planet-master.d.o: only allow access from localhost and local IP
authorAurelien Jarno <aurelien@aurel32.net>
Wed, 14 Feb 2018 11:43:27 +0000 (12:43 +0100)
committerAurelien Jarno <aurelien@aurel32.net>
Wed, 14 Feb 2018 11:43:27 +0000 (12:43 +0100)
This way it is possible to access planet-master.d.o using SSH as a SOCKS
proxy. It requires connecting to planet-master.d.o (aka philp.d.o) instead
of to any Debian machine.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
modules/roles/files/planet_master/planet-master.debian.org [deleted file]
modules/roles/manifests/planet_master.pp
modules/roles/templates/planet_master/planet-master.debian.org.erb [new file with mode: 0644]

diff --git a/modules/roles/files/planet_master/planet-master.debian.org b/modules/roles/files/planet_master/planet-master.debian.org
deleted file mode 100644 (file)
index a58f07c..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-Use common-debian-service-https-redirect * planet-master.debian.org
-<VirtualHost *:443>
-       ServerName planet-master.debian.org
-       ServerAdmin debian-admin@lists.debian.org
-
-       Use common-debian-service-ssl planet-master.debian.org
-       Use common-ssl-HSTS
-
-       <IfModule mod_userdir.c>
-               UserDir disabled
-       </IfModule>
-       ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log
-       CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy
-       ServerSignature On
-
-       DocumentRoot /srv/planet.debian.org/www
-       <Directory /srv/planet.debian.org/www>
-               Use DebianHostList
-       </Directory>
-</VirtualHost>
index 5114ece..3d47163 100644 (file)
@@ -1,10 +1,10 @@
 class roles::planet_master {
        include apache2::ssl
        apache2::config { 'puppet-debianhosts':
-               content => template('roles/conf-debianhostlist.erb'),
+               ensure => 'absent',
        }
        apache2::site { 'planet-master.debian.org':
-               source => 'puppet:///modules/roles/planet_master/planet-master.debian.org',
+               template => template('roles/planet_master/planet-master.debian.org.erb')
        }
        ssl::service { 'planet-master.debian.org':
                notify => Exec['service apache2 reload'],
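Review bot: `template => template('roles/planet_master/planet-master.debian.org.erb')` in the `apache2::site` resource passes the rendered template under a parameter name I cannot confirm the `apache2::site` define accepts; elsewhere a rendered template is normally handed over as `content =>`, and an unknown parameter aborts catalog compilation for the host, so please check the define before merging (the `source =>` line it replaces was a different parameter). The same line also drops the trailing comma that the sibling `notify => Exec['service apache2 reload'],` keeps; if `content` is the right name, `content => template('roles/planet_master/planet-master.debian.org.erb'),` would be consistent with the rest of the class. The `roles::planet_master` class continues past the end of the hunk.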
diff --git a/modules/roles/templates/planet_master/planet-master.debian.org.erb b/modules/roles/templates/planet_master/planet-master.debian.org.erb
new file mode 100644 (file)
index 0000000..95afcf0
--- /dev/null
@@ -0,0 +1,41 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+Use common-debian-service-https-redirect * planet-master.debian.org
+<VirtualHost *:443>
+       ServerName planet-master.debian.org
+       ServerAdmin debian-admin@lists.debian.org
+
+       Use common-debian-service-ssl planet-master.debian.org
+       Use common-ssl-HSTS
+
+       <IfModule mod_userdir.c>
+               UserDir disabled
+       </IfModule>
+       ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log
+       CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy
+       ServerSignature On
+
+       DocumentRoot /srv/planet.debian.org/www
+       <Directory /srv/planet.debian.org/www>
+               # Localhost
+               Require ip ::1
+               Require ip 127.0.0.1
+<%=
+  lines = []
+  roles = scope.lookupvar('site::roles')
+  roles['planet_master'].each do |node|
+    lines << "\t\t# #{scope.lookupvar('site::allnodeinfo')[node]['hostname'][0]}"
+    scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
+      lines << "\t\tRequire ip #{addr}"
+    end
+  end
+  lines.join("\n")
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
+%>
+       </Directory>
+</VirtualHost>
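Review bot: The ERB loop at `roles['planet_master'].each` indexes `scope.lookupvar('site::allnodeinfo')[node]` twice per node with no nil handling, so a node listed in the role but absent from allnodeinfo, or one with no `ipHostNumber` or `hostname` attribute, aborts rendering with a NoMethodError on nil rather than an error naming the node, and the vhost stops being managed. Since these addresses are what gates access to the DocumentRoot, a clearer failure is worth a few lines: look up `site::allnodeinfo` once outside the loop, take the node record with `fetch` so an unknown node is named in the error, and wrap the role list and the attribute arrays in `Array()` so an empty role still renders the localhost-only configuration. The `# vim:` modelines would also read better in their own `<%# ... %>` comment than as trailing statements inside the `<%= %>` expression.
```erb
# … unchanged: VirtualHost, Directory and the two localhost Require ip lines above …
<%=
  allnodeinfo = scope.lookupvar('site::allnodeinfo')
  roles = scope.lookupvar('site::roles')
  lines = []
  Array(roles['planet_master']).each do |node|
    # fetch raises a KeyError naming the node instead of a bare NoMethodError on nil
    info = allnodeinfo.fetch(node)
    lines << "\t\t# #{Array(info['hostname']).first}"
    Array(info['ipHostNumber']).each do |addr|
      lines << "\t\tRequire ip #{addr}"
    end
  end
  lines.join("\n")
%>
<%# vim:set et sts=2 ts=2 shiftwidth=2: %>
```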