danzi: merge dsa-postgres2-danzi and dsa-postgres2-danzi6

Use a single rule for both. Also rename the rule and improve the
description to make it clear that it concerns the debconf cluster. Only
allow access from debussy instead of the whole subnet.

diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 92eaa7f..10b99f8 100644 (file)
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -194,14 +194,15 @@ class ferm::per_host {
         domain      => '(ip ip6)',
         rule        => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
       }
-      ferm::rule { 'dsa-postgres2-danzi':
-        description => 'Allow postgress access2',
-        rule        => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
-      }
-      ferm::rule { 'dsa-postgres2-danzi6':
-        domain      => 'ip6',
-        description => 'Allow postgress access2',
-        rule        => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))'
+      ferm::rule { 'dsa-postgres-debconf':
+        description => 'Allow postgress access to cluster: debconf',
+        domain      => '(ip ip6)',
+        rule        => @("EOF"/$)
+          &SERVICE_RANGE(tcp, 5434, (
+            ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
+            \$HOST_PGBACKUPHOST
+          ))
+          | EOF
       }
       ferm::rule { 'dsa-postgres-wannabuild':
         description => 'Allow postgress access to cluster: wannabuild',