bgp -> hiera role
authorPeter Palfrader <peter@palfrader.org>
Sun, 22 Sep 2019 15:21:29 +0000 (17:21 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 22 Sep 2019 15:21:29 +0000 (17:21 +0200)
data/common.yaml
data/nodes/mirror-accumu.debian.org.yaml
data/nodes/mirror-skroutz.debian.org.yaml
modules/roles/manifests/bgp.pp
modules/roles/manifests/init.pp

index 37432d7..24140e1 100644 (file)
@@ -97,9 +97,6 @@ roles:
     # XXX - used by ferm templates/defs.conf.erb
     - backuphost.debian.org
     - storace.debian.org
-  bgp:
-    - mirror-accumu.debian.org
-    - mirror-skroutz.debian.org
   postgresql_server:
     # postgresql instances not managed by puppet otherwise
     - bmdb1.debian.org
index 1792854..959e6ee 100644 (file)
@@ -1,8 +1,10 @@
 ---
 classes:
+  - roles::bgp
   - roles::debian_mirror
   - roles::debug_mirror
 
+roles::bgp::peers: ['2001:6b0:1e:2::1c6/128', '130.242.6.198/32']
 roles::debian_mirror::listen_addr: ['130.242.6.199', '2001:6b0:1e:2::1c7', '193.31.7.2', '2a02:158:ffff:deb::2']
 roles::debian_mirror::healthcheck_name: accumu.debian.backend.mirrors.debian.org
 roles::debug_mirror::onion_service: true
index a2ba7a9..b62d707 100644 (file)
@@ -1,6 +1,8 @@
 ---
 classes:
+  - roles::bgp
   - roles::debian_mirror
 
+roles::bgp::peers: ['2a03:e40:42:200::151:1/128', '2a03:e40:42:200::151:2/128', '154.57.0.249/32', '154.57.0.250/32']
 roles::debian_mirror::listen_addr: ['154.57.0.251', '2a03:e40:42:200::151:3', '193.31.7.2', '2a02:158:ffff:deb::2']
 roles::debian_mirror::healthcheck_name: skroutz.debian.backend.mirrors.debian.org
index 9e1cdf5..ffcadc1 100644 (file)
@@ -1,22 +1,13 @@
-class roles::bgp {
-       $bgp_peers = $::hostname ? {
-               mirror-accumu => '2001:6b0:1e:2::1c6/128 130.242.6.198/32',
-               mirror-skroutz => '2a03:e40:42:200::151:1/128 2a03:e40:42:200::151:2/128 154.57.0.249/32 154.57.0.250',
-               default       => undef,
-       }
-
-       if ! $bgp_peers {
-               fail("Do not have bgp_peers set for $::hostname.")
-       }
-
-       ferm::rule { 'dsa-bgp':
-               description => 'Allow BGP from peers',
-               domain      => '(ip ip6)',
-               rule        => "&SERVICE_RANGE(tcp, bgp, ($bgp_peers))"
-       }
-
-       file { '/etc/network/interfaces.d/anycasted':
-               content => template('roles/anycast/interfaces.erb')
-       }
-
+class roles::bgp(
+  Array[Stdlib::IP::Address] $peers,
+){
+  ferm::rule::simple { 'dsa-bgp':
+    description => 'Allow BGP from peers',
+    ports       => 'bgp',
+    saddr       => $peers,
+  }
+
+  file { '/etc/network/interfaces.d/anycasted':
+    content => template('roles/anycast/interfaces.erb')
+  }
 }
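Review bot: `Array[Stdlib::IP::Address] $peers` in the new class header accepts an empty array and a network of any prefix length, so a hiera value of `[]` or a mistyped prefix passes type checking. A missing key still fails compilation because the parameter has no default, which covers what the removed `fail()` did, but the empty-list case is new. What `ferm::rule::simple` emits for an empty `saddr` is not visible in this diff; if it omits the source match, the bgp port would be open to every address, so it is worth requiring at least one entry with `Array[Stdlib::IP::Address, 1] $peers,`. A `# @param peers` comment above the class, stating that entries are the upstream routers' addresses written as host prefixes (/32 or /128) as in the two node files, would record the expectation that the type itself does not enforce.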
index 2324e57..6accbf7 100644 (file)
@@ -23,10 +23,6 @@ class roles {
                include roles::snapshot
        }
 
-       if has_role('bgp') {
-               include roles::bgp
-       }
-
        if has_role('postgresql_server') {
                include postgres::backup_source
        }