make dns primary export and keyring host collect firewall rules for the openpgpkey...
authorPeter Palfrader <peter@palfrader.org>
Mon, 16 Sep 2019 09:11:50 +0000 (11:11 +0200)
committerPeter Palfrader <peter@palfrader.org>
Mon, 16 Sep 2019 09:11:50 +0000 (11:11 +0200)
hieradata/common.yaml
hieradata/nodes/denis.debian.org.yaml [new file with mode: 0644]
modules/ferm/templates/defs.conf.erb
modules/nagios/manifests/server.pp
modules/named/manifests/primary.pp
modules/roles/manifests/init.pp
modules/roles/manifests/keyring.pp

index c8c0fb8..e3afd79 100644 (file)
@@ -52,9 +52,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/'
 # all of these should be retired in favour of including the class role
 # with the host. weasel, 2019-09
 roles:
-  dns_primary:
-    # XXX - used by ferm templates/defs.conf.erb
-    - denis.debian.org
   extranrpeclient:
     # XXX - used by ferm templates/defs.conf.erb
     - denis.debian.org
diff --git a/hieradata/nodes/denis.debian.org.yaml b/hieradata/nodes/denis.debian.org.yaml
new file mode 100644 (file)
index 0000000..78227ff
--- /dev/null
@@ -0,0 +1,3 @@
+---
+classes:
+  - roles::dns_primary
index ff0b14b..1ec8031 100644 (file)
@@ -24,7 +24,7 @@
   allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
   roles = scope.lookupvar('deprecated::roles')
 
-  %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
+  %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
     rolehost[role] = []
     roles[role].each do |node|
         next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -76,9 +76,6 @@
 @def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216              128.31.0.64                 149.20.4.16      209.87.16.40);
 @def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40                  2001:4f8:1:c::16 2607:f8f0:614:1::1274:40);
 
-@def $HOST_DNSPRIMARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_primary']]).uniq.join(' ') %>);
-@def $HOST_DNSPRIMARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_primary']]).uniq.join(' ') %>);
-@def $HOST_DNSPRIMARY = ($HOST_DNSPRIMARY_V4 $HOST_DNSPRIMARY_V6);
 
 <%
 def getfastlyranges()
index 58c2e45..afe6c99 100644 (file)
@@ -134,9 +134,12 @@ class nagios::server {
       | EOF
   }
 
-  # The nagios server wants to do DNS queries on the primary
+  # The nagios server wants to do DNS queries on the primaries
   @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
-    tag         => 'named::primary::ferm',
+    tag         => [
+                    'named::primary::ferm',
+                    'named::keyring::ferm',
+                   ],
     description => 'Allow nagios master access to the primary for checks',
     proto       => ['udp', 'tcp'],
     port        => 'domain',
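Review bot: The exported resource keeps the title `"dsa-bind-from-${::fqdn}"`, and the `named::primary` class in this same commit exports a rule under the identical title; a node that ever includes both `nagios::server` and `named::primary` would then fail catalog compilation with a duplicate declaration, so one of the two should use a distinct title such as `"dsa-bind-nagios-from-${::fqdn}"`. The description `'Allow nagios master access to the primary for checks'` is now also collected on the keyring master and reads as if it were primary-specific; `description => 'Allow nagios master access to the DNS primaries and the keyring master for checks',` would match the widened tag list. The resource declaration continues past the end of this hunk (the `saddr` and any remaining attributes are not visible), so I cannot confirm that it restricts sources to the nagios host's own addresses as the primary-side export does.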
index 5f3f6be..cafefff 100644 (file)
@@ -49,6 +49,13 @@ class named::primary inherits named::authoritative {
       };
       | EOF
   }
+  @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+    tag         => 'named::keyring::ferm',
+    description => 'Allow primary access to the keyring master',
+    proto       => ['udp', 'tcp'],
+    port        => 'domain',
+    saddr       => $base::public_addresses,
+  }
 
   concat::fragment { 'puppet-crontab--nsec3':
     target  => '/etc/cron.d/puppet-crontab',
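Review bot: The new export reuses the title `"dsa-bind-from-${::fqdn}"` that `nagios::server` already exports for its own rule, so a host holding both roles would hit a duplicate-declaration error at compile time; a role-specific title like `"dsa-bind-from-primary-${::fqdn}"` avoids the clash while the collector on the keyring side still selects by tag. The rule it replaces in `roles::keyring` was declared with `domain => '(ip ip6)'`, whereas this export relies on whatever `ferm::rule::simple` does with `saddr => $base::public_addresses`; if that define or that variable only covers one address family, the v6 path the old `$HOST_DNSPRIMARY_V6` definition handled would silently be lost — worth confirming since neither is visible here. A one-line comment stating the intent would help the next reader: `# collected by roles::keyring so every named::primary host may query the openpgpkey zone on the keyring master`.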
index d51a9bc..3a602be 100644 (file)
@@ -49,10 +49,6 @@ class roles {
                include roles::syncproxy
        }
 
-       if has_role('dns_primary') {
-               include roles::dns_primary
-       }
-
        if has_role('postgres_backup_server') {
                include postgres::backup_server
        }
index 453e6c0..cbdee86 100644 (file)
@@ -16,11 +16,7 @@ class roles::keyring {
 
   $notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), '; ')
 
-  ferm::rule { '01-dsa-bind':
-    domain      => '(ip ip6)',
-    description => 'Allow nameserver access',
-    rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
-  }
+  Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>
 
   concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
     target  => '/etc/bind/named.conf.puppet-misc',
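Review bot: After this change the firewall opening on the keyring master follows every host that includes `named::primary`, but `$notify_address_bind` two lines above the collector is still built from the hardcoded `'denis.debian.org'` entry in `deprecated::allnodeinfo`; a second primary, or a replacement for denis, would be allowed to query port 53 here yet never receive notifies, which is the kind of split the commit message is trying to retire. A note at that line would at least make the remaining coupling explicit: `# XXX still pinned to denis; should be derived from the named::primary hosts like the collected ferm rule below`. The collector `Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>` also accepts an export from any node that attaches that tag, whereas the removed rule was bounded to `$HOST_NAGIOS` and `$HOST_DNSPRIMARY`; that matches the exported-resource trust model the rest of this repository uses, but it means the effective allow-list is now only as tight as the sources those exporting classes set.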