From c092962f8f0879ffc60c39c6b8d5aa09f43412b3 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 7 Jul 2019 12:06:39 +0200
Subject: [PATCH] fw on kaufmann
---
 modules/roles/manifests/keyring.pp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index 08876cd20..5743dbd36 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
@@ -12,7 +12,14 @@ class roles::keyring {
 include named::authoritative
- $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+ $notify_address = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), " ")
+ $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+
+ @ferm::rule { '01-dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $notify_address ) )',
+ }
 concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
 target => '/etc/bind/named.conf.puppet-misc',
-- 
2.20.1
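Review bot: The `rule` value in `@ferm::rule { '01-dsa-bind'` is single-quoted, so Puppet does not interpolate `$notify_address`; ferm receives that literal text and would have to resolve it as one of its own variables, which nothing in this hunk defines, so the rule probably fails to load or does not admit the denis.debian.org addresses. Assuming `$HOST_NAGIOS` is meant to stay a ferm-side variable, a double-quoted string with only that one escaped keeps both intents: `rule => "&TCP_UDP_SERVICE_RANGE(53, ( \$HOST_NAGIOS ${notify_address} ) )",`. Separately, `$notify_address` changes from a "; "-joined list to a space-joined one while the diffstat shows no other line touched; the class body continues past the `concat::fragment` context lines, so any existing consumer there that still interpolates `$notify_address` into named.conf would now emit addresses without BIND's separators and should be switched to `$notify_address_bind`.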