From 050a7a1b6b8de2ad9b3964f1a0b855e8ae3a660b Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 11:58:58 +0200
Subject: [PATCH] Attempt to enable melartin(mirrormaster) to ssh to all the mirrors/syncproxies
---
 hieradata/nodes/melartin.debian.org.yaml | 1 +
 modules/roles/manifests/archvsync_base.pp | 2 ++
 modules/roles/manifests/mirrormaster.pp | 11 +++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 modules/roles/manifests/mirrormaster.pp
diff --git a/hieradata/nodes/melartin.debian.org.yaml b/hieradata/nodes/melartin.debian.org.yaml
index 3ccff770b..8a22ab94f 100644
--- a/hieradata/nodes/melartin.debian.org.yaml
+++ b/hieradata/nodes/melartin.debian.org.yaml
@@ -1,2 +1,3 @@
 classes:
 - roles::static_source
+ - roles::mirrormaster
diff --git a/modules/roles/manifests/archvsync_base.pp b/modules/roles/manifests/archvsync_base.pp
index d84c21b69..c61d3fbbb 100644
--- a/modules/roles/manifests/archvsync_base.pp
+++ b/modules/roles/manifests/archvsync_base.pp
@@ -18,4 +18,6 @@ class roles::archvsync_base {
 ensure => 'link',
 target => '/home/archvsync/.ssh/authorized_keys',
 }
+
+ Ferm::Rule::Simple <<| tag == 'ssh::server::allow' |>>
 }
diff --git a/modules/roles/manifests/mirrormaster.pp b/modules/roles/manifests/mirrormaster.pp
new file mode 100644
index 000000000..2d8d7d17c
--- /dev/null
+++ b/modules/roles/manifests/mirrormaster.pp
@@ -0,0 +1,11 @@
+# the mirrormaster needs to be able to ssh to all the syncproxies and mirrors
+# to update their config
+class roles::mirrormaster(
+) {
+ @@ferm::rule::simple { "dsa-ssh-from-mirrormaster-${::fqdn}":
+ tag => 'ssh::server::allow',
+ description => 'Allow ssh access from the mirrormaster',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
+}
--
2.20.1
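Review bot: The collector added at the end of `roles::archvsync_base` selects exported rules by the generic tag `ssh::server::allow` alone, so any ferm rule exported under that tag by any node would be realized on every archvsync host, with port and source address chosen by the exporter. If only the mirrormaster is meant to gain access through this path, a tag dedicated to that purpose on both the exporter and the collector keeps the firewall opening scoped, e.g. (constructed name) `Ferm::Rule::Simple <<| tag == 'ssh::server::allow::mirrormaster' |>>`. A short comment above the collector naming the expected exporter would also help, such as `# realize ssh allow rules exported by roles::mirrormaster`. The class body starts outside the hunk.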
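Review bot: `saddr => $base::public_addresses` in the exported rule reads another class's variable without this class ensuring that `base` has been evaluated or that the value is non-empty. How `ferm::rule::simple` treats an undefined `saddr` is not visible here; if it omits the source match, the rule would open port 22 to any address on every collecting host. A guard before the resource makes that case fail at compile time, e.g. `if empty($base::public_addresses) { fail('mirrormaster: no public addresses to export') }`. The title also interpolates the agent-reported `${::fqdn}` fact; `$trusted['certname']` is the authenticated alternative if the name should not depend on a fact.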