Somewhat contrary to its name, rsync::quickdatcopy is used not just for server migrations or quick one-offs, but also for long-standing data replication workloads (used by everything from smokeping to phabricator). rsync::server is also used directly in many spots (analytics, eventlogging, icinga, ...).
We should TLS-wrap all rsync communications, as there's no good reason not to do so.
TODO:
- refactor the current implementation to unconditionally enable the stunnel listener on the server side, and optionally (default true) enable vanilla rsync. This makes client migrations much easier, as there's no longer a need to synchronize changes on the client and server side. Once all the clients for a given service have been migrated, we could then disable vanilla rsync for that service.