From: Stephen Gran Date: Sun, 20 May 2012 20:05:31 +0000 (+0100) Subject: Merge branch 'rsync-shuffle' X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=650335318c9021ace96b0cb6d49a13c1a472271f;hp=a62a2f51e3e22a56cd3e4ef5c5a2e731a28cf4b0;p=dsa-puppet.git Merge branch 'rsync-shuffle' --- diff --git a/manifests/site.pp b/manifests/site.pp index c3a3657c..cadc12ed 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -65,10 +65,6 @@ node default { include apache2 } - if $::rsyncd { - include rsyncd-log - } - if $::hostname in [ravel,senfl,orff,draghi,diamond] { include named::authoritative } elsif $::hostname in [geo1,geo2,geo3] { diff --git a/modules/debian-org/lib/facter/software.rb b/modules/debian-org/lib/facter/software.rb index 2bcc0a63..33f1c422 100644 --- a/modules/debian-org/lib/facter/software.rb +++ b/modules/debian-org/lib/facter/software.rb @@ -131,15 +131,6 @@ Facter.add("syslogversion") do %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp end end -Facter.add("rsyncd") do - setcode do - if FileTest.exist?("/etc/rsyncd.conf") - true - else - '' - end - end -end Facter.add("unbound") do unbound=FileTest.exist?("/usr/sbin/unbound") and FileTest.exist?("/var/lib/unbound/root.key") diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml index ee6755ff..f6df5968 100644 --- a/modules/debian-org/misc/local.yaml +++ b/modules/debian-org/misc/local.yaml @@ -149,6 +149,8 @@ services: bugsmaster: bugsmx: - busoni.debian.org + bugs_search: + - glinka.debian.org dbmaster: - draghi.debian.org ftp_master: @@ -175,6 +177,10 @@ services: - reger.debian.org security_master: - chopin.debian.org + www_master: + - wolkenstein.debian.org + keyring: + - kaufmann.debian.org host_settings: heavy_exim: - bellini.debian.org diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index d6fbb0a1..2756e59f 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp 
@@ -3,6 +3,14 @@ class ferm::per-host { include ferm::zivit } + if $::hostname in [klecker,merikanto,powell,ravel,rietz,senfl,sibelius,stabile] { + ferm::rule { 'dsa-rsync': + domain => '(ip ip6)', + description => 'Allow rsync access', + rule => '&SERVICE(tcp, 873)' + } + } + case $::hostname { piatti,samosa: { @ferm::rule { 'dsa-udd-stunnel': @@ -217,7 +225,4 @@ REJECT reject-with icmp-admin-prohibited default: {} } - if $::rsyncd { - include ferm::rsync - } } diff --git a/modules/ferm/manifests/rsync.pp b/modules/ferm/manifests/rsync.pp deleted file mode 100644 index 44feab65..00000000 --- a/modules/ferm/manifests/rsync.pp +++ /dev/null @@ -1,8 +0,0 @@ -class ferm::rsync { - @ferm::rule { 'dsa-rsync': - domain => '(ip ip6)', - description => 'Allow rsync access', - rule => '&SERVICE(tcp, 873)' - } -} - diff --git a/modules/roles/files/backports_master/rsyncd.conf b/modules/roles/files/backports_master/rsyncd.conf new file mode 100644 index 00000000..ed79313e --- /dev/null +++ b/modules/roles/files/backports_master/rsyncd.conf @@ -0,0 +1,21 @@ +uid = nobody +gid = nogroup +max connections = 20 +syslog facility = daemon +log file = /var/log/rsyncd/rsyncd.log +socket options = SO_KEEPALIVE +timeout = 7200 + +[debian-backports] + path = /srv/backports-master.debian.org/mirror + comment = Debian backports archive + read only = true + auth users = * + secrets file = /etc/rsyncd/ftp.secrets + +[exports] + path = /srv/backports-web.debian.org/export + comment = Various metadata exports + auth users = * + read only = true + secrets file = /etc/rsyncd/exports.secrets diff --git a/modules/roles/files/bugs_search/rsyncd.conf b/modules/roles/files/bugs_search/rsyncd.conf new file mode 100644 index 00000000..008e1b12 --- /dev/null +++ b/modules/roles/files/bugs_search/rsyncd.conf 
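Review bot: In modules/ferm/manifests/per-host.pp the new `ferm::rule { 'dsa-rsync':` is a concrete resource, while the neighbouring rule in this hunk's context (`@ferm::rule { 'dsa-udd-stunnel':`) and the `@ferm::rule { 'dsa-rsync':` that this same commit adds to class rsync are virtual. If any host in the list also gets an `rsync::site` (which does `include rsync`), the title 'dsa-rsync' is declared twice and catalog compilation should fail, so it is probably cleaner to keep the single declaration in class rsync and realize it for these hosts. The hard-coded hostname list also opens tcp/873 on both address families whether or not an rsync daemon is configured there, whereas the removed `$::rsyncd` fact at least tied the rule to /etc/rsyncd.conf existing. A comment such as `# hosts still running a hand-managed rsyncd; drop once they use rsync::site` (wording to be confirmed by the author) would record why these eight hosts are listed. The enclosing class continues outside the hunk.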
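Review bot: backports_master/rsyncd.conf, like the other six rsyncd.conf files added in this commit, has no "under Puppet control" banner, although logrotate.d-dsa-rsyncd in the same commit carries one; a leading `## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.` would warn an admin that local edits to /etc/rsyncd.conf will be overwritten. Both modules here use `auth users = *` with `secrets file = /etc/rsyncd/*.secrets`, and nothing in this commit manages those files or their permissions. Since rsync's default `strict modes` refuses a secrets file that other users can read, a comment saying where the secrets are provisioned and that they must stay mode 0600 would save a debugging session. The same applies to the dakmaster, security_master and www_master copies.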
@@ -0,0 +1,29 @@
+uid = nobody
+gid = nogroup
+max connections = 20
+syslog facility = daemon
+socket options = SO_KEEPALIVE
+timeout = 7200
+log file = /var/log/rsyncd/rsyncd.log
+
+[bts-spool-db]
+ comment = [bugs-mirror.debian.org] active bug spool
+ path = /srv/bugs.debian.org/spool/db-h
+ read only = true
+
+[bts-spool-archive]
+ comment = [bugs-mirror.debian.org] archived bug spool
+ path = /srv/bugs.debian.org/spool/archive
+ read only = true
+
+[bts-spool-index]
+ comment = [bugs-mirror.debian.org] bug index files
+ path = /srv/bugs.debian.org/spool
+ exclude = db-h archive
+ read only = true
+
+[bts-versions]
+ comment = [bugs-mirror.debian.org] bts package version information
+ path = /srv/bugs.debian.org/versions
+ exclude = archive cl-data lock queue bin
+ read only = true
diff --git a/modules/roles/files/dakmaster/rsyncd.conf b/modules/roles/files/dakmaster/rsyncd.conf
new file mode 100644
index 00000000..d8d6a578
--- /dev/null
+++ b/modules/roles/files/dakmaster/rsyncd.conf
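Review bot: In bugs_search/rsyncd.conf the patterns in `exclude = db-h archive` and `exclude = archive cl-data lock queue bin` have no leading slash, so rsync matches them against a path component at any depth below the module path, not only directly under it. If only the top-level directories are meant, anchoring them, e.g. `exclude = /db-h/ /archive/`, states that intent and avoids hiding a deeper entry that happens to be named `lock` or `bin`. The same consideration applies to `exclude = keyrings-new/incoming/` in keyring/rsyncd.conf.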
@@ -0,0 +1,106 @@
+uid = nobody
+gid = nogroup
+max connections = 25
+syslog facility = daemon
+socket options = SO_KEEPALIVE
+timeout = 7200
+log file = /var/log/rsyncd/rsyncd.log
+
+[indices]
+ path = /srv/ftp.debian.org/mirror/indices
+ comment = index files
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/indices.secrets
+
+[ftp]
+ path = /srv/ftp.debian.org/rsync/all
+ comment = Full Debian FTP Archive (~450 GB)
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/ftp.secrets
+ list = no
+
+[debian-all]
+ path = /srv/ftp.debian.org/rsync/all
+ comment = Full Debian FTP Archive (~450 GB)
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/ftp.secrets
+ list = no
+
+[debian]
+ path = /srv/ftp.debian.org/rsync/all
+ comment = Full Debian FTP Archive (~450 GB)
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/ftp.secrets
+
+[buildd-unstable]
+ path = /srv/incoming.debian.org/dists/unstable/current/
+ comment = Buildd directory unstable
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
+
+[buildd-sid]
+ path = /srv/incoming.debian.org/dists/unstable/current/
+ comment = Buildd directory unstable
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
+
+[buildd-experimental]
+ path = /srv/incoming.debian.org/dists/experimental/current/
+ comment = Buildd directory experimental
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
+
+[buildd-rc-buggy]
+ path = /srv/incoming.debian.org/dists/experimental/current/
+ comment = Buildd directory experimental
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
+
+[exports]
+ path = /srv/ftp.debian.org/rsync/export
+ comment = Various metadata exports
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/exports.secrets
+
+# disabled 20091024 RT#1864
+#[debian]
+# path = /srv/ftp.debian.org/rsync/typical
+# comment = Typical Debian FTP Archive (~150 GB)
+# auth users = *
+# read only = true
+# secrets file = /etc/rsyncd/ftp.secrets
+#
+#[debian-all+typical]
+# path = /srv/ftp.debian.org/rsync/all+typical
+# comment = Debian 'all' and 'typical' FTP Archive (NB: use rsync with -H)
+# auth users = *
+# read only = true
+# secrets file = /etc/rsyncd/ftp.secrets
+
+[buildd-keyrings]
+ path = /srv/ftp-master.debian.org/scripts/builddkeyrings/keyrings
+ comment = buildd keys for archive uploads
+ read only = true
+ list = no
+ hosts allow = 82.195.75.106, 2001:41b8:202:deb:216:36ff:fe40:3906
+
+[buildd-all]
+ path = /srv/incoming.debian.org/dists/
+ comment = buildd tree sync for geodns
+ read only = true
+ list = no
+ auth users = *
+ secrets file = /etc/rsyncd/buildd-all.secrets
diff --git a/modules/roles/files/keyring/rsyncd.conf b/modules/roles/files/keyring/rsyncd.conf
new file mode 100644
index 00000000..e97db762
--- /dev/null
+++ b/modules/roles/files/keyring/rsyncd.conf
@@ -0,0 +1,14 @@
+uid = nobody
+gid = nogroup
+max connections = 25
+syslog facility = daemon
+log file = /var/log/rsyncd/rsyncd.log
+socket options = SO_KEEPALIVE
+timeout = 7200
+
+[keyrings]
+ path = /org/keyring.debian.org/pub
+ exclude = keyrings-new/incoming/
+ comment = Debian Keyrings
+ read only = true
+
diff --git a/modules/roles/files/security_master/rsyncd.conf b/modules/roles/files/security_master/rsyncd.conf
new file mode 100644
index 00000000..a5cea769
--- /dev/null
+++ b/modules/roles/files/security_master/rsyncd.conf
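Review bot: In dakmaster/rsyncd.conf, `[buildd-keyrings]` is the only module guarded by `hosts allow` alone, with no `auth users` or `secrets file`, so access rests entirely on the client's source address. A comment above it naming the host those two addresses belong to, and why address-based access is sufficient for this path, would help whoever next has to update the list. `[debian]` serves the same path as `[ftp]` and `[debian-all]` but omits `list = no`, so it is the one alias of that tree that appears in the module listing. If that is deliberate, a one-line comment saying so would prevent someone "fixing" it later.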
@@ -0,0 +1,43 @@
+uid = nobody
+gid = nogroup
+max connections = 20
+syslog facility = daemon
+socket options = SO_KEEPALIVE
+timeout = 7200
+log file = /var/log/rsyncd/rsyncd.log
+
+[debian-security]
+ path = /srv/security.debian.org/archive/debian-security/
+ comment = Debian security archive
+ read only = true
+
+[exports]
+ path = /srv/security.debian.org/rsync/export
+ comment = Various metadata exports
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/exports.secrets
+
+[buildd-lenny]
+ path = /srv/security-master.debian.org/buildd/lenny/
+ comment = Buildd directory oldstable security
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
+
+[buildd-squeeze]
+ path = /srv/security-master.debian.org/buildd/squeeze/
+ comment = Buildd directory stable security
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
+
+[buildd-wheezy]
+ path = /srv/security-master.debian.org/buildd/wheezy/
+ comment = Buildd directory testing security
+ auth users = *
+ read only = true
+ secrets file = /etc/rsyncd/buildd.secrets
+ list = no
diff --git a/modules/roles/files/security_mirror/rsyncd.conf b/modules/roles/files/security_mirror/rsyncd.conf
new file mode 100644
index 00000000..d419156f
--- /dev/null
+++ b/modules/roles/files/security_mirror/rsyncd.conf
@@ -0,0 +1,15 @@
+uid = nobody
+gid = nogroup
+max connections = 20
+syslog facility = daemon
+socket options = SO_KEEPALIVE
+timeout = 1200
+
+# weasel 2007-11-19
+log file = /var/log/rsyncd/rsyncd.log
+
+[debian-security]
+ path = /org/ftp.root/debian-security
+ comment = Debian security archive
+ read only = true
+
diff --git a/modules/roles/files/www_master/rsyncd.conf b/modules/roles/files/www_master/rsyncd.conf
new file mode 100644
index 00000000..7ff52ac7
--- /dev/null
+++ b/modules/roles/files/www_master/rsyncd.conf
@@ -0,0 +1,14 @@ +uid = nobody +gid = nogroup +max connections = 20 +syslog facility = daemon +socket options = SO_KEEPALIVE +timeout = 7200 +log file = /var/log/rsyncd/rsyncd.log + +[web.debian.org] + path = /srv/www.debian.org/www + comment = Debian Web Site + auth users = * + read only = true + secrets file = /etc/rsyncd/www.secrets diff --git a/modules/roles/manifests/backports_master.pp b/modules/roles/manifests/backports_master.pp index 44c5d449..98f927e8 100644 --- a/modules/roles/manifests/backports_master.pp +++ b/modules/roles/manifests/backports_master.pp @@ -9,4 +9,9 @@ class roles::backports_master { chown_user => dak, root => '/srv/backports-upload', } + + rsync::site { 'backports_master': + source => 'puppet:///modules/roles/backports_master/rsyncd.conf', + max_clients => 100, + } } diff --git a/modules/roles/manifests/bugs_search.pp b/modules/roles/manifests/bugs_search.pp new file mode 100644 index 00000000..9be0a9c7 --- /dev/null +++ b/modules/roles/manifests/bugs_search.pp @@ -0,0 +1,7 @@ +class roles::bugs_search { + + rsync::site { 'bugs_search': + source => 'puppet:///modules/roles/bugs_search/rsyncd.conf', + max_clients => 100, + } +} diff --git a/modules/roles/manifests/ftp_master.pp b/modules/roles/manifests/ftp_master.pp new file mode 100644 index 00000000..259333e2 --- /dev/null +++ b/modules/roles/manifests/ftp_master.pp @@ -0,0 +1,7 @@ +class roles::ftp_master { + + rsync::site { 'dakmaster': + source => 'puppet:///modules/roles/dakmaster/rsyncd.conf', + max_clients => 100, + } +} diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 2bdae0d3..a8f745ab 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -16,7 +16,12 @@ class roles { include buildd } + if getfromhash($site::nodeinfo, 'bugs_search') { + include roles::bugs_search + } + if getfromhash($site::nodeinfo, 'ftp_master') { + include roles::ftp_master include roles::dakmaster } 
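Review bot: In roles::backports_master the `max_clients => 100` passed to `rsync::site` becomes the xinetd `instances` value, but the rsyncd.conf it ships sets `max connections = 20`, so the two limits disagree and the lower one is presumably what clients hit first. The same mismatch is in bugs_search.pp, ftp_master.pp (whose conf says 25), security_master.pp and security_mirror.pp, while keyring.pp and www_master.pp omit the parameter and inherit the define's default of 200. Setting the limit in one place and annotating the other, e.g. `max_clients => 20, # keep in step with 'max connections' in rsyncd.conf`, would make the effective cap obvious. security_mirror.pp also titles its resource `'security'` rather than `'security_mirror'`, unlike every other role in this commit. The class body starts outside the hunk.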
@@ -50,6 +55,14 @@ class roles { include roles::dakmaster } + if getfromhash($site::nodeinfo, 'www_master') { + include roles::www_master + } + + if getfromhash($site::nodeinfo, 'keyring') { + include roles::keyring + } + if getfromhash($site::nodeinfo, 'apache2_ftp-upcoming_mirror') { include roles::ftp-upcoming_mirror } diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp new file mode 100644 index 00000000..eb40c83a --- /dev/null +++ b/modules/roles/manifests/keyring.pp @@ -0,0 +1,5 @@ +class roles::keyring { + rsync::site { 'keyring': + source => 'puppet:///modules/roles/keyring/rsyncd.conf', + } +} diff --git a/modules/roles/manifests/security_master.pp b/modules/roles/manifests/security_master.pp index 3f1b70ce..036f0599 100644 --- a/modules/roles/manifests/security_master.pp +++ b/modules/roles/manifests/security_master.pp @@ -7,4 +7,9 @@ class roles::security_master { chown_user => dak, root => '/srv/ftp.root/', } + + rsync::site { 'security_master': + source => 'puppet:///modules/roles/security_master/rsyncd.conf', + max_clients => 100, + } } diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp index 4608f6d5..9b85cb5f 100644 --- a/modules/roles/manifests/security_mirror.pp +++ b/modules/roles/manifests/security_mirror.pp @@ -11,4 +11,9 @@ class roles::security_mirror { max_clients => 200, root => '/srv/ftp.root/', } + + rsync::site { 'security': + source => 'puppet:///modules/roles/security_mirror/rsyncd.conf', + max_clients => 100, + } } diff --git a/modules/roles/manifests/www_master.pp b/modules/roles/manifests/www_master.pp new file mode 100644 index 00000000..856721ce --- /dev/null +++ b/modules/roles/manifests/www_master.pp @@ -0,0 +1,6 @@ +class roles::www_master { + rsync::site { 'www_master': + source => 'puppet:///modules/roles/www_master/rsyncd.conf', + } + +} 
diff --git a/modules/rsync/files/logrotate.d-dsa-rsyncd b/modules/rsync/files/logrotate.d-dsa-rsyncd
new file mode 100644
index 00000000..405039d6
--- /dev/null
+++ b/modules/rsync/files/logrotate.d-dsa-rsyncd
@@ -0,0 +1,14 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/var/log/rsyncd/*.log {
+ daily
+ missingok
+ rotate 56
+ compress
+ delaycompress
+ notifempty
+ create 644 root root
+}
diff --git a/modules/rsync/manifests/init.pp b/modules/rsync/manifests/init.pp
new file mode 100644
index 00000000..7671c6f2
--- /dev/null
+++ b/modules/rsync/manifests/init.pp
@@ -0,0 +1,31 @@
+class rsync {
+
+ package { 'rsync':
+ ensure => installed,
+ noop => true,
+ }
+
+ service { 'rsync':
+ ensure => stopped,
+ noop => true,
+ require => Package['rsync'],
+ }
+
+ file { '/etc/logrotate.d/dsa-rsyncd':
+ source => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd',
+ noop => true,
+ require => Package['debian.org'],
+ }
+ file { '/var/log/rsyncd':
+ ensure => directory,
+ noop => true,
+ mode => '0755',
+ }
+
+ @ferm::rule { 'dsa-rsync':
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 873)'
+ }
+
+}
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
new file mode 100644
index 00000000..13d90dc7
--- /dev/null
+++ b/modules/rsync/manifests/site.pp
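Review bot: In modules/rsync/manifests/init.pp the logrotate file still uses `source => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd'`, but this commit deletes the rsyncd-log module and moves the file to modules/rsync/files, so the source should be `'puppet:///modules/rsync/logrotate.d-dsa-rsyncd'`. Every resource in the class also carries `noop => true`, which means `/var/log/rsyncd` is never created on a new host even though all the shipped rsyncd.conf files set `log file` there, and the standalone `rsync` service is never actually stopped. If that is a temporary rollout guard, a comment such as `# noop until the xinetd-based setup is verified on all hosts` (wording to be confirmed by the author) would make sure it gets removed.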
@@ -0,0 +1,47 @@
+define rsync::site (
+ $bind='',
+ $source='',
+ $content='',
+ $fname='/etc/rsyncd.conf',
+ $max_clients=200,
+ $ensure=present
+){
+
+ include rsync
+
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+ }
+
+ if ($source and $content) {
+ fail ( "Can't define both source and content for ${name}" )
+ }
+
+ if $source {
+ file { $fname:
+ ensure => $ensure,
+ source => $source
+ }
+ } elsif $content {
+ file { $fname:
+ ensure => $ensure,
+ content => $content,
+ }
+ } else {
+ fail ( "Can't find config for ${name}" )
+ }
+
+ xinetd::service { "rsync-${name}":
+ bind => $bind,
+ id => "${name}-rsync",
+ server => '/usr/sbin/rsyncd',
+ port => 'rsync',
+ server_args => $fname,
+ ferm => false,
+ instances => $max_clients,
+ require => File[$fname]
+ }
+
+ Service['rsync']->Service['xinetd']
+}
diff --git a/modules/rsyncd-log/files/logrotate.d-dsa-rsyncd b/modules/rsyncd-log/files/logrotate.d-dsa-rsyncd
deleted file mode 100644
index 405039d6..00000000
--- a/modules/rsyncd-log/files/logrotate.d-dsa-rsyncd
+++ /dev/null
@@ -1,14 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-/var/log/rsyncd/*.log {
- daily
- missingok
- rotate 56
- compress
- delaycompress
- notifempty
- create 644 root root
-}
diff --git a/modules/rsyncd-log/manifests/init.pp b/modules/rsyncd-log/manifests/init.pp
deleted file mode 100644
index 0ae5951d..00000000
--- a/modules/rsyncd-log/manifests/init.pp
+++ /dev/null
@@ -1,10 +0,0 @@
-class rsyncd-log {
- file { '/etc/logrotate.d/dsa-rsyncd':
- source => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd',
- require => Package['debian.org'],
- }
- file { '/var/log/rsyncd':
- ensure => directory,
- mode => '0755',
- }
-}
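Review bot: In rsync::site, `ensure => absent` only reaches the `file { $fname: }` resource; the `xinetd::service` below it is declared unconditionally with `require => File[$fname]`, so removing a site would leave an xinetd listener on the rsync port pointing at a config file that no longer exists. Either pass the ensure through (if `xinetd::service` supports one, which is not visible here) or wrap the service in `if $ensure == present { ... }`. Because `$fname` defaults to `/etc/rsyncd.conf`, a node that holds two of the new roles would declare that file twice, so the parameter deserves a comment telling callers to override it in that case. It is also worth confirming that `/usr/sbin/rsyncd` exists on the target hosts and accepts the config path as its only argument, since nothing in this commit installs it. The error text has a typo: `Invald` should be `Invalid`.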