X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fdns_primary.pp;h=8dd0f00557e9c61b29770781f9776a6abff15583;hb=bf716a4daf9652bc9d1b77deac83a2b384fd78bc;hp=0c86ec1b0cfd3b079d1f3fc04a859f8b82fc475a;hpb=584f12fb4c5f6ce47a187868570f439f543b635d;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/dns_primary.pp b/modules/roles/manifests/dns_primary.pp
index 0c86ec1b0..8dd0f0055 100644
--- a/modules/roles/manifests/dns_primary.pp
+++ b/modules/roles/manifests/dns_primary.pp
@@ -43,7 +43,7 @@ class roles::dns_primary(
 }
 # firewalling
- ferm::rule::simple { 'dsa-bind-from-third-party-secondaries':
+ ferm::rule::simple { 'dns-from-secondaries':
 description => 'Allow additional (such as 3rd party secondary nameserver) access to the primary',
 proto => ['udp', 'tcp'],
 port => 'domain',
@@ -51,4 +51,16 @@ class roles::dns_primary(
 }
 Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
+ # mini-nag does nrpe queries to check if hosts are still up
+ @@ferm::rule::simple { "dsa-nrpe-from-dnsprimary-${::fqdn}":
+ tag => 'nagios-nrpe::server',
+ description => 'Allow dns primary running mini-nag access to the nrpe daemon',
+ port => '5666',
+ saddr => $base::public_addresses,
+ }
+ @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+ tag => 'nagios-nrpe::server::debianorg.cfg',
+ target => '/etc/nagios/nrpe.d/debianorg.cfg',
+ content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+ }
 }
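Review bot: The `content` of the exported `concat::fragment` at the end of the second hunk has no trailing newline, so unless the collecting `concat` for `/etc/nagios/nrpe.d/debianorg.cfg` sets `ensure_newline => true` (not visible here), this `allowed_hosts=` line runs into whatever fragment follows it and the NRPE allow-list may be misparsed. I would end the string with a newline, `content => "allowed_hosts=${ $base::public_addresses.join(', ') }\n",`. An empty `$base::public_addresses` would render a bare `allowed_hosts=`, and each dns primary exports its own line into the same file, so both cases deserve a comment such as `# one allowed_hosts line per dns primary; confirm nrpe merges repeated directives and rejects an empty list`. The exported ferm rule above it sets no `proto`, unlike the rule in the first hunk, so it presumably relies on the define's default; stating `proto => 'tcp'` would make the opened port explicit.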