try to setup firewall rules for bgp on bilbao
authorPeter Palfrader <peter@palfrader.org>
Tue, 31 Jan 2017 08:23:31 +0000 (09:23 +0100)
committerPeter Palfrader <peter@palfrader.org>
Tue, 31 Jan 2017 08:23:31 +0000 (09:23 +0100)
hieradata/common.yaml
modules/roles/manifests/bgp.pp [new file with mode: 0644]
modules/roles/manifests/init.pp

index 1e6822a..4eaf987 100644 (file)
@@ -267,3 +267,5 @@ roles:
     - ticharich.debian.org
     - villa.debian.org
     - wieck.debian.org
+  bgp:
+    - bilbao.debian.org
diff --git a/modules/roles/manifests/bgp.pp b/modules/roles/manifests/bgp.pp
new file mode 100644 (file)
index 0000000..d3fbb39
--- /dev/null
@@ -0,0 +1,16 @@
+class roles::bgp {
+       $bgp_peers = $::hostname ? {
+               bilbao    => '2001:41c9:2:13c::/128 89.16.162.0/32',
+               default    => undef,
+       }
+
+       if ! $bgp_peers {
+               fail("Do not have bgp_peers set for $::hostname.")
+       }
+
+       @ferm::rule { 'dsa-bgp':
+               description => 'Allow BGP from peers',
+               domain      => '(ip ip6)',
+               rule        => '&SERVICE_RANGE(tcp, ssh, $bgp_peers)'
+       }
+}
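Review bot: The `rule` value of `dsa-bgp` is single-quoted, so Puppet does not interpolate `$bgp_peers`; the literal text reaches ferm, which would presumably treat it as a ferm variable that nothing in this manifest defines. The same line names the `ssh` service although the description says "Allow BGP from peers", so even with the peers expanded it would accept SSH from the peer addresses rather than BGP (tcp/179). A double-quoted string with the BGP service would fix both: `rule => "&SERVICE_RANGE(tcp, bgp, ( ${bgp_peers} ))"`. Whether the list needs the surrounding parentheses depends on the `SERVICE_RANGE` definition, which is not shown here. The peer list also mixes an IPv6 and an IPv4 prefix under `domain => '(ip ip6)'`, so it is worth confirming that the deployed ferm filters source addresses per address family.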
index 4c07f64..978be81 100644 (file)
@@ -316,4 +316,7 @@ class roles {
        if has_role('onionbalance') {
                include onion::balance
        }
+       if has_role('bgp') {
+               include roles::bgp
+       }
 }