From 0ea057452a4fb807add958781fc70cd54189f98d Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Mon, 30 Sep 2019 07:55:30 +0200 Subject: [PATCH] manage ullmann/udd pg_hba
---
data/common.yaml | 3 +++ data/nodes/master.debian.org.yaml | 3 +++ data/nodes/ullmann.debian.org.yaml | 2 +- modules/ferm/manifests/per_host.pp | 16 --------------- modules/roles/manifests/api_ftp_master.pp | 3 +++ modules/roles/manifests/buildd_master.pp | 2 ++ modules/roles/manifests/master.pp | 5 +++++ modules/roles/manifests/qamaster.pp | 2 ++ modules/roles/manifests/release.pp | 1 + modules/roles/manifests/udd.pp | 4 ++++ .../roles/manifests/udd/db_guest_access.pp | 20 +++++++++++++++++++ modules/roles/manifests/udd/params.pp | 9 +++++++++ 12 files changed, 53 insertions(+), 17 deletions(-) create mode 100644 modules/roles/manifests/master.pp create mode 100644 modules/roles/manifests/udd/db_guest_access.pp create mode 100644 modules/roles/manifests/udd/params.pp
diff --git a/data/common.yaml b/data/common.yaml
index 0e4cac831..e9afc7266 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -69,6 +69,9 @@ roles::rtmaster::db_port: 5433
 roles::sso::db_address: danzi.debian.org
 roles::sso::db_port: 5433
+roles::udd::params::db_address: ullmann.debian.org
+roles::udd::params::db_port: 5452
+
 roles::ftp_master::db_port: 5433
 roles::postgresql::ftp_master_dak_replica::db_server: fasolo.debian.org
diff --git a/data/nodes/master.debian.org.yaml b/data/nodes/master.debian.org.yaml
index 891db1fa0..5120f569f 100644
--- a/data/nodes/master.debian.org.yaml
+++ b/data/nodes/master.debian.org.yaml
@@ -1,2 +1,5 @@
 ---
+classes:
+ - roles::master
+
 roles::mta::heavy: true
diff --git a/data/nodes/ullmann.debian.org.yaml b/data/nodes/ullmann.debian.org.yaml
index 03028e8b7..9d2788ea2 100644
--- a/data/nodes/ullmann.debian.org.yaml
+++ b/data/nodes/ullmann.debian.org.yaml
@@ -3,5 +3,5 @@ classes:
 - roles::udd
 - roles::postgresql::server
-# roles::postgresql::server::manage_clusters_hba: true
+roles::postgresql::server::manage_clusters_hba: true
 roles::postgresql::server::backups: false
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index e04d66ff3..7c9e170a4 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -86,22 +86,6 @@ class ferm::per_host {
 # postgres stuff
 case $::hostname {
- ullmann: {
- ferm::rule { 'dsa-postgres-udd':
- description => 'Allow postgress access',
- domain => '(ip ip6)',
- # quantz, master, coccia
- rule => @("EOF")
- &SERVICE_RANGE(tcp, 5452, (
- ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
- ${ join(getfromhash($deprecated::allnodeinfo, 'master.debian.org', 'ipHostNumber'), " ") }
- ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
- ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
- ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
- ))
- | EOF
- }
- }
 bmdb1: {
 ferm::rule { 'dsa-postgres-main':
 description => 'Allow postgress access to cluster: main',
diff --git a/modules/roles/manifests/api_ftp_master.pp b/modules/roles/manifests/api_ftp_master.pp
index b60246958..61b9d3785 100644
--- a/modules/roles/manifests/api_ftp_master.pp
+++ b/modules/roles/manifests/api_ftp_master.pp
@@ -4,4 +4,7 @@ class roles::api_ftp_master {
 notify => Exec['service apache2 reload'],
 key => true,
 }
+
+ # is api_ftp_master the right role to put this in?
+ include roles::udd::db_guest_access
 }
diff --git a/modules/roles/manifests/buildd_master.pp b/modules/roles/manifests/buildd_master.pp
index fd5154cef..3d4d449c9 100644
--- a/modules/roles/manifests/buildd_master.pp
+++ b/modules/roles/manifests/buildd_master.pp
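Review bot: Flipping `roles::postgresql::server::manage_clusters_hba` to `true` hands the pg_hba.conf of every cluster on ullmann to Puppet, so any entry still maintained by hand there and not expressed as a collected `postgres::cluster::hba_entry` is presumably dropped on the next agent run. Before this lands it is worth comparing the live pg_hba.conf with what the catalog will write, keeping in mind that the `udd-guest-*` entries exported by this commit only exist for hosts that have already applied the new roles. The line was previously commented out, which suggests a deliberate choice; a one-line comment above it recording why it is now safe to enable, such as `# hba entries for the udd cluster are now exported from roles::udd::db_guest_access`, would help whoever touches this next.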
@@ -35,4 +35,6 @@ class roles::buildd_master (
 user => 'all',
 address => $base::public_addresses,
 }
+
+ include roles::udd::db_guest_access
 }
diff --git a/modules/roles/manifests/master.pp b/modules/roles/manifests/master.pp
new file mode 100644
index 000000000..718ddca08
--- /dev/null
+++ b/modules/roles/manifests/master.pp
@@ -0,0 +1,5 @@
+# master.debian.org role, generic DD shell stuff
+#
+class roles::master {
+ include roles::udd::db_guest_access
+}
diff --git a/modules/roles/manifests/qamaster.pp b/modules/roles/manifests/qamaster.pp
index 94bb67568..66ba8381b 100644
--- a/modules/roles/manifests/qamaster.pp
+++ b/modules/roles/manifests/qamaster.pp
@@ -8,4 +8,6 @@ class roles::qamaster {
 owner => 'qa',
 group => 'qa',
 }
+
+ include roles::udd::db_guest_access
 }
diff --git a/modules/roles/manifests/release.pp b/modules/roles/manifests/release.pp
index 077ee0ddd..14015ee86 100644
--- a/modules/roles/manifests/release.pp
+++ b/modules/roles/manifests/release.pp
@@ -3,4 +3,5 @@ class roles::release {
 include roles::buildd_master::db_guest_access
+ include roles::udd::db_guest_access
 }
diff --git a/modules/roles/manifests/udd.pp b/modules/roles/manifests/udd.pp
index ec966278f..4267b0bd3 100644
--- a/modules/roles/manifests/udd.pp
+++ b/modules/roles/manifests/udd.pp
@@ -10,4 +10,8 @@ class roles::udd {
 }
 include roles::buildd_master::db_guest_access
+
+ class { 'roles::udd::db_guest_access':
+ database => ['udd', 'udd-dev'],
+ }
 }
diff --git a/modules/roles/manifests/udd/db_guest_access.pp b/modules/roles/manifests/udd/db_guest_access.pp
new file mode 100644
index 000000000..d848722cc
--- /dev/null
+++ b/modules/roles/manifests/udd/db_guest_access.pp
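Review bot: `class { 'roles::udd::db_guest_access': database => ['udd', 'udd-dev'], }` in udd.pp is a resource-like declaration, whereas api_ftp_master.pp, buildd_master.pp, master.pp, qamaster.pp and release.pp all `include` the same class; should a node ever carry roles::udd alongside one of those roles and evaluate the include first, catalog compilation fails with a duplicate class declaration. Supplying the database list through automatic parameter lookup instead (a hiera key named after the class parameter, e.g. `roles::udd::db_guest_access::database` in ullmann's node data) would let udd.pp use `include roles::udd::db_guest_access` like the other roles and remove that ordering dependency. This is also the only place `udd-dev` is exposed to the guest user, so a short comment on the declaration saying so would make the wider grant easy to spot. The body of roles::udd starts before the hunk.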
@@ -0,0 +1,20 @@
+# udd guest access to DB
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+# @param database list of databases to give access to
+class roles::udd::db_guest_access (
+ String $db_address = $roles::udd::params::db_address,
+ Integer $db_port = $roles::udd::params::db_port,
+ Array[String] $database = ['udd']
+) inherits roles::udd::params {
+ @@postgres::cluster::hba_entry { "udd-guest-${::fqdn}":
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => $database,
+ user => 'guest',
+ address => $base::public_addresses,
+ method => 'trust',
+ order => '40',
+ }
+}
diff --git a/modules/roles/manifests/udd/params.pp b/modules/roles/manifests/udd/params.pp
new file mode 100644
index 000000000..530a80d93
--- /dev/null
+++ b/modules/roles/manifests/udd/params.pp
@@ -0,0 +1,9 @@
+# udd parameters
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+class roles::udd::params (
+ String $db_address = $roles::udd::db_address,
+ Integer $db_port = $roles::udd::db_port,
+) {
+}
-- 
2.20.1
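Review bot: `method => 'trust'` makes the server skip authentication entirely for connections from `$base::public_addresses` that present the `guest` user, so every local account on each host that includes this class gets that access with no credential, and via udd.pp the same entry now also covers ullmann itself. If guest is an unprivileged, read-only role that is probably the intended trade-off, but it should be stated next to the entry, e.g. `# guest is meant to be an unprivileged read-only role, hence trust (no password) — TODO confirm on the server`. The ferm rule removed from per_host.pp was the only thing in this tree limiting TCP 5452 to the five hosts named there (quantz, master, coccia, respighi, wuiet), while this hunk exports only the hba entry; whether the port stays reachable from the new set of hosts, and only from them, depends on the collector on the server also generating firewall rules, which is not visible in the commit. It is also worth confirming that the hosts carrying roles::api_ftp_master, roles::buildd_master, roles::master, roles::qamaster, roles::release and roles::udd match that old list, since any difference silently widens or narrows access.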
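Review bot: The fallbacks `$roles::udd::db_address` and `$roles::udd::db_port` in params.pp refer to variables of `roles::udd`, yet the udd.pp hunk shows that class declared as `class roles::udd {` with no parameter list, so unless those variables are set inside its body the defaults resolve to undef and the `String`/`Integer` types reject them whenever the `roles::udd::params::db_address`/`db_port` keys added to common.yaml are missing. Either drop the fallbacks and make both parameters required, or document the real source: `# values come from roles::udd::params::db_address / db_port in hieradata; the roles::udd::* fallbacks only matter if those keys are unset`. Minor style point: the parameter list here ends with a trailing comma while db_guest_access.pp in the same commit omits it.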