From 050a7a1b6b8de2ad9b3964f1a0b855e8ae3a660b Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Sat, 21 Sep 2019 11:58:58 +0200
Subject: [PATCH] Attempt to enable melartin(mirrormaster) to ssh to all the
 mirrors/syncproxies

---
 hieradata/nodes/melartin.debian.org.yaml  |  1 +
 modules/roles/manifests/archvsync_base.pp |  2 ++
 modules/roles/manifests/mirrormaster.pp   | 11 +++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 modules/roles/manifests/mirrormaster.pp

diff --git a/hieradata/nodes/melartin.debian.org.yaml b/hieradata/nodes/melartin.debian.org.yaml
index 3ccff770b..8a22ab94f 100644
--- a/hieradata/nodes/melartin.debian.org.yaml
+++ b/hieradata/nodes/melartin.debian.org.yaml
@@ -1,2 +1,3 @@
 classes:
   - roles::static_source
+  - roles::mirrormaster
diff --git a/modules/roles/manifests/archvsync_base.pp b/modules/roles/manifests/archvsync_base.pp
index d84c21b69..c61d3fbbb 100644
--- a/modules/roles/manifests/archvsync_base.pp
+++ b/modules/roles/manifests/archvsync_base.pp
@@ -18,4 +18,6 @@ class roles::archvsync_base {
     ensure => 'link',
     target => '/home/archvsync/.ssh/authorized_keys',
   }
+
+  Ferm::Rule::Simple <<| tag == 'ssh::server::allow' |>>
 }
diff --git a/modules/roles/manifests/mirrormaster.pp b/modules/roles/manifests/mirrormaster.pp
new file mode 100644
index 000000000..2d8d7d17c
--- /dev/null
+++ b/modules/roles/manifests/mirrormaster.pp
@@ -0,0 +1,11 @@
+# the mirrormaster needs to be able to ssh to all the syncproxies and mirrors
+# to update their config
+class roles::mirrormaster(
+) {
+  @@ferm::rule::simple { "dsa-ssh-from-mirrormaster-${::fqdn}":
+    tag         => 'ssh::server::allow',
+    description => 'Allow ssh access from the mirrormaster',
+    port        => '22',
+    saddr       => $base::public_addresses,
+  }
+}
-- 
2.20.1