From: Aurelien Jarno
Date: Sun, 22 Sep 2019 18:59:47 +0000 (+0200)
Subject: danzi: merge dsa-postgres-danzi and dsa-postgres-danzi6
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=53cba9c46f2ba494f2376b765c38bc4813c03cd3;hp=e6e108c7f741245f4a180f564d4dbc97780f50a0;p=mirror%2Fdsa-puppet.git
danzi: merge dsa-postgres-danzi and dsa-postgres-danzi6
Use a single rule for both. Also rename the rule and improve the description to make it clear that it concerns the main cluster. Drop the old IP addresses of wuiet and the old UBC subnet. Ideally we should have a least of host there, but that's already an improvement.
---
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 140ac7e35..92eaa7f4b 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -188,17 +188,12 @@ class ferm::per_host {
 ))
 | EOF
 }
- ferm::rule { 'dsa-postgres-danzi':
+ ferm::rule { 'dsa-postgres-main':
 # ubc, wuiet
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
- }
- ferm::rule { 'dsa-postgres-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
+ description => 'Allow postgress access to cluster: main',
+ domain => '(ip ip6)',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
 }
-
 ferm::rule { 'dsa-postgres2-danzi':
 description => 'Allow postgress access2',
 rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
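Review bot: The `# ubc, wuiet` comment left as context above `dsa-postgres-main` no longer describes the source list, since the new `rule` keeps only `209.87.16.0/24` and `2607:f8f0:614:1::/64` and both single-host entries are gone. On an allow-list for a database port the comment is what the next audit is read against, so it should change together with the list, e.g. `# ubc subnets only (v4 and v6)` if those two ranges are indeed the UBC ones. Separately, the merged rule puts an IPv4 and an IPv6 prefix into one list under `domain => '(ip ip6)'`; the definition of `&SERVICE_RANGE` is outside this hunk, so it is worth confirming that it filters the list per address family and that the generated ip6 ruleset still contains the 5433 accept. The enclosing `ferm::per_host` class starts and ends outside the hunk.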