manage debsources access to its DB on bmdb1
authorPeter Palfrader <peter@palfrader.org>
Sun, 29 Sep 2019 14:36:38 +0000 (16:36 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 29 Sep 2019 14:37:09 +0000 (16:37 +0200)
data/common.yaml
data/nodes/bmdb1.debian.org.yaml
modules/ferm/manifests/per_host.pp
modules/roles/manifests/debsources.pp

index 3d4546b..b9e4589 100644 (file)
@@ -48,6 +48,9 @@ bacula::director::pool_name:  'debian'
 bacula::client::director_server: dinis.debian.org
 bacula::client::storage_server: storace.debian.org
 
+roles::debsources::db_address: bmdb1.debian.org
+roles::debsources::db_port: 5440
+
 
 # == other variables
 #####################
index b50c653..32e5d8c 100644 (file)
@@ -3,3 +3,4 @@ classes:
   - roles::postgresql::server
 
 postgres::backup_server::register_backup_clienthost::allow_read_hosts: ['fasolo']
+roles::postgresql::server::manage_clusters_hba: [5440]
index 851fa8f..28e3c30 100644 (file)
@@ -143,15 +143,6 @@ class ferm::per_host {
           ))
           | EOF
       }
-      ferm::rule { 'dsa-postgres-debsources':
-        description => 'Allow postgress access to cluster: debsources',
-        domain      => '(ip ip6)',
-        rule        => @("EOF"/$)
-          &SERVICE_RANGE(tcp, 5440, (
-            ${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") }
-          ))
-          | EOF
-      }
     }
     danzi: {
       ferm::rule { 'dsa-postgres-tracker':
index f3af3ca..60cb490 100644 (file)
@@ -1,4 +1,11 @@
-class roles::debsources {
+# sources.debian.org role
+
+# @param db_address     hostname of the postgres server for this service
+# @param db_port        port of the postgres server for this service
+class roles::debsources (
+  String  $db_address,
+  Integer $db_port,
+) {
   include apache2
   include apache2::ssl
 
@@ -14,4 +21,21 @@ class roles::debsources {
     notify => Exec['service apache2 reload'],
     key    => true,
   }
+
+  @@postgres::cluster::hba_entry { 'debsources':
+    tag      => "postgres::cluster::${db_port}::hba::${db_address}",
+    pg_port  => $db_port,
+    database => 'debsources',
+    user     => ['debsource_admin', 'debsource_updater'],
+    address  => $base::public_addresses,
+  }
+
+  @@postgres::cluster::hba_entry { 'debsources-guest':
+    tag      => "postgres::cluster::${db_port}::hba::${db_address}",
+    pg_port  => $db_port,
+    database => 'debsources',
+    user     => ['guest'],
+    method   => 'trust',
+    address  => $base::public_addresses,
+  }
 }
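Review bot: The `debsources-guest` entry sets `method => 'trust'`, so PostgreSQL accepts connections as `guest` to the `debsources` database from every address in `$base::public_addresses` without any credential, and nothing in the manifest records that this is deliberate. If it is, a comment above the resource would help the next reader, for example `# guest is meant to be read-only; trust is intentional and relies on the role's grants`, and it is worth confirming that `guest` holds only read privileges on that cluster. The first entry sets no `method` and therefore depends on the default of `postgres::cluster::hba_entry`, which is not visible in this diff; spelling it out (e.g. `method => 'md5'`, if that is the default) would make the difference between the two entries explicit. The class opens outside this hunk, and whether the hba_entry type also covers what the removed `dsa-postgres-debsources` ferm rule did cannot be told from the lines shown.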