X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fkeyring.pp;h=25ab9d308f04eb4c9ee43a6175eb2336b27a3807;hb=29cbe59430d1e7d7d5575579b48513c56227e2f7;hp=cafad2b0191bf35a56ab14c8e238b2cc07b76f35;hpb=66e44c6472622455d3e8b0b892cbce878b86630e;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index cafad2b01..25ab9d308 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
@@ -12,7 +12,13 @@ class roles::keyring {
 include named::authoritative
- $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+ $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+
+ ferm::rule { '01-dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
+ }
 concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
 target => '/etc/bind/named.conf.puppet-misc',
@@ -20,16 +26,16 @@ class roles::keyring {
 content => @("EOF"),
 zone "_openpgpkey.debian.org" {
 type master;
- file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
- allow-query { any; };
- allow-transfer {
- key tsig-denis.debian.org-kaufmann.debian.org ;
- 127.0.0.1;
- };
- also-notify {
- $notify_address;
- };
- }
+ file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
+ allow-query { any; };
+ allow-transfer {
+ key tsig-denis.debian.org-kaufmann.debian.org ;
+ 127.0.0.1;
+ };
+ also-notify {
+ $notify_address_bind;
+ };
+ };
 | EOF
 }
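Review bot: The new `01-dsa-bind` ferm rule and the zone's `allow-query { any; };` in the next hunk state two different query policies, and nothing in the manifest says which one is intended. Port 53 is opened only to `$HOST_NAGIOS` and `$HOST_DNSPRIMARY` (ferm variables defined outside this diff), so the firewall is the effective limit and named's `any` is the only thing left if that rule is ever dropped or reordered. A comment above the rule would record the intent, for example `# only the DNS primary and nagios talk to this named; it is not a public nameserver`, assuming that is what is meant. If so, narrowing `allow-query` to the same hosts would give the zone a second layer that does not depend on ferm.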
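Review bot: `$notify_address_bind` is interpolated into `also-notify { ...; };` with no check that the lookup returned an address. If `getfromhash(...)` yields an empty list for denis.debian.org, the block renders as `also-notify { ; };`, which named would most likely reject, and a rejected named.conf.puppet-misc affects every zone declared in that file. Failing the catalog is the safer outcome: `if empty($notify_address_bind) { fail('no ipHostNumber for denis.debian.org') }` next to the assignment in the first hunk. The `concat::fragment` resource this heredoc belongs to starts in the previous hunk, and its remaining parameters are not visible here.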