From acd1de8f69a30e3a07fcb5dad44f980dd8bd89a3 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 7 Jul 2019 12:13:50 +0200
Subject: [PATCH] fw on kaufmann

---
 modules/ferm/templates/defs.conf.erb | 6 +++++-
 modules/roles/manifests/keyring.pp | 3 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 4981a4220..42bb37642 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@
 allnodeinfo = scope.lookupvar('site::allnodeinfo')
 roles = scope.lookupvar('site::roles')
 
- %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -91,6 +91,10 @@
 @def $HOST_RCODE0 = (83.136.34.0/27 2A02:850:8::/47);
 @def $HOST_NETNOD = (192.71.80.0/24 192.36.144.222 192.36.144.218 194.146.105.24 194.146.105.25 2a01:3f0:0:27::24 2a01:3f0:0:28::25);
 
+@def $HOST_DNSPRIMARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_primary']]).uniq.join(' ') %>);
+@def $HOST_DNSPRIMARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_primary']]).uniq.join(' ') %>);
+@def $HOST_DNSPRIMARY = ($HOST_DNSPRIMARY_V4 $HOST_DNSPRIMARY_V6);
+
 <%
 def getfastlyranges()
 begin
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index a1d40e23f..903064d5c 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
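Review bot: Adding `dns_primary` to the role list makes template rendering depend on `site::roles` actually containing that key: the unchanged `roles[role].each do |node|` two lines below has no guard, so a missing key raises NoMethodError on nil and breaks the generated ferm config for every host that renders this template, not only the nameservers. A one-line guard would contain that to the affected role, `Array(roles[role]).each do |node|` (or `(roles[role] || []).each do |node|`). The 17-entry one-line `%w{…}` literal is also a diff magnet; one role per line would make future additions like this one reviewable. The loop body continues outside the hunk.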
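Review bot: The three new `@def` lines say nothing about where the set comes from, unlike the literal `$HOST_RCODE0`/`$HOST_NETNOD` entries above them whose values are self-describing; a comment such as `# primary nameservers: ipHostNumber of every node in the dns_primary role (site::roles)` above `$HOST_DNSPRIMARY_V4` would tell the next reader that changing role membership changes firewall rules on other hosts. If no node in the role carries an `ipHostNumber`, `rolehost['dns_primary']` stays empty and both the V4 and V6 defs render as `()`; whether ferm then silently drops rules that reference `$HOST_DNSPRIMARY` or rejects the config depends on its empty-list handling, which is worth confirming before relying on it. The only consumer in this patch combines the set with `$HOST_NAGIOS`, so that particular rule would not become empty, but any future standalone use would.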
@@ -12,13 +12,12 @@ class roles::keyring {
 
 include named::authoritative
 
- $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), " ")
 $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
 
 @ferm::rule { '01-dsa-bind':
 domain => '(ip ip6)',
 description => 'Allow nameserver access',
- rule => "\&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $notify_address ) )",
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
 }
 
 concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
-- 
2.20.1
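Review bot: The firewall rule now admits whichever nodes carry the `dns_primary` role, but the kept `$notify_address_bind` line still hard-codes `denis.debian.org`, so the ferm allow-list and the address list this variable feeds are now derived from two different sources and can drift: a host added to the role is let through on port 53 before the BIND side knows about it, and a host dropped from the role loses firewall access while still being listed. If `site::roles['dns_primary']` is meant to be the source of truth, deriving `$notify_address_bind` from the same role (or a comment stating why the two intentionally differ) would keep them in step. What `$notify_address_bind` is consumed by is outside the hunk, so that part is inferred from its name; the class body also continues past the hunk.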