Generate the apache ACL for draghi's "restricted" repo (RT#7962)
[mirror/dsa-puppet.git] / modules / roles / manifests / dbmaster.pp
index 5b83b66..f207b21 100644 (file)
@@ -7,32 +7,64 @@
 #   include roles::dbmaster
 #
 class roles::dbmaster {
+  include apache2
 
-       include roles::pubsub::parameters
-
-       $rabbit_password = $roles::pubsub::parameters::rabbit_password
-
-       ssl::service { 'db.debian.org':
-               notify  => [ Exec['service apache2 reload'],
-                            Service['slapd'] ],
-               key => true,
-               tlsaport => [443, 389, 636],
-       }
-
-       file { "/etc/ldap/db.debian.org.key":
-              ensure => present,
-              mode   => '0440',
-              group  => 'openldap',
-              source => 'puppet:///modules/ssl/from-letsencrypt/db.debian.org.key',
-              links  => follow,
-       }
-
-       roles::pubsub::config { 'generate':
-               key      => 'dsa-udgenerate',
-               exchange => dsa,
-               topic    => 'dsa.ud.replicate',
-               vhost    => dsa,
-               username => $::fqdn,
-               password => $rabbit_password
-       }
+  include roles::pubsub::parameters
+
+  $rabbit_password = $roles::pubsub::parameters::rabbit_password
+
+  ssl::service { 'db.debian.org':
+    notify   => [ Exec['service apache2 reload'],
+                  Service['slapd'] ],
+    key      => true,
+    tlsaport => [443, 389, 636],
+  }
+
+  file { '/etc/ldap/db.debian.org.key':
+    ensure  => present,
+    mode    => '0440',
+    group   => 'openldap',
+    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.letsencrypt_dir"]) + "/db.debian.org.key") %>'),
+    links   => follow,
+  }
+
+  roles::pubsub::config { 'generate':
+    key      => 'dsa-udgenerate',
+    exchange => dsa,
+    topic    => 'dsa.ud.replicate',
+    vhost    => dsa,
+    username => $::fqdn,
+    password => $rabbit_password
+  }
+
+  service { 'slapd':
+    ensure => running,
+  }
+
+  ssh::keygen {'dsa': }
+  ssh::authorized_key_add { 'dbmaster::puppetmaster::nagios-build':
+    target_user => 'puppet',
+    command     => '/srv/puppet.debian.org/sync/bin/puppet-ssh-wrap draghi.debian.org nagiosconfig',
+    key         => $facts['dsa_key'],
+    collect_tag => 'puppetmaster',
+  }
+
+  exim::vdomain { 'db.debian.org':
+    mail_user  => 'mail_db',
+    mail_group => 'nogroup',
+  }
+
+  ferm::rule::simple { 'finger':
+    port => 'finger',
+  }
+  ferm::rule::simple { 'ldap':
+    port => ['ldap', 'ldaps'],
+  }
+
+  concat { '/etc/apache2/conf-available/puppet-restricted-acl.conf':
+    mode           => '0444',
+    ensure_newline => true,
+    warn           => '# This file is maintained with puppet',
+  }
+  Concat::Fragment <<| tag == 'debian_org::apt_restricted::apache-acl' |>>
 }
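Review bot: The key file at `/etc/ldap/db.debian.org.key` now carries its private key material as `content` (line 52), so the key is embedded in the compiled catalog and, on any change, Puppet will by default print a content diff into the agent log and the report; the resource should set `show_diff => false` so that output never contains the key. Also `links => follow` has no effect on a resource managed through `content` rather than `source`, so that attribute can be dropped. Finally, the new `concat` writes `puppet-restricted-acl.conf` into `conf-available`, but nothing in this hunk enables it under `conf-enabled` — if that is done elsewhere in the module it may be worth a one-line comment here, e.g. `# enabled via apache2::... elsewhere`, otherwise the ACL is never loaded.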