Use callout verification for domains we are relaying to

[chef.git] / cookbooks / rsyncd / recipes / default.rb

diff --git a/cookbooks/rsyncd/recipes/default.rb b/cookbooks/rsyncd/recipes/default.rb
index a2edd32faf14262009b2448f4136000adc670036..89ee459091705e5e057647b191921fe0beb393ad 100644 (file)
--- a/cookbooks/rsyncd/recipes/default.rb
+++ b/cookbooks/rsyncd/recipes/default.rb
@@ -19,10 +19,13 @@
 
 include_recipe "networking"
 
+writable_paths = []
 hosts_allow = {}
 hosts_deny = {}
 
 node[:rsyncd][:modules].each do |name, details|
+  writable_paths << details[:path] if details[:write_only]
+
   hosts_allow[name] = details[:hosts_allow] || []
 
   if details[:nodes_allow]
@@ -45,7 +48,9 @@ package "rsync"
 systemd_service "rsync-override" do
   service "rsync"
   dropin "override"
-  exec_start "/usr/bin/rsync --daemon --no-detach --bwlimit=16384"
+  exec_start "/usr/bin/rsync --daemon --no-detach"
+  nice 10
+  read_write_paths writable_paths.sort
   notifies :restart, "service[rsync]"
 end
 
@@ -72,9 +77,8 @@ end
 
 firewall_rule "accept-rsync" do
   action :accept
-  source "net"
-  dest "fw"
-  proto "tcp:syn"
+  context :incoming
+  protocol :tcp
   dest_ports "rsync"
-  source_ports "1024:"
+  source_ports "1024-65535"
 end