X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fkeyring.pp;h=903064d5ccbd4c89f9ac20287eda01b1e6642332;hb=236efe8e28f32419ddc5b4445780bd17775adaf3;hp=08876cd20193de5b7e11fc51229a14f4b03c7d3f;hpb=6f7e7e5506551b4c9d06add3a5610119de7f2bce;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index 08876cd20..903064d5c 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
@@ -12,7 +12,13 @@ class roles::keyring {
 include named::authoritative
- $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+ $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+
+ @ferm::rule { '01-dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
+ }
 concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
 target => '/etc/bind/named.conf.puppet-misc',
@@ -27,7 +33,7 @@ class roles::keyring {
 127.0.0.1;
 };
 also-notify {
- $notify_address;
+ $notify_address_bind;
 };
 };
 | EOF
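Review bot: The new `01-dsa-bind` rule and the `also-notify` list identify the DNS primary through two independent sources, the ferm macro `$HOST_DNSPRIMARY` in the rule and the hard-coded `'denis.debian.org'` lookup on the `$notify_address_bind` line, so a change of primary can leave the firewall allow-list and the NOTIFY targets pointing at different hosts. A comment above the rule would make that coupling visible, for example `# port 53 is limited to monitoring and the DNS primary; keep in step with the also-notify target`, and it could also state that the single-quoted rule string passes `$HOST_NAGIOS` and `$HOST_DNSPRIMARY` to ferm uninterpolated, which looks intended. The resource is declared virtual (`@ferm::rule`), so it only takes effect where it is collected, and that collector is not visible here. The body of `roles::keyring` starts and ends outside this hunk, and the BIND ACL that ends in `127.0.0.1;` in the second hunk also begins outside the diff, so whether it agrees with the firewall allow-list cannot be confirmed from this page.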