From: Peter Palfrader
Date: Sun, 29 Sep 2019 14:36:38 +0000 (+0200)
Subject: manage debsources access to its DB on bmdb1
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=01c8ae18739a123996081388ca68fe34459b218f;hp=2e6fa9d0a37eb696efc95c75279d35e338dcf898;p=mirror%2Fdsa-puppet.git
manage debsources access to its DB on bmdb1
---
diff --git a/data/common.yaml b/data/common.yaml
index 3d4546b14..b9e458947 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -48,6 +48,9 @@ bacula::director::pool_name: 'debian'
 bacula::client::director_server: dinis.debian.org
 bacula::client::storage_server: storace.debian.org
+roles::debsources::db_address: bmdb1.debian.org
+roles::debsources::db_port: 5440
+
 # == other variables #####################
diff --git a/data/nodes/bmdb1.debian.org.yaml b/data/nodes/bmdb1.debian.org.yaml
index b50c65318..32e5d8c68 100644
--- a/data/nodes/bmdb1.debian.org.yaml
+++ b/data/nodes/bmdb1.debian.org.yaml
@@ -3,3 +3,4 @@ classes:
 - roles::postgresql::server
 postgres::backup_server::register_backup_clienthost::allow_read_hosts: ['fasolo']
+roles::postgresql::server::manage_clusters_hba: [5440]
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 851fa8f52..28e3c3079 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -143,15 +143,6 @@ class ferm::per_host {
 ))
 | EOF
 }
- ferm::rule { 'dsa-postgres-debsources':
- description => 'Allow postgress access to cluster: debsources',
- domain => '(ip ip6)',
- rule => @("EOF"/$)
- &SERVICE_RANGE(tcp, 5440, (
- ${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") }
- ))
- | EOF
- }
 }
 danzi: {
 ferm::rule { 'dsa-postgres-tracker':
diff --git a/modules/roles/manifests/debsources.pp b/modules/roles/manifests/debsources.pp
index f3af3cadc..60cb490a5 100644
--- a/modules/roles/manifests/debsources.pp
+++ b/modules/roles/manifests/debsources.pp
@@ -1,4 +1,11 @@
-class roles::debsources {
+# sources.debian.org role
+
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+class roles::debsources (
+ String $db_address,
+ Integer $db_port,
+) {
 include apache2
 include apache2::ssl
@@ -14,4 +21,21 @@ class roles::debsources {
 notify => Exec['service apache2 reload'],
 key => true,
 }
+
+ @@postgres::cluster::hba_entry { 'debsources':
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => 'debsources',
+ user => ['debsource_admin', 'debsource_updater'],
+ address => $base::public_addresses,
+ }
+
+ @@postgres::cluster::hba_entry { 'debsources-guest':
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => 'debsources',
+ user => ['guest'],
+ method => 'trust',
+ address => $base::public_addresses,
+ }
 }
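Review bot: `Integer $db_port` accepts any integer, including 0 and negative values, and the value is later interpolated into the export tag and passed as `pg_port`; `Integer[1, 65535] $db_port,` would reject a bad Hiera value at compile time instead of producing an entry that is never collected. Neither parameter has a default, so every node that includes this class depends on the two keys this commit adds to `data/common.yaml`. The class body continues past this hunk.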
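Review bot: The `debsources-guest` entry sets `method => 'trust'`, so PostgreSQL will accept any connection that names user `guest` on database `debsources` from `$base::public_addresses` without a credential; the source address becomes the only control, and every account or process on the exporting host can use it. If that is deliberate because `guest` is a read-only role, state it above the resource, for example `# guest is read-only; trust is intentional, access is limited by source address only`; otherwise drop the `method` line so this entry uses the same default as the first one. The first entry does not set `method`, so its strength depends on the default inside `postgres::cluster::hba_entry`, which is not visible in this diff. The commit also deletes the ferm rule that limited port 5440 to `sor.debian.org`, and nothing shown here opens the port again, so it is worth confirming that the collecting side manages the firewall for the same addresses. The enclosing class starts in the previous hunk.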