From cb1653b870f26dacdf6444dcd7520b0556018bfa Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 12:24:22 +0200
Subject: [PATCH] on ftp, ports, and security-master: store ssh allows to be collected on the syncproxies
---
 modules/roles/manifests/ftp_master.pp | 8 ++++++++
 modules/roles/manifests/ports_master.pp | 8 ++++++++
 modules/roles/manifests/security_master.pp | 8 ++++++++
 3 files changed, 24 insertions(+)
diff --git a/modules/roles/manifests/ftp_master.pp b/modules/roles/manifests/ftp_master.pp
index 776758931..f8d6f877e 100644
--- a/modules/roles/manifests/ftp_master.pp
+++ b/modules/roles/manifests/ftp_master.pp
@@ -11,4 +11,12 @@ class roles::ftp_master {
 key => true,
 tlsaport => [443, 1873],
 }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::ftp-master',
+ description => 'Allow ssh access from ftp-master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/roles/manifests/ports_master.pp b/modules/roles/manifests/ports_master.pp
index 5fb48ba32..31c650303 100644
--- a/modules/roles/manifests/ports_master.pp
+++ b/modules/roles/manifests/ports_master.pp
@@ -18,4 +18,12 @@ class roles::ports_master {
 chown_user => mini-dak-unpriv,
 root => '/srv/ports-master.debian.org/ftp.upload',
 }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::ports-master',
+ description => 'Allow ssh access from ports-master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/roles/manifests/security_master.pp b/modules/roles/manifests/security_master.pp
index 83685a884..6f92d33a2 100644
--- a/modules/roles/manifests/security_master.pp
+++ b/modules/roles/manifests/security_master.pp
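Review bot: The exported resource title `"dsa-ssh-from-syncproxy-${::fqdn}"` in the ftp_master.pp hunk does not match what the rule does: the tag and description say it allows ssh from ftp-master, and `saddr` is this host's own addresses. On the collecting host a rule named "from-syncproxy" makes the firewall harder to audit. Because the ports_master.pp and security_master.pp hunks use the identical title, a node that ever carried two of these roles would presumably fail to compile with a duplicate declaration. A role-specific title such as `"dsa-ssh-from-ftp-master-${::fqdn}"` (and likewise in the other two files) would avoid both problems. The comment could also name the consumer given in the commit subject, e.g. `# exported; collected on the syncproxies via the ssh::server::allow::ftp-master tag`.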
@@ -11,4 +11,12 @@ class roles::security_master {
 max_clients => 50,
 sslname => 'security-master.debian.org',
 }
+
+ # export ssh allow rules for hosts that we should be able to access
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::security-master',
+ description => 'Allow ssh access from security-master',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
 }
-- 
2.20.1
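Review bot: `saddr => $base::public_addresses` is the only thing limiting this exported port-22 rule to the master's own addresses, and nothing in the hunk shows that class `base` is evaluated before this one or how `ferm::rule::simple` treats an undef or empty `saddr`. If that case yields a rule with no source match, the packet filter on the collecting hosts would admit port 22 from any source. It is worth confirming that the define fails closed, or adding a guard before the export such as `if empty($base::public_addresses) { fail("no public addresses to export for ${::fqdn}") }`. The same line appears in the ftp_master.pp and ports_master.pp hunks. This rule only opens the firewall; which keys and commands sshd accepts from these addresses is decided elsewhere and is not visible in this patch.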