From 1ef0cf361b9785b0c2ffb0562636ac57eed122f2 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 13:30:39 +0200
Subject: [PATCH] remove old-style ssh firewalling setup for mirrors/syncproxies
---
 hieradata/common.yaml | 10 ----------
 modules/ferm/templates/defs.conf.erb | 19 +------------------
 modules/ferm/templates/me.conf.erb | 25 -------------------------
 3 files changed, 1 insertion(+), 53 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index e4990b1f8..e0847ce8e 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -104,16 +104,6 @@ roles:
 wieck.debian.org:
 service-hostname: wieck.security.backend.mirrors.debian.org
 fastly-backend: true
- syncproxy:
- # XXX - used by ferm templates/defs.conf.erb
- - gretchaninov.debian.org
- - klecker.debian.org
- - milanollo.debian.org
- - mirror-anu.debian.org
- - mirror-isc.debian.org
- - mirror-umn.debian.org
- - schmelzer.debian.org
- - smit.debian.org
 postgres_backup_server:
 # XXX - used by ferm templates/defs.conf.erb
 - backuphost.debian.org
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 08beaa0eb..031471507 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@
 allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
 roles = scope.lookupvar('deprecated::roles')
 
- %w{mailrelay nagiosmaster muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master}.each do |role|
+ %w{mailrelay nagiosmaster muninmaster postgres_backup_server}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -57,23 +57,6 @@
 @def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
 @def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
-@def $HOST_FTPMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['ftp_master']]).uniq.join(' ') %>);
-@def $HOST_FTPMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ftp_master']]).uniq.join(' ') %>);
-@def $HOST_SECMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['security_master']]).uniq.join(' ') %>);
-@def $HOST_SECMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['security_master']]).uniq.join(' ') %>);
-@def $HOST_PORTSMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['ports_master']]).uniq.join(' ') %>);
-@def $HOST_PORTSMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ports_master']]).uniq.join(' ') %>);
-@def $HOST_ARCHIVEMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['historical_master']]).uniq.join(' ') %>);
-@def $HOST_ARCHIVEMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['historical_master']]).uniq.join(' ') %>);
-@def $HOST_SYNCPROXY_V4 = (<%= scope.function_filter_ipv4([rolehost['syncproxy']]).uniq.join(' ') %>);
-@def $HOST_SYNCPROXY_V6 = (<%= scope.function_filter_ipv6([rolehost['syncproxy']]).uniq.join(' ') %>);
-# syncproxy.au syncproxy2.eu syncproxy3.eu syncproxy4.eu
-@def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 150.203.164.60 130.89.148.10 5.153.231.9 217.196.149.237);
-@def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2001:388:1034:2900::3c 2001:67c:2564:a119::148:10 2001:41c8:1000:21::21:9 2a02:16a8:dc41:100::237);
-# syncproxy.cna syncproxy.na syncproxy2.wna syncproxy3.wna
-@def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216 128.31.0.64 149.20.4.16 209.87.16.40);
-@def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40 2001:4f8:1:c::16 2607:f8f0:614:1::1274:40);
-
 <%
 def getfastlyranges()
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 6bd95df6b..829d71aae 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -40,31 +40,6 @@ if should_restrict then
 ssh4allowed << %w{$HOST_DEBIAN_V4}
 ssh6allowed << %w{$HOST_DEBIAN_V6}
 end
-
- if scope.function_has_role(['debian_mirror']) or
- scope.function_has_role(['syncproxy']) then
- ssh4allowed << '$HOST_SYNCPROXY_V4'
- ssh6allowed << '$HOST_SYNCPROXY_V6'
- end
- if scope.function_has_role(['security_mirror']) or
- scope.function_has_role(['syncproxy']) then
- ssh4allowed << '$HOST_SECMASTER_V4'
- ssh6allowed << '$HOST_SECMASTER_V6'
- end
- if scope.function_has_role(['historical_mirror']) then
- ssh4allowed << '$HOST_ARCHIVEMASTER_V4'
- ssh6allowed << '$HOST_ARCHIVEMASTER_V6'
- end
- if scope.function_has_role(['syncproxy']) then
- ssh4allowed << '$HOST_FTPMASTER_V4'
- ssh6allowed << '$HOST_FTPMASTER_V6'
- ssh4allowed << '$HOST_PORTSMASTER_V4'
- ssh6allowed << '$HOST_PORTSMASTER_V6'
- end
- if scope.function_has_role(['debug_mirror']) then
- ssh4allowed << '$HOST_FTPMASTER_V4'
- ssh6allowed << '$HOST_FTPMASTER_V6'
- end
 end
 ssh4allowed.length == 0 and ssh4allowed << '0.0.0.0/0'
 ssh6allowed.length == 0 and ssh6allowed << '::/0'
-- 
2.20.1
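Review bot: A host whose only allowlist entries used to come from the removed mirror/syncproxy branches now reaches `ssh4allowed.length == 0 and ssh4allowed << '0.0.0.0/0'` (and the `::/0` line under it) with an empty list, so on such hosts the removal opens SSH to any source rather than narrowing it, unless `should_restrict` — defined outside this hunk — already covers every mirror role. The fail-open fallback is the pre-existing behaviour, but this commit is what makes it reachable for those roles, and nothing in the template records that this is intended. If it is, a comment next to the length checks would save the next reader a trip through git history, e.g. `# an empty allow list means SSH from anywhere; mirror and syncproxy hosts no longer get a narrower list here`; if it is not, a restrictive default should be appended before the length checks so the list never falls through to the any-source rule. The enclosing `if`/`end` structure opens before this hunk.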