From 232800fd5f673cbcb6b750716e0dbc1a6324f729 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 16 Sep 2019 11:11:50 +0200
Subject: [PATCH] make dns primary export and keyring host collect firewall rules for the openpgpkey zone transfer; retire old-style dns_primary role

---
 hieradata/common.yaml | 3 ---
 hieradata/nodes/denis.debian.org.yaml | 3 +++
 modules/ferm/templates/defs.conf.erb | 5 +----
 modules/nagios/manifests/server.pp | 7 +++++--
 modules/named/manifests/primary.pp | 7 +++++++
 modules/roles/manifests/init.pp | 4 ----
 modules/roles/manifests/keyring.pp | 6 +-----
 7 files changed, 17 insertions(+), 18 deletions(-)
 create mode 100644 hieradata/nodes/denis.debian.org.yaml

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index c8c0fb899..e3afd7966 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -52,9 +52,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/'
 # all of these should be retired in favour of including the class role
 # with the host. weasel, 2019-09
 roles:
- dns_primary:
- # XXX - used by ferm templates/defs.conf.erb
- - denis.debian.org
 extranrpeclient:
 # XXX - used by ferm templates/defs.conf.erb
 - denis.debian.org
diff --git a/hieradata/nodes/denis.debian.org.yaml b/hieradata/nodes/denis.debian.org.yaml
new file mode 100644
index 000000000..78227ffd1
--- /dev/null
+++ b/hieradata/nodes/denis.debian.org.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+ - roles::dns_primary
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index ff0b14bdd..1ec803180 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@ allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
 roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -76,9 +76,6 @@
 @def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216 128.31.0.64 149.20.4.16 209.87.16.40);
 @def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40 2001:4f8:1:c::16 2607:f8f0:614:1::1274:40);
-@def $HOST_DNSPRIMARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_primary']]).uniq.join(' ') %>);
-@def $HOST_DNSPRIMARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_primary']]).uniq.join(' ') %>);
-@def $HOST_DNSPRIMARY = ($HOST_DNSPRIMARY_V4 $HOST_DNSPRIMARY_V6);
 <% def getfastlyranges()
diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index 58c2e453a..afe6c9948 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -134,9 +134,12 @@ class nagios::server {
 | EOF
 }
- # The nagios server wants to do DNS queries on the primary
+ # The nagios server wants to do DNS queries on the primaries
 @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
- tag => 'named::primary::ferm',
+ tag => [
+ 'named::primary::ferm',
+ 'named::keyring::ferm',
+ ],
 description => 'Allow nagios master access to the primary for checks',
 proto => ['udp', 'tcp'],
 port => 'domain',
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index 5f3f6beed..cafefff65 100644
--- a/modules/named/manifests/primary.pp
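Review bot: Removing the three `$HOST_DNSPRIMARY*` defs in the second hunk leaves any ferm rule that still references them pointing at an undefined variable, which ferm treats as a configuration error, so the firewall config on every host that renders such a rule would stop loading. The only consumer visible in this patch is the `01-dsa-bind` rule in roles::keyring, which the same commit replaces with a collector; whether any other template or rule string in the repository still uses `$HOST_DNSPRIMARY`, `$HOST_DNSPRIMARY_V4` or `$HOST_DNSPRIMARY_V6` is not visible here, so a repository-wide search for `HOST_DNSPRIMARY` before merging is the cheap way to rule that out. Dropping `dns_primary` from the role list in the first hunk is consistent with its removal from the `roles:` hash in common.yaml, since `roles[role].each` would otherwise fail on the missing key.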
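Review bot: The exported resource keeps the title `"dsa-bind-from-${::fqdn}"`, and the export added to named::primary in this same commit uses exactly the same title; on any node that includes both nagios::server and named::primary the two declarations would collide and that node's catalog would fail to compile. Whether any node is both is not visible here, but a class-specific title such as `"dsa-bind-nagios-from-${::fqdn}"` (and the matching `"dsa-bind-primary-from-${::fqdn}"` in primary.pp) removes the dependency on that never happening. The description `'Allow nagios master access to the primary for checks'` is now also rendered on the keyring host, where "the primary" no longer describes the collecting node; `'Allow nagios master access to the nameserver for checks'` reads correctly on both. The class nagios::server begins and ends outside this hunk.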
+++ b/modules/named/manifests/primary.pp
@@ -49,6 +49,13 @@ class named::primary inherits named::authoritative {
 };
 | EOF
 }
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::keyring::ferm',
+ description => 'Allow primary access to the keyring master',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
 concat::fragment { 'puppet-crontab--nsec3':
 target => '/etc/cron.d/puppet-crontab',
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index d51a9bc86..3a602becc 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -49,10 +49,6 @@ class roles {
 include roles::syncproxy
 }
- if has_role('dns_primary') {
- include roles::dns_primary
- }
-
 if has_role('postgres_backup_server') {
 include postgres::backup_server
 }
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index 453e6c033..cbdee8640 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
@@ -16,11 +16,7 @@ class roles::keyring {
 $notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), '; ')
- ferm::rule { '01-dsa-bind':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
- }
+ Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>
 concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
 target => '/etc/bind/named.conf.puppet-misc',
-- 
2.20.1
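Review bot: The new `@@ferm::rule::simple` export has no comment saying why a DNS primary needs port 53 on the keyring host, whereas the neighbouring nagios export in server.pp does explain its purpose; the commit message gives the reason, so a line above the resource such as `# The keyring host serves the openpgpkey zone; let every primary query and transfer it` keeps that knowledge in the manifest. With `saddr => $base::public_addresses` each primary exports its full public address set for both udp and tcp on `domain`, which is roughly the grant the replaced `$HOST_DNSPRIMARY` rule made; if only zone transfers and NOTIFYs are needed, that is still the right port set, so the proposed comment mainly documents the intent. The class named::primary begins and ends outside this hunk.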
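Review bot: The collector `Ferm::Rule::Simple <<| tag == 'named::keyring::ferm' |>>` yields no rule at all when nothing matching is stored in PuppetDB, so after this change the keyring host only regains DNS access from the primaries and the nagios master once each of those nodes has compiled a catalog containing the new exports, and an exporter whose exports are later purged silently drops out of the rule set. If that window matters for the openpgpkey zone transfers, rolling the exporters out first (or keeping a static fallback for the nagios host) avoids a gap. Collecting on tag alone also means any node in the same PuppetDB that exports a `ferm::rule::simple` with this tag opens port 53 on the keyring host; that is the normal exported-resource trust model, but worth keeping in mind for a host this sensitive. The `$notify_address_bind` line above still hard-codes `denis.debian.org` through `$deprecated::allnodeinfo`, so the zone's notify list is not yet driven by the same mechanism; presumably a later step. The class roles::keyring begins and ends outside this hunk.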