl":
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => "&SERVICE(tcp, $sslport)",
+ }
+ xinetd::service { "rsync-${name}-ssl":
+ bind => $bind,
+ id => "rsync-${name}-ssl",
+ server => '/usr/bin/stunnel4',
+ server_args => "/etc/rsyncd-${name}-stunnel.conf",
+ service => "rsync-ssl",
+ type => 'UNLISTED',
+ port => "$sslport",
+ ferm => true,
+ instances => $max_clients,
+ require => File["/etc/rsyncd-${name}-stunnel.conf"],
+ }
+ if $bind6 != '' {
+ xinetd::service { "rsync-${name}-ssl6":
+ bind => $bind6,
+ id => "rsync-${name}-ssl6",
+ server => '/usr/bin/stunnel4',
+ server_args => "/etc/rsyncd-${name}-stunnel.conf",
+ service => "rsync-ssl",
+ type => 'UNLISTED',
+ port => "$sslport",
+ ferm => true,
+ instances => $max_clients,
+ require => File["/etc/rsyncd-${name}-stunnel.conf"],
+ }
+ }
+ }
+
 Service['rsync']->Service['xinetd']
 }
diff --git a/modules/rsync/templates/rsyncd-stunnel.conf.erb b/modules/rsync/templates/rsyncd-stunnel.conf.erb
new file mode 100644
index 000000000..f57d67aff
--- /dev/null
+++ b/modules/rsync/templates/rsyncd-stunnel.conf.erb
@@ -0,0 +1,11 @@
+cert = /etc/ssl/debian/certs/<%= sslname %>.crt-chained
+key = /etc/ssl/private/<%= sslname %>.key
+
+debug = notice
+
+client = no
+socket = a:SO_LINGER=1:60
+socket = a:SO_KEEPALIVE=1
+
+exec = /usr/bin/rsync
+execargs = rsync --daemon --config=/etc/rsyncd-<%= name %>.conf
-- 
2.20.1
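Review bot: Both new `xinetd::service` resources set `ferm => true` while the same block also declares `@ferm::rule { "rsync-${name}-ssl": ... rule => "&SERVICE(tcp, $sslport)" }` for the same port; the removed role code paired its explicit rule with `ferm => false`, which suggests `ferm => true` makes `xinetd::service` open the port on its own, in which case the port is now opened twice and either the `@ferm::rule` or the `ferm => true,` lines should go (the `xinetd::service` definition is not in this patch, so this is inferred). `instances => $max_clients` also raises the stunnel concurrency cap from the fixed `50` the role used to the define's default of `200` (see `$max_clients=200` in hunk `@@ -5,7 +5,9 @@`) for callers such as `roles::syncproxy` that pass no `max_clients`; if the lower limit for the TLS path was deliberate, a dedicated parameter or an explicit value at the call site would preserve it. `port => "$sslport"` and `service => "rsync-ssl"` quote values that need no interpolation; `port => $sslport,` and `service => 'rsync-ssl',` would match the quoting on the neighbouring lines.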
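Review bot: `execargs = rsync --daemon --config=/etc/rsyncd-<%= name %>.conf` hard-codes the rsyncd config path, while the define takes an `$fname` parameter (visible in hunk `@@ -5,7 +5,9 @@`) that looks like it may override where that config is written; if it does, an `rsync::site` using both `fname` and `sslname` would launch the stunnel-fronted daemon against a file that does not exist, so the template should render the same path variable the define uses for its config `file` resource (inferred, as the `$fname` handling is outside the patch). The template also carries no `sslVersion`, `ciphers` or `options` directives, so every site that enables `sslname` inherits stunnel4's defaults; that is unchanged from the removed role template, but now that it is the shared module default a comment such as `# protocol/cipher policy intentionally left to the stunnel4 package defaults` would record that this was a choice rather than an omission.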