--- /dev/null
+# Please contact the RTC team about this service at debian-rtc-team@alioth-lists.debian.net
+#
+
+class profile::prosody {
+
+ class { 'prosody':
+ user => 'prosody',
+ group => 'prosody',
+ use_libevent => false,
+ daemonize => true,
+ s2s_secure_auth => false,
+ package_name => 'prosody-modules',
+ ssl_custom_config => false,
+ log_sinks => [],
+ log_advanced => {
+ 'error' => 'syslog',
+ },
+ authentication => 'ha1',
+ custom_options => {
+ 'auth_ha1_file' => '/var/local/rtc-passwords.prosody',
+ 'auth_ha1_use_ha1b' => true,
+ 'auth_ha1_realm' => 'rtc.debian.org',
+ },
+ # we override whatever the module decides as a base
+ modules_base => [
+ 'roster', 'saslauth', 'tls', 'dialback', 'disco', 'posix', 'private',
+ 'vcard', 'version', 'uptime', 'time', 'ping', 'pep', 'register',
+ ],
+ # and add the modules we want on top
+ modules => [
+ 'admin_adhoc', 'blocking', 'carbons', 'carbons_adhoc',
+ 'cloud_notify', 'csi', 'filter_chatstates', 'http',
+ 'http_upload', 'mam', 'smacks', 'smaks', 'throttle_presence',
+ ],
+ }
+
+ -> prosody::virtualhost {
+ 'debian.org':
+ ensure => present,
+ ssl_key => '/etc/ssl/private/debian.org.key',
+ ssl_cert => '/etc/ssl/debian/certs/debian.org.crt-chained',
+ ssl_copy => false,
+ components => {
+ 'conference.debian.org' => {
+ 'type' => 'muc',
+ }
+ }
+ }
+
+ -> posix_acl { '/etc/prosody/prosody.cfg.lua':
+ action => exact,
+ recursive => false,
+ provider => posixacl,
+ permission => [
+ 'user::rw',
+ 'group::r',
+ 'group:debvoip:rw',
+ 'group:prosody:r',
+ 'mask::r',
+ 'other::',
+ ],
+ }
+
+ -> posix_acl { '/etc/prosody/conf.avail/debian.org.cfg.lua':
+ action => exact,
+ recursive => false,
+ provider => posixacl,
+ permission => [
+ 'user::rw',
+ 'group::r',
+ 'group:debvoip:rw',
+ 'group:prosody:r',
+ 'mask::r',
+ 'other::',
+ ],
+ }
+
+}
+# = Class: roles::rtc
+#
+# Setup for machines used by the RTC Team
+#
+# == Sample Usage:
+#
+# include roles::rtc
+#
class roles::rtc {
- ssl::service { 'debian.org':
- tlsaport => [],
- notify => Service['repro'],
- key => true,
- }
+ include profile::prosody
- ssl::service { 'sip-ws.debian.org':
- notify => Service['repro'],
- key => true,
- }
+ ssl::service { 'debian.org':
+ tlsaport => [],
+ notify => Service['repro'],
+ key => true,
+ }
- dnsextras::tlsa_record{ 'tlsa-xmpp':
- zone => 'debian.org',
- certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
- port => [5061, 5222, 5269],
- hostname => $::fqdn,
- }
+ ssl::service { 'sip-ws.debian.org':
+ notify => Service['repro'],
+ key => true,
+ }
- ferm::rule { 'dsa-xmpp-client-ip4':
- domain => 'ip',
- description => 'XMPP connections (client to server)',
- rule => 'proto tcp dport (5222) ACCEPT'
- }
- ferm::rule { 'dsa-xmpp-client-ip6':
- domain => 'ip6',
- description => 'XMPP connections (client to server)',
- rule => 'proto tcp dport (5222) ACCEPT'
- }
- ferm::rule { 'dsa-xmpp-server-ip4':
- domain => 'ip',
- description => 'XMPP connections (server to server)',
- rule => 'proto tcp dport (5269) ACCEPT'
- }
- ferm::rule { 'dsa-xmpp-server-ip6':
- domain => 'ip6',
- description => 'XMPP connections (server to server)',
- rule => 'proto tcp dport (5269) ACCEPT'
- }
+ dnsextras::tlsa_record{ 'tlsa-xmpp':
+ zone => 'debian.org',
+ certfile => '/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt',
+ port => [5061, 5222, 5269],
+ hostname => $::fqdn,
+ }
- ferm::rule { 'dsa-sip-ws-ip4':
- domain => 'ip',
- description => 'SIP connections (WebSocket; for WebRTC)',
- rule => 'proto tcp dport (443) ACCEPT'
- }
- ferm::rule { 'dsa-sip-ws-ip6':
- domain => 'ip6',
- description => 'SIP connections (WebSocket; for WebRTC)',
- rule => 'proto tcp dport (443) ACCEPT'
- }
- ferm::rule { 'dsa-sip-tls-ip4':
- domain => 'ip',
- description => 'SIP connections (TLS)',
- rule => 'proto tcp dport (5061) ACCEPT'
- }
- ferm::rule { 'dsa-sip-tls-ip6':
- domain => 'ip6',
- description => 'SIP connections (TLS)',
- rule => 'proto tcp dport (5061) ACCEPT'
- }
- ferm::rule { 'dsa-turn-ip4':
- domain => 'ip',
- description => 'TURN connections',
- rule => 'proto udp dport (3478) ACCEPT'
- }
- ferm::rule { 'dsa-turn-ip6':
- domain => 'ip6',
- description => 'TURN connections',
- rule => 'proto udp dport (3478) ACCEPT'
- }
- ferm::rule { 'dsa-turn-tls-ip4':
- domain => 'ip',
- description => 'TURN connections (TLS)',
- rule => 'proto tcp dport (5349) ACCEPT'
- }
- ferm::rule { 'dsa-turn-tls-ip6':
- domain => 'ip6',
- description => 'TURN connections (TLS)',
- rule => 'proto tcp dport (5349) ACCEPT'
- }
- ferm::rule { 'dsa-rtp-ip4':
- domain => 'ip',
- description => 'RTP streams',
- rule => 'proto udp dport (49152:65535) ACCEPT'
- }
- ferm::rule { 'dsa-rtp-ip6':
- domain => 'ip6',
- description => 'RTP streams',
- rule => 'proto udp dport (49152:65535) ACCEPT'
- }
+ ferm::rule { 'dsa-xmpp-client-ip4':
+ domain => 'ip',
+ description => 'XMPP connections (client to server)',
+ rule => 'proto tcp dport (5222) ACCEPT'
+ }
+ ferm::rule { 'dsa-xmpp-client-ip6':
+ domain => 'ip6',
+ description => 'XMPP connections (client to server)',
+ rule => 'proto tcp dport (5222) ACCEPT'
+ }
+ ferm::rule { 'dsa-xmpp-server-ip4':
+ domain => 'ip',
+ description => 'XMPP connections (server to server)',
+ rule => 'proto tcp dport (5269) ACCEPT'
+ }
+ ferm::rule { 'dsa-xmpp-server-ip6':
+ domain => 'ip6',
+ description => 'XMPP connections (server to server)',
+ rule => 'proto tcp dport (5269) ACCEPT'
+ }
- file { '/etc/monit/monit.d/50rtc':
- ensure => absent,
- }
+ ferm::rule { 'dsa-sip-ws-ip4':
+ domain => 'ip',
+ description => 'SIP connections (WebSocket; for WebRTC)',
+ rule => 'proto tcp dport (443) ACCEPT'
+ }
+ ferm::rule { 'dsa-sip-ws-ip6':
+ domain => 'ip6',
+ description => 'SIP connections (WebSocket; for WebRTC)',
+ rule => 'proto tcp dport (443) ACCEPT'
+ }
+ ferm::rule { 'dsa-sip-tls-ip4':
+ domain => 'ip',
+ description => 'SIP connections (TLS)',
+ rule => 'proto tcp dport (5061) ACCEPT'
+ }
+ ferm::rule { 'dsa-sip-tls-ip6':
+ domain => 'ip6',
+ description => 'SIP connections (TLS)',
+ rule => 'proto tcp dport (5061) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-ip4':
+ domain => 'ip',
+ description => 'TURN connections',
+ rule => 'proto udp dport (3478) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-ip6':
+ domain => 'ip6',
+ description => 'TURN connections',
+ rule => 'proto udp dport (3478) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-tls-ip4':
+ domain => 'ip',
+ description => 'TURN connections (TLS)',
+ rule => 'proto tcp dport (5349) ACCEPT'
+ }
+ ferm::rule { 'dsa-turn-tls-ip6':
+ domain => 'ip6',
+ description => 'TURN connections (TLS)',
+ rule => 'proto tcp dport (5349) ACCEPT'
+ }
+ ferm::rule { 'dsa-rtp-ip4':
+ domain => 'ip',
+ description => 'RTP streams',
+ rule => 'proto udp dport (49152:65535) ACCEPT'
+ }
+ ferm::rule { 'dsa-rtp-ip6':
+ domain => 'ip6',
+ description => 'RTP streams',
+ rule => 'proto udp dport (49152:65535) ACCEPT'
+ }
- service { 'repro':
- ensure => running,
- }
- dsa_systemd::override { 'repro':
- content => @("EOF"),
+ file { '/etc/monit/monit.d/50rtc':
+ ensure => absent,
+ }
+
+ service { 'repro':
+ ensure => running,
+ }
+ dsa_systemd::override { 'repro':
+ content => @("EOF"),
[Unit]
After=network-online.target
| EOF
- }
+ }
- package { 'freeradius':
- ensure => installed,
- }
- service { 'freeradius':
- ensure => running,
- }
- $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
- file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
- content => template('roles/rtc/freeradius-rtc.erb'),
- mode => '0440',
- group => freerad,
- }
- file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
- ensure => link,
- target => '../sites-available/rtc.debian.org',
- }
- file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
- source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
- mode => '0440',
- group => freerad,
- }
- file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
- ensure => link,
- target => '../mods-available/passwd_rtc',
- }
- file { '/etc/repro/radius-servers':
- content => inline_template('localhost/localhost <%= @radius_password %>'),
- mode => '0440',
- group => repro,
- notify => Service['repro'],
- }
- file { '/etc/freeradius/3.0/sites-enabled/default':
- ensure => absent,
- }
- file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
- ensure => absent,
- }
+ package { 'freeradius':
+ ensure => installed,
+ }
+ service { 'freeradius':
+ ensure => running,
+ }
+ $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
+ file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
+ content => template('roles/rtc/freeradius-rtc.erb'),
+ mode => '0440',
+ group => freerad,
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
+ ensure => link,
+ target => '../sites-available/rtc.debian.org',
+ }
+ file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
+ source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
+ mode => '0440',
+ group => freerad,
+ }
+ file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
+ ensure => link,
+ target => '../mods-available/passwd_rtc',
+ }
+ file { '/etc/repro/radius-servers':
+ content => inline_template('localhost/localhost <%= @radius_password %>'),
+ mode => '0440',
+ group => repro,
+ notify => Service['repro'],
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/default':
+ ensure => absent,
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
+ ensure => absent,
+ }
}
projects / mirror / dsa-puppet.git / commitdiff