X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fkeyring.pp;h=11be4ea63f2ae4a2a1357f4dc6bb1a5d39dce36f;hb=d37aae2f20083c472de30925ff3e16a692408a11;hp=5743dbd368973b097d9e9146d737f5b7d3b05f03;hpb=c092962f8f0879ffc60c39c6b8d5aa09f43412b3;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index 5743dbd36..11be4ea63 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
@@ -1,43 +1,44 @@
 class roles::keyring {
- rsync::site { 'keyring':
- source => 'puppet:///modules/roles/keyring/rsyncd.conf',
- sslname => 'keyring.debian.org',
- }
-
- ssl::service { 'keyring.debian.org':
- notify => Exec['service apache2 reload'],
- key => true,
- tlsaport => [443, 1873],
- }
-
- include named::authoritative
-
- $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), " ")
- $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
-
- @ferm::rule { '01-dsa-bind':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $notify_address ) )',
- }
-
- concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
- target => '/etc/bind/named.conf.puppet-misc',
- order => '020',
- content => @("EOF"),
- zone "_openpgpkey.debian.org" {
- type master;
- file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
- allow-query { any; };
- allow-transfer {
- key tsig-denis.debian.org-kaufmann.debian.org ;
- 127.0.0.1;
- };
- also-notify {
- $notify_address;
- };
- };
- | EOF
- }
+ include apache2
+
+ rsync::site { 'keyring':
+ source => 'puppet:///modules/roles/keyring/rsyncd.conf',
+ sslname => 'keyring.debian.org',
+ }
+
+ ssl::service { 'keyring.debian.org':
+ notify => Exec['service apache2 reload'],
+ key => true,
+ tlsaport => [443, 1873],
+ }
+
+ include named::authoritative
+
+ $notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), '; ')
+
+ ferm::rule::simple { 'keyserver':
+ port => 11371
+ }
+
+ Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>
+
+ concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
+ target => '/etc/bind/named.conf.puppet-misc',
+ order => '020',
+ content => @("EOF"),
+ zone "_openpgpkey.debian.org" {
+ type master;
+ file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
+ allow-query { any; };
+ allow-transfer {
+ key tsig-denis.debian.org-kaufmann.debian.org ;
+ 127.0.0.1;
+ };
+ also-notify {
+ ${notify_address_bind};
+ };
+ };
+ | EOF
+ }
 }
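Review bot: The collector `Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>` replaces the explicit `01-dsa-bind` rule, so which sources may reach the nameserver on this host is now decided by whatever exported resources carry that tag rather than by this class. The exporting side is not visible in the hunk; a comment above the collector such as `# DNS access for the secondaries; exported by <exporting class>, port 53 only` would let a reader audit the firewall from here. The new `ferm::rule::simple { 'keyserver': port => 11371 }` likewise shows no source restriction or description, so it presumably opens 11371 to any source, and a one-line comment confirming that this is intended would help. Separately, `${notify_address_bind}` is emitted into `also-notify` unchecked, so an empty `ipHostNumber` lookup would render `also-notify { ; };`; a guard that fails the catalog when the list is empty would keep a broken fragment out of `named.conf.puppet-misc`.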