pg@danzi: use a list of hosts instead of whitelisting the whole subnet
author
Aurelien Jarno
<aurelien@aurel32.net>
Fri, 27 Sep 2019 21:46:23 +0000
(23:46 +0200)
committer
Aurelien Jarno
<aurelien@aurel32.net>
Fri, 27 Sep 2019 21:46:23 +0000
(23:46 +0200)
modules/ferm/manifests/per_host.pp
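diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 350ec3f..c4d47d7 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -177,10 +177,16 @@ class ferm::per_host {
 | EOF
 }
 ferm::rule { 'dsa-postgres-main':
- # ubc, wuiet
 description => 'Allow postgress access to cluster: main',
 domain => '(ip ip6)',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5433, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'diabelli.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'reger.debian.org', 'ipHostNumber'), " ") }
+ \$HOST_PGBACKUPHOST
+ ))
+ | EOF
 }
 ferm::rule { 'dsa-postgres-debconf':
 description => 'Allow postgress access to cluster: debconf',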
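Review bot: The three `getfromhash($deprecated::allnodeinfo, '<host>', 'ipHostNumber')` lookups inside the new heredoc have no guard for a host that is absent from the node data or has no `ipHostNumber`; what `join` does with that result is not visible here, so it is worth confirming that the catalog fails to compile rather than silently emitting a shorter allow-list or a malformed `&SERVICE_RANGE` line. The removed `# ubc, wuiet` comment was the only record of who the rule admits, and the replacement has none; a line such as `# allowed clients of cluster main: diabelli, nono, reger, plus the pg backup host` above `rule =>` would let a later reviewer prune stale entries. The hostnames are repeated across three near-identical lines, so keeping them in one array and interpolating the joined result would confine future additions to a single place. The enclosing `class ferm::per_host` begins outside this hunk.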