From: Peter Palfrader
Date: Tue, 24 Sep 2019 06:00:00 +0000 (+0200)
Subject: Switch bacula director->client firewalling to store/collect
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=93aa8a665a0d34bfe7a16c4e65dbd4875feac197;p=mirror%2Fdsa-puppet.git

Switch bacula director->client firewalling to store/collect
---
diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp
index 08502b71d..5a8f41f1f 100644
--- a/modules/bacula/manifests/client.pp
+++ b/modules/bacula/manifests/client.pp
@@ -24,6 +24,11 @@ class bacula::client(
 | EOF
     tag => $bacula::tag_bacula_dsa_client_list,
   }
+
+  # allow access from director
+  Ferm::Rule::Simple <<| tag == 'bacula::director-to-fd' |>> {
+    port => $bacula::bacula_client_port
+  }
 } elsif $ensure == 'absent' {
   file { '/etc/bacula':
     ensure => absent,
@@ -96,10 +101,4 @@ class bacula::client(
       ensure => absent,
     }
   }
-
-  ferm::rule { 'dsa-bacula-fd':
-    domain => '(ip ip6)',
-    description => 'Allow bacula access from storage and director',
-    rule => "proto tcp mod state state (NEW) dport (${bacula::bacula_client_port}) saddr (${bacula::bacula_director_ip_addrs}) ACCEPT",
-  }
 }
diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp
index df425f8bb..3b62c5962 100644
--- a/modules/bacula/manifests/director.pp
+++ b/modules/bacula/manifests/director.pp
@@ -111,4 +111,11 @@ class bacula::director inherits bacula {
     order => '00',
   }
   Concat::Fragment <<| tag == $bacula::tag_bacula_dsa_client_list |>>
+
+  @@ferm::rule::simple { "bacula::director-to-fd::${::fqdn}":
+    tag => 'bacula::director-to-fd',
+    description => 'Allow bacula-fd from the bacula-director',
+    port => '7', # overridden on collecting
+    saddr => $bacula::public_addresses,
+  }
 }
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index 3ec270d3f..270d0708e 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
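Review bot: The collector `Ferm::Rule::Simple <<| tag == 'bacula::director-to-fd' |>>` hard-codes the tag string, while the exported fragment just above it takes its tag from a class parameter (`$bacula::tag_bacula_dsa_client_list`); the same literal is repeated in director.pp, so a `$bacula::tag_bacula_director_to_fd` parameter in init.pp would keep the exporting and collecting sides from drifting apart. It is also worth a comment that the collector applies any exported resource carrying that tag — whatever `saddr` was exported is opened on `$bacula::bacula_client_port` on every client — which is the usual exported-resource trust model but is not stated here, e.g. `# collects the director's exported rule; every exported ferm::rule::simple with this tag is applied on this host`. The removed rule's description also named the storage host; if the storage daemon ever needs to reach the fd, nothing exports a rule for it now (presumably fine, since the fd connects to the sd, but worth confirming). The enclosing if/elsif continues past the hunk.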
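Review bot: `port => '7', # overridden on collecting` exports a live placeholder: port 7 is what any collector that does not override `port` will open, and the override in client.pp is the only thing preventing that. Since `bacula::director` inherits `bacula`, the real value is already in scope, so `port => $bacula::bacula_client_port,` can be exported directly and the collector override becomes a harmless safety net (unless clients are expected to listen on per-host ports, which nothing here suggests). The old rule restricted matches to `mod state state (NEW)` and covered both families via `domain => '(ip ip6)'`; whether `ferm::rule::simple` does the same is not visible in this diff, so it is worth confirming the collected rule still matches both the v4 and v6 entries of `$bacula::public_addresses`. Note that the allowed source addresses now come from the director node's own `$base::public_addresses` rather than a reviewed constant in init.pp, so an empty or stale value on that node silently changes what the clients accept.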
@@ -1,4 +1,6 @@
 # bacula class -- defines all the variables we care about in our bacula deployment
+#
+# @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
 class bacula (
   String $bacula_operator_email = 'bacula-reports@admin.debian.org',
   String $bacula_director_name = 'debian-dir',
@@ -10,7 +12,6 @@ class bacula (
   String $bacula_pool_name = 'debian',
   # use IP address for ferm.
-  String $bacula_director_ip_addrs = '82.195.75.77 2001:41b8:202:deb::311:77',
   String $bacula_director_address = 'dinis.debian.org',
   Integer $bacula_director_port = 9101,
   String $bacula_storage_address = 'storace.debian.org',
@@ -35,6 +36,8 @@ class bacula (
   String $bacula_dsa_client_list = '/etc/bacula/dsa-clients',
   String $tag_bacula_dsa_client_list = 'bacula::dsa::clientlist',
+
+  Array[Stdlib::IP::Address] $public_addresses = $base::public_addresses,
 ) {
   file { '/usr/local/sbin/bacula-idle-restart':
     mode => '0555',
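Review bot: The new `@param public_addresses` line has a typo, `outsite` → `outside`, and since it is the only documented parameter it could also say where the default comes from, e.g. `# @param public_addresses this host's public IP addresses (the ones it connects out from and is reachable from outside); defaults to $base::public_addresses, so class base is presumably expected to be evaluated first.` The `$base::public_addresses` default itself is in the third hunk, which is cut off in this excerpt.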
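Review bot: The context line `# use IP address for ferm.` described the parameter removed directly below it, `$bacula_director_ip_addrs`; with that line gone the comment now sits above `$bacula_director_address = 'dinis.debian.org'`, which is a hostname, not an IP. It should be removed in the same hunk so the next reader does not take it as a hint that the address must be numeric.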