# Always install both the remctl client and the remctl server on all of our
# systems.
class base::remctl {
  # Client and server are installed together everywhere.
  package { ['remctl-client', 'remctl-server']:
    ensure => installed,
  }

  # remctld is run out of xinetd.  An explicit PATH is passed because xinetd
  # may start services with no PATH set at all, while remctl command scripts
  # tend to assume a sane one.  The cps setting is xinetd's
  # connections-per-second limit (100 per second, then a 5 second pause),
  # which throttles port scans and misbehaving clients.
  base::xinetd::config { 'remctl':
    env         => 'PATH=/sbin:/bin:/usr/sbin:/usr/bin',
    cps         => '100 5',
    description => 'Remote authenticated command server',
    server      => '/usr/sbin/remctld',
  }

  # Red Hat boxes: rewrite the remctl entry in /etc/services from the old
  # port 4444 to 4373 (the port the firewall rule below opens) and restart
  # xinetd so the change takes effect.
  # TODO: remove once the migration is complete and every system is on a
  # branch that already carries the change.
  if $::operatingsystem == 'redhat' {
    base::filter { '/etc/services':
      regex   => 'remctl[ \t]*4444/tcp',
      value   => 'remctl 4373/tcp',
      notify  => Service['xinetd'],
      require => Package['remctl-server'],
    }
  }

  # Firewall: accept TCP 4373 from the Stanford ranges plus the RFC 1918
  # private ranges listed below.  Only the current port is opened here; the
  # legacy port 4444 is not.  remctld authenticates callers itself (it is the
  # "authenticated command server" above), so this rule narrows the source
  # address space rather than acting as the access control.
  base::iptables::rule { 'remctl':
    protocol    => 'tcp',
    port        => 4373,
    source      => [
      '10.0.0.0/8',
      '68.65.160.0/20',
      '128.12.0.0/16',
      '134.79.0.0/16',
      '171.64.0.0/14',
      '172.16.0.0/12',
      '192.168.0.0/16',
      '204.63.224.0/21'
    ],
    description => 'Allow remctl connections from all Stanford subnets',
  }

  # Syslog filter for the routine remctld messages: daemon start/stop and the
  # noise generated by port scans and common client errors.  Log lines for
  # the remctl commands themselves are not filtered, so command auditing is
  # unaffected.
  file { '/etc/filter-syslog/remctl':
    source => 'puppet:///modules/base/remctl/etc/filter-syslog/remctl',
  }
}