From c65c8ae856902096b3b070b3b5e5e77bce9222d6 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 12:21:37 +0200
Subject: [PATCH] syncproxy ssh firewalling

---
 modules/roles/manifests/syncproxy.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 158b872c9..26e1c5a31 100644
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -1,3 +1,4 @@
+# a syncproxy
 class roles::syncproxy {
 include roles::archvsync_base
 
@@ -66,4 +67,19 @@ class roles::syncproxy {
 binds => $binds,
 }
 }
+
+ @@ferm::rule::simple { "dsa-ssh-from-syncproxy-${::fqdn}":
+ tag => 'ssh::server::allow::syncproxy',
+ description => 'Allow ssh access from a syncproxy',
+ port => '22',
+ saddr => $base::public_addresses,
+ }
+
+ # syncproxies should be accessible from various role hosts
+ Ferm::Rule::Simple <<|
+ tag == 'ssh::server::allow::archvsync' or
+ tag == 'ssh::server::allow::ftp-master' or
+ tag == 'ssh::server::allow::ports-master' or
+ tag == 'ssh::server::allow::security-master'
+ |>>
 }
-- 
2.20.1
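Review bot: The exported `@@ferm::rule::simple` sets `saddr => $base::public_addresses`, which only carries a value if class `base` has already been evaluated when this role compiles; if it resolves to undef, the rule realized on collecting hosts could become a port-22 allow with no source restriction, depending on how `ferm::rule::simple` handles an absent `saddr` — worth confirming, or making the ordering explicit with `include base` before the declaration so the address list is always populated. The counterpart collector for the `'ssh::server::allow::syncproxy'` tag lives in some other role and is not visible here; a comment such as `# exported: realized by hosts that collect tag ssh::server::allow::syncproxy, so they accept ssh from this proxy's public addresses` next to the declaration would document the pairing, in the same way the existing `# syncproxies should be accessible from various role hosts` comment documents the collector below it. The class roles::syncproxy opens outside this hunk.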