From: Peter Palfrader Date: Tue, 7 Jan 2014 21:46:50 +0000 (+0100) Subject: update firewalls regarding dns X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;ds=sidebyside;h=49922b83ef7b7c817e88210ac363f935cf11a110;p=mirror%2Fdsa-puppet.git update firewalls regarding dns
---
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 67e3457db..186feb609 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@
 allnodeinfo = scope.lookupvar('site::allnodeinfo')
 roles = scope.lookupvar('site::roles')
 
- %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_secondary}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 rolehost[role] << allnodeinfo[node]['ipHostNumber']
@@ -61,6 +61,9 @@
 @def $HOST_STATIC_V4 = (<%= scope.function_filter_ipv4([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
 @def $HOST_STATIC_V6 = (<%= scope.function_filter_ipv6([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
 
+@def $HOST_DNS_SECONDARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_secondary']]).uniq.join(' ') %>);
+@def $HOST_DNS_SECONDARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_secondary']]).uniq.join(' ') %>);
+
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 7b960e71f..c3df480b0 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
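Review bot: The `roles[role].each do |node|` line now runs for `dns_secondary` as well, and if `site::roles` has no entry for a role that no node carries yet, that is a NoMethodError on nil at catalog compile, which stops defs.conf.erb (and so every host's ferm defs) from being regenerated. The pre-existing roles share the exposure, so presumably `site::roles` always provides an entry; that lookup is outside the hunk and worth confirming. A guard such as `(roles[role] || []).each do |node|` keeps the template compiling and yields an empty `()` host list in the generated defs instead of a failed run. The `each` block continues past the end of the hunk.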
@@ -22,7 +22,7 @@
 ssh4allowed = []
 ssh6allowed = []
 if restrict_ssh.include?(hostname) then
- ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
+ ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
 ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
 
 if %w{lebrun schroeder}.include?(hostname) then
@@ -39,9 +39,11 @@ if restrict_ssh.include?(hostname) then
 ssh4allowed << %w{$HOST_DEBIAN_V4}
 ssh6allowed << %w{$HOST_DEBIAN_V6}
 end
- if %w{denis}.include?(hostname) then
+ if scope.function_has_role(['dns_primary']) then
 ssh4allowed << "5.153.231.5" # adayevskaya
 ssh6allowed << "2001:41c8:1000:21::21:5" # adayevskaya
+ ssh4allowed << "$HOST_DNS_SECONDARY_V4"
+ ssh6allowed << "$HOST_DNS_SECONDARY_V6"
 end
 
 if scope.function_has_role(['static_master']) then
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index cf3b76f26..49911f8b5 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -25,12 +25,12 @@ class named {
 @ferm::rule { '01-dsa-bind-4':
 domain => '(ip)',
 description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DEBIAN_V4)',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DNS_SECONDARY_V4)',
 }
 @ferm::rule { '01-dsa-bind-6':
 domain => '(ip6)',
 description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DEBIAN_V6)',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, $HOST_DNS_SECONDARY_V6)',
 }
 } else {
 @ferm::rule { '01-dsa-bind':
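Review bot: The added `ssh4allowed << "$HOST_DNS_SECONDARY_V4"` / `ssh6allowed << "$HOST_DNS_SECONDARY_V6"` lines widen SSH access to the dns_primary host from one hard-coded peer to every node carrying dns_secondary, and nothing in the hunk records why secondaries need SSH in addition to port 53 (which the named module opens separately in this same commit); a comment such as `# dns secondaries need ssh to the primary because: <purpose — fill in>` would let the next reviewer judge whether the allowance is still warranted, and if there is no such purpose, dropping the two lines is the least-privilege choice. The hard-coded adayevskaya addresses remain next to the role-derived list; if that host carries the dns_secondary role they are now redundant, and if it does not, the comment should say why it is listed separately. The neighbouring pushes use `%w{...}` arrays, so `ssh4allowed << %w{$HOST_DNS_SECONDARY_V4}` would match them, assuming the consumer of ssh4allowed (not visible here) flattens both forms alike. The enclosing `if restrict_ssh.include?(hostname)` block starts before this hunk.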
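Review bot: `description => 'Allow nameserver access'` on both rules no longer says who is allowed now that the source set narrows from $HOST_DEBIAN to $HOST_DNS_SECONDARY; `description => 'Allow nameserver access from dns secondaries'` keeps the generated ferm config self-explaining. The narrowing also cuts off any Debian host that queried this server on port 53 for a reason other than zone transfer (a resolver, for instance), which is right for a transfer-only primary but worth confirming against real traffic before roll-out. If no node carries dns_secondary, $HOST_DNS_SECONDARY_V4/V6 expand to `()`; confirm that ferm then emits no rule at all rather than an unrestricted one. The `if`/`else` that selects these rules begins before the hunk, so the condition under which the restricted rules apply is not visible here.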