From 8317ae9c41d1692c8bd7585794eddd82010e202b Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 22 Sep 2019 23:16:36 +0200
Subject: [PATCH] security_mirror -> hiera role; part 2; also make security apache bind to the security specific addresses
---
 data/common.yaml | 36 ---------
 data/nodes/lobos.debian.org.yaml | 3 +
 data/nodes/mirror-anu.debian.org.yaml | 2 +
 data/nodes/mirror-isc.debian.org.yaml | 3 +
 data/nodes/mirror-umn.debian.org.yaml | 3 +
 data/nodes/schmelzer.debian.org.yaml | 1 +
 data/nodes/schumann.debian.org.yaml | 2 +
 data/nodes/villa.debian.org.yaml | 3 +
 data/nodes/wieck.debian.org.yaml | 2 +
 modules/roles/manifests/security_mirror.pp | 76 +++++++++++--------
 .../security_mirror/security.debian.org.erb | 2 +-
 11 files changed, 64 insertions(+), 69 deletions(-)
diff --git a/data/common.yaml b/data/common.yaml
index 635f03ecc..f5c4b7f03 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -54,42 +54,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/' # all of these should be retired in favour of including the class role # with the host. weasel, 2019-09 roles: - security_mirror: - # XXX used also in ferm me.conf.erb - mirror-anu.debian.org: - fastly-backend: false - mirror-csail.debian.org: - fastly-backend: false - mirror-isc.debian.org: - onion_v4_address: 149.20.4.14 - mirror-umn.debian.org: - onion_v4_address: 128.101.240.215 - mirror-accumu.debian.org: - fastly-backend: false - mirror-skroutz.debian.org: - fastly-backend: false - lobos.debian.org: - service-hostname: lobos.security.backend.mirrors.debian.org - fastly-backend: false - onion_v4_address: 212.211.132.250 - santoro.debian.org: - fastly-backend: false - schmelzer.debian.org: - fastly-backend: false - schumann.debian.org: - service-hostname: schumann.security.backend.mirrors.debian.org - fastly-backend: true - setoguchi.debian.org: - fastly-backend: false - sechter.debian.org: - fastly-backend: false - villa.debian.org: - service-hostname: villa.security.backend.mirrors.debian.org - fastly-backend: true - onion_v4_address: 212.211.132.32 - wieck.debian.org: - service-hostname: wieck.security.backend.mirrors.debian.org - fastly-backend: true postgres_backup_server: # XXX - used by ferm templates/defs.conf.erb - backuphost.debian.org diff --git a/data/nodes/lobos.debian.org.yaml b/data/nodes/lobos.debian.org.yaml index 854f0ec97..8b46d8df7 100644 --- a/data/nodes/lobos.debian.org.yaml +++ b/data/nodes/lobos.debian.org.yaml @@ -1,3 +1,6 @@ --- classes: - roles::security_mirror + +roles::security_mirror::healthcheck_name: lobos.security.backend.mirrors.debian.org +roles::security_mirror::onion_service: true diff --git a/data/nodes/mirror-anu.debian.org.yaml b/data/nodes/mirror-anu.debian.org.yaml index 02f0648f1..087d72b6e 100644 --- a/data/nodes/mirror-anu.debian.org.yaml +++ b/data/nodes/mirror-anu.debian.org.yaml 
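Review bot: With `roles::security_mirror::onion_service: true` and no `roles::security_mirror::listen_addr`, lobos no longer names its onion target explicitly: the manifest in this patch falls back to `$base::public_address`, whereas the block removed from data/common.yaml pinned `onion_v4_address: 212.211.132.250` (villa.debian.org.yaml has the same shape, previously 212.211.132.32). It is worth confirming that the public address resolves to that same IPv4 on both hosts, and recording it next to the setting, e.g. `# onion target: $base::public_address (was onion_v4_address 212.211.132.250)`. The removed block also carried `# XXX used also in ferm me.conf.erb`, and that template is not touched here, so the firewall template may still look up `roles.security_mirror`; if so it would now get no data, which should be checked before deploying.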
@@ -3,6 +3,8 @@ classes: - roles::static_mirror_web - roles::syncproxy +roles::security_mirror::listen_addr: ['150.203.164.61', '2001:388:1034:2900::3d'] + roles::static_mirror_web::listen_addr: ['150.203.164.62', '2001:388:1034:2900::3e'] roles::syncproxy::syncproxy_name: syncproxy.au.debian.org diff --git a/data/nodes/mirror-isc.debian.org.yaml b/data/nodes/mirror-isc.debian.org.yaml index cd3beca91..ff0c5ff11 100644 --- a/data/nodes/mirror-isc.debian.org.yaml +++ b/data/nodes/mirror-isc.debian.org.yaml @@ -12,6 +12,9 @@ roles::debian_mirror::onion_service: true roles::ports_mirror::listen_addr: ['149.20.4.15', '2001:4f8:1:c::15'] roles::ports_mirror::onion_service: true +roles::security_mirror::listen_addr: ['149.20.4.14', '2001:4f8:1:c::14'] +roles::security_mirror::onion_service: true + roles::static_mirror_web::listen_addr: ['149.20.4.15', '2001:4f8:1:c::15'] roles::static_mirror_web::onion_service: true diff --git a/data/nodes/mirror-umn.debian.org.yaml b/data/nodes/mirror-umn.debian.org.yaml index bca495b33..030fef83a 100644 --- a/data/nodes/mirror-umn.debian.org.yaml +++ b/data/nodes/mirror-umn.debian.org.yaml @@ -3,5 +3,8 @@ classes: - roles::security_mirror - roles::syncproxy +roles::security_mirror::listen_addr: ['128.101.240.215', '2607:ea00:101:3c0b::1deb:215'] +roles::security_mirror::onion_service: true + roles::syncproxy::syncproxy_name: syncproxy.cna.debian.org roles::syncproxy::listen_addr: ['128.101.240.216', '2607:ea00:101:3c0b::1deb:216'] diff --git a/data/nodes/schmelzer.debian.org.yaml b/data/nodes/schmelzer.debian.org.yaml index 3a9537a37..28bd0fe65 100644 --- a/data/nodes/schmelzer.debian.org.yaml +++ b/data/nodes/schmelzer.debian.org.yaml 
@@ -11,6 +11,7 @@ roles::debian_mirror::healthcheck_name: conova.debian.backend.mirrors.debian.org roles::debug_mirror::listen_addr: ['217.196.149.232', '2a02:16a8:dc41:100::232'] roles::debug_mirror::onion_service: true roles::debug_mirror::healthcheck_name: conova.debug.backend.mirrors.debian.org +roles::security_mirror::listen_addr: ['217.196.149.233', '2a02:16a8:dc41:100::233'] roles::syncproxy::syncproxy_name: syncproxy4.eu.debian.org roles::syncproxy::listen_addr: ['217.196.149.237', '2a02:16a8:dc41:100::237'] roles::historical_mirror::listen_addr: ['217.196.149.234', '2a02:16a8:dc41:100::234'] diff --git a/data/nodes/schumann.debian.org.yaml b/data/nodes/schumann.debian.org.yaml index 854f0ec97..63dbc3ec6 100644 --- a/data/nodes/schumann.debian.org.yaml +++ b/data/nodes/schumann.debian.org.yaml @@ -1,3 +1,5 @@ --- classes: - roles::security_mirror + +roles::security_mirror::healthcheck_name: schumann.security.backend.mirrors.debian.org diff --git a/data/nodes/villa.debian.org.yaml b/data/nodes/villa.debian.org.yaml index 854f0ec97..4478a5f60 100644 --- a/data/nodes/villa.debian.org.yaml +++ b/data/nodes/villa.debian.org.yaml @@ -1,3 +1,6 @@ --- classes: - roles::security_mirror + +roles::security_mirror::healthcheck_name: villa.security.backend.mirrors.debian.org +roles::security_mirror::onion_service: true diff --git a/data/nodes/wieck.debian.org.yaml b/data/nodes/wieck.debian.org.yaml index 854f0ec97..1a73885c8 100644 --- a/data/nodes/wieck.debian.org.yaml +++ b/data/nodes/wieck.debian.org.yaml @@ -1,3 +1,5 @@ --- classes: - roles::security_mirror + +roles::security_mirror::healthcheck_name: wieck.security.backend.mirrors.debian.org diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp index 30f0ea042..e87431a86 100644 --- a/modules/roles/manifests/security_mirror.pp +++ b/modules/roles/manifests/security_mirror.pp 
@@ -1,55 +1,67 @@ -class roles::security_mirror { +# security mirror +# +# @param listen_addr IP addresses to have rsync listen on +# @param onion_service provide the onion service from this host +# @param healthcheck_name name to access this node in the health checker +class roles::security_mirror( + Array[Stdlib::IP::Address] $listen_addr = [], + Boolean $onion_service = false, + Optional[String] $healthcheck_name = undef, +){ include roles::archvsync_base + include apache2 + include apache2::expires + include apache2::rewrite - # security abusers - # 198.108.67.48 DoS against our rsync service - ferm::rule { 'dsa-security-abusers': - prio => '005', - rule => 'saddr ( 198.108.67.48/32 ) DROP', + $enclosed_addresses_rsync = empty($listen_addr) ? { + true => ['[::]'], + default => enclose_ipv6($listen_addr), } - - $binds = $::hostname ? { - mirror-anu => [ '150.203.164.61', '[2001:388:1034:2900::3d]' ], - mirror-isc => [ '149.20.4.14', '[2001:4f8:1:c::14]' ], - mirror-umn => [ '128.101.240.215', '[2607:ea00:101:3c0b::1deb:215]' ], - schmelzer => [ '217.196.149.233', '[2a02:16a8:dc41:100::233]' ], - default => [ '[::]' ], + $_enclosed_addresses = empty($listen_addr) ? 
{ + true => ['*'], + default => enclose_ipv6($listen_addr), } - - include apache2::expires - include apache2::rewrite + $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:80" } .join(' ') apache2::site { '010-security.debian.org': site => 'security.debian.org', content => template('roles/security_mirror/security.debian.org.erb') } - $mirrors = hiera('roles.security_mirror', {}) - $fastly_mirrors = $mirrors.filter |$h| { $h[1]['fastly-backend'] } - $hosts_to_check = $fastly_mirrors.map |$h| { $h[1]['service-hostname'] } - - roles::mirror_health { 'security': - check_hosts => $hosts_to_check, - check_service => 'security', - url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release', - health_url => 'http://security.backend.mirrors.debian.org/_health', - } - rsync::site { 'security': source => 'puppet:///modules/roles/security_mirror/rsyncd.conf', max_clients => 100, - binds => $binds, + binds => $enclosed_addresses_rsync, } - $onion_v4_addr = hiera('roles.security_mirror', {}) - .dig($::fqdn, 'onion_v4_address') - if $onion_v4_addr { + if $onion_service { + $onion_addr = empty($listen_addr) ? { + true => $base::public_address, + default => filter_ipv4($listen_addr)[0] + } + if ! $onion_addr { + fail("Do not have a useable address for the onionservice on ${::hostname}. 
Is \$listen_addr empty or does it not have an IPv4 address?.") + } + onion::service { 'security.debian.org': port => 80, target_port => 80, - target_address => $onion_v4_addr, + target_address => $onion_addr, } } Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>> + + mirror_health::service { 'security': + this_host_service_name => $healthcheck_name, + url => 'http://security.backend.mirrors.debian.org/debian-security/dists/stable/updates/Release', + health_url => 'http://security.backend.mirrors.debian.org/_health', + } + + # security abusers + # 198.108.67.48 DoS against our rsync service + ferm::rule { 'dsa-security-abusers': + prio => '005', + rule => 'saddr ( 198.108.67.48/32 ) DROP', + } } diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb index 917732741..91e4056e4 100644 --- a/modules/roles/templates/security_mirror/security.debian.org.erb +++ b/modules/roles/templates/security_mirror/security.debian.org.erb @@ -3,7 +3,7 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## - + 127.0.0.1:80 [::1]:80 > ServerAdmin debian-admin@debian.org DocumentRoot /srv/mirrors/debian-security ServerPath /debian-security -- 2.20.1
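Review bot: `Array[Stdlib::IP::Address] $listen_addr` also accepts addresses written with a prefix length, and each element is interpolated unchanged into the Apache listen string (`"${a}:80"`) and passed to the rsync `binds`, so a value such as a constructed `'192.0.2.1/32'` would pass validation and most likely only fail when the daemons load their configuration. Declaring the parameter as `Array[Stdlib::IP::Address::Nosubnet] $listen_addr = [],` rejects that at catalog compile time. The `@param listen_addr` line still describes the addresses as being for rsync only, while this change also uses them for the vhost and for the onion target; `# @param listen_addr IP addresses to have rsync and apache listen on` would match the code. The whole class body is inside this hunk.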