From: Peter Palfrader
Date: Sat, 21 Sep 2019 10:02:14 +0000 (+0200)
Subject: retire old-style firewalling for mirrormaster sshing to the mirror nodes
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=a4f1af760e5f48eace1070239af4c01b1676e0b1;p=mirror%2Fdsa-puppet.git
retire old-style firewalling for mirrormaster sshing to the mirror nodes
---
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 17253c3f6..e4990b1f8 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -59,9 +59,6 @@ roles:
 # XXX - ONLY used by ferm templates/defs.conf.erb
 - mailly.debian.org
 - muffat.debian.org
- mirrormaster:
- # XXX - used by ferm templates/defs.conf.erb
- - melartin.debian.org
 muninmaster:
 # XXX - used by ferm templates/defs.conf.erb
 - menotti.debian.org
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 365fdc8a4..08beaa0eb 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@ allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
 roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
+ %w{mailrelay nagiosmaster muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
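Review bot: Nothing visible in this diff shows that the names retired here are unused elsewhere. The shortened `%w{...}` list in defs.conf.erb stops populating `rolehost['mirrormaster']`, and the later hunks drop `$HOST_MIRRORMASTER_V4`/`$HOST_MIRRORMASTER_V6` and their use in me.conf.erb, so a leftover reference in another ferm snippet would presumably stop the generated ruleset from loading; a repository-wide search for `MIRRORMASTER` and `rolehost['mirrormaster']` belongs with this change. The replacement rule for mirrormaster SSH is not part of this diff, so it is worth confirming that it is limited to the same source addresses and the same mirror roles as the removed block in me.conf.erb rather than anything broader. A short comment above the list, for example `# every role named here must exist under roles: in hieradata/common.yaml`, would document the coupling that the `XXX - used by ferm templates/defs.conf.erb` markers only hint at, since `roles[role].each` two lines below has no guard for a missing key. The `each do |role|` block continues past the end of the hunk.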
@@ -65,8 +65,6 @@
 @def $HOST_PORTSMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ports_master']]).uniq.join(' ') %>);
 @def $HOST_ARCHIVEMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['historical_master']]).uniq.join(' ') %>);
 @def $HOST_ARCHIVEMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['historical_master']]).uniq.join(' ') %>);
-@def $HOST_MIRRORMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['mirrormaster']]).uniq.join(' ') %>);
-@def $HOST_MIRRORMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['mirrormaster']]).uniq.join(' ') %>);
 @def $HOST_SYNCPROXY_V4 = (<%= scope.function_filter_ipv4([rolehost['syncproxy']]).uniq.join(' ') %>);
 @def $HOST_SYNCPROXY_V6 = (<%= scope.function_filter_ipv6([rolehost['syncproxy']]).uniq.join(' ') %>);
 # syncproxy.au syncproxy2.eu syncproxy3.eu syncproxy4.eu
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 072c2c08a..6bd95df6b 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -41,14 +41,6 @@ if should_restrict then
 ssh6allowed << %w{$HOST_DEBIAN_V6}
 end
- if scope.function_has_role(['debian_mirror']) or
- scope.function_has_role(['security_mirror']) or
- scope.function_has_role(['debug_mirror']) or
- scope.function_has_role(['historical_mirror']) or
- scope.function_has_role(['syncproxy']) then
- ssh4allowed << '$HOST_MIRRORMASTER_V4'
- ssh6allowed << '$HOST_MIRRORMASTER_V6'
- end
 if scope.function_has_role(['debian_mirror']) or
 scope.function_has_role(['syncproxy']) then
 ssh4allowed << '$HOST_SYNCPROXY_V4'