From: Peter Palfrader
Date: Tue, 31 Jan 2017 08:23:31 +0000 (+0100)
Subject: try to setup firewall rules for bgp on bilbao
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=d551cf8d994dbfe75b4406e512796544881ac714;p=mirror%2Fdsa-puppet.git
try to setup firewall rules for bgp on bilbao
---
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 1e6822a65..4eaf9873f 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -267,3 +267,5 @@ roles:
 - ticharich.debian.org
 - villa.debian.org
 - wieck.debian.org
+ bgp:
+ - bilbao.debian.org
diff --git a/modules/roles/manifests/bgp.pp b/modules/roles/manifests/bgp.pp
new file mode 100644
index 000000000..d3fbb390b
--- /dev/null
+++ b/modules/roles/manifests/bgp.pp
@@ -0,0 +1,16 @@
+class roles::bgp {
+ $bgp_peers = $::hostname ? {
+ bilbao => '2001:41c9:2:13c::/128 89.16.162.0/32',
+ default => undef,
+ }
+
+ if ! $bgp_peers {
+ fail("Do not have bgp_peers set for $::hostname.")
+ }
+
+ @ferm::rule { 'dsa-bgp':
+ description => 'Allow BGP from peers',
+ domain => '(ip ip6)',
+ rule => '&SERVICE_RANGE(tcp, ssh, $bgp_peers)'
+ }
+}
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 4c07f648b..978be8111 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -316,4 +316,7 @@ class roles {
 if has_role('onionbalance') {
 include onion::balance
 }
+ if has_role('bgp') {
+ include roles::bgp
+ }
 }
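Review bot: The `rule` line of the `dsa-bgp` ferm rule in `modules/roles/manifests/bgp.pp` names the `ssh` service, so as written it would open TCP 22 to the peer prefixes although the description says 'Allow BGP from peers'; a BGP session needs the `bgp` service (TCP 179) instead. The value is also single-quoted, so Puppet does not interpolate `$bgp_peers` and ferm receives the literal text `$bgp_peers`, which only resolves if a ferm variable of that name is defined elsewhere (not visible in this diff). I would change the line to `rule => "&SERVICE_RANGE(tcp, bgp, (${bgp_peers}))"`, where the parentheses assume SERVICE_RANGE expects a ferm list when more than one source is given. A short comment above the selector, such as `# BGP neighbour addresses per host; add an entry here before assigning the bgp role`, would explain why the class fails for hosts that are not listed.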