From: Peter Palfrader Date: Sat, 25 Oct 2014 21:14:26 +0000 (+0200) Subject: Allow pg connections from pgbackuphost X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=28f3d5bd752b787b9448c7723c375ae51eda9e32;p=mirror%2Fdsa-puppet.git Allow pg connections from pgbackuphost --- diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 76e77a31d..e7016c896 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -263,12 +263,12 @@ class ferm::per-host { @ferm::rule { 'dsa-postgres-backup': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' } @ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' } } bmdb1: { @@ -324,12 +324,12 @@ class ferm::per-host { @ferm::rule { 'dsa-postgres-backup': # ubc, wuit description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))' + rule => '&SERVICE_RANGE(tcp, (5435 5436), ( $HOST_PGBACKUPHOST_V4 ))' } @ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))' + rule => '&SERVICE_RANGE(tcp, (5435 5436), ( $HOST_PGBACKUPHOST_V6 ))' } @ferm::rule { 'dsa-postgres-dedup': 
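Review bot: An empty `$HOST_PGBACKUPHOST_V4` or `$HOST_PGBACKUPHOST_V6` is now possible in the `dsa-postgres-backup` and `dsa-postgres-backup6` rules, where the replaced literals could never be empty. The single-quoted Puppet string hands the name to ferm unchanged, so the source list is whatever defs.conf holds for the `postgres_backup_server` role, and a role with no address in one family would give `( )`. `&SERVICE_RANGE` is defined outside this diff, so it is worth confirming that an empty source list produces no rule rather than an accept without a source restriction. The same applies to the hunks at lines 324 and 370; a comment such as `# source list: postgres_backup_server role, see defs.conf.erb` on each rule would record where the addresses come from. The host case branches these rules sit in start outside the hunks.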
@@ -370,34 +370,34 @@ class ferm::per-host { @ferm::rule { 'dsa-postgres-backup': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' } @ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' } } chopin: { @ferm::rule { 'dsa-postgres-backup': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))' + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' } @ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))' + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' } } sibelius: { @ferm::rule { 'dsa-postgres-backup': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' } @ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' } @ferm::rule { 'dsa-postgres-replication': description => 'Allow postgress access', diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb index 5f6a1413f..ebaf9e4a1 100644 --- a/modules/ferm/templates/defs.conf.erb +++ b/modules/ferm/templates/defs.conf.erb 
@@ -24,7 +24,7 @@ allnodeinfo = scope.lookupvar('site::allnodeinfo') roles = scope.lookupvar('site::roles') - %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo}.each do |role| + %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo postgres_backup_server}.each do |role| rolehost[role] = [] roles[role].each do |node| rolehost[role] << allnodeinfo[node]['ipHostNumber'] @@ -56,6 +56,10 @@ @def $HOST_DB_V6 = (<%= scope.function_filter_ipv6([rolehost['dbmaster']]).uniq.join(' ') %>); @def $HOST_DB = ( $HOST_DB_V4 $HOST_DB_V6 ); +@def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>); +@def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>); +@def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 ); + @def $HOST_STATICMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['static_master']]).uniq.join(' ') %>); @def $HOST_STATICMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['static_master']]).uniq.join(' ') %>); @def $HOST_STATIC_V4 = (<%= scope.function_filter_ipv4([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
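Review bot: `roles[role].each` in the loop body will raise on nil if `postgres_backup_server` is not a key of `site::roles`, and this diff does not add the role definition. Since the template feeds the firewall definitions, a missing role would presumably fail the template for every host that renders it, so the role data should land before or together with this change. An explicit guard at the top of the block, `raise Puppet::ParseError, "role #{role} is not defined in site::roles" unless roles[role]`, would make that failure self-explanatory. The `each` block continues past the end of the hunk.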
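Review bot: The new `$HOST_PGBACKUPHOST*` definitions carry no comment saying what they authorise, and they now decide which addresses may reach the PostgreSQL ports opened in `ferm::per-host`. Access follows membership of the `postgres_backup_server` role and each node's `ipHostNumber` instead of a literal in the manifest, so a change to either one widens database access without touching a firewall file. A ferm comment above the block, e.g. `# postgres_backup_server role: may connect to the PostgreSQL backup ports (see ferm::per-host)`, would make that visible to whoever edits the role data. The combined `$HOST_PGBACKUPHOST` is not referenced by any rule in this diff.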