From 9fe2655faaa89deb0815a58141936e1c22424709 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 15 Sep 2019 15:06:30 +0200
Subject: [PATCH] do not use role-based ssh restrict

For now we fall back to and continue to use hostnames, but we should switch this to something more sane longterm.
---
 modules/ferm/templates/me.conf.erb | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 73970da0a..615f63398 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -8,7 +8,7 @@ nodeinfo = scope.lookupvar('deprecated::nodeinfo')
 out = []
 restricted_purposes = ['kvm host', 'ganeti/kvm host', 'central syslog server', 'puppet master', 'jumphost', 'buildd', 'static-mirror', 'anycast mirror']
-restrict_ssh = %w{tchaikovsky draghi adayevskaya static-master-grnet-01 static-master-ubc-01}
+restrict_ssh = %w{tchaikovsky draghi adayevskaya static-master-grnet-01 static-master-ubc-01 geo1 geo2 geo3 denis}
 if (nodeinfo['ldap'].has_key?('purpose')) then
 nodeinfo['ldap']['purpose'].each do |purp|
@@ -22,11 +22,6 @@ ssh4allowed = []
 ssh6allowed = []
 should_restrict = restrict_ssh.include?(@hostname)
-%w{dns_primary dns_geo}.each do |role_restrict|
- if scope.function_has_role([role_restrict]) then
- should_restrict = true
- end
-end
 if should_restrict then
--
2.20.1
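Review bot: The hostnames appended to `restrict_ssh` in the first hunk (`geo1 geo2 geo3 denis`) carry no record that they stand in for the `dns_primary`/`dns_geo` role check removed in the second hunk. With the role lookup gone, `should_restrict` depends only on `restrict_ssh.include?(@hostname)`, so a host given one of those roles later presumably keeps unrestricted ssh until someone edits this list by hand, which is a fail-open default for an access restriction. I would add a comment directly above the list, e.g. `# geo1-3, denis: previously restricted via has_role(dns_primary/dns_geo); add new DNS hosts here by hand`, assuming those four are the hosts the roles used to match, since the patch does not show the role assignments. The template code surrounding both hunks is outside the patch, so how `should_restrict` is consumed further down cannot be confirmed from here.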