ferm: open ssh from mirror-master to ports mirror
[mirror/dsa-puppet.git] / modules / ferm / templates / me.conf.erb
index 615f633..f23946b 100644 (file)
@@ -25,8 +25,9 @@ should_restrict = restrict_ssh.include?(@hostname)
 
 
 if should_restrict then
-       ssh4allowed << %w{$DSA_IPS    $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
-       ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
+       # draghi makes for a nice jumphost
+       ssh4allowed << %w{$DSA_IPS    $HOST_NAGIOS_V4 $HOST_MUNIN_V4  82.195.75.106}
+       ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6  2001:41b8:202:deb:1a1a:0:52c3:4b6a}
 
        if %w{draghi}.include?(@hostname) then
                ssh4allowed << '$HOST_DEBIAN_V4'
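Review bot: The two address literals added to `ssh4allowed` and `ssh6allowed` are not tied to a name, and the comment above them does not say whose addresses they are; that they belong to draghi is only inferred. A literal in an SSH allowlist goes stale silently if the host is renumbered, which would leave SSH reachable from whoever holds the address next. Defining them once beside the other `$HOST_*` variables and referencing those here keeps the list auditable; `$HOST_JUMP_V4` and `$HOST_JUMP_V6` are proposed names, not existing variables. The same two lines also drop `$HOST_DB_V4` and `$HOST_DB_V6`, which the commit title does not mention, so it is worth confirming that nothing on the DB host still needs SSH to the restricted machines. The `if should_restrict` block continues outside the hunk.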
@@ -42,6 +43,7 @@ if should_restrict then
 
        if scope.function_has_role(['debian_mirror']) or
           scope.function_has_role(['security_mirror']) or
+          scope.function_has_role(['ports_mirror']) or
           scope.function_has_role(['debug_mirror']) or
           scope.function_has_role(['historical_mirror']) or
           scope.function_has_role(['syncproxy']) then
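Review bot: The role test starting at `if scope.function_has_role(['debian_mirror']) or` is now a chain of six hand-maintained calls, and each new mirror role adds another line to it. Listing the roles once would make the set of affected hosts easier to audit: `if %w{debian_mirror security_mirror ports_mirror debug_mirror historical_mirror syncproxy}.any? { |r| scope.function_has_role([r]) } then`. The body of this `if` is outside the hunk, so what is actually opened for `ports_mirror` hosts (presumably SSH from mirror-master, going by the commit title) cannot be checked from here.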