From: Peter Palfrader Date: Tue, 7 Jan 2014 21:53:05 +0000 (+0100) Subject: denis: llow ssh from geo[123] X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=8467acd82ff1d92e9825361d717721bd3b38e26f denis: llow ssh from geo[123] --- diff --git a/hieradata/common.yaml b/hieradata/common.yaml index c9d346fc..0d9ee5f3 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -21,6 +21,10 @@ roles: - senfl.debian.org - diamond.debian.org - orff.debian.org + dns_geo: + - geo1.debian.org + - geo2.debian.org + - geo3.debian.org extranrpeclient: - denis.debian.org - orff.debian.org diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb index 186feb60..bc603b7e 100644 --- a/modules/ferm/templates/defs.conf.erb +++ b/modules/ferm/templates/defs.conf.erb @@ -63,6 +63,8 @@ @def $HOST_DNS_SECONDARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_secondary']]).uniq.join(' ') %>); @def $HOST_DNS_SECONDARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_secondary']]).uniq.join(' ') %>); +@def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>); +@def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>); @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>); @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>); diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index c3df480b..9a7dd8b0 100644 --- a/modules/ferm/templates/me.conf.erb +++ b/modules/ferm/templates/me.conf.erb 
@@ -8,7 +8,7 @@ nodeinfo = scope.lookupvar('site::nodeinfo') out = [] restricted_purposes = ['kvm host', 'central syslog server', 'puppet master', 'jumphost'] -restrict_ssh = %w{lebrun geo1 geo2 geo3 beethoven tchaikovsky schroeder draghi adayevskaya denis} +restrict_ssh = %w{lebrun beethoven tchaikovsky schroeder draghi adayevskaya} if (nodeinfo['ldap'].has_key?('purpose')) then nodeinfo['ldap']['purpose'].each do |purp| @@ -21,6 +21,12 @@ end ssh4allowed = [] ssh6allowed = [] +should_restrict = restrict_ssh.include?(hostname) +%w{dns_primary dns_geo}.each do |role_restrict| + if scope.function_has_role([role_restrict]) then should_restrict = true +end + + if restrict_ssh.include?(hostname) then ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4} ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6} @@ -42,8 +48,8 @@ if restrict_ssh.include?(hostname) then if scope.function_has_role(['dns_primary']) then ssh4allowed << "5.153.231.5" # adayevskaya ssh6allowed << "2001:41c8:1000:21::21:5" # adayevskaya - ssh4allowed << "$HOST_DNS_SECONDARY_V4" - ssh6allowed << "$HOST_DNS_SECONDARY_V6" + ssh4allowed << "$HOST_DNS_GEO_V4" + ssh6allowed << "$HOST_DNS_GEO_V6" end if scope.function_has_role(['static_master']) then
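Review bot: Removing geo1, geo2, geo3 and denis from `restrict_ssh` on the `+restrict_ssh = %w{lebrun beethoven tchaikovsky schroeder draghi adayevskaya}` line takes those hosts out of the restricted-SSH branch altogether, because that branch is still selected by `if restrict_ssh.include?(hostname) then` (unchanged context at the end of the `@@ -21,6 +21,12 @@` hunk, and apparently still the enclosing line of the `@@ -42,8 +48,8 @@` hunk) while the `should_restrict` flag computed in the `@@ -21` hunk is never read. The role-based replacement looks intended, so the `restrict_ssh.include?(hostname)` tests should become `if should_restrict then`. The fallback branch these hosts now fall into lies outside the hunk; if it is broader than the restricted allow-lists, the commit loosens SSH filtering on the DNS hosts instead of extending it to the geo nodes.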
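Review bot: The `%w{dns_primary dns_geo}.each do |role_restrict|` block added in the `@@ -21,6 +21,12 @@` hunk is not closed: of the six added lines (matching the `+21,12` count) the only `end` following `if scope.function_has_role([role_restrict]) then should_restrict = true` closes the `if`, leaving the `do` open, so the template would not parse unless a line was lost when this patch was collapsed. Either add a second `end` or use the modifier form inside the block, `  should_restrict = true if scope.function_has_role([role_restrict])`, keeping the single `end` for the block. The two trailing empty `+` lines can also be reduced to one to match the spacing elsewhere in the file.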