From 3d8a5c781bd9f3843fa3a79501d88eac0f1e4c6d Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 16 Sep 2019 10:30:27 +0200
Subject: [PATCH] publish, store and collect ferm rules for dns primary access

---
 modules/nagios/manifests/server.pp | 9 +++++++++
 modules/named/manifests/geodns.pp | 8 ++++++++
 modules/named/manifests/primary.pp | 1 +
 3 files changed, 18 insertions(+)

diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index c40c1b9e0..58c2e453a 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -133,4 +133,13 @@ class nagios::server {
 */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
 | EOF
 }
+
+ # The nagios server wants to do DNS queries on the primary
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::primary::ferm',
+ description => 'Allow nagios master access to the primary for checks',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 49a9663da..37a906558 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -60,4 +60,12 @@ class named::geodns inherits named {
 proto => ['udp', 'tcp'],
 port => 'domain',
 }
+
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::primary::ferm',
+ description => 'Allow geo nameserver access to the primary for the (non-geo) zones that we AXFR',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index 046fd9d49..b383ca548 100644
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
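Review bot: Both new exported resources use the same title, `"dsa-bind-from-${::fqdn}"`, so a node that includes both nagios::server and named::geodns would declare the exported ferm::rule::simple twice and fail catalog compilation with a duplicate declaration, and the collector on the primary would likewise see two identically titled rules from such a host. Distinct per-role titles such as `"dsa-bind-nagios-from-${::fqdn}"` here and `"dsa-bind-geodns-from-${::fqdn}"` in modules/named/manifests/geodns.pp avoid that and make the generated firewall rules self-describing; whether any node actually carries both classes cannot be seen from this patch. Separately, `saddr => $base::public_addresses` is the only thing scoping the opened port 53 to the exporting host, so if that variable can be empty or undef on some node, how ferm::rule::simple renders a missing saddr decides whether the rule silently turns into an unrestricted allow, which is worth confirming before relying on it. Both enclosing classes close on the hunks' last context line, so nothing continues past them.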
@@ -6,6 +6,7 @@ class named::primary inherits named::authoritative {
 description => 'Allow nameserver access',
 rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
 }
+ Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
 concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
 target => '/etc/bind/named.conf.puppet-misc',
-- 
2.20.1
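Review bot: The new collector `Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>` leaves the hand-maintained `&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS ... ) )` rule directly above it in place, so access for the geo nameservers and the nagios master now has two sources of truth and a host removed from one list stays allowed by the other. A comment on the collector recording which mechanism is authoritative and that `$HOST_DNS_GEO` and `$HOST_NAGIOS` are to be dropped from the static rule once the exported rules are confirmed to be collected would keep the two from drifting, e.g. `# Collected from nagios::server and named::geodns; meant to supersede $HOST_NAGIOS/$HOST_DNS_GEO in the static rule above`. The collector also matches on tag alone, so any node that exports a ferm::rule::simple carrying this tag is granted port 53 on the primary; if that is the intended trust model for exported resources here, the comment should say so. The class named::primary continues outside the hunk.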