Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
authorJulien Cristau <jcristau@debian.org>
Sun, 29 Sep 2019 14:21:12 +0000 (16:21 +0200)
committerJulien Cristau <jcristau@debian.org>
Sun, 29 Sep 2019 14:21:12 +0000 (16:21 +0200)
modules/ferm/manifests/rule/chain.pp [new file with mode: 0644]
modules/postgres/manifests/backup_cluster.pp
modules/postgres/manifests/cluster.pp
modules/roles/manifests/bacula/director.pp

diff --git a/modules/ferm/manifests/rule/chain.pp b/modules/ferm/manifests/rule/chain.pp
new file mode 100644 (file)
index 0000000..50ae56b
--- /dev/null
@@ -0,0 +1,32 @@
+# Create an (empty) chain
+#
+# @param domain netfilter domain: ip (IPv4), ip6 (IPv6), or both.
+# @param table  netfilter table
+# @param chain  netfilter chain
+# @param description a description of the rule
+# @param prio   Priority/Order of the rule
+define ferm::rule::chain (
+  String $chain,
+  String $description = '',
+  Variant[Enum['ip', 'ip6'], Array[Enum['ip', 'ip6']]] $domain = ['ip', 'ip6'],
+  String $table = 'filter',
+  String $prio = '10',
+) {
+  include ferm
+
+  $real_domain = Array($domain, true)
+
+  file {
+    "/etc/ferm/dsa.d/${prio}_${name}":
+      ensure  => 'present',
+      mode    => '0400',
+      notify  => Exec['ferm reload'],
+      content => inline_template( @(EOF) ),
+                    domain (<%= @real_domain.join(' ') %>) {
+                      table <%= @table %> {
+                        chain <%= @chain %> {}
+                      }
+                    }
+                    | EOF
+  }
+}
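Review bot: `$description` is declared and documented but never reaches the rendered file — the heredoc at the bottom of the define emits only `@real_domain`, `@table` and `@chain`, so the description passed from the cluster.pp hunk (the `ferm::rule::chain` resource in `postgres::cluster`) is silently dropped. If it is meant as a comment in the generated config, a first template line such as `# <%= @description %>` would carry it through; otherwise the parameter should be removed rather than accepted and ignored. Separately, `$chain` and `$table` are plain `String`s interpolated verbatim into a file under `/etc/ferm/dsa.d/` that is then loaded by ferm, so a value containing whitespace or braces would alter the surrounding config rather than fail; a `Pattern[/\A[A-Za-z0-9_-]+\z/]` type on both would reject such input at catalog compile time. The `@param` list also documents `domain`, `table`, `chain` in a different order than the signature, which is a minor readability point.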
index 172f33c..dcbf28f 100644 (file)
@@ -65,7 +65,7 @@ define postgres::backup_cluster(
     pg_cluster => $pg_cluster,
     pg_port    => $pg_port,
     database   => 'replication',
-    user       => db_backup_role,
+    user       => $db_backup_role,
     address    => $backup_servers_addrs,
   }
   postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
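Review bot: The context line directly after the fixed `user` attribute still carries what looks like a stray brace in the resource title, `"backup-role-${::fqdn}}-${pg_port}"`, which interpolates to `backup-role-<fqdn>}-<port>`; if that is a typo, the commit fixing the bareword next to it is the natural place to correct it to `"backup-role-${::fqdn}-${pg_port}"`. Because the title is used as the resource's identity, renaming it is only safe if no other manifest or collector references the existing spelling, which I cannot see from this hunk. The body of `postgres::backup_cluster` continues outside the hunk.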
index 424d354..92f87d1 100644 (file)
@@ -50,6 +50,10 @@ define postgres::cluster(
     command     => "systemctl reload postgresql@${real_version}-${real_cluster}.service",
     refreshonly => true,
   }
+  ferm::rule::chain { "postgres::cluster::hba_entry::chain::pg-${real_port}":
+    description => "chain for pg${real_version}/${real_cluster}",
+    chain       => "pg-${real_port}",
+  }
   ferm::rule::simple { "postgres::cluster::hba_entry::${real_version}::${real_cluster}":
     description => "check access to pg${real_version}/${real_cluster}",
     port        => $real_port,
index 91b198d..e74f2e5 100644 (file)
@@ -12,7 +12,7 @@ class roles::bacula::director(
     tag      => "postgres::cluster::${pg_port}::hba::${pg_server}",
     pg_port  => $pg_port,
     database => 'bacula',
-    user     => ['bacula', 'bacula-${::hostname}-reader', 'nagios'],
+    user     => ['bacula', "bacula-${::hostname}-reader", 'nagios'],
     address  => $base::public_addresses,
   }
 }
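Review bot: The new double-quoted `"bacula-${::hostname}-reader"` takes the name from an agent-reported fact; given the `tag` attribute above it, this resource appears to be collected on the PostgreSQL server, so the user name granted access there is derived from whatever the client node reports as its hostname. `$trusted['hostname']` comes from the node's certificate rather than from facts and is the safer source for an identifier that ends up in another host's access configuration, i.e. `"bacula-${trusted['hostname']}-reader"`, provided the Bacula role name is built the same way on the other side. The class `roles::bacula::director` starts outside the hunk, so I cannot confirm the resource is exported.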