X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fnfs-server%2Fmanifests%2Finit.pp;h=7021ef330589ccfe9f7a85898633a883ae033fe9;hb=47f1649e4e6521ac0b80ec74960d0f032da497e6;hp=b9ff8885ffd124ae30d3b3a83739bdeb865aa2df;hpb=3eb533e5499e66423bafdedaf6c7d08ead1772de;p=mirror%2Fdsa-puppet.git
diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp
index b9ff8885f..7021ef330 100644
--- a/modules/nfs-server/manifests/init.pp
+++ b/modules/nfs-server/manifests/init.pp
@@ -4,57 +4,72 @@ class nfs-server { 'nfs-common', 'nfs-kernel-server' ]: - ensure => installed + ensure => installed } service { 'nfs-common': hasstatus => false, status => '/bin/true', - refreshonly => true, } service { 'nfs-kernel-server': hasstatus => false, status => '/bin/true', - refreshonly => true, + } + + case $::hostname { + lw01,lw02,lw03,lw04: { + $client_range = '10.0.0.0/8' + } + milanollo,senfter: { + $client_range = '172.29.122.0/24' + } + buxtehude: { + $client_range = '(172.29.40.0/22 206.12.19.126/32)' + } + gretchaninov: { + $client_range = '172.29.40.0/22' + } + default: { + # Better than 0.0.0.0/0 - we really ought to configure a + # client range for them all instead of exporting to the world. + $client_range = '127.0.0.0/8' + } } @ferm::rule { 'dsa-portmap': - domain => '(ip ip6)', description => 'Allow portmap access', - rule => '&TCP_UDP_SERVICE(111)' + rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)" } @ferm::rule { 'dsa-nfs': - domain => '(ip ip6)', description => 'Allow nfsd access', - rule => '&TCP_UDP_SERVICE(2049)' + rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)" } @ferm::rule { 'dsa-status': - domain => '(ip ip6)', description => 'Allow statd access', - rule => '&TCP_UDP_SERVICE(10000)' + rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)" } @ferm::rule { 'dsa-mountd': - domain => '(ip ip6)', description => 'Allow mountd access', - rule => '&TCP_UDP_SERVICE(10002)' + rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)" } @ferm::rule { 'dsa-lockd': - domain => '(ip ip6)', description => 'Allow lockd access', - rule => '&TCP_UDP_SERVICE(10003)' + rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)" } file { '/etc/default/nfs-common': source => 'puppet:///modules/nfs-server/nfs-common.default', - require => Package['nfs-common'], + before => Package['nfs-common'], notify => Service['nfs-common'], } file { '/etc/default/nfs-kernel-server': source => 'puppet:///modules/nfs-server/nfs-kernel-server.default', - require => 
Package['nfs-kernel-server'], + before => Package['nfs-kernel-server'], notify => Service['nfs-kernel-server'], } file { '/etc/modprobe.d/lockd.local': - source => 'puppet:///modules/nfs-server/lockd.local.modprobe' + source => 'puppet:///modules/nfs-server/lockd.local.modprobe', + before => Package['nfs-common'], + notify => Service['nfs-common'], } }
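Review bot: The `lw01,lw02,lw03,lw04` branch sets `$client_range = '10.0.0.0/8'`, which admits the whole private /8 to portmap, nfsd, statd, mountd and lockd, while every other branch names a /22, /24 or /32. Narrowing it to the subnet that actually holds the NFS clients, e.g. `$client_range = '<LW_CLIENT_SUBNET>/<PREFIX>'` (placeholder, the real range is not visible here), would match the least-privilege intent stated in the default branch's comment. The five rules also drop `domain => '(ip ip6)'`, so they presumably fall back to the default domain of `ferm::rule`, which is defined outside this hunk; it is worth confirming that IPv6 traffic to these ports ends up dropped rather than unfiltered. The default branch's comment could say outright what unlisted hosts get, for example `# Fail closed: hosts not listed above accept NFS from loopback only.`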