add ganeti3
authorMartin Zobel-Helas <zobel@debian.org>
Mon, 10 Sep 2012 21:20:29 +0000 (23:20 +0200)
committerMartin Zobel-Helas <zobel@debian.org>
Mon, 10 Sep 2012 21:20:29 +0000 (23:20 +0200)
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
modules/ferm/templates/defs.conf.erb
modules/ganeti2/manifests/init.pp

index 15810e85df4b7fe40b6f5c1f30b7aa5315c3122a..525624c7f11817c6d6fa8d5880e481d5b534786a 100644 (file)
 %>);
 
 # FIXME XXX we should get these from other information, and reconsider the places where we use them in destination matching rules
-@def $HOST_GANETI_V4           = (206.12.19.213/32 206.12.19.217/32 206.12.19.212/32 206.12.19.216/32);
-@def $HOST_GANETI_BACKEND_V4   = (192.168.2.213/32 192.168.2.217/32 192.168.2.212/32 192.168.2.216/32);
+@def $HOST_GANETI_V4                = (206.12.19.213/32 206.12.19.217/32 206.12.19.212/32 206.12.19.216/32);
+@def $HOST_GANETI_BACKEND_V4        = (192.168.2.213/32 192.168.2.217/32 192.168.2.212/32 192.168.2.216/32);
+@def $HOST_GANETI_MANDA_V4          = (82.195.75.103/32 82.195.75.109/32)
+@def $HOST_GANETI_MANDA_BACKEND_V4 = (192.168.75.103/32 192.168.75.109/32)
+
 
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
 
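Review bot: The two new definitions, `$HOST_GANETI_MANDA_V4` and `$HOST_GANETI_MANDA_BACKEND_V4`, lack the terminating `;` that every other `@def` in this template carries (`$HOST_GANETI_V4`, `$HOST_GANETI_BACKEND_V4`, `$HOST_DEBIAN`); ferm statements are semicolon-terminated, so the generated config will likely either fail to parse or swallow the second definition into the first, which is worth confirming with a dry run of ferm before this is realized on a node. Proposed lines: `@def $HOST_GANETI_MANDA_V4          = (82.195.75.103/32 82.195.75.109/32);` and `@def $HOST_GANETI_MANDA_BACKEND_V4 = (192.168.75.103/32 192.168.75.109/32);`. The FIXME above applies to the new pair as well: the addresses are hard-coded and are used for both saddr and daddr matching in the ganeti3 rules, so a host change must be made here and in the rule set together.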
index 4cbd7d5e704f182c8586d8bb60a5863ce8667397..3b5c835746e445d57d8e1b2f6774ad1dbe5d6f60 100644 (file)
@@ -54,6 +54,47 @@ class ganeti2 {
                                notarule    => true,
                        }
                }
+               'ganeti3.debian.org': {
+                       package { 'drbd8-utils':
+                               ensure => installed
+                       }
+
+                       @ferm::rule { 'dsa-ganeti-noded-v4':
+                               description => 'allow ganeti-noded communication',
+                               rule        => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
+                               notarule    => true,
+                       }
+
+                       @ferm::rule { 'dsa-ganeti-confd-v4':
+                               description => 'allow ganeti-confd communication',
+                               rule        => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
+                               notarule    => true,
+                       }
+
+                       @ferm::rule { 'dsa-ganeti-rapi-v4':
+                               description => 'allow ganeti-rapi communication',
+                               rule        => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
+                               notarule    => true,
+                       }
+
+                       @ferm::rule { 'dsa-ganeti-drbd-v4':
+                               description => 'allow ganeti drbd communication',
+                               rule        => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_MANDA_BACKEND_V4) daddr ($HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
+                               notarule    => true,
+                       }
+
+                       @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
+                               description => 'allow ganeti kvm migration ',
+                               rule        => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_MANDA_BACKEND_V4) daddr ($HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
+                               notarule    => true,
+                       }
+
+                       @ferm::rule { 'dsa-ganeti-ssh-v4':
+                               description => 'allow ganeti to ssh around',
+                               rule        => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_MANDA_V4 $HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
+                               notarule    => true,
+                       }
+               }
        }
 
        file {
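Review bot: The `dsa-ganeti-kvm-migration-v4` and `dsa-ganeti-ssh-v4` rules omit the `mod state state (NEW)` match that the noded, confd, rapi and drbd rules in the same branch use, so they accept any TCP packet to 8102 or ssh from the listed sources rather than only connection openings; for consistency, and so that conntrack can still reject out-of-state packets claiming a backend source address, add the match, e.g. `rule => 'proto tcp mod state state (NEW) dport 8102 @subchain \'ganeti-kvm-migration\' { ... }'`. The ssh rule also drops the `daddr` restriction the other rules carry and accepts from both the public and the backend address lists; if that is intentional, a description saying so would help, e.g. `description => 'allow ganeti nodes to ssh to each other over either interface'`. The six rules appear to mirror the existing cluster's branch (only its tail is visible above this hunk) with just the address variables changed; if so, selecting the variable pair by cluster would avoid maintaining two copies of the rule set. The enclosing case statement and `class ganeti2` begin before this hunk.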