From: Julien Cristau
Date: Sun, 6 Aug 2017 19:45:09 +0000 (-0400)
Subject: ferm: accept syslog from fastly IPs
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=9494eea3b67c902f3fa0eedc3e77ae79e755174e;p=mirror%2Fdsa-puppet.git
ferm: accept syslog from fastly IPs
---
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index c68e4b6bb..7dca2520f 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -44,6 +44,10 @@ class ferm::per_host {
 description => 'Allow syslog access',
 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
 }
+ @ferm::rule { 'fastly-syslog':
+ description => 'Allow syslog access',
+ rule => '&SERVICE_RANGE(tcp, 5140, $HOST_FASTLY)'
+ }
 }
 kaufmann: {
 @ferm::rule { 'dsa-hkp':
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 7c53bb90f..25468cfab 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -73,6 +73,14 @@
 @def $HOST_RCODE0_V6 = (2A02:850:8::/47);
 @def $HOST_NETNOD_V4 = (192.71.80.0/24 192.36.144.222 192.36.144.218);
+<%=
+def getfastlyranges()
+ data = YAML.safe_load(File.open("/srv/puppet.debian.org/puppet-facts/fastly_ranges.yaml").read)
+ return data.addresses
+end
+%>
+@def $HOST_FASTLY = (<%= getfastlyranges().join(' ') %>);
+
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
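Review bot: The new 'fastly-syslog' rule admits tcp/5140 from every address in $HOST_FASTLY, and a CDN's published ranges normally carry traffic for all of its customers, so the source address alone does not show that a connection comes from Debian's own Fastly service. Nothing in this hunk shows whether the listener on 5140 authenticates senders; if it relies on the firewall, it should get TLS client verification or a per-service token before the port is opened, and a comment on the rule should say which control applies. The description is also identical to the existing rule's, so `description => 'Allow syslog access from Fastly ranges',` would keep the two apart in the generated ruleset. The enclosing case branch starts above the hunk.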
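Review bot: `return data.addresses` in the new getfastlyranges() will raise NoMethodError, because YAML.safe_load returns a plain Hash for a mapping; the list has to be read as `data['addresses']` (assuming the file is a mapping with that key). The definition is also wrapped in `<%= … %>`, so on Ruby 2.1 or later the symbol returned by `def` is printed into the generated ferm definitions; a non-printing `<% … %>` tag avoids that. Because this list decides who may reach tcp/5140, the sketch below fails the compile when the list is missing or empty and rejects entries containing anything other than address/CIDR characters, rather than copying the file's contents into the firewall config unchecked. It also uses File.read so the file handle is not left open.

```erb
<%
def getfastlyranges()
  data = YAML.safe_load(File.read("/srv/puppet.debian.org/puppet-facts/fastly_ranges.yaml"))
  ranges = data.is_a?(Hash) ? data['addresses'] : nil
  unless ranges.is_a?(Array) && !ranges.empty?
    raise Puppet::ParseError, "fastly_ranges.yaml: expected a non-empty 'addresses' list"
  end
  # Only address/CIDR characters may reach the ferm definition.
  bad = ranges.reject { |r| r.to_s =~ /\A[0-9A-Fa-f:.]+(\/\d{1,3})?\z/ }
  raise Puppet::ParseError, "fastly_ranges.yaml: unexpected entries #{bad.inspect}" unless bad.empty?
  ranges
end
%>
<%# … unchanged: @def $HOST_FASTLY line … %>
```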