From: Luca Filipozzi Date: Fri, 17 Jan 2014 06:54:21 +0000 (+0000) Subject: sip -> rtc rename + monit X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=d2ad2858c9a22a1c514626060da4152741277740 sip -> rtc rename + monit
---
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 3e1847da..10d791f7 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -70,7 +70,7 @@ roles:
 - chopin.debian.org
 security_tracker:
 - soler.debian.org
- sip:
+ rtc:
 - vogler.debian.org
 sso:
 - diabelli.debian.org
diff --git a/modules/roles/files/rtc/monit b/modules/roles/files/rtc/monit
new file mode 100644
index 00000000..20c703bd
--- /dev/null
+++ b/modules/roles/files/rtc/monit
@@ -0,0 +1,7 @@
+check process repro with pidfile /var/run/repro/repro.pid
+ start program = "/usr/sbin/service repro start"
+ stop program = "/usr/sbin/service repro stop"
+
+check process reTurnServer with pidfile /var/run/reTurnServer/reTurnServer.pid
+ start program = "/usr/sbin/service resiprocate-turn-server start"
+ stop program = "/usr/sbin/service resiprocate-turn-server stop"
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 8159e8cd..5f106c38 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -160,7 +160,7 @@ class roles {
 include roles::release
 }
- if has_role('sip') {
- include roles::sip
+ if has_role('rtc') {
+ include roles::rtc
 }
 }
diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp
new file mode 100644
index 00000000..2609e5d4
--- /dev/null
+++ b/modules/roles/manifests/rtc.pp
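Review bot: Both checks in modules/roles/files/rtc/monit watch only a pidfile and put no bound on restarts. For Internet-facing daemons like repro and reTurnServer, a process that keeps crashing on malformed traffic would be restarted indefinitely with no escalation, and one that hangs while its pid stays alive is never noticed. Consider adding a restart limit to each block, for example `if 5 restarts within 5 cycles then timeout` (thresholds illustrative). A connection test on the listening port would also help if the deployed monit version supports the TLS check those ports need.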
@@ -0,0 +1,95 @@
+class roles::rtc {
+ include concat::setup
+
+ ssl::service { 'www.debian.org':
+ }
+
+ ssl::service { 'sip-ws.debian.org':
+ }
+
+ concat { '/etc/repro/www.debian.org-chained.crt':
+ }
+ concat::fragment { '/etc/ssl/debian/certs/www.debian.org.crt':
+ target => '/etc/repro/www.debian.org-chained.crt',
+ source => 'file:///etc/ssl/debian/certs/www.debian.org.crt',
+ order => 00,
+ require => File['/etc/ssl/debian/certs/www.debian.org.crt'],
+ }
+ concat::fragment { '/etc/ssl/debian/certs/www.debian.org.crt-chain':
+ target => '/etc/repro/www.debian.org-chained.crt',
+ source => 'file:///etc/ssl/debian/certs/www.debian.org.crt-chain',
+ order => 99,
+ require => File['/etc/ssl/debian/certs/www.debian.org.crt-chain'],
+ }
+
+ concat { '/etc/repro/sip-ws.debian.org-chained.crt':
+ }
+ concat::fragment { '/etc/ssl/debian/certs/sip-ws.debian.org.crt':
+ target => '/etc/repro/sip-ws.debian.org-chained.crt',
+ source => 'file:///etc/ssl/debian/certs/sip-ws.debian.org.crt',
+ order => 00,
+ require => File['/etc/ssl/debian/certs/sip-ws.debian.org.crt'],
+ }
+ concat::fragment { '/etc/ssl/debian/certs/sip-ws.debian.org.crt-chain':
+ target => '/etc/repro/sip-ws.debian.org-chained.crt',
+ source => 'file:///etc/ssl/debian/certs/sip-ws.debian.org.crt-chain',
+ order => 99,
+ require => File['/etc/ssl/debian/certs/sip-ws.debian.org.crt-chain'],
+ }
+
+ @ferm::rule { 'dsa-sip-ws-ip4':
+ domain => 'ip',
+ description => 'SIP connections (WebSocket; for WebRTC)',
+ rule => 'proto tcp dport (443) ACCEPT'
+ }
+ @ferm::rule { 'dsa-sip-ws-ip6':
+ domain => 'ip6',
+ description => 'SIP connections (WebSocket; for WebRTC)',
+ rule => 'proto tcp dport (443) ACCEPT'
+ }
+ @ferm::rule { 'dsa-sip-tls-ip4':
+ domain => 'ip',
+ description => 'SIP connections (TLS)',
+ rule => 'proto tcp dport (5061) ACCEPT'
+ }
+ @ferm::rule { 'dsa-sip-tls-ip6':
+ domain => 'ip6',
+ description => 'SIP connections (TLS)',
+ rule => 'proto tcp dport (5061) ACCEPT'
+ }
+ @ferm::rule {
'dsa-turn-ip4':
+ domain => 'ip',
+ description => 'TURN connections',
+ rule => 'proto udp dport (3478) ACCEPT'
+ }
+ @ferm::rule { 'dsa-turn-ip6':
+ domain => 'ip6',
+ description => 'TURN connections',
+ rule => 'proto udp dport (3478) ACCEPT'
+ }
+ @ferm::rule { 'dsa-turn-tls-ip4':
+ domain => 'ip',
+ description => 'TURN connections (TLS)',
+ rule => 'proto tcp dport (5349) ACCEPT'
+ }
+ @ferm::rule { 'dsa-turn-tls-ip6':
+ domain => 'ip6',
+ description => 'TURN connections (TLS)',
+ rule => 'proto tcp dport (5349) ACCEPT'
+ }
+ @ferm::rule { 'dsa-rtp-ip4':
+ domain => 'ip',
+ description => 'RTP streams',
+ rule => 'proto udp dport (49152:65535) ACCEPT'
+ }
+ @ferm::rule { 'dsa-rtp-ip6':
+ domain => 'ip6',
+ description => 'RTP streams',
+ rule => 'proto udp dport (49152:65535) ACCEPT'
+ }
+
+ file { '/etc/monit/monit.d/50rtc':
+ source => 'puppet:///modules/roles/rtc/monit',
+ mode => '0440'
+ }
+}
diff --git a/modules/roles/manifests/sip.pp b/modules/roles/manifests/sip.pp
deleted file mode 100644
index 3b1973ae..00000000
--- a/modules/roles/manifests/sip.pp
+++ /dev/null
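Review bot: The `file { '/etc/monit/monit.d/50rtc': ... }` resource at the end of roles::rtc in modules/roles/manifests/rtc.pp sets only `source` and `mode`. Nothing visible in this class makes monit re-read its configuration when the file is installed or changed, and nothing orders it after the package that provides /etc/monit/monit.d. Unless a monit module applied elsewhere already covers this, add `notify => Service['monit'],` (resource name assumed; use whatever the monit class declares) so the checks take effect on the same run. Since the file names commands that monit will execute, presumably as root, also pin `owner => 'root', group => 'root',` rather than relying on defaults.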
@@ -1,90 +0,0 @@
-class roles::sip {
- include concat::setup
-
- ssl::service { 'www.debian.org':
- }
-
- ssl::service { 'sip-ws.debian.org':
- }
-
- concat { '/etc/repro/www.debian.org-chained.crt':
- }
- concat::fragment { '/etc/ssl/debian/certs/www.debian.org.crt':
- target => '/etc/repro/www.debian.org-chained.crt',
- source => 'file:///etc/ssl/debian/certs/www.debian.org.crt',
- order => 00,
- require => File['/etc/ssl/debian/certs/www.debian.org.crt'],
- }
- concat::fragment { '/etc/ssl/debian/certs/www.debian.org.crt-chain':
- target => '/etc/repro/www.debian.org-chained.crt',
- source => 'file:///etc/ssl/debian/certs/www.debian.org.crt-chain',
- order => 99,
- require => File['/etc/ssl/debian/certs/www.debian.org.crt-chain'],
- }
-
- concat { '/etc/repro/sip-ws.debian.org-chained.crt':
- }
- concat::fragment { '/etc/ssl/debian/certs/sip-ws.debian.org.crt':
- target => '/etc/repro/sip-ws.debian.org-chained.crt',
- source => 'file:///etc/ssl/debian/certs/sip-ws.debian.org.crt',
- order => 00,
- require => File['/etc/ssl/debian/certs/sip-ws.debian.org.crt'],
- }
- concat::fragment { '/etc/ssl/debian/certs/sip-ws.debian.org.crt-chain':
- target => '/etc/repro/sip-ws.debian.org-chained.crt',
- source => 'file:///etc/ssl/debian/certs/sip-ws.debian.org.crt-chain',
- order => 99,
- require => File['/etc/ssl/debian/certs/sip-ws.debian.org.crt-chain'],
- }
-
- @ferm::rule { 'dsa-sip-ws-ip4':
- domain => 'ip',
- description => 'SIP connections (WebSocket; for WebRTC)',
- rule => 'proto tcp dport (443) ACCEPT'
- }
- @ferm::rule { 'dsa-sip-ws-ip6':
- domain => 'ip6',
- description => 'SIP connections (WebSocket; for WebRTC)',
- rule => 'proto tcp dport (443) ACCEPT'
- }
- @ferm::rule { 'dsa-sip-tls-ip4':
- domain => 'ip',
- description => 'SIP connections (TLS)',
- rule => 'proto tcp dport (5061) ACCEPT'
- }
- @ferm::rule { 'dsa-sip-tls-ip6':
- domain => 'ip6',
- description => 'SIP connections (TLS)',
- rule => 'proto tcp dport (5061) ACCEPT'
- }
- @ferm::rule {
'dsa-turn-ip4':
- domain => 'ip',
- description => 'TURN connections',
- rule => 'proto udp dport (3478) ACCEPT'
- }
- @ferm::rule { 'dsa-turn-ip6':
- domain => 'ip6',
- description => 'TURN connections',
- rule => 'proto udp dport (3478) ACCEPT'
- }
- @ferm::rule { 'dsa-turn-tls-ip4':
- domain => 'ip',
- description => 'TURN connections (TLS)',
- rule => 'proto tcp dport (5349) ACCEPT'
- }
- @ferm::rule { 'dsa-turn-tls-ip6':
- domain => 'ip6',
- description => 'TURN connections (TLS)',
- rule => 'proto tcp dport (5349) ACCEPT'
- }
- @ferm::rule { 'dsa-rtp-ip4':
- domain => 'ip',
- description => 'RTP streams',
- rule => 'proto udp dport (49152:65535) ACCEPT'
- }
- @ferm::rule { 'dsa-rtp-ip6':
- domain => 'ip6',
- description => 'RTP streams',
- rule => 'proto udp dport (49152:65535) ACCEPT'
- }
-}