+# = Class: roles::rtc
+#
+# Setup for machines used by the RTC Team
+#
+# == Sample Usage:
+#
+# include roles::rtc
+#
class roles::rtc {
- ssl::service { 'debian.org':
- tlsaport => [],
- notify => Service['repro'],
- key => true,
- }
+ include profile::prosody
- ssl::service { 'sip-ws.debian.org':
- notify => Service['repro'],
- key => true,
- }
+ ssl::service { 'debian.org':
+ tlsaport => [],
+ notify => Service['repro'],
+ key => true,
+ }
- dnsextras::tlsa_record{ 'tlsa-xmpp':
- zone => 'debian.org',
- certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
- port => [5061, 5222, 5269],
- hostname => $::fqdn,
- }
+ ssl::service { 'sip-ws.debian.org':
+ notify => Service['repro'],
+ key => true,
+ }
- ferm::rule { 'dsa-xmpp-client-ip4':
- domain => 'ip',
- description => 'XMPP connections (client to server)',
- rule => 'proto tcp dport (5222) ACCEPT'
- }
- ferm::rule { 'dsa-xmpp-client-ip6':
- domain => 'ip6',
- description => 'XMPP connections (client to server)',
- rule => 'proto tcp dport (5222) ACCEPT'
- }
- ferm::rule { 'dsa-xmpp-server-ip4':
- domain => 'ip',
- description => 'XMPP connections (server to server)',
- rule => 'proto tcp dport (5269) ACCEPT'
- }
- ferm::rule { 'dsa-xmpp-server-ip6':
- domain => 'ip6',
- description => 'XMPP connections (server to server)',
- rule => 'proto tcp dport (5269) ACCEPT'
- }
+ dnsextras::tlsa_record{ 'tlsa-xmpp':
+ zone => 'debian.org',
+ certfile => '/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt',
+ port => [5061, 5222, 5269],
+ hostname => $::fqdn,
+ }
- ferm::rule { 'dsa-sip-ws-ip4':
- domain => 'ip',
- description => 'SIP connections (WebSocket; for WebRTC)',
- rule => 'proto tcp dport (443) ACCEPT'
- }
- ferm::rule { 'dsa-sip-ws-ip6':
- domain => 'ip6',
- description => 'SIP connections (WebSocket; for WebRTC)',
- rule => 'proto tcp dport (443) ACCEPT'
- }
- ferm::rule { 'dsa-sip-tls-ip4':
- domain => 'ip',
- description => 'SIP connections (TLS)',
- rule => 'proto tcp dport (5061) ACCEPT'
- }
- ferm::rule { 'dsa-sip-tls-ip6':
- domain => 'ip6',
- description => 'SIP connections (TLS)',
- rule => 'proto tcp dport (5061) ACCEPT'
- }
- ferm::rule { 'dsa-turn-ip4':
- domain => 'ip',
- description => 'TURN connections',
- rule => 'proto udp dport (3478) ACCEPT'
- }
- ferm::rule { 'dsa-turn-ip6':
- domain => 'ip6',
- description => 'TURN connections',
- rule => 'proto udp dport (3478) ACCEPT'
- }
- ferm::rule { 'dsa-turn-tls-ip4':
- domain => 'ip',
- description => 'TURN connections (TLS)',
- rule => 'proto tcp dport (5349) ACCEPT'
- }
- ferm::rule { 'dsa-turn-tls-ip6':
- domain => 'ip6',
- description => 'TURN connections (TLS)',
- rule => 'proto tcp dport (5349) ACCEPT'
- }
- ferm::rule { 'dsa-rtp-ip4':
- domain => 'ip',
- description => 'RTP streams',
- rule => 'proto udp dport (49152:65535) ACCEPT'
- }
- ferm::rule { 'dsa-rtp-ip6':
- domain => 'ip6',
- description => 'RTP streams',
- rule => 'proto udp dport (49152:65535) ACCEPT'
- }
+ ferm::rule { 'dsa-xmpp-client-ip4':
+ domain => 'ip',
+ description => 'XMPP connections (client to server)',
+ rule => 'proto tcp dport (5222) ACCEPT'
+ }
+ ferm::rule { 'dsa-xmpp-client-ip6':
+ domain => 'ip6',
+ description => 'XMPP connections (client to server)',
+ rule => 'proto tcp dport (5222) ACCEPT'
+ }
+ ferm::rule { 'dsa-xmpp-server-ip4':
+ domain => 'ip',
+ description => 'XMPP connections (server to server)',
+ rule => 'proto tcp dport (5269) ACCEPT'
+ }
+ ferm::rule { 'dsa-xmpp-server-ip6':
+ domain => 'ip6',
+ description => 'XMPP connections (server to server)',
+ rule => 'proto tcp dport (5269) ACCEPT'
+ }
- file { '/etc/monit/monit.d/50rtc':
- ensure => absent,
- }
+ ferm::rule { 'dsa-sip-ws-ip4':
+ domain => 'ip',
+ description => 'SIP connections (WebSocket; for WebRTC)',
+ rule => 'proto tcp dport (443) ACCEPT'
+ }
+ ferm::rule { 'dsa-sip-ws-ip6':
+ domain => 'ip6',
+ description => 'SIP connections (WebSocket; for WebRTC)',
+ rule => 'proto tcp dport (443) ACCEPT'
+ }
+ ferm::rule { 'dsa-sip-tls-ip4':
+ domain => 'ip',
+ description => 'SIP connections (TLS)',
+ rule => 'proto tcp dport (5061) ACCEPT'
+ }
+ ferm::rule { 'dsa-sip-tls-ip6':
+ domain => 'ip6',
+ description => 'SIP connections (TLS)',
+ rule => 'proto tcp dport (5061) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-ip4':
+ domain => 'ip',
+ description => 'TURN connections',
+ rule => 'proto udp dport (3478) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-ip6':
+ domain => 'ip6',
+ description => 'TURN connections',
+ rule => 'proto udp dport (3478) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-tls-ip4':
+ domain => 'ip',
+ description => 'TURN connections (TLS)',
+ rule => 'proto tcp dport (5349) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-tls-ip6':
+ domain => 'ip6',
+ description => 'TURN connections (TLS)',
+ rule => 'proto tcp dport (5349) ACCEPT'
+ }
+ ferm::rule { 'dsa-rtp-ip4':
+ domain => 'ip',
+ description => 'RTP streams',
+ rule => 'proto udp dport (49152:65535) ACCEPT'
+ }
+ ferm::rule { 'dsa-rtp-ip6':
+ domain => 'ip6',
+ description => 'RTP streams',
+ rule => 'proto udp dport (49152:65535) ACCEPT'
+ }
- service { 'repro':
- ensure => running,
- }
- dsa_systemd::override { 'repro':
- content => @("EOF"),
+ file { '/etc/monit/monit.d/50rtc':
+ ensure => absent,
+ }
+
+ service { 'repro':
+ ensure => running,
+ }
+ dsa_systemd::override { 'repro':
+ content => @("EOF"),
[Unit]
After=network-online.target
| EOF
- }
+ }
- package { 'freeradius':
- ensure => installed,
- }
- service { 'freeradius':
- ensure => running,
- }
- $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
- file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
- content => template('roles/rtc/freeradius-rtc.erb'),
- mode => '0440',
- group => freerad,
- }
- file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
- ensure => link,
- target => '../sites-available/rtc.debian.org',
- }
- file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
- source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
- mode => '0440',
- group => freerad,
- }
- file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
- ensure => link,
- target => '../mods-available/passwd_rtc',
- }
- file { '/etc/repro/radius-servers':
- content => inline_template('localhost/localhost <%= @radius_password %>'),
- mode => '0440',
- group => repro,
- notify => Service['repro'],
- }
- file { '/etc/freeradius/3.0/sites-enabled/default':
- ensure => absent,
- }
- file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
- ensure => absent,
- }
+ package { 'freeradius':
+ ensure => installed,
+ }
+ service { 'freeradius':
+ ensure => running,
+ }
+ $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
+ file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
+ content => template('roles/rtc/freeradius-rtc.erb'),
+ mode => '0440',
+ group => freerad,
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
+ ensure => link,
+ target => '../sites-available/rtc.debian.org',
+ }
+ file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
+ source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
+ mode => '0440',
+ group => freerad,
+ }
+ file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
+ ensure => link,
+ target => '../mods-available/passwd_rtc',
+ }
+ file { '/etc/repro/radius-servers':
+ content => inline_template('localhost/localhost <%= @radius_password %>'),
+ mode => '0440',
+ group => repro,
+ notify => Service['repro'],
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/default':
+ ensure => absent,
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
+ ensure => absent,
+ }
}
projects / mirror / dsa-puppet.git / blobdiff