From: Aurelien Jarno Date: Sun, 22 Sep 2019 19:05:55 +0000 (+0200) Subject: danzi: merge dsa-postgres2-danzi and dsa-postgres2-danzi6 X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=6849c0d133f88df75366cf25a663e52409eac389;hp=53cba9c46f2ba494f2376b765c38bc4813c03cd3;p=mirror%2Fdsa-puppet.git danzi: merge dsa-postgres2-danzi and dsa-postgres2-danzi6 Use a single rule for both. Also rename the rule and improve the description to make it clear that it concerns the debconf cluster. Only allow access from debussy instead of the whole subnet.
---
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 92eaa7f4b..10b99f8c9 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -194,14 +194,15 @@ class ferm::per_host {
 domain => '(ip ip6)',
 rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
 }
- ferm::rule { 'dsa-postgres2-danzi':
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
- }
- ferm::rule { 'dsa-postgres2-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))'
+ ferm::rule { 'dsa-postgres-debconf':
+ description => 'Allow postgress access to cluster: debconf',
+ domain => '(ip ip6)',
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5434, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
+ \$HOST_PGBACKUPHOST
+ ))
+ | EOF
 }
 ferm::rule { 'dsa-postgres-wannabuild':
 description => 'Allow postgress access to cluster: wannabuild',
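Review bot: The new source list for `dsa-postgres-debconf` admits `$HOST_PGBACKUPHOST` as well as debussy, although the commit message says access is limited to debussy. The removed rules named only the two subnets, so it is worth confirming the backup host is meant to be here and recording it next to the rule, e.g. `# debconf cluster (5434): debussy plus the postgres backup host`. The debussy addresses come from `getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber')`, and the hunk does not show what happens when that lookup returns nothing; please confirm it fails the catalog compile rather than silently dropping debussy from the rule. The neighbouring 5433 rule in the context lines still allows the whole `209.87.16.0/24` and `2607:f8f0:614:1::/64`, so the same tightening may apply there. The enclosing `ferm::per_host` class starts and ends outside this hunk.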