Generate the apache ACL for draghi's "restricted" repo (RT#7962)
[mirror/dsa-puppet.git] / modules / roles / manifests / keyring.pp
index 5743dbd..11be4ea 100644 (file)
@@ -1,43 +1,44 @@
 class roles::keyring {
-       rsync::site { 'keyring':
-               source  => 'puppet:///modules/roles/keyring/rsyncd.conf',
-               sslname => 'keyring.debian.org',
-       }
-
-       ssl::service { 'keyring.debian.org':
-               notify   => Exec['service apache2 reload'],
-               key      => true,
-               tlsaport => [443, 1873],
-       }
-
-       include named::authoritative
-
-       $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "  ")
-       $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
-
-       @ferm::rule { '01-dsa-bind':
-               domain      => '(ip ip6)',
-               description => 'Allow nameserver access',
-               rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $notify_address ) )',
-       }
-
-       concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
-               target => '/etc/bind/named.conf.puppet-misc',
-               order  => '020',
-               content  => @("EOF"),
-                       zone "_openpgpkey.debian.org" {
-                               type master;
-                               file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
-                               allow-query { any; };
-                               allow-transfer {
-                                       key tsig-denis.debian.org-kaufmann.debian.org ;
-                                       127.0.0.1;
-                               };
-                               also-notify {
-                                       $notify_address;
-                               };
-                       };
-                       | EOF
-       }
+  include apache2
+
+  rsync::site { 'keyring':
+    source  => 'puppet:///modules/roles/keyring/rsyncd.conf',
+    sslname => 'keyring.debian.org',
+  }
+
+  ssl::service { 'keyring.debian.org':
+    notify   => Exec['service apache2 reload'],
+    key      => true,
+    tlsaport => [443, 1873],
+  }
+
+  include named::authoritative
+
+  $notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), '; ')
+
+  ferm::rule::simple { 'keyserver':
+    port => 11371
+  }
+
+  Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>
+
+  concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
+    target  => '/etc/bind/named.conf.puppet-misc',
+    order   => '020',
+    content => @("EOF"),
+      zone "_openpgpkey.debian.org" {
+        type master;
+        file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
+        allow-query { any; };
+        allow-transfer {
+          key tsig-denis.debian.org-kaufmann.debian.org ;
+          127.0.0.1;
+        };
+        also-notify {
+          ${notify_address_bind};
+        };
+      };
+      | EOF
+  }
 
 }
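Review bot: The removed `01-dsa-bind` rule also admitted `$HOST_NAGIOS` on port 53, and nothing on the new side replaces that: the collector `Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>` only realizes rules exported under that tag, so the nagios DNS check may lose access unless `named::authoritative` (not shown here) opens the port itself — worth confirming before merge. The new `keyserver` rule is the only resource in the hunk with neither a description nor a trailing comma; for consistency with the surrounding resources I would write `ferm::rule::simple { 'keyserver':` / `description => 'Allow HKP keyserver access',` / `port        => 11371,` (assuming `ferm::rule::simple` accepts `description` like the `ferm::rule` it replaces). The tag-only collector realizes whatever any node exports under that tag, so a stray or mis-tagged export from another host would open ports on the keyring host; a comment above it such as `# realizes firewall rules exported under this tag by the nameserver hosts — confirm which nodes export it` would make that trust boundary visible to the next maintainer.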