make dns primary export and keyring host collect firewall rules for the openpgpkey...
author
Peter Palfrader
<peter@palfrader.org>
Mon, 16 Sep 2019 09:11:50 +0000
(11:11 +0200)
committer
Peter Palfrader
<peter@palfrader.org>
Mon, 16 Sep 2019 09:11:50 +0000
(11:11 +0200)
hieradata/common.yaml
hieradata/nodes/denis.debian.org.yaml
[new file with mode: 0644]
modules/ferm/templates/defs.conf.erb
modules/nagios/manifests/server.pp
modules/named/manifests/primary.pp
modules/roles/manifests/init.pp
modules/roles/manifests/keyring.pp
diff --git
a/hieradata/common.yaml
b/hieradata/common.yaml
index
c8c0fb8
..
e3afd79
100644
--- a/
hieradata/common.yaml
+++ b/
hieradata/common.yaml
@@
-52,9
+52,6
@@
apt::sources::debian::location: 'https://deb.debian.org/debian/'
# all of these should be retired in favour of including the class role
# with the host. weasel, 2019-09
roles:
# all of these should be retired in favour of including the class role
# with the host. weasel, 2019-09
roles:
- dns_primary:
- # XXX - used by ferm templates/defs.conf.erb
- - denis.debian.org
extranrpeclient:
# XXX - used by ferm templates/defs.conf.erb
- denis.debian.org
extranrpeclient:
# XXX - used by ferm templates/defs.conf.erb
- denis.debian.org
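Review bot: Dropping `dns_primary` from `roles:` is silent for any remaining `has_role('dns_primary')` caller, which would simply start returning false rather than failing; the only caller visible in this commit, in modules/roles/manifests/init.pp, is removed alongside it, but a repository-wide search for that string before merge would confirm none remain. The `# XXX - used by ferm templates/defs.conf.erb` marker on the surviving `extranrpeclient` entry stays accurate, since that role is still in the template's `%w{...}` list.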
diff --git a/hieradata/nodes/denis.debian.org.yaml
b/hieradata/nodes/denis.debian.org.yaml
new file mode 100644
index 0000000..
78227ff
--- /dev/null
+++ b/
hieradata/nodes/denis.debian.org.yaml
@@ -0,0
+1,3
@@
+---
+classes:
+ - roles::dns_primary
diff --git
a/modules/ferm/templates/defs.conf.erb
b/modules/ferm/templates/defs.conf.erb
index
ff0b14b
..
1ec8031
100644
--- a/
modules/ferm/templates/defs.conf.erb
+++ b/
modules/ferm/templates/defs.conf.erb
@@
-24,7
+24,7
@@
allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
roles = scope.lookupvar('deprecated::roles')
allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster
dns_primary
}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
rolehost[role] = []
roles[role].each do |node|
next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
rolehost[role] = []
roles[role].each do |node|
next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@
-76,9
+76,6
@@
@def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216 128.31.0.64 149.20.4.16 209.87.16.40);
@def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40 2001:4f8:1:c::16 2607:f8f0:614:1::1274:40);
@def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216 128.31.0.64 149.20.4.16 209.87.16.40);
@def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40 2001:4f8:1:c::16 2607:f8f0:614:1::1274:40);
-@def $HOST_DNSPRIMARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_primary']]).uniq.join(' ') %>);
-@def $HOST_DNSPRIMARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_primary']]).uniq.join(' ') %>);
-@def $HOST_DNSPRIMARY = ($HOST_DNSPRIMARY_V4 $HOST_DNSPRIMARY_V6);
<%
def getfastlyranges()
<%
def getfastlyranges()
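Review bot: With `$HOST_DNSPRIMARY_V4`, `$HOST_DNSPRIMARY_V6` and `$HOST_DNSPRIMARY` removed in the second hunk, any ferm configuration elsewhere that still names `$HOST_DNSPRIMARY` will make ferm refuse to load its ruleset; the only consumer visible in this commit is the `01-dsa-bind` rule in modules/roles/manifests/keyring.pp, which is removed here, but a repository-wide grep for the symbol before merge is cheap insurance. In the first hunk the loop body indexes `roles[role].each` with no nil guard, so the `%w{...}` list and the `roles:` hieradata in hieradata/common.yaml must change in lockstep — this commit keeps them in step, and a comment above the list, `<%# every role named here must also exist under roles: in hieradata/common.yaml %>`, would record that coupling for the next edit. The `.each do |role|` loop starts in the first hunk and its body continues outside it; `getfastlyranges` begins at the end of the second hunk and continues outside it.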
diff --git
a/modules/nagios/manifests/server.pp
b/modules/nagios/manifests/server.pp
index
58c2e45
..
afe6c99
100644
--- a/
modules/nagios/manifests/server.pp
+++ b/
modules/nagios/manifests/server.pp
@@
-134,9
+134,12
@@
class nagios::server {
| EOF
}
| EOF
}
- # The nagios server wants to do DNS queries on the primar
y
+ # The nagios server wants to do DNS queries on the primar
ies
@@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
@@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
- tag => 'named::primary::ferm',
+ tag => [
+ 'named::primary::ferm',
+ 'named::keyring::ferm',
+ ],
description => 'Allow nagios master access to the primary for checks',
proto => ['udp', 'tcp'],
port => 'domain',
description => 'Allow nagios master access to the primary for checks',
proto => ['udp', 'tcp'],
port => 'domain',
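Review bot: The exported `ferm::rule::simple` title `"dsa-bind-from-${::fqdn}"` is now shared with the export added in modules/named/manifests/primary.pp under the same `named::keyring::ferm` tag; if any node ever includes both `nagios::server` and `named::primary`, that node would declare two resources of the same type and title and its catalog would fail with a duplicate declaration. A class-specific prefix, for example `"dsa-bind-nagios-from-${::fqdn}"` here, would avoid the collision, assuming the title is not otherwise significant to `ferm::rule::simple` (not visible from this hunk). The `description` `'Allow nagios master access to the primary for checks'` is now also realised on keyring hosts, so wording such as `'Allow nagios master access to DNS primaries and the keyring master for checks'` would read correctly wherever it is collected. `class nagios::server` starts outside the hunk and its body continues past it.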
diff --git
a/modules/named/manifests/primary.pp
b/modules/named/manifests/primary.pp
index
5f3f6be
..
cafefff
100644
--- a/
modules/named/manifests/primary.pp
+++ b/
modules/named/manifests/primary.pp
@@
-49,6
+49,13
@@
class named::primary inherits named::authoritative {
};
| EOF
}
};
| EOF
}
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::keyring::ferm',
+ description => 'Allow primary access to the keyring master',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
concat::fragment { 'puppet-crontab--nsec3':
target => '/etc/cron.d/puppet-crontab',
concat::fragment { 'puppet-crontab--nsec3':
target => '/etc/cron.d/puppet-crontab',
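Review bot: The exported rule only reaches the keyring host once each primary's agent has run and the export is in PuppetDB, while modules/roles/manifests/keyring.pp drops its static `01-dsa-bind` rule in the same commit, so there is a rollout window in which the keyring host has no rule admitting the primaries on port 53 until they have all checked in (an availability gap for DNS traffic from the primaries, not an exposure). Running the primaries' agents before the keyring host, or landing the keyring-side change in a follow-up commit, closes that window. A one-line comment above the export, `# collected on keyring hosts by roles::keyring (tag named::keyring::ferm)`, would make the consumer visible from here. `class named::primary` starts outside the hunk and its body continues past it.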
diff --git
a/modules/roles/manifests/init.pp
b/modules/roles/manifests/init.pp
index
d51a9bc
..
3a602be
100644
--- a/
modules/roles/manifests/init.pp
+++ b/
modules/roles/manifests/init.pp
@@
-49,10
+49,6
@@
class roles {
include roles::syncproxy
}
include roles::syncproxy
}
- if has_role('dns_primary') {
- include roles::dns_primary
- }
-
if has_role('postgres_backup_server') {
include postgres::backup_server
}
if has_role('postgres_backup_server') {
include postgres::backup_server
}
diff --git
a/modules/roles/manifests/keyring.pp
b/modules/roles/manifests/keyring.pp
index
453e6c0
..
cbdee86
100644
--- a/
modules/roles/manifests/keyring.pp
+++ b/
modules/roles/manifests/keyring.pp
@@
-16,11
+16,7
@@
class roles::keyring {
$notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), '; ')
$notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), '; ')
- ferm::rule { '01-dsa-bind':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
- }
+ Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>
concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
target => '/etc/bind/named.conf.puppet-misc',
concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
target => '/etc/bind/named.conf.puppet-misc',
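Review bot: `$notify_address_bind` still resolves the primary by the literal hostname `'denis.debian.org'` through `$deprecated::allnodeinfo`, while the firewall rule on the new line now follows whichever nodes include `roles::dns_primary` (hieradata/nodes/denis.debian.org.yaml in this commit); if the primary ever moves, the collector will follow it but the notify address will not, and the divergence would be silent. Deriving both from the same source would keep them consistent; how `$notify_address_bind` is consumed is not visible in this hunk, so that is a follow-up rather than a blocker. A comment above the collector, `# realised from @@ferm::rule::simple exports tagged named::keyring::ferm (named::primary, nagios::server)`, would make the source of the rules visible to the next reader, since the allowed set is now whatever exports with that tag exist in PuppetDB rather than a list reviewed in this file. `class roles::keyring` starts outside the hunk and continues past it.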