From: Julien Cristau <jcristau@debian.org>
Date: Tue, 3 Oct 2017 07:00:09 +0000 (+0200)
Subject: Restrict ssh to mirrors
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;ds=inline;h=30f5ef8dda3079eb5a7073cdb0cdaab5c6b15964;p=mirror%2Fdsa-puppet.git

Restrict ssh to mirrors
---

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 618cd540a..2dd47996d 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -71,6 +71,8 @@ roles:
   manpages-dyn:
     - manziarly.debian.org
     - cgi-grnet-01.debian.org
+  mirrormaster:
+    - melartin.debian.org
   muninmaster:
     - menotti.debian.org
   nagiosmaster:
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index af5c387c0..45ed58c63 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@
   allnodeinfo = scope.lookupvar('site::allnodeinfo')
   roles = scope.lookupvar('site::roles')
 
-  %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo postgres_backup_server}.each do |role|
+  %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
     rolehost[role] = []
     roles[role].each do |node|
         next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -66,6 +66,19 @@
 @def $HOST_STATIC_V4 = (<%= scope.function_filter_ipv4([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
 @def $HOST_STATIC_V6 = (<%= scope.function_filter_ipv6([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
 
+@def $HOST_FTPMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['ftp_master']]).uniq.join(' ') %>);
+@def $HOST_FTPMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ftp_master']]).uniq.join(' ') %>);
+@def $HOST_SECMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['security_master']]).uniq.join(' ') %>);
+@def $HOST_SECMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['security_master']]).uniq.join(' ') %>);
+@def $HOST_PORTSMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['ports_master']]).uniq.join(' ') %>);
+@def $HOST_PORTSMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ports_master']]).uniq.join(' ') %>);
+@def $HOST_ARCHIVEMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['historical_master']]).uniq.join(' ') %>);
+@def $HOST_ARCHIVEMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['historical_master']]).uniq.join(' ') %>);
+@def $HOST_MIRRORMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['mirrormaster']]).uniq.join(' ') %>);
+@def $HOST_MIRRORMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['mirrormaster']]).uniq.join(' ') %>);
+@def $HOST_SYNCPROXY_V4 = (<%= scope.function_filter_ipv4([rolehost['syncproxy']]).uniq.join(' ') %>);
+@def $HOST_SYNCPROXY_V6 = (<%= scope.function_filter_ipv6([rolehost['syncproxy']]).uniq.join(' ') %>);
+
 @def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>);
 @def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>);
 @def $HOST_EASYDNS_V4 = (64.68.200.91);
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 7ebd7e2c0..21d35483b 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -7,7 +7,7 @@
 nodeinfo = scope.lookupvar('site::nodeinfo')
 out = []
 
-restricted_purposes = ['kvm host', 'central syslog server', 'puppet master', 'jumphost', 'buildd']
+restricted_purposes = ['kvm host', 'central syslog server', 'puppet master', 'jumphost', 'buildd', 'static-mirror', 'anycast mirror']
 restrict_ssh = %w{tchaikovsky draghi adayevskaya}
 
 if (nodeinfo['ldap'].has_key?('purpose')) then
@@ -59,6 +59,33 @@ if restrict_ssh.include?(@hostname) then
 		ssh4allowed << '$HOST_STATICMASTER_V4'
 		ssh6allowed << '$HOST_STATICMASTER_V6'
 	end
+	if scope.function_has_role(['debian_mirror']) or
+	   scope.function_has_role(['security_mirror']) or
+	   scope.function_has_role(['historical_mirror']) or
+	   scope.function_has_role(['syncproxy']) then
+		ssh4allowed << '$HOST_MIRRORMASTER_V4'
+		ssh6allowed << '$HOST_MIRRORMASTER_V6'
+	end
+	if scope.function_has_role(['debian_mirror']) or
+	   scope.function_has_role(['syncproxy']) then
+		ssh4allowed << '$HOST_SYNCPROXY_V4'
+		ssh6allowed << '$HOST_SYNCPROXY_V6'
+	end
+	if scope.function_has_role(['security_mirror']) or
+	   scope.function_has_role(['syncproxy']) then
+		ssh4allowed << '$HOST_SECMASTER_V4'
+		ssh6allowed << '$HOST_SECMASTER_V6'
+	end
+	if scope.function_has_role(['historical_mirror']) then
+		ssh4allowed << '$HOST_ARCHIVEMASTER_V4'
+		ssh6allowed << '$HOST_ARCHIVEMASTER_V6'
+	end
+	if scope.function_has_role(['syncproxy']) then
+		ssh4allowed << '$HOST_FTPMASTER_V4'
+		ssh6allowed << '$HOST_FTPMASTER_V6'
+		ssh4allowed << '$HOST_PORTSMASTER_V4'
+		ssh6allowed << '$HOST_PORTSMASTER_V6'
+	end
 end
 ssh4allowed.length == 0 and ssh4allowed << '0.0.0.0/0'
 ssh6allowed.length == 0 and ssh6allowed << '::/0'