From ab52321ca7ccd1b0c42c41cd62d4a06b976e119c Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 9 Feb 2018 20:03:17 +0100
Subject: [PATCH] Add a apache_not_public role where we do not add ferm allow rules and put casulana into it

---
 hieradata/common.yaml | 4 ++++
 modules/apache2/manifests/init.pp | 28 +++++++++++++++------------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 29d235dd3..c946236ac 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -352,3 +352,7 @@ roles:
 - storace.debian.org
 debconf_wafer:
 - debussy.debian.org
+ apache_not_public:
+ # Hosts that run apache but where it should not be open to the internet by
+ # default
+ - casulana.debian.org
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 985620fa5..8aacde987 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -153,21 +153,23 @@ class apache2 {
 ensure => installed,
 }
 
- if $::hostname in [beach,buxtehude,picconi,pkgmirror-csail] {
- include apache2::dynamic
- } else {
- @ferm::rule { 'dsa-http':
- prio => '23',
- description => 'Allow web access',
- rule => '&SERVICE(tcp, (http https))'
+ if (! has_role('apache_not_public')) {
+ if $::hostname in [beach,buxtehude,picconi,pkgmirror-csail] {
+ include apache2::dynamic
+ } else {
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
 }
- }
 
- @ferm::rule { 'dsa-http-v6':
- domain => '(ip6)',
- prio => '23',
- description => 'Allow web access',
- rule => '&SERVICE(tcp, (http https))'
+ @ferm::rule { 'dsa-http-v6':
+ domain => '(ip6)',
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
 }
 
 exec { 'service apache2 reload':
-- 
2.20.1
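Review bot: The new guard `if (! has_role('apache_not_public')) {` also wraps `include apache2::dynamic`, so a host that is both in the hostname list and in the new role loses whatever apache2::dynamic declares, not only the two ferm allow rules the commit message describes; if apache2::dynamic does more than open the web ports, that include should sit outside the guard. As a point of style, Puppet offers `unless has_role('apache_not_public') {`, which drops the parenthesised `!` and states the intent directly. A comment on the guard would help the next reader, e.g. `# Hosts in the apache_not_public role (hieradata/common.yaml) get no dsa-http / dsa-http-v6 ferm allow rules.` The enclosing class apache2 starts and ends outside the hunk.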