X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=b9ad487de7d0517edf43ea150f5bb7eaffec5e83;hb=a001db15a8463b3aac135b05343aca2ac7dc2aa9;hp=232aa12e98cfed04966a2969479da62f16e22246;hpb=451142c0730ffe4c1ea13089f3972e9660cb2465;p=mirror%2Fdsa-puppet.git

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 232aa12e9..b9ad487de 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -3,7 +3,7 @@ class ferm::per-host {
 		include ferm::zivit
 	}
 
-	if $::hostname in [glinka,klecker,ravel,rietz,sibelius] {
+	if $::hostname in [glinka] {
 		ferm::rule { 'dsa-rsync':
 			domain      => '(ip ip6)',
 			description => 'Allow rsync access',
@@ -284,13 +284,13 @@ class ferm::per-host {
 		ullmann: {
 			@ferm::rule { 'dsa-postgres-udd':
 				description     => 'Allow postgress access',
-				# quantz, moszumanska, master, couper, coccia, franck
-				rule            => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
+				# quantz, moszumanska, master, coccia, franck
+				rule            => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 138.16.160.12/32 ))'
 			}
 			@ferm::rule { 'dsa-postgres-udd6':
 				domain          => '(ip6)',
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
+				rule            => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
 			}
 		}
 		franck: {
@@ -317,42 +317,32 @@ class ferm::per-host {
 		bmdb1: {
 			@ferm::rule { 'dsa-postgres-main':
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32))'
+				rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
 			}
 			@ferm::rule { 'dsa-postgres-main6':
 				domain          => 'ip6',
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128))'
+				rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
 			}
 			@ferm::rule { 'dsa-postgres-dak':
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 5.153.231.18/32 ))'
+				rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 ))'
 			}
 			@ferm::rule { 'dsa-postgres-dak6':
 				domain          => 'ip6',
 				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 ))'
+				rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
 			}
-			@ferm::rule { 'dsa-postgres-wanna-build':
+			@ferm::rule { 'dsa-postgres-wannabuild':
 				# wuiet, ullmann, franck
 				description     => 'Allow postgress access',
 				rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
 			}
-			@ferm::rule { 'dsa-postgres-wanna-build6':
+			@ferm::rule { 'dsa-postgres-wannabuild6':
 				domain          => 'ip6',
 				description     => 'Allow postgress access',
 				rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
 			}
-			@ferm::rule { 'dsa-postgres-wanna-build-ports':
-				# portman
-				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.29/32 ))'
-			}
-			@ferm::rule { 'dsa-postgres-wanna-build-ports6':
-				domain          => 'ip6',
-				description     => 'Allow postgress access',
-				rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:29/128 ))'
-			}
 			@ferm::rule { 'dsa-postgres-bacula':
 				# dinis
 				description     => 'Allow postgress access1',
@@ -431,7 +421,7 @@ class ferm::per-host {
 				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
 			}
 		}
-		chopin: {
+		seger: {
 			@ferm::rule { 'dsa-postgres-backup':
 				description     => 'Allow postgress access',
 				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
@@ -473,11 +463,22 @@ class ferm::per-host {
 				rule            => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
 			}
 		}
+		vittoria: {
+			@ferm::rule { 'dsa-postgres-backup':
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
+			}
+			@ferm::rule { 'dsa-postgres-backup6':
+				domain          => 'ip6',
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+			}
+		}
 		default: {}
 	}
 	# vpn fu
 	case $::hostname {
-		draghi,eysler: {
+		draghi: {
 			@ferm::rule { 'dsa-vpn':
 				description     => 'Allow openvpn access',
 				rule            => '&SERVICE(udp, 17257)'
@@ -502,6 +503,12 @@ REJECT reject-with icmp-admin-prohibited
 				rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
 			}
 		}
+		ubc-enc2bl1,ubc-enc2bl2,ubc-enc2bl9,ubc-enc2bl10: {
+			@ferm::rule { 'dsa-luca-fixme':
+				description     => 'Allow ssh access from mnt and vpn networks',
+				rule            => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
+			}
+		}
 		default: {}
 	}
 	# tftp
@@ -512,7 +519,7 @@ REJECT reject-with icmp-admin-prohibited
 				rule            => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
 			}
 		}
-		jenkins: {
+		jenko: {
 			@ferm::rule { 'dsa-tftp':
 				description     => 'Allow tftp access',
 				rule            => '&SERVICE_RANGE(udp, 69, ( 192.168.2.0/24 206.12.19.0/24 ))'