Use a single rule for both. Also rename the rule and improve the
description to make it clear that it concerns the debconf cluster. Only
allow access from debussy instead of the whole subnet.
domain => '(ip ip6)',
rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
}
domain => '(ip ip6)',
rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
}
- ferm::rule { 'dsa-postgres2-danzi':
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
- }
- ferm::rule { 'dsa-postgres2-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))'
+ ferm::rule { 'dsa-postgres-debconf':
+ description => 'Allow postgress access to cluster: debconf',
+ domain => '(ip ip6)',
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5434, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
+ \$HOST_PGBACKUPHOST
+ ))
+ | EOF
}
ferm::rule { 'dsa-postgres-wannabuild':
description => 'Allow postgress access to cluster: wannabuild',
}
ferm::rule { 'dsa-postgres-wannabuild':
description => 'Allow postgress access to cluster: wannabuild',
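Review bot: The new `dsa-postgres-debconf` rule admits `$HOST_PGBACKUPHOST` as well as debussy, but neither its `description` nor the commit message ("Only allow access from debussy") mentions the backup host, so anyone auditing the firewall against the stated intent finds an unexplained extra source on port 5434. I would add a comment above the heredoc, for example `# 5434 = debconf cluster; sources: debussy (addresses from $deprecated::allnodeinfo) and the pg backup host`. It is also worth confirming what `getfromhash(...)` yields if `debussy.debian.org` has no `ipHostNumber` entry: from the visible lines the list would then hold only the backup host, which presumably fails closed but does so silently. The enclosing file and the following `dsa-postgres-wannabuild` resource continue outside the hunk.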