dedicated ganeti ssh chain
authorPeter Palfrader <peter@palfrader.org>
Tue, 19 Jun 2012 17:31:20 +0000 (19:31 +0200)
committerPeter Palfrader <peter@palfrader.org>
Tue, 19 Jun 2012 17:31:20 +0000 (19:31 +0200)
modules/ferm/templates/me.conf.erb
modules/ganeti2/manifests/init.pp

index 55b27e20cff336b5f02c1effd01a097a0547288c..3de244eb3f7cc5d711cbcb9b68bcaf8f5e8e8848 100644 (file)
@@ -37,14 +37,6 @@ if %w{geo1 geo2 geo3}.include?(hostname) then
        ssh4allowed << '194.177.211.209' # orff - master
        ssh6allowed << '2001:648:2ffc:deb:213:72ff:fe69:e188' # orff - master
 end
-if %w{pasquini tristano}.include?(hostname) then
-       ssh4allowed << '206.12.19.23'    # ganeti2.debian.org
-       ssh4allowed << '206.12.19.213'   # tristano.debian.org
-       ssh4allowed << '206.12.19.217'   # pasquini.debian.org
-       ssh4allowed << '192.168.2.23'    # ganeti2.debprivate-ubc.debian.org
-       ssh4allowed << '192.168.2.213'   # tristano-mnt.debprivate-ubc.debian.org
-       ssh4allowed << '192.168.2.217'   # pasquini-mnt.debprivate-ubc.debian.org
-end
 ssh4allowed.length == 0 and ssh4allowed << '0.0.0.0/0'
 ssh6allowed.length == 0 and ssh6allowed << '::/0'
 
index 7308ca2e9e9f6d57c984934c95dff8a03dca37bf..7d44ee1da596a57c59b961f966069a38193e80dd 100644 (file)
@@ -42,7 +42,13 @@ class ganeti2 {
 
        @ferm::rule { 'dsa-ganeti-migrate':
                description => 'allow kvm to migrate instances',
-               rule        => 'proto tcp dport 8102 @subchain \'kvm-migrate\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+               rule        => 'proto tcp dport 8102 @subchain \'ganeti-migrate\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+               notarule    => true,
+       }
+
+       @ferm::rule { 'dsa-ganeti-ssh':
+               description => 'allow ganeti to ssh around',
+               rule        => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) ACCEPT; }',
                notarule    => true,
        }
 }
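Review bot: The new `dsa-ganeti-ssh` rule matches on saddr only, whereas the `dsa-ganeti-migrate` rule directly above it also pins daddr to `$HOST_GANETI_BACKEND_V4`; as written, any host in either ganeti group can reach ssh on every address this node carries, the public one included. If ganeti is only expected to ssh between nodes over the backend network, mirroring the migrate rule keeps the two chains consistent: `rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ($HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }'` (this also drops the stray space after the opening parenthesis). The me.conf.erb hunk removes what appear to be the only ssh4allowed entries for pasquini and tristano, so unless another branch of that template populates the list, those hosts now hit the `0.0.0.0/0` fallback at the bottom and accept ssh from anywhere, well beyond what this subchain grants — presumably intended, but worth confirming. Whether `$HOST_GANETI_V4` is defined alongside `$HOST_GANETI_BACKEND_V4` in the ferm variables is not visible here.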