From c93738739075e2bd2ebac4c3d4ac1be171634003 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Wed, 14 Feb 2018 12:43:27 +0100 Subject: [PATCH] planet-master.d.o: only allow access from localhost and local IP This way it's possible to access planet-master.d.o using SSH as a socks proxy. It requires to connect to planet-master.d.o aka philp.d.o instead of any debian machine. Signed-off-by: Aurelien Jarno --- .../planet_master/planet-master.debian.org | 20 --------- modules/roles/manifests/planet_master.pp | 4 +- .../planet-master.debian.org.erb | 41 +++++++++++++++++++ 3 files changed, 43 insertions(+), 22 deletions(-) delete mode 100644 modules/roles/files/planet_master/planet-master.debian.org create mode 100644 modules/roles/templates/planet_master/planet-master.debian.org.erb diff --git a/modules/roles/files/planet_master/planet-master.debian.org b/modules/roles/files/planet_master/planet-master.debian.org deleted file mode 100644 index a58f07c6e..000000000 --- a/modules/roles/files/planet_master/planet-master.debian.org +++ /dev/null @@ -1,20 +0,0 @@ -Use common-debian-service-https-redirect * planet-master.debian.org - - ServerName planet-master.debian.org - ServerAdmin debian-admin@lists.debian.org - - Use common-debian-service-ssl planet-master.debian.org - Use common-ssl-HSTS - - - UserDir disabled - - ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log - CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy - ServerSignature On - - DocumentRoot /srv/planet.debian.org/www - - Use DebianHostList - - diff --git a/modules/roles/manifests/planet_master.pp b/modules/roles/manifests/planet_master.pp index 5114ece75..3d47163e1 100644 --- a/modules/roles/manifests/planet_master.pp +++ b/modules/roles/manifests/planet_master.pp 
@@ -1,10 +1,10 @@ class roles::planet_master { include apache2::ssl apache2::config { 'puppet-debianhosts': - content => template('roles/conf-debianhostlist.erb'), + ensure => 'absent', } apache2::site { 'planet-master.debian.org': - source => 'puppet:///modules/roles/planet_master/planet-master.debian.org', + template => template('roles/planet_master/planet-master.debian.org.erb') } ssl::service { 'planet-master.debian.org': notify => Exec['service apache2 reload'], diff --git a/modules/roles/templates/planet_master/planet-master.debian.org.erb b/modules/roles/templates/planet_master/planet-master.debian.org.erb new file mode 100644 index 000000000..95afcf03d --- /dev/null +++ b/modules/roles/templates/planet_master/planet-master.debian.org.erb @@ -0,0 +1,41 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +Use common-debian-service-https-redirect * planet-master.debian.org + + ServerName planet-master.debian.org + ServerAdmin debian-admin@lists.debian.org + + Use common-debian-service-ssl planet-master.debian.org + Use common-ssl-HSTS + + + UserDir disabled + + ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log + CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy + ServerSignature On + + DocumentRoot /srv/planet.debian.org/www + + # Localhost + Require ip ::1 + Require ip 127.0.0.1 +<%= + lines = [] + roles = scope.lookupvar('site::roles') + roles['planet_master'].each do |node| + lines << "\t\t# #{scope.lookupvar('site::allnodeinfo')[node]['hostname'][0]}" + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr| + lines << "\t\tRequire ip #{addr}" + end + end + lines.join("\n") +# vim:set et: +# vim:set sts=2 ts=2: +# vim:set shiftwidth=2: +%> + + -- 2.20.1
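Review bot: The new `template => template('roles/planet_master/planet-master.debian.org.erb')` line drops the trailing comma that the replaced `source =>` line carried, while the neighbouring attributes in this hunk (`ensure => 'absent',`, `notify => Exec['service apache2 reload'],`) all keep it; for consistency write `template => template('roles/planet_master/planet-master.debian.org.erb'),`. The parameter list of `apache2::site` is not visible from here — the removed line used `source`, so if the define only exposes `source`/`content`, this attribute should be `content =>` instead, otherwise catalog compilation fails with an unknown-parameter error. The `ssl::service` resource continues past the end of the hunk.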
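Review bot: Apache 2.4 only accepts `Require` in directory context, so `Require ip ::1`, `Require ip 127.0.0.1` and the generated `Require ip` lines have to sit inside a `<Location />` or `<Directory /srv/planet.debian.org/www>` block; the listing here has its Apache container tags stripped, so I cannot confirm one is present, and without it apache2 rejects the vhost with "Require not allowed here" and the reload fails. These `Require ip` lines are now the only access control on the HTTPS vhost since `Use DebianHostList` went away, and several bare `Require` directives default to RequireAny, which gives the intended union of localhost plus the planet_master hosts. The Ruby in the `<%= %>` block indexes `allnodeinfo[node]['hostname'][0]` and `['ipHostNumber']` without checks, so a role node missing from allnodeinfo or lacking an address aborts the catalog with a NoMethodError — that fails closed, which is the right direction for an allowlist, but `info = scope.lookupvar('site::allnodeinfo').fetch(node) { raise "no allnodeinfo for #{node}" }` would make the cause obvious at compile time. A comment above the block would help the next admin, e.g. `# Access is limited to localhost and the planet_master hosts; reach the site through an SSH SOCKS proxy to this machine.`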