From: Peter Palfrader Date: Sat, 21 Sep 2019 09:58:58 +0000 (+0200) Subject: Attempt to enable melartin(mirrormaster) to ssh to all the mirrors/syncproxies X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=050a7a1b6b8de2ad9b3964f1a0b855e8ae3a660b;p=mirror%2Fdsa-puppet.git Attempt to enable melartin(mirrormaster) to ssh to all the mirrors/syncproxies
---
diff --git a/hieradata/nodes/melartin.debian.org.yaml b/hieradata/nodes/melartin.debian.org.yaml
index 3ccff770b..8a22ab94f 100644
--- a/hieradata/nodes/melartin.debian.org.yaml
+++ b/hieradata/nodes/melartin.debian.org.yaml
@@ -1,2 +1,3 @@
 classes:
 - roles::static_source
+ - roles::mirrormaster
diff --git a/modules/roles/manifests/archvsync_base.pp b/modules/roles/manifests/archvsync_base.pp
index d84c21b69..c61d3fbbb 100644
--- a/modules/roles/manifests/archvsync_base.pp
+++ b/modules/roles/manifests/archvsync_base.pp
@@ -18,4 +18,6 @@ class roles::archvsync_base {
 ensure => 'link',
 target => '/home/archvsync/.ssh/authorized_keys',
 }
+
+ Ferm::Rule::Simple <<| tag == 'ssh::server::allow' |>>
 }
diff --git a/modules/roles/manifests/mirrormaster.pp b/modules/roles/manifests/mirrormaster.pp
new file mode 100644
index 000000000..2d8d7d17c
--- /dev/null
+++ b/modules/roles/manifests/mirrormaster.pp
@@ -0,0 +1,11 @@
+# the mirrormaster needs to be able to ssh to all the syncproxies and mirrors
+# to update their config
+class roles::mirrormaster(
+) {
+ @@ferm::rule::simple { "dsa-ssh-from-mirrormaster-${::fqdn}":
+ tag => 'ssh::server::allow',
+ description => 'Allow ssh access from the mirrormaster',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
+}
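Review bot: The collector `Ferm::Rule::Simple <<| tag == 'ssh::server::allow' |>>` added to roles::archvsync_base realizes every exported rule carrying that tag, whichever node exported it, so the set of sources allowed to reach port 22 on the mirrors is decided by the exporters rather than by this class. The tag is generic; a purpose-specific tag, used both here and in the export in modules/roles/manifests/mirrormaster.pp, would keep unrelated exports out of the mirrors' firewall. Whether other manifests already export under this tag is not visible in the diff. A comment above the collector such as `# realizes the ssh allow rules exported by roles::mirrormaster` would document where the rules come from. The class body starts outside the hunk.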
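Review bot: `saddr => $base::public_addresses` in the exported rule depends on class `base` having been evaluated on the mirrormaster before this class, and nothing in the new file declares or checks that. If the variable resolves to undef or an empty list, the exported rule may end up with no source restriction for port 22, depending on how ferm::rule::simple treats a missing saddr, which is not visible here. A guard before the export, such as `if empty($base::public_addresses) { fail('roles::mirrormaster: no public addresses to export') }`, would turn that case into a compile failure instead. As a style point, the empty parameter list `class roles::mirrormaster( ) {` can be written `class roles::mirrormaster {`, as roles::archvsync_base does.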