From: Tollef Fog Heen
Date: Mon, 7 Aug 2017 16:30:18 +0000 (+0200)
Subject: Allow traffic from Fastly to 5141 instead and set up syslog-ng rules
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=a9bd0396f79339214576a881e6efcf679e53ed5c;p=mirror%2Fdsa-puppet.git
Allow traffic from Fastly to 5141 instead and set up syslog-ng rules
---
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 7dca2520f..6b4fceadc 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -46,7 +46,7 @@ class ferm::per_host {
 }
 @ferm::rule { 'fastly-syslog':
 description => 'Allow syslog access',
- rule => '&SERVICE_RANGE(tcp, 5140, $HOST_FASTLY)'
+ rule => '&SERVICE_RANGE(tcp, 5141, $HOST_FASTLY)'
 }
 }
 kaufmann: {
diff --git a/modules/syslog_ng/templates/syslog-ng.conf.erb b/modules/syslog_ng/templates/syslog-ng.conf.erb
index 6a3688c8e..89c77ed91 100644
--- a/modules/syslog_ng/templates/syslog-ng.conf.erb
+++ b/modules/syslog_ng/templates/syslog-ng.conf.erb
@@ -132,6 +132,16 @@ source s_network {
 };
 <%- end -%>
+<%- if (@hostname == "lully") -%>
+source s_network_fastly {
+ tcp6(port(5141) max-connections(100)
+ tls( key_file("/etc/exim4/ssl/thishost.key")
+ cert_file("/etc/exim4/ssl/thishost.crt")
+ peer-verify(optional-untrusted))
+ );
+};
+<%- end -%>
+
 ######
 # destinations
@@ -557,3 +567,11 @@ log { source(s_local); source(s_network); filter(f_syslog); destination(df_ALL_syslog); };
 <%- end -%>
+
+<%- if (@hostname == "lully") -%>
+destination fastly { file("/var/log/fastly.log" };
+
+log { source(s_network_fastly);
+ destination(fastly); };
+
+<%- end -%>
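Review bot: `peer-verify(optional-untrusted)` in the new `s_network_fastly` source means a client certificate is neither required nor validated, so TLS here only encrypts the transport and the listener does not authenticate the sender. The only sender restriction visible in this commit is the ferm rule limiting tcp/5141 to `$HOST_FASTLY`; if that range consists of shared CDN egress addresses (not visible here), any party able to originate traffic from it can write into the log. If the sending side can present a client certificate, prefer `peer-verify(required-trusted)` together with `ca-dir("<CA_DIR>")`; otherwise record the trust assumption above the block, e.g. `# no client-cert check: sender identity rests on the ferm 'fastly-syslog' rule`. The source also reuses the exim4 key pair under `/etc/exim4/ssl/`, which exposes the MTA's private key to a second network-facing service.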
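Review bot: The added `destination fastly` line is missing the closing parenthesis of `file(...)`, so the rendered syslog-ng.conf on lully will likely fail to parse and syslog-ng may refuse to start or reload; it should read `destination fastly { file("/var/log/fastly.log"); };`. Because the data arrives from a network source that does not verify its peer, consider setting `owner()`, `group()` and `perm()` on the file explicitly. Log rotation for `/var/log/fastly.log` is not visible in this commit and should be confirmed, so that a noisy or hostile sender cannot fill the disk.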