X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=07269c89e99d4462d581d127ff0cda36aaa6738b;hb=305cb4161ca530fff3466116190620807edfebec;hp=4a1f3713c9b819b70e61efe1c62f2e986f3837c4;hpb=a1d397a274083c5e9dfb9d690593e6d65968b264;p=mirror%2Fdsa-puppet.git

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 4a1f3713c..07269c89e 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -3,7 +3,7 @@ class ferm::per-host {
 		include ferm::zivit
 	}
 
-	if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] {
+	if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
 		ferm::rule { 'dsa-rsync':
 			domain      => '(ip ip6)',
 			description => 'Allow rsync access',
@@ -18,19 +18,6 @@ class ferm::per-host {
 				rule         => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
 			}
 		}
-		ullmann: {
-			@ferm::rule { 'dsa-postgres-udd':
-				description     => 'Allow postgress access',
-				# quantz, wagner, master
-				rule            => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))'
-			}
-			@ferm::rule { 'dsa-postgres-udd6':
-				domain          => '(ip6)',
-				description     => 'Allow postgress access',
-				# quantz
-				rule            => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))'
-			}
-		}
 		czerny,clementi: {
 			@ferm::rule { 'dsa-upsmon':
 				description     => 'Allow upsmon access',
@@ -113,29 +100,6 @@ class ferm::per-host {
 				description     => 'Allow ldaps access',
 				rule            => '&SERVICE(tcp, 636)'
 			}
-			@ferm::rule { 'dsa-vpn':
-				description     => 'Allow openvpn access',
-				rule            => '&SERVICE(udp, 17257)'
-			}
-			@ferm::rule { 'dsa-routing':
-				description     => 'forward chain',
-				chain           => 'FORWARD',
-				rule            => 'policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface tun+ ACCEPT;
-REJECT reject-with icmp-admin-prohibited
-'
-			}
-			@ferm::rule { 'dsa-vpn-mark':
-				table           => 'mangle',
-				chain           => 'PREROUTING',
-				rule            => 'interface tun+ MARK set-mark 1',
-			}
-			@ferm::rule { 'dsa-vpn-nat':
-				table           => 'nat',
-				chain           => 'POSTROUTING',
-				rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
-			}
 		}
 		cilea: {
 			ferm::module { 'nf_conntrack_sip': }
@@ -233,7 +197,19 @@ REJECT reject-with icmp-admin-prohibited
 
 	# postgres stuff
 	case $::hostname {
-		grieg: {
+		ullmann: {
+			@ferm::rule { 'dsa-postgres-udd':
+				description     => 'Allow postgress access',
+				# quantz, wagner, master, couper, coccia, franck
+				rule            => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
+			}
+			@ferm::rule { 'dsa-postgres-udd6':
+				domain          => '(ip6)',
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))'
+			}
+		}
+		grieg,wuiet: {
 			@ferm::rule { 'dsa-postgres-ullmann':
 				description     => 'Allow postgress access',
 				rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
@@ -256,14 +232,32 @@ REJECT reject-with icmp-admin-prohibited
 			}
 		}
 		bmdb1: {
+			@ferm::rule { 'dsa-postgres-main':
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))'
+			}
+			@ferm::rule { 'dsa-postgres-main6':
+				domain          => 'ip6',
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))'
+			}
 			@ferm::rule { 'dsa-postgres-dak':
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.0/24 ))'
+				rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))'
 			}
 			@ferm::rule { 'dsa-postgres-dak6':
 				domain          => 'ip6',
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000::/64 ))'
+				rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))'
+			}
+			@ferm::rule { 'dsa-postgres-wanna-build':
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 ))'
+			}
+			@ferm::rule { 'dsa-postgres-wanna-build6':
+				domain          => 'ip6',
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 ))'
 			}
 		}
 		danzi: {
@@ -301,4 +295,32 @@ REJECT reject-with icmp-admin-prohibited
 			}
 		}
 	}
+	# vpn fu
+	case $::hostname {
+		draghi,eysler: {
+			@ferm::rule { 'dsa-vpn':
+				description     => 'Allow openvpn access',
+				rule            => '&SERVICE(udp, 17257)'
+			}
+			@ferm::rule { 'dsa-routing':
+				description     => 'forward chain',
+				chain           => 'FORWARD',
+				rule            => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+			}
+			@ferm::rule { 'dsa-vpn-mark':
+				table           => 'mangle',
+				chain           => 'PREROUTING',
+				rule            => 'interface tun+ MARK set-mark 1',
+			}
+			@ferm::rule { 'dsa-vpn-nat':
+				table           => 'nat',
+				chain           => 'POSTROUTING',
+				rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+			}
+		}
+	}
 }