security_mirror -> hiera role; part 2; also make security apache bind to the security...

diff --git a/data/common.yaml b/data/common.yaml
index 635f03e..f5c4b7f 100644 (file)
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -54,42 +54,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/'
 # all of these should be retired in favour of including the class role
 # with the host. weasel, 2019-09
 roles:
-  security_mirror:
-    # XXX used also in ferm me.conf.erb
-    mirror-anu.debian.org:
-      fastly-backend: false
-    mirror-csail.debian.org:
-      fastly-backend: false
-    mirror-isc.debian.org:
-      onion_v4_address: 149.20.4.14
-    mirror-umn.debian.org:
-      onion_v4_address: 128.101.240.215
-    mirror-accumu.debian.org:
-      fastly-backend: false
-    mirror-skroutz.debian.org:
-      fastly-backend: false
-    lobos.debian.org:
-      service-hostname: lobos.security.backend.mirrors.debian.org
-      fastly-backend: false
-      onion_v4_address: 212.211.132.250
-    santoro.debian.org:
-      fastly-backend: false
-    schmelzer.debian.org:
-      fastly-backend: false
-    schumann.debian.org:
-      service-hostname: schumann.security.backend.mirrors.debian.org
-      fastly-backend: true
-    setoguchi.debian.org:
-      fastly-backend: false
-    sechter.debian.org:
-      fastly-backend: false
-    villa.debian.org:
-      service-hostname: villa.security.backend.mirrors.debian.org
-      fastly-backend: true
-      onion_v4_address: 212.211.132.32
-    wieck.debian.org:
-      service-hostname: wieck.security.backend.mirrors.debian.org
-      fastly-backend: true
   postgres_backup_server:
     # XXX - used by ferm templates/defs.conf.erb
     - backuphost.debian.org

diff --git a/data/nodes/lobos.debian.org.yaml b/data/nodes/lobos.debian.org.yaml
index 854f0ec..8b46d8d 100644 (file)
--- a/data/nodes/lobos.debian.org.yaml
+++ b/data/nodes/lobos.debian.org.yaml
@@ -1,3 +1,6 @@
 ---
 classes:
   - roles::security_mirror
+
+roles::security_mirror::healthcheck_name: lobos.security.backend.mirrors.debian.org
+roles::security_mirror::onion_service: true

diff --git a/data/nodes/mirror-anu.debian.org.yaml b/data/nodes/mirror-anu.debian.org.yaml
index 02f0648..087d72b 100644 (file)
--- a/data/nodes/mirror-anu.debian.org.yaml
+++ b/data/nodes/mirror-anu.debian.org.yaml
@@ -3,6 +3,8 @@ classes:
   - roles::static_mirror_web
   - roles::syncproxy
 
+roles::security_mirror::listen_addr: ['150.203.164.61', '2001:388:1034:2900::3d']
+
 roles::static_mirror_web::listen_addr: ['150.203.164.62', '2001:388:1034:2900::3e']
 
 roles::syncproxy::syncproxy_name: syncproxy.au.debian.org

diff --git a/data/nodes/mirror-isc.debian.org.yaml b/data/nodes/mirror-isc.debian.org.yaml
index cd3beca..ff0c5ff 100644 (file)
--- a/data/nodes/mirror-isc.debian.org.yaml
+++ b/data/nodes/mirror-isc.debian.org.yaml
@@ -12,6 +12,9 @@ roles::debian_mirror::onion_service: true
 roles::ports_mirror::listen_addr: ['149.20.4.15', '2001:4f8:1:c::15']
 roles::ports_mirror::onion_service: true
 
+roles::security_mirror::listen_addr: ['149.20.4.14', '2001:4f8:1:c::14']
+roles::security_mirror::onion_service: true
+
 roles::static_mirror_web::listen_addr: ['149.20.4.15', '2001:4f8:1:c::15']
 roles::static_mirror_web::onion_service: true
 

diff --git a/data/nodes/mirror-umn.debian.org.yaml b/data/nodes/mirror-umn.debian.org.yaml
index bca495b..030fef8 100644 (file)
--- a/data/nodes/mirror-umn.debian.org.yaml
+++ b/data/nodes/mirror-umn.debian.org.yaml
@@ -3,5 +3,8 @@ classes:
   - roles::security_mirror
   - roles::syncproxy
 
+roles::security_mirror::listen_addr: ['128.101.240.215', '2607:ea00:101:3c0b::1deb:215']
+roles::security_mirror::onion_service: true
+
 roles::syncproxy::syncproxy_name: syncproxy.cna.debian.org
 roles::syncproxy::listen_addr: ['128.101.240.216', '2607:ea00:101:3c0b::1deb:216']

diff --git a/data/nodes/schmelzer.debian.org.yaml b/data/nodes/schmelzer.debian.org.yaml
index 3a9537a..28bd0fe 100644 (file)
--- a/data/nodes/schmelzer.debian.org.yaml
+++ b/data/nodes/schmelzer.debian.org.yaml
@@ -11,6 +11,7 @@ roles::debian_mirror::healthcheck_name: conova.debian.backend.mirrors.debian.org
 roles::debug_mirror::listen_addr: ['217.196.149.232', '2a02:16a8:dc41:100::232']
 roles::debug_mirror::onion_service: true
 roles::debug_mirror::healthcheck_name: conova.debug.backend.mirrors.debian.org
+roles::security_mirror::listen_addr: ['217.196.149.233', '2a02:16a8:dc41:100::233']
 roles::syncproxy::syncproxy_name: syncproxy4.eu.debian.org
 roles::syncproxy::listen_addr: ['217.196.149.237', '2a02:16a8:dc41:100::237']
 roles::historical_mirror::listen_addr: ['217.196.149.234', '2a02:16a8:dc41:100::234']

diff --git a/data/nodes/schumann.debian.org.yaml b/data/nodes/schumann.debian.org.yaml
index 854f0ec..63dbc3e 100644 (file)
--- a/data/nodes/schumann.debian.org.yaml
+++ b/data/nodes/schumann.debian.org.yaml
@@ -1,3 +1,5 @@
 ---
 classes:
   - roles::security_mirror
+
+roles::security_mirror::healthcheck_name: schumann.security.backend.mirrors.debian.org

diff --git a/data/nodes/villa.debian.org.yaml b/data/nodes/villa.debian.org.yaml
index 854f0ec..4478a5f 100644 (file)
--- a/data/nodes/villa.debian.org.yaml
+++ b/data/nodes/villa.debian.org.yaml
@@ -1,3 +1,6 @@
 ---
 classes:
   - roles::security_mirror
+
+roles::security_mirror::healthcheck_name: villa.security.backend.mirrors.debian.org
+roles::security_mirror::onion_service: true

diff --git a/data/nodes/wieck.debian.org.yaml b/data/nodes/wieck.debian.org.yaml
index 854f0ec..1a73885 100644 (file)
--- a/data/nodes/wieck.debian.org.yaml
+++ b/data/nodes/wieck.debian.org.yaml
@@ -1,3 +1,5 @@
 ---
 classes:
   - roles::security_mirror
+
+roles::security_mirror::healthcheck_name: wieck.security.backend.mirrors.debian.org

diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index 30f0ea0..e87431a 100644 (file)
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -1,55 +1,67 @@
-class roles::security_mirror {
+# security mirror
+#
+# @param listen_addr IP addresses to have rsync listen on
+# @param onion_service provide the onion service from this host
+# @param healthcheck_name name to access this node in the health checker
+class roles::security_mirror(
+  Array[Stdlib::IP::Address] $listen_addr = [],
+  Boolean $onion_service = false,
+  Optional[String] $healthcheck_name = undef,
+){
   include roles::archvsync_base
+  include apache2
+  include apache2::expires
+  include apache2::rewrite
 
-  # security abusers
-  #  198.108.67.48 DoS against our rsync service
-  ferm::rule { 'dsa-security-abusers':
-    prio => '005',
-    rule => 'saddr ( 198.108.67.48/32 ) DROP',
+  $enclosed_addresses_rsync = empty($listen_addr) ? {
+    true    => ['[::]'],
+    default => enclose_ipv6($listen_addr),
   }
-
-  $binds = $::hostname ? {
-    mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ],
-    mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ],
-    mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ],
-    schmelzer  => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ],
-    default    => [ '[::]' ],
+  $_enclosed_addresses = empty($listen_addr) ? {
+    true    => ['*'],
+    default => enclose_ipv6($listen_addr),
   }
-
-  include apache2::expires
-  include apache2::rewrite
+  $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ')
 
   apache2::site { '010-security.debian.org':
     site    => 'security.debian.org',
     content => template('roles/security_mirror/security.debian.org.erb')
   }
 
-  $mirrors = hiera('roles.security_mirror', {})
-  $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] }
-  $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] }
-
-  roles::mirror_health { 'security':
-    check_hosts   => $hosts_to_check,
-    check_service => 'security',
-    url           => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
-    health_url    => 'http://security.backend.mirrors.debian.org/_health',
-        }
-
   rsync::site { 'security':
     source      => 'puppet:///modules/roles/security_mirror/rsyncd.conf',
     max_clients => 100,
-    binds       => $binds,
+    binds       => $enclosed_addresses_rsync,
   }
 
-  $onion_v4_addr = hiera('roles.security_mirror', {})
-    .dig($::fqdn, 'onion_v4_address')
-  if $onion_v4_addr {
+  if $onion_service {
+    $onion_addr = empty($listen_addr) ? {
+      true    => $base::public_address,
+      default => filter_ipv4($listen_addr)[0]
+    }
+    if ! $onion_addr {
+      fail("Do not have a useable address for the onionservice on ${::hostname}.  Is \$listen_addr empty or does it not have an IPv4 address?.")
+    }
+
     onion::service { 'security.debian.org':
       port           => 80,
       target_port    => 80,
-      target_address => $onion_v4_addr,
+      target_address => $onion_addr,
     }
   }
 
   Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
+
+  mirror_health::service { 'security':
+    this_host_service_name => $healthcheck_name,
+    url                    => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release',
+    health_url             => 'http://security.backend.mirrors.debian.org/_health',
+  }
+
+  # security abusers
+  #  198.108.67.48 DoS against our rsync service
+  ferm::rule { 'dsa-security-abusers':
+    prio => '005',
+    rule => 'saddr ( 198.108.67.48/32 ) DROP',
+  }
 }

diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb
index 9177327..91e4056 100644 (file)
--- a/modules/roles/templates/security_mirror/security.debian.org.erb
+++ b/modules/roles/templates/security_mirror/security.debian.org.erb
@@ -3,7 +3,7 @@
 ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 ##
 
-<VirtualHost *:80 127.0.0.1:80 [::1]:80>
+<VirtualHost <%= @vhost_listen %> 127.0.0.1:80 [::1]:80 >
    ServerAdmin debian-admin@debian.org
    DocumentRoot /srv/mirrors/debian-security
    ServerPath /debian-security