From c6872f30223f23afe81c6905a061a6a5c38a22f7 Mon Sep 17 00:00:00 2001
From: Luca Filipozzi
Date: Tue, 17 Apr 2012 23:23:44 +0000
Subject: [PATCH] more rules for ganeti; try rsa keys
---
 modules/ferm/templates/defs.conf.erb | 1 +
 modules/ganeti2/manifests/init.pp | 6 ++++++
 modules/ssh/templates/authorized_keys.erb | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 127b30d2..d5734dfd 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -166,6 +166,7 @@
 %>);
 @def $HOST_GANETI_V4 = (206.12.19.213/32 206.12.19.217/32);
+@def $HOST_DRBD_V4 = (192.168.2.213/32 192.168.2.217/32);
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
diff --git a/modules/ganeti2/manifests/init.pp b/modules/ganeti2/manifests/init.pp
index 9333a8b2..887d4481 100644
--- a/modules/ganeti2/manifests/init.pp
+++ b/modules/ganeti2/manifests/init.pp
@@ -21,4 +21,10 @@ class ganeti2 {
 rule => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti\' { saddr ($HOST_GANETI_V4) ACCEPT; }',
 notarule => true,
 }
+
+ @ferm::rule { 'dsa-drbd-v4':
+ description => 'Allow ganeti from ganeti master',
+ rule => 'proto tcp mod state state (NEW) dport (11000-11999) @subchain \'drbd\' { saddr ($HOST_DRBD_V4) ACCEPT; }',
+ notarule => true,
+ }
 }
diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb
index 2738aef5..23ee49b7 100644
--- a/modules/ssh/templates/authorized_keys.erb
+++ b/modules/ssh/templates/authorized_keys.erb
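Review bot: The new `dsa-drbd-v4` rule in modules/ganeti2/manifests/init.pp keeps the description copied from the rule above it, `'Allow ganeti from ganeti master'`, although it opens TCP 11000-11999 to `$HOST_DRBD_V4` in a subchain named `drbd`; something like `description => 'Allow DRBD traffic between ganeti nodes',` would match what the rule appears to do. The rule also accepts on source address alone, and `$HOST_DRBD_V4` is RFC 1918 space, so unless reverse-path filtering or an earlier rule already drops such sources on the public interface, it is worth pinning the match to the replication interface, e.g. `interface <replication-iface> proto tcp mod state state (NEW) dport (11000-11999) …`. The enclosing `class ganeti2` starts outside the hunk.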
@@ -20,7 +20,7 @@ end localkeys %> <%= ganetikeys = case fqdn - when "tristano.debian.org", "pasquini.debian.org" then "ssh-dss AAAAB3NzaC1kc3MAAACBAJ2CX2dqGozYF30+/A44SoObQI4/OL17Hyprsxv9UynMsZHdVDckEQFMMp2M80dLOXsVRzC4DGxUoCzj9chZ5m5ZilwNV09hJxcqRlqKsQMZsCwDNhpCZo9sjrmpn2UUQQdAhFivIIeoqfYCwlc4jHoR8Uc1v1Okv4WXDnYINhizAAAAFQDNy8fH4Gd0kErcY9LT+89xPQNq3QAAAIAks1ud/arXFb7FepYZHRv7BzA4wrEiZ0A/3Acp/vR23ph4qEOucWxQC+Bpf4AqNWCctt5p0SYWoEeO78eNvMI/xewaOEBK/lzecPdvlU/bC35HRrfz8jajXto+p7BBo57RzwOauDazrT0VfYifXE1/b2yNrvY6zgU/vkNOa7a/RQAAAIBkS/X7/nOEKl2RyJMSzZFsCn+C1/swAaTrqLCvcA+5OgZow68yy8jpt/MUSmBzVxU+cbAHlgZgF93P3TgXc2jcDKcB4cEJIEyRVWJow6KXY4hygAt7s4Y95rauxanjEJ28bNqdmwktA0LOhJVyVTeY1z2P19jLvVJNSUrSRGU80A== root@tristano.debian.org (ganeti)\nssh-dss 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 root@pasquini.debian.org (ganeti)" + when "tristano.debian.org", "pasquini.debian.org" then "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiT6Asr5mK3wR8hjB1gSqJYqWUrQfi1+jtMuZggQcD7VIpabIy0zYSaUP63Oam96BE96qSHUZDEp1EGPoh64rK/9WxGXX/0sRZXJURkOpCO3U2zDAhRbAGqAAYyWS4TPHVUt3g5g+rrHAGgXzc/y2sYChADWJaQ59ga1MyrYGi1VIPAuAaidM01RyFagR1/UmVGP8jCkSD4nGmho4UuFn9Fopnhk5V0YjEEjhjUkPCVe11ckc+fYPiEPFnzgaWJPAycJwF/YmpgjLSKB+mNXqpU4m+jHhpGQ4lK1l0VVf2xOUpbN74uOxThtwPSpgIyq3eG99PkbBGUUweIcSTsZ8h root@pasquini.debian.org (for ganeti)\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC44glHFs5fdojQOUZaR1xwORfVxpmthmjOBgahz3RTCYzX8g0Y4v3rSBTiFOUzgfaY1qyHJX94HDzIq95Unig5ZHZZ2q0V3m3ksIiMQQbiElIqH4w7Yrqc2PICkjzttGwCziNUCIvxuy9pnKqRkpzx4TmorEVhRBjGTM0iAimWcZ5bpZ1E2nWHVtvsMs5nQziRdAiG8hoE2UKzQbpf+AeltZPSIw2LVEAdTmmEWrmyLGaIWY2R5lirwPOTbZsfpLDUD3CLntZbqCFoTOb1xuWvf0SdmpChY7cigaFgwz+ozATxFuLqdW9/YTa/fP1uvid3rSvHkNgojndm0S3/sYTh root@tristano.debian.org (for ganeti)" end ganetikeys %> -- 2.39.2
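Review bot: The two replacement `ssh-rsa` entries in the `ganetikeys` case are written without any authorized_keys options, so each key is accepted from any source address. Since the keys are labelled `root@pasquini.debian.org (for ganeti)` and `root@tristano.debian.org (for ganeti)` and the `when` arm installs them only on those two hosts, prefixing each entry with a `from="<ganeti node addresses>"` option would limit the use of a copied private key to the cluster nodes themselves. A short template comment stating that these are the inter-node ganeti keys and where they are generated would make the next rotation easier to review. Whether the old `ssh-dss` entries disappear from already-deployed files depends on how this template is applied, which the hunk does not show.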