X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Froles%2Fmanifests%2Fsecurity_master.pp;h=6dd5fce6725d5ee417c75ca0664fb5df399eae1e;hb=3324b4ae702172197fe7ad725a36f052f1e67c71;hp=365f3b09252fd0ce7812e3d175b6bfa9e193bfc6;hpb=48efe7cbd91806d7b6316c9acade0cc2d97ac155;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/manifests/security_master.pp b/modules/roles/manifests/security_master.pp
index 365f3b092..6dd5fce67 100644
--- a/modules/roles/manifests/security_master.pp
+++ b/modules/roles/manifests/security_master.pp
@@ -1,14 +1,22 @@
 class roles::security_master {
-	ssl::service { 'security-master.debian.org':
-		notify   => Exec['service apache2 reload'],
-		key      => true,
-		tlsaport => [443, 1873],
-	}
+  ssl::service { 'security-master.debian.org':
+    notify   => Exec['service apache2 reload'],
+    key      => true,
+    tlsaport => [443, 1873],
+  }
 
-	rsync::site { 'security_master':
-		source      => 'puppet:///modules/roles/security_master/rsyncd.conf',
-		# Needs to be at least twice the number of direct mirrors (currently 15) plus some spare
-		max_clients => 50,
-		sslname     => 'security-master.debian.org',
-	}
+  rsync::site { 'security_master':
+    source      => 'puppet:///modules/roles/security_master/rsyncd.conf',
+    # Needs to be at least twice the number of direct mirrors (currently 15) plus some spare
+    max_clients => 50,
+    sslname     => 'security-master.debian.org',
+  }
+
+  # export ssh allow rules for hosts that we should be able to access
+  @@ferm::rule::simple { "dsa-ssh-from-security_master-${::fqdn}":
+    tag         => 'ssh::server::from::security_master',
+    description => 'Allow ssh access from security_master',
+    port        => '22',
+    saddr       => $base::public_addresses,
+  }
 }