From: Julien Cristau
Date: Sun, 29 Sep 2019 14:21:12 +0000 (+0200)
Subject: Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=7ca975698c14415282e911881890b3b7d8f8dc68;hp=bf2f551aac2f30c2010f62b4efa53451c3c9a1f5;p=mirror%2Fdsa-puppet.git

Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
---

diff --git a/modules/ferm/manifests/rule/chain.pp b/modules/ferm/manifests/rule/chain.pp
new file mode 100644
index 000000000..50ae56ba4
--- /dev/null
+++ b/modules/ferm/manifests/rule/chain.pp
@@ -0,0 +1,32 @@
+# Create an (empty) chain
+#
+# @param domain netfilter domain: ip (IPv4), ip6 (IPv6), or both.
+# @param table netfilter table
+# @param chain netfilter chain
+# @param description a description of the rule
+# @param prio Priority/Order of the rule
+define ferm::rule::chain (
+  String $chain,
+  String $description = '',
+  Variant[Enum['ip', 'ip6'], Array[Enum['ip', 'ip6']]] $domain = ['ip', 'ip6'],
+  String $table = 'filter',
+  String $prio = '10',
+) {
+  include ferm
+
+  $real_domain = Array($domain, true)
+
+  file {
+    "/etc/ferm/dsa.d/${prio}_${name}":
+      ensure  => 'present',
+      mode    => '0400',
+      notify  => Exec['ferm reload'],
+      content => inline_template( @(EOF) ),
+        domain (<%= @real_domain.join(' ') %>) {
+          table <%= @table %> {
+            chain <%= @chain %> {}
+          }
+        }
+        | EOF
+  }
+}
diff --git a/modules/postgres/manifests/backup_cluster.pp b/modules/postgres/manifests/backup_cluster.pp
index 172f33c08..dcbf28f67 100644
--- a/modules/postgres/manifests/backup_cluster.pp
+++ b/modules/postgres/manifests/backup_cluster.pp
@@ -65,7 +65,7 @@ define postgres::backup_cluster(
     pg_cluster => $pg_cluster,
     pg_port    => $pg_port,
     database   => 'replication',
-    user       => db_backup_role,
+    user       => $db_backup_role,
     address    => $backup_servers_addrs,
   }
   postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
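Review bot: `$description` is declared and documented in the new define but never used — neither the file resource nor the inline template references it, so the description callers pass is silently dropped; the simplest fix is to emit it as the first template line, `# <%= @description %>`, or to drop the parameter. `$chain` and the resource title `$name` are interpolated into the ferm fragment and its path without validation, and `String` accepts anything; a `Pattern[/\A[A-Za-z0-9_.-]+\z/]` type on `$chain` (and a digits-only pattern on `$prio`, which also decides the fragment's load order) would stop a malformed value from producing a fragment that breaks `ferm reload` for every rule on the host. The `@param` list should also say that the resource title becomes part of the file name under `/etc/ferm/dsa.d/`, and the file resource sets `mode` but leaves `owner`/`group` implicit.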
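Review bot: The context line right after the fixed `user` attribute carries what looks like a stray brace in the resource title, `"backup-role-${::fqdn}}-${pg_port}"`, which puts a literal `}` into the title (`backup-role-<fqdn>}-<port>`); if nothing matches on that exact title it is harmless, but it reads as a typo and should be `"backup-role-${::fqdn}-${pg_port}"`. The bareword-to-variable fix itself is correct. The body of `postgres::backup_cluster` continues on both sides of the hunk.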
diff --git a/modules/postgres/manifests/cluster.pp b/modules/postgres/manifests/cluster.pp
index 424d35458..92f87d160 100644
--- a/modules/postgres/manifests/cluster.pp
+++ b/modules/postgres/manifests/cluster.pp
@@ -50,6 +50,10 @@ define postgres::cluster(
     command     => "systemctl reload postgresql@${real_version}-${real_cluster}.service",
     refreshonly => true,
   }
+  ferm::rule::chain { "postgres::cluster::hba_entry::chain::pg-${real_port}":
+    description => "chain for pg${real_version}/${real_cluster}",
+    chain       => "pg-${real_port}",
+  }
   ferm::rule::simple { "postgres::cluster::hba_entry::${real_version}::${real_cluster}":
     description => "check access to pg${real_version}/${real_cluster}",
     port        => $real_port,
diff --git a/modules/roles/manifests/bacula/director.pp b/modules/roles/manifests/bacula/director.pp
index 91b198dd0..e74f2e51f 100644
--- a/modules/roles/manifests/bacula/director.pp
+++ b/modules/roles/manifests/bacula/director.pp
@@ -12,7 +12,7 @@ class roles::bacula::director(
     tag      => "postgres::cluster::${pg_port}::hba::${pg_server}",
     pg_port  => $pg_port,
     database => 'bacula',
-    user     => ['bacula', 'bacula-${::hostname}-reader', 'nagios'],
+    user     => ['bacula', "bacula-${::hostname}-reader", 'nagios'],
     address  => $base::public_addresses,
   }
 }
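Review bot: The new `ferm::rule::chain` resource creates an empty chain `pg-${real_port}` that nothing else in this hunk references, so a reader cannot tell which resource is expected to jump into it; a one-line comment above it naming the producer of those rules would help. Its fragment lands in `/etc/ferm/dsa.d/` with the define's default `prio` of `'10'`, and if the rules that target the chain get the same default their relative load order is decided by filename sort alone; unless ferm is known to accept a forward reference to a chain, pass an explicit lower value here (for example `prio => '05'`). The `description` passed here is not emitted by `ferm::rule::chain` as added in this merge. The body of `postgres::cluster` continues past the hunk.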
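Review bot: `"bacula-${::hostname}-reader"` now interpolates the fact as intended, but the top-scope `$::hostname` spelling is the legacy form; `$facts['hostname']` is the documented way to read a fact and cannot be shadowed by a same-named variable in an enclosing scope, so `"bacula-${facts['hostname']}-reader"` would be the preferred form. The other hunks on this page use `$::fqdn` the same way, so either change them together or leave all of them as is for consistency. The resource starts above the hunk inside `roles::bacula::director`.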