do not use role-based ssh restrict

For now we fall back to and continue to use hostnames, but we should
switch this to something more sane longterm.

diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 73970da..615f633 100644 (file)
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -8,7 +8,7 @@ nodeinfo = scope.lookupvar('deprecated::nodeinfo')
 out = []
 
 restricted_purposes = ['kvm host', 'ganeti/kvm host', 'central syslog server', 'puppet master', 'jumphost', 'buildd', 'static-mirror', 'anycast mirror']
-restrict_ssh = %w{tchaikovsky draghi adayevskaya static-master-grnet-01 static-master-ubc-01}
+restrict_ssh = %w{tchaikovsky draghi adayevskaya static-master-grnet-01 static-master-ubc-01 geo1 geo2 geo3 denis}
 
 if (nodeinfo['ldap'].has_key?('purpose')) then
        nodeinfo['ldap']['purpose'].each do |purp|
@@ -22,11 +22,6 @@ ssh4allowed = []
 ssh6allowed = []
 
 should_restrict = restrict_ssh.include?(@hostname)
-%w{dns_primary dns_geo}.each do |role_restrict|
-       if scope.function_has_role([role_restrict]) then
-               should_restrict = true
-       end
-end
 
 
 if should_restrict then