From bdb64a9e7ea0e35c4f356c07310e238adb9c0a74 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 31 Jan 2016 22:52:15 +0100
Subject: [PATCH] rsync ssl on syncproxies
---
 modules/roles/manifests/syncproxy.pp | 36 ++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index eefb8dc56..e61752707 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -55,5 +55,41 @@ class roles::syncproxy {
 file { '/srv/www/syncproxy.debian.org/htdocs/index.html':
 content => template('roles/syncproxy/syncproxy.debian.org-index.html.erb')
 }
+
+ file { '/etc/rsyncd-syncproxy-stunnel.conf':
+ content => template('roles/syncproxy/rsyncd-syncproxy-stunnel.conf.erb')
+ }
+ xinetd::service { "rsync-${name}-ssl":
+ bind => $bind,
+ id => "${name}-rsync-ssl",
+ server => '/usr/bin/stunnel4',
+ service => 'rsync-ssl',
+ type => 'UNLISTED',
+ port => '1873',
+ server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
+ ferm => false,
+ instances => $max_clients,
+ require => File[/etc/rsyncd-syncproxy-stunnel.conf]
+ }
+
+ if $bind6 != '' {
+ xinetd::service { "rsync-${name}-ssl6":
+ bind => $bind6,
+ id => "${name}-rsync-ssl",
+ server => '/usr/bin/stunnel4',
+ service => 'rsync-ssl',
+ type => 'UNLISTED',
+ port => '1873',
+ server_args => "/etc/rsyncd-syncproxy-stunnel.conf",
+ ferm => false,
+ instances => $max_clients,
+ require => File[/etc/rsyncd-syncproxy-stunnel.conf]
+ }
+ }
+
+ @ferm::rule { "dsa-rsync-ssl":
+ description => "Allow traffic to rsync ssl",
+ rule => "&SERVICE(${protocol}, 1873)"
+ }
 }
 }
-- 
2.20.1
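Review bot: Both `require => File[/etc/rsyncd-syncproxy-stunnel.conf]` lines leave the resource title unquoted, which the Puppet parser is unlikely to read as a path string; it should be `require => File['/etc/rsyncd-syncproxy-stunnel.conf']`. The IPv6 `xinetd::service` also reuses `id => "${name}-rsync-ssl"` from the IPv4 one. xinetd expects service ids to be unique, so unless the define rewrites the id, the second listener may be rejected; `id => "${name}-rsync-ssl6"` avoids the clash. If that listener is dropped, the `dsa-rsync-ssl` ferm rule still opens 1873 with no TLS endpoint behind it on that address family, so confirm after deploy that stunnel answers on both. The class body and the definitions of `$bind`, `$bind6`, `$protocol` and `$max_clients` lie outside the hunk, and the stunnel TLS settings live in the template, which this patch does not show.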