Merge remote-tracking branch 'origin/master' into staging

[mirror/dsa-puppet.git] / modules / roles / manifests / security_tracker.pp

diff --git a/modules/roles/manifests/security_tracker.pp b/modules/roles/manifests/security_tracker.pp
index 4c7ee44..0e94dd8 100644 (file)
--- a/modules/roles/manifests/security_tracker.pp
+++ b/modules/roles/manifests/security_tracker.pp
@@ -1,6 +1,44 @@
 class roles::security_tracker {
+       include apache2::ssl
+       include apache2::proxy_http
+       include apache2::expires
+
+       apache2::module { 'cache_disk':
+               ensure => present,
+       }
+
+       # security-tracker abusers
+       #  66.170.99.1  20180706 excessive number of requests
+       #  66.170.99.2  20180706 excessive number of requests
+       @ferm::rule { 'dsa-sectracker-abusers':
+               prio  => "000",
+               rule  => "saddr (66.170.99.1 66.170.99.2) DROP",
+       }
+
+
        ssl::service { 'security-tracker.debian.org':
                notify  => Exec['service apache2 reload'],
                key => true,
        }
+
+       apache2::site { 'security-tracker.debian.org':
+               site   => 'security-tracker.debian.org',
+               content => template('roles/apache-security-tracker.debian.org.conf.erb')
+       }
+
+       # traffic shaping http traffic
+       #@ferm::rule { 'dsa-security-tracker-shape':
+       #       table => 'mangle',
+       #       chain => 'OUTPUT',
+       #       rule  => "proto tcp sport 443 MARK set-mark 20",
+       #}
+
+       file { '/usr/local/sbin/traffic-shape':
+               mode   => '0755',
+               content => template('roles/security-tracker/traffic-shape'),
+               notify => Exec['/usr/local/sbin/traffic-shape'],
+       }
+       exec { '/usr/local/sbin/traffic-shape':
+               refreshonly => true
+       }
 }