try apache rate limiting on snapshot hosts, 2

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 69a63c3..2927640 100644 (file)
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -351,6 +351,13 @@ roles:
     # Hosts that run apache but where it should not be open to the internet by
     # default
     - casulana.debian.org
+  apache_ratelimited:
+    - beach.debian.org
+    - buxtehude.debian.org
+    - lw07.debian.org
+    - picconi.debian.org
+    - pkgmirror-csail.debian.org
+    - sallinen.debian.org
   cdbuilder_local_mirror:
     - casulana.debian.org
   alioth_archive:

diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 8aacde9..4290e02 100644 (file)
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -154,7 +154,7 @@ class apache2 {
        }
 
        if (! has_role('apache_not_public')) {
-               if $::hostname in [beach,buxtehude,picconi,pkgmirror-csail] {
+               if has_role('apache_ratelimited') {
                        include apache2::dynamic
                } else {
                        @ferm::rule { 'dsa-http':

diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index 582f507..ee9ab94 100644 (file)
--- a/modules/roles/manifests/snapshot_web.pp
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -1,6 +1,5 @@
 class roles::snapshot_web {
        include apache2
-       include apache2::dynamic
        include apache2::rewrite
 
        ensure_packages ( [