update firewalls regarding dns
authorPeter Palfrader <peter@palfrader.org>
Tue, 7 Jan 2014 21:46:50 +0000 (22:46 +0100)
committerPeter Palfrader <peter@palfrader.org>
Tue, 7 Jan 2014 21:46:50 +0000 (22:46 +0100)
modules/ferm/templates/defs.conf.erb
modules/ferm/templates/me.conf.erb
modules/named/manifests/init.pp

index 67e3457..186feb6 100644 (file)
@@ -24,7 +24,7 @@
   allnodeinfo = scope.lookupvar('site::allnodeinfo')
   roles = scope.lookupvar('site::roles')
 
-  %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master}.each do |role|
+  %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_secondary}.each do |role|
     rolehost[role] = []
     roles[role].each do |node|
         rolehost[role] << allnodeinfo[node]['ipHostNumber']
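Review bot: Adding `dns_secondary` to this list makes template compilation depend on `roles['dns_secondary']` existing, because `roles[role].each` on the next-to-last line raises NoMethodError on nil; the same is true of the existing roles, so this is only a problem if `site::roles` omits keys for roles with no members, which this hunk does not show. If that is possible, `Array(roles[role]).each do |node|` keeps the template compiling while the role is still empty. The `.each` block this hunk adds to runs past the end of the hunk.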
@@ -61,6 +61,9 @@
 @def $HOST_STATIC_V4 = (<%= scope.function_filter_ipv4([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
 @def $HOST_STATIC_V6 = (<%= scope.function_filter_ipv6([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
 
+@def $HOST_DNS_SECONDARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_secondary']]).uniq.join(' ') %>);
+@def $HOST_DNS_SECONDARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_secondary']]).uniq.join(' ') %>);
+
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
index 7b960e7..c3df480 100644 (file)
@@ -22,7 +22,7 @@ ssh4allowed = []
 ssh6allowed = []
 
 if restrict_ssh.include?(hostname) then
-       ssh4allowed  << %w{$DSA_IPS   $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
+       ssh4allowed << %w{$DSA_IPS    $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
        ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
 
        if %w{lebrun schroeder}.include?(hostname) then
@@ -39,9 +39,11 @@ if restrict_ssh.include?(hostname) then
                ssh4allowed << %w{$HOST_DEBIAN_V4}
                ssh6allowed << %w{$HOST_DEBIAN_V6}
        end
-       if %w{denis}.include?(hostname) then
+       if scope.function_has_role(['dns_primary']) then
                ssh4allowed << "5.153.231.5" # adayevskaya
                ssh6allowed << "2001:41c8:1000:21::21:5" # adayevskaya
+               ssh4allowed << "$HOST_DNS_SECONDARY_V4"
+               ssh6allowed << "$HOST_DNS_SECONDARY_V6"
        end
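Review bot: The hard-coded adayevskaya address on the two lines above the new entries now sits beside a role-derived list, and nothing in the hunk says why it is still listed explicitly; if adayevskaya is a dns_secondary in allnodeinfo the literal is redundant, and if it is an external secondary not known to allnodeinfo that should be stated, e.g. `# adayevskaya: external secondary, not in allnodeinfo`. Note that the switch from the `denis` hostname check to `scope.function_has_role(['dns_primary'])` means every host carrying that role now accepts SSH from every dns_secondary host, so the role assignment in the node data becomes a firewall-relevant input. The enclosing `if restrict_ssh.include?(hostname)` block starts before this hunk.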
 
        if scope.function_has_role(['static_master']) then
index cf3b76f..49911f8 100644 (file)
@@ -25,12 +25,12 @@ class named {
                @ferm::rule { '01-dsa-bind-4':
                        domain      => '(ip)',
                        description => 'Allow nameserver access',
-                       rule        => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DEBIAN_V4)',
+                       rule        => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DNS_SECONDARY_V4)',
                }
                @ferm::rule { '01-dsa-bind-6':
                        domain      => '(ip6)',
                        description => 'Allow nameserver access',
-                       rule        => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DEBIAN_V6)',
+                       rule        => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DNS_SECONDARY_V6)',
                }
        } else {
                @ferm::rule { '01-dsa-bind':
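Review bot: The `description => 'Allow nameserver access'` on both rules is now stale, since the allowed source set narrows from all debian.org hosts ($HOST_DEBIAN_V4/V6) to the dns_secondary role; `description => 'Allow nameserver access from DNS secondaries',` would document what the rule actually permits. Any debian.org host that queried this nameserver directly for resolution loses port 53 access with this change, which may be intended but is not mentioned in the commit message. If the role has no members, ferm's usual handling of an empty list is to emit no rule at all, so port 53 would be closed entirely on these hosts rather than opened to nobody-in-particular; worth confirming that is the desired fail-closed behaviour. The `if` selecting this branch is before the hunk and the `else` branch continues past its end.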