From: Peter Palfrader
Date: Sat, 21 Sep 2019 10:24:22 +0000 (+0200)
Subject: on ftp, ports, and security-master: store ssh allows to be collected on the syncproxies
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=cb1653b870f26dacdf6444dcd7520b0556018bfa;p=mirror%2Fdsa-puppet.git
on ftp, ports, and security-master: store ssh allows to be collected on the syncproxies
---
diff --git a/modules/roles/manifests/ftp_master.pp b/modules/roles/manifests/ftp_master.pp
index 776758931..f8d6f877e 100644
--- a/modules/roles/manifests/ftp_master.pp
+++ b/modules/roles/manifests/ftp_master.pp
@@ -11,4 +11,12 @@ class roles::ftp_master {
 key => true,
 tlsaport => [443, 1873],
 }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::ftp-master',
+ description => 'Allow ssh access from ftp-master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/roles/manifests/ports_master.pp b/modules/roles/manifests/ports_master.pp
index 5fb48ba32..31c650303 100644
--- a/modules/roles/manifests/ports_master.pp
+++ b/modules/roles/manifests/ports_master.pp
@@ -18,4 +18,12 @@ class roles::ports_master {
 chown_user => mini-dak-unpriv,
 root => '/srv/ports-master.debian.org/ftp.upload',
 }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::ports-master',
+ description => 'Allow ssh access from ports-master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/roles/manifests/security_master.pp b/modules/roles/manifests/security_master.pp
index 83685a884..6f92d33a2 100644
--- a/modules/roles/manifests/security_master.pp
+++ b/modules/roles/manifests/security_master.pp
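Review bot: The exported resource title in ftp_master.pp, `"dsa-ssh-from-syncproxy-${::fqdn}"`, names the wrong direction and is the same string in all three roles. The rule's `saddr` is this host's `$base::public_addresses` and the description reads 'Allow ssh access from ftp-master', so the title should say the same, e.g. `@@ferm::rule::simple { "dsa-ssh-from-ftp-master-${::fqdn}":`. With the shared title, a node that ever includes two of these roles would declare the same `ferm::rule::simple` twice and its catalog would fail to compile. The misleading name also makes the resulting allow rule harder to audit on the collecting hosts. The ports_master.pp and security_master.pp hunks carry the same title and need the same change.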
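Review bot: The comment above the new rule in ports_master.pp does not say that the resource is exported rather than applied on this host, nor which machines end up with it. Because the rule opens tcp/22 on other hosts, a reader auditing the firewall should be able to see that from the manifest, for example `# exported, not applied on this host: collected on the syncproxies to allow ssh from our public addresses`. The identical comment in the ftp_master.pp and security_master.pp hunks would benefit from the same wording.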
@@ -11,4 +11,12 @@ class roles::security_master {
 max_clients => 50,
 sslname => 'security-master.debian.org',
 }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::security-master',
+ description => 'Allow ssh access from security-master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
 }
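Review bot: The title in security_master.pp interpolates `${::fqdn}`, which is an agent-reported fact, and the allowed source list comes from `$base::public_addresses`, whose origin is not visible in this hunk. If that variable is also built from facts, every host that collects this rule opens port 22 to whatever addresses the exporting node reports, so it is worth confirming that it comes from Hiera or another server-side source. For the title, `$trusted['certname']` is the certificate-verified name: `@@ferm::rule::simple { "dsa-ssh-from-syncproxy-${trusted['certname']}":`. The ferm rule is only the outer layer; the sshd-side restrictions on the collecting hosts are not part of this commit and should be reviewed alongside it. The ftp_master.pp and ports_master.pp hunks have the same shape.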