From f35cf27e2783bfee55b247d56f32e90750dd5d32 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 7 Feb 2016 10:03:29 +0000
Subject: [PATCH] TLSA for rsync sites
---
 modules/rsync/manifests/site.pp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
index 97dbb05d8..ec4a09ecc 100644
--- a/modules/rsync/manifests/site.pp
+++ b/modules/rsync/manifests/site.pp
@@ -69,7 +69,8 @@ define rsync::site (
 if $sslname != '' {
 file { "/etc/rsyncd-${name}-stunnel.conf":
- content => template('rsync/rsyncd-stunnel.conf.erb')
+ content => template('rsync/rsyncd-stunnel.conf.erb'),
+ require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
 }
 @ferm::rule { "rsync-${name}-ssl":
 domain => '(ip ip6)',
@@ -102,6 +103,13 @@ define rsync::site (
 require => File["/etc/rsyncd-${name}-stunnel.conf"],
 }
 }
+
+ dnsextras::tlsa_record{ "tlsa-${sslname}-${sslport}":
+ zone => 'debian.org',
+ certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt" ],
+ port => $sslport,
+ hostname => "$sslname",
+ }
 }
 Service['rsync']->Service['xinetd']
--
2.20.1
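Review bot: The new `require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],` on the stunnel config makes catalog compilation depend on that File resource being declared somewhere else in the catalog, presumably by whichever class manages the service certificates; a site whose `$sslname` is not covered by that class now fails at compile time instead of at stunnel start, which is the better failure mode but not obvious from this define. A one-line comment above the `file` resource, such as `# the chained cert is managed elsewhere; requiring it keeps stunnel from starting with a half-installed cert`, would make that contract explicit. The enclosing `rsync::site` define starts outside the hunk.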
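Review bot: `hostname => "$sslname",` in the new `dnsextras::tlsa_record` quotes a bare variable, which puppet-lint flags (only_variable_string); `hostname => $sslname,` matches the `port => $sslport,` line just above it. The `zone` is fixed to `'debian.org'` while `$sslname` is a caller-supplied parameter, so a site whose TLS name is not under that zone would get its record placed in the wrong zone — if that can never happen here, a short comment on the resource saying so would spare the next reader the question. Note also that the TLSA data is derived from the two puppet-module copies of the certificate, whereas stunnel serves the host's `/etc/ssl/debian/certs/${sslname}.crt-chained` from the first hunk; DANE validation only succeeds while those copies stay in step, which is presumably why both the servicecerts and from-letsencrypt files are listed, and is worth a comment on the `certfile` line. The enclosing `rsync::site` define starts outside the hunk.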