mirror ssh firewalling setup from ferm/templates/me.conf.erb with roles

In particular:
  debian mirrors can be accessed from syncproxies
  debug mirrors can be accessed from ftp-master
  historical mirrors can be accessed from historical-master
  security mirrors can be accessed from security-master

And from the previous commits:
  syncproxies can be accessed from syncproxies, ftp-master, ports-master, and security-master

diff --git a/modules/roles/manifests/debian_mirror.pp b/modules/roles/manifests/debian_mirror.pp
index 2484d49..de9e624 100644 (file)
--- a/modules/roles/manifests/debian_mirror.pp
+++ b/modules/roles/manifests/debian_mirror.pp
@@ -40,4 +40,6 @@ class roles::debian_mirror {
     url           => 'http://debian.backend.mirrors.debian.org/debian/dists/sid/Release',
     health_url    => 'http://debian.backend.mirrors.debian.org/_health',
   }
+
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::syncproxy' |>>
 }

diff --git a/modules/roles/manifests/debug_mirror.pp b/modules/roles/manifests/debug_mirror.pp
index 6892c26..dc69cff 100644 (file)
--- a/modules/roles/manifests/debug_mirror.pp
+++ b/modules/roles/manifests/debug_mirror.pp
@@ -38,4 +38,6 @@ class roles::debug_mirror {
     url           => 'http://debug.backend.mirrors.debian.org/debian-debug/dists/sid-debug/Release',
     health_url    => 'http://debug.backend.mirrors.debian.org/_health',
   }
+
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::ftp_master' |>>
 }

diff --git a/modules/roles/manifests/historical_mirror.pp b/modules/roles/manifests/historical_mirror.pp
index e970ce7..4ef3af0 100644 (file)
--- a/modules/roles/manifests/historical_mirror.pp
+++ b/modules/roles/manifests/historical_mirror.pp
@@ -50,4 +50,6 @@ class roles::historical_mirror {
       target_address => $onion_v4_addr,
     }
   }
+
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::historical_master' |>>
 }

diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index 25cc301..30f0ea0 100644 (file)
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -50,4 +50,6 @@ class roles::security_mirror {
       target_address => $onion_v4_addr,
     }
   }
+
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
 }