Add an apache_not_public role where we do not add ferm allow rules and put casulana...
authorPeter Palfrader <peter@palfrader.org>
Fri, 9 Feb 2018 19:03:17 +0000 (20:03 +0100)
committerPeter Palfrader <peter@palfrader.org>
Fri, 9 Feb 2018 19:03:17 +0000 (20:03 +0100)
hieradata/common.yaml
modules/apache2/manifests/init.pp

index 29d235d..c946236 100644 (file)
@@ -352,3 +352,7 @@ roles:
     - storace.debian.org
   debconf_wafer:
     - debussy.debian.org
+  apache_not_public:
+    # Hosts that run apache but where it should not be open to the internet by
+    # default
+    - casulana.debian.org
index 985620f..8aacde9 100644 (file)
@@ -153,21 +153,23 @@ class apache2 {
                ensure => installed,
        }
 
-       if $::hostname in [beach,buxtehude,picconi,pkgmirror-csail] {
-               include apache2::dynamic
-       } else {
-               @ferm::rule { 'dsa-http':
-                       prio        => '23',
-                       description => 'Allow web access',
-                       rule        => '&SERVICE(tcp, (http https))'
+       if (! has_role('apache_not_public')) {
+               if $::hostname in [beach,buxtehude,picconi,pkgmirror-csail] {
+                       include apache2::dynamic
+               } else {
+                       @ferm::rule { 'dsa-http':
+                               prio        => '23',
+                               description => 'Allow web access',
+                               rule        => '&SERVICE(tcp, (http https))'
+                       }
                }
-       }
 
-       @ferm::rule { 'dsa-http-v6':
-               domain          => '(ip6)',
-               prio            => '23',
-               description     => 'Allow web access',
-               rule            => '&SERVICE(tcp, (http https))'
+               @ferm::rule { 'dsa-http-v6':
+                       domain          => '(ip6)',
+                       prio            => '23',
+                       description     => 'Allow web access',
+                       rule            => '&SERVICE(tcp, (http https))'
+               }
        }
 
        exec { 'service apache2 reload':
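Review bot: The new outer guard at the `if (! has_role('apache_not_public'))` line suppresses both the `dsa-http` and `dsa-http-v6` allow rules, but nothing in the manifest says what the role relies on for hosts that carry it; the only explanation lives in hieradata. A comment above the guard would make the security intent visible to the next person editing this class, e.g. `# Hosts with the apache_not_public role get no ferm allow rules for http/https; they are reachable only if another manifest opens the ports explicitly.` Note that the package is still installed and apache still listens, so the role presumably depends on ferm's default policy rejecting unsolicited inbound traffic — worth confirming and stating in that comment. As a point of style, Puppet reads more naturally as `unless has_role('apache_not_public') {` than a negated `if`. The enclosing `class apache2` starts and ends outside the hunk.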