From: Luca Filipozzi
Date: Sat, 31 May 2014 15:31:35 +0000 (+0000)
Subject: Merge branch 'master' of ssh://handel.debian.org/~/dsa-puppet
X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=4f25efdcfdc0dd891ec089c9acd6709a6823b24c;hp=ce8d2c8bd3204fb16214604785f755e8870367b6

Merge branch 'master' of ssh://handel.debian.org/~/dsa-puppet
---

diff --git a/manifests/site.pp b/manifests/site.pp
index 8690e553..a3c219cc 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -101,7 +101,7 @@ node default {
 # include dacs
 #}
 
- if $::hostname in [stabile,beach,glinka,milanollo,rautavaara] {
+ if $::hostname in [stabile,beach,glinka,milanollo,rautavaara,lw01,lw02,lw03,lw04] {
 include nfs-server
 }
 
diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp
index a9e4758d..e1f077d3 100644
--- a/modules/nfs-server/manifests/init.pp
+++ b/modules/nfs-server/manifests/init.pp
@@ -16,30 +16,37 @@ class nfs-server {
 status => '/bin/true',
 }
 
+ case $::hostname {
+ lw01,lw02,lw03,lw04: {
+ $client_range = '10.0.0.0/8'
+ }
+ milanollo: {
+ $client_range = '172.29.122.0/24'
+ }
+ default: {
+ $client_range = '0.0.0.0/0'
+ }
+ }
+
 @ferm::rule { 'dsa-portmap':
- domain => '(ip ip6)',
 description => 'Allow portmap access',
- rule => '&TCP_UDP_SERVICE(111)'
+ rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)"
 }
 @ferm::rule { 'dsa-nfs':
- domain => '(ip ip6)',
 description => 'Allow nfsd access',
- rule => '&TCP_UDP_SERVICE(2049)'
+ rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)"
 }
 @ferm::rule { 'dsa-status':
- domain => '(ip ip6)',
 description => 'Allow statd access',
- rule => '&TCP_UDP_SERVICE(10000)'
+ rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)"
 }
 @ferm::rule { 'dsa-mountd':
- domain => '(ip ip6)',
 description => 'Allow mountd access',
- rule => '&TCP_UDP_SERVICE(10002)'
+ rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)"
 }
 @ferm::rule { 'dsa-lockd':
- domain => '(ip ip6)',
 description => 'Allow lockd access',
- rule => '&TCP_UDP_SERVICE(10003)'
+ rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)"
 }
 
 file { '/etc/default/nfs-common':
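Review bot: The `default` branch of the new `case` sets `$client_range = '0.0.0.0/0'`, so every nfs-server host without its own entry keeps portmap, nfsd, statd, mountd and lockd reachable from any IPv4 source, and a host added later to the list in `manifests/site.pp` inherits that silently. stabile, beach, glinka and rautavaara are in that list and have no entry here; I would give each an explicit range and make the fallback fail closed, e.g. `default: { fail("nfs-server: no client range defined for ${::hostname}") }`. Dropping `domain => '(ip ip6)'` from all five rules leaves the address family to the `ferm::rule` default, which is not visible in this hunk, so a comment stating whether IPv6 clients are meant to lose access (or an IPv6 range alongside the IPv4 one) would remove the guesswork. `10.0.0.0/8` for lw01–lw04 also looks wider than a set of NFS clients normally needs and should be narrowed if the real client subnet is known. The class body continues outside the hunk.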