retire old-style firewalling for mirrormaster sshing to the mirror nodes
authorPeter Palfrader <peter@palfrader.org>
Sat, 21 Sep 2019 10:02:14 +0000 (12:02 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sat, 21 Sep 2019 10:02:14 +0000 (12:02 +0200)
hieradata/common.yaml
modules/ferm/templates/defs.conf.erb
modules/ferm/templates/me.conf.erb

index 17253c3..e4990b1 100644 (file)
@@ -59,9 +59,6 @@ roles:
     # XXX - ONLY used by ferm templates/defs.conf.erb
     - mailly.debian.org
     - muffat.debian.org
-  mirrormaster:
-    # XXX - used by ferm templates/defs.conf.erb
-    - melartin.debian.org
   muninmaster:
     # XXX - used by ferm templates/defs.conf.erb
     - menotti.debian.org
index 365fdc8..08beaa0 100644 (file)
@@ -24,7 +24,7 @@
   allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
   roles = scope.lookupvar('deprecated::roles')
 
-  %w{mailrelay nagiosmaster  muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
+  %w{mailrelay nagiosmaster  muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master}.each do |role|
     rolehost[role] = []
     roles[role].each do |node|
         next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
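Review bot: `roles[role].each`, two lines below the edited `%w{...}` list, still dereferences the hiera lookup unguarded, so this list and the `roles:` hash in hieradata/common.yaml have to change in lockstep, as this commit does for `mirrormaster`. If the two ever drift, template evaluation presumably aborts with a NoMethodError on nil, and nodes that render this template do not get regenerated firewall definitions. I would make that failure explicit at the top of the loop, e.g. `raise Puppet::ParseError, "role #{role} missing from deprecated::roles" unless roles.has_key?(role)`. Separately, `rolehost['mirrormaster']` is no longer populated after this change, so it is worth confirming that nothing outside this diff still references it or `$HOST_MIRRORMASTER_V4`/`$HOST_MIRRORMASTER_V6`. The loop body continues past the end of the hunk.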
@@ -65,8 +65,6 @@
 @def $HOST_PORTSMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ports_master']]).uniq.join(' ') %>);
 @def $HOST_ARCHIVEMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['historical_master']]).uniq.join(' ') %>);
 @def $HOST_ARCHIVEMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['historical_master']]).uniq.join(' ') %>);
-@def $HOST_MIRRORMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['mirrormaster']]).uniq.join(' ') %>);
-@def $HOST_MIRRORMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['mirrormaster']]).uniq.join(' ') %>);
 @def $HOST_SYNCPROXY_V4 = (<%= scope.function_filter_ipv4([rolehost['syncproxy']]).uniq.join(' ') %>);
 @def $HOST_SYNCPROXY_V6 = (<%= scope.function_filter_ipv6([rolehost['syncproxy']]).uniq.join(' ') %>);
 #                                             syncproxy.au           syncproxy2.eu              syncproxy3.eu           syncproxy4.eu
index 072c2c0..6bd95df 100644 (file)
@@ -41,14 +41,6 @@ if should_restrict then
                ssh6allowed << %w{$HOST_DEBIAN_V6}
        end
 
-       if scope.function_has_role(['debian_mirror']) or
-          scope.function_has_role(['security_mirror']) or
-          scope.function_has_role(['debug_mirror']) or
-          scope.function_has_role(['historical_mirror']) or
-          scope.function_has_role(['syncproxy']) then
-               ssh4allowed << '$HOST_MIRRORMASTER_V4'
-               ssh6allowed << '$HOST_MIRRORMASTER_V6'
-       end
        if scope.function_has_role(['debian_mirror']) or
           scope.function_has_role(['syncproxy']) then
                ssh4allowed << '$HOST_SYNCPROXY_V4'