From 726b3c330d1da3e999b1c2669ab46bef4f1f8731 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 12:43:31 +0200
Subject: [PATCH] mirror ssh firewalling setup from ferm/templates/me.conf.erb with roles In particular: debian mirrors can be accessed from syncproxies debug mirrors can be accessed from ftp-master historical mirrors can be accessed from historical-master security mirrors can be accessed from security-master And from the previous commits: syncproxies can be accessed from syncproxies, ftp-master, ports-master, and security-master
---
 modules/roles/manifests/debian_mirror.pp | 2 ++
 modules/roles/manifests/debug_mirror.pp | 2 ++
 modules/roles/manifests/historical_mirror.pp | 2 ++
 modules/roles/manifests/security_mirror.pp | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/modules/roles/manifests/debian_mirror.pp b/modules/roles/manifests/debian_mirror.pp
index 2484d4943..de9e624ff 100644
--- a/modules/roles/manifests/debian_mirror.pp
+++ b/modules/roles/manifests/debian_mirror.pp
@@ -40,4 +40,6 @@ class roles::debian_mirror {
 url => 'http://debian.backend.mirrors.debian.org/debian/dists/sid/Release',
 health_url => 'http://debian.backend.mirrors.debian.org/_health',
 }
+
+ Ferm::Rule::Simple <<| tag == 'ssh::server::from::syncproxy' |>>
 }
diff --git a/modules/roles/manifests/debug_mirror.pp b/modules/roles/manifests/debug_mirror.pp
index 6892c2658..dc69cff88 100644
--- a/modules/roles/manifests/debug_mirror.pp
+++ b/modules/roles/manifests/debug_mirror.pp
@@ -38,4 +38,6 @@ class roles::debug_mirror {
 url => 'http://debug.backend.mirrors.debian.org/debian-debug/dists/sid-debug/Release',
 health_url => 'http://debug.backend.mirrors.debian.org/_health',
 }
+
+ Ferm::Rule::Simple <<| tag == 'ssh::server::from::ftp_master' |>>
 }
diff --git a/modules/roles/manifests/historical_mirror.pp b/modules/roles/manifests/historical_mirror.pp
index e970ce716..4ef3af0da 100644
--- a/modules/roles/manifests/historical_mirror.pp
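Review bot: The collector `Ferm::Rule::Simple <<| tag == 'ssh::server::from::syncproxy' |>>` at the end of roles::debian_mirror selects on the tag alone, so every node whose catalog exports a Ferm::Rule::Simple carrying that tag gets its rule realized on the mirror; the ftp_master, historical_master and security_master collectors in the other three hunks behave the same way. The exporting side is not part of this patch (the commit message points to previous commits), so it is worth confirming that only the intended role classes export these tags and that the exported rules are limited to the SSH port and the exporter's own addresses. Exported resources also remain in PuppetDB until the exporting node is deactivated or expires, so a retired or renumbered master presumably keeps its opening on the mirrors until then. I would put a comment above each collector, for example `# ssh: accept connections from syncproxies (exported Ferm::Rule::Simple, collected by tag)`, adjusted per role. Each class body starts outside its hunk, so whether anything earlier in the class already documents this cannot be seen from here.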
+++ b/modules/roles/manifests/historical_mirror.pp
@@ -50,4 +50,6 @@ class roles::historical_mirror {
 target_address => $onion_v4_addr,
 }
 }
+
+ Ferm::Rule::Simple <<| tag == 'ssh::server::from::historical_master' |>>
 }
diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index 25cc3019b..30f0ea042 100644
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -50,4 +50,6 @@ class roles::security_mirror {
 target_address => $onion_v4_addr,
 }
 }
+
+ Ferm::Rule::Simple <<| tag == 'ssh::server::from::security_master' |>>
 }
--
2.20.1