--- /dev/null
+# Create an (empty) chain
+#
+# @param domain netfilter domain: ip (IPv4), ip6 (IPv6), or both.
+# @param table netfilter table
+# @param chain netfilter chain
+# @param description a description of the rule
+# @param prio Priority/Order of the rule
+define ferm::rule::chain (
+ String $chain,
+ String $description = '',
+ Variant[Enum['ip', 'ip6'], Array[Enum['ip', 'ip6']]] $domain = ['ip', 'ip6'],
+ String $table = 'filter',
+ String $prio = '10',
+) {
+ include ferm
+
+ $real_domain = Array($domain, true)
+
+ file {
+ "/etc/ferm/dsa.d/${prio}_${name}":
+ ensure => 'present',
+ mode => '0400',
+ notify => Exec['ferm reload'],
+ content => inline_template( @(EOF) ),
+ domain (<%= @real_domain.join(' ') %>) {
+ table <%= @table %> {
+ chain <%= @chain %> {}
+ }
+ }
+ | EOF
+ }
+}
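Review bot: `$description` is declared and documented (`@param description`) but never reaches the generated file, so the chain files written under `/etc/ferm/dsa.d/` carry no hint of which manifest produced them; emitting it as a comment at the top of the heredoc, `# <%= @description %>`, would deliver what the parameter promises, and the doc line should say "chain" rather than "rule" since this define creates a chain. Separately, `$chain` and `$table` are typed as bare `String` yet are interpolated verbatim into ferm's configuration grammar, where a stray brace or whitespace would change the parsed structure instead of failing cleanly; typing both as `Pattern[/\A[A-Za-z0-9_.-]+\z/]` rejects malformed names at catalog compile time rather than at `ferm reload`. Minor: `ensure => 'present'` works for `file`, but `ensure => 'file'` is the idiom that also guarantees the path is not an existing directory or symlink.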
pg_cluster => $pg_cluster,
pg_port => $pg_port,
database => 'replication',
- user => db_backup_role,
+ user => $db_backup_role,
address => $backup_servers_addrs,
}
postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
command => "systemctl reload postgresql@${real_version}-${real_cluster}.service",
refreshonly => true,
}
+ ferm::rule::chain { "postgres::cluster::hba_entry::chain::pg-${real_port}":
+ description => "chain for pg${real_version}/${real_cluster}",
+ chain => "pg-${real_port}",
+ }
ferm::rule::simple { "postgres::cluster::hba_entry::${real_version}::${real_cluster}":
description => "check access to pg${real_version}/${real_cluster}",
port => $real_port,
tag => "postgres::cluster::${pg_port}::hba::${pg_server}",
pg_port => $pg_port,
database => 'bacula',
- user => ['bacula', 'bacula-${::hostname}-reader', 'nagios'],
+ user => ['bacula', "bacula-${::hostname}-reader", 'nagios'],
address => $base::public_addresses,
}
}