Signed-off-by: Stephen Gran <steve@lobefin.net>
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
*.debconf.org
*.spi-inc.org
*.debconf.org
*.spi-inc.org
<%- end -%>
<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%>
<%- end -%>
<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%>
- deny !hosts = +debianhosts : 217.196.43.134
+ deny !hosts = +debianhosts : 5.153.231.21
condition = ${if eq {$acl_m_prf}{PTSMail}}
condition = ${if def:h_X-PTS-Approved:{false}{true}}
message = messages to the PTS require an X-PTS-Approved header
condition = ${if eq {$acl_m_prf}{PTSMail}}
condition = ${if def:h_X-PTS-Approved:{false}{true}}
message = messages to the PTS require an X-PTS-Approved header
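Review bot: The exemption in `deny !hosts = +debianhosts : 5.153.231.21` lists only an IPv4 literal, while the same commit adds `2001:41c8:1000:21::21:21/128` to the ferm rules for what appears to be the same new host. If that host delivers PTS mail over IPv6, it would presumably fall outside the exemption and be held to the X-PTS-Approved requirement. Consider listing both addresses with a changed list separator, e.g. `deny !hosts = <; +debianhosts ; 5.153.231.21 ; 2001:41c8:1000:21::21:21`, and adding a comment that names the host so the literal is not anonymous. The enclosing ACL lies outside the hunk, so how this statement interacts with the rest was not reviewed.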
samosa: {
@ferm::rule { 'dsa-udd-stunnel':
description => 'port 8080 for udd stunnel',
samosa: {
@ferm::rule { 'dsa-udd-stunnel':
description => 'port 8080 for udd stunnel',
- rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
+ rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 5.153.231.21 ))'
}
bendel: {
@ferm::rule { 'listmaster-ontp-in':
}
bendel: {
@ferm::rule { 'listmaster-ontp-in':
- description => 'ONTP has a broken mail setup',
- table => 'filter',
- chain => 'INPUT',
- rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
+ description => 'ONTP has a broken mail setup',
+ table => 'filter',
+ chain => 'INPUT',
+ rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
}
@ferm::rule { 'listmaster-ontp-out':
}
@ferm::rule { 'listmaster-ontp-out':
- description => 'ONTP has a broken mail setup',
- table => 'filter',
- chain => 'OUTPUT',
- rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
+ description => 'ONTP has a broken mail setup',
+ table => 'filter',
+ chain => 'OUTPUT',
+ rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
}
}
abel,alwyn,rietz,jenkins: {
}
}
abel,alwyn,rietz,jenkins: {
ullmann: {
@ferm::rule { 'dsa-postgres-udd':
description => 'Allow postgress access',
ullmann: {
@ferm::rule { 'dsa-postgres-udd':
description => 'Allow postgress access',
- # quantz, wagner, master, couper, coccia, franck
- rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
+ # quantz, moszumanska, master, couper, coccia, franck
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
}
@ferm::rule { 'dsa-postgres-udd6':
domain => '(ip6)',
description => 'Allow postgress access',
}
@ferm::rule { 'dsa-postgres-udd6':
domain => '(ip6)',
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
}
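Review bot: The `dsa-postgres-udd6` rule still carries `2001:41c8:1000:21::21:11/32`, and a /32 mask on an IPv6 host address most likely opens tcp/5452 to the whole 2001:41c8::/32 allocation rather than to one machine. Since this line is being edited anyway, that entry should read `2001:41c8:1000:21::21:11/128` like its neighbours. In the IPv4 `dsa-postgres-udd` rule the change also removes `217.196.43.132/32`, beyond swapping 217.196.43.134 for 5.153.231.21, and the backuphost hunk further down likewise drops vasks.debian.org. If that is the same retired host, the commit message should say so. The name comment pairs hosts with addresses only by position, so a per-address comment would make the next removal easier to verify.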
# vpn fu
case $::hostname {
}
# vpn fu
case $::hostname {
rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
}
}
rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
}
}
notify no;
file "db.alioth.debian.org";
masters {
notify no;
file "db.alioth.debian.org";
masters {
};
allow-query { any; };
allow-transfer { };
};
allow-query { any; };
allow-transfer { };
# puppetd maintained
# <master> <service> <source host> <directory> <extra push hosts, comma separated>
# puppetd maintained
# <master> <service> <source host> <directory> <extra push hosts, comma separated>
-bizet.debian.org mozilla.debian.net wagner.debian.org /srv/home/groups/pkg-mozilla/htdocs
+bizet.debian.org mozilla.debian.net moszumanska.debian.org /srv/home/groups/pkg-mozilla/htdocs
bizet.debian.org planet.debian.org philp.debian.org /srv/planet.debian.org/www
bizet.debian.org www.debian.org wolkenstein.debian.org /srv/www.debian.org/www
bizet.debian.org bits.debian.org master.debian.org /srv/bits-master.debian.org/htdocs
bizet.debian.org planet.debian.org philp.debian.org /srv/planet.debian.org/www
bizet.debian.org www.debian.org wolkenstein.debian.org /srv/www.debian.org/www
bizet.debian.org bits.debian.org master.debian.org /srv/bits-master.debian.org/htdocs
-callers << { 'node' => 'wagner.debian.org', 'addr' => allnodeinfo['wagner.debian.org']['ipHostNumber'], 'key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXHFIkIhOC5iDa0d0IN5w6tUUL2T2iXCYcS2+dandE9f550OpKQ/evUZhw4EERNYDA3G7GV3jJzQR0j/KZWJUtDCichmqS94xJqXURmZVNeLXWY9x/N7CB1iG1Iblu6sgyTUrs7N6Wb0fUab3AXAi9KIXdwNLY622reR9T//bRULPVIl5VFpYtGBPT9n3wR7fLQ4ndEcUmEGcM4jRbpLmye4QGgJotuzeBWUpX+U648Yly6U7NlAJIWPUt7hEzMz2AC81SLhGCwTk6sb19n2dO6WN2ndynp8PLG1emtgd1/DaeaRyPcitoWgSoDNgKNk3zLIDtCdSYvFI8xXrm6cK3 staticsync@wagner'}
+callers << { 'node' => 'moszumanska.debian.org', 'addr' => allnodeinfo['moszumanska.debian.org']['ipHostNumber'], 'key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXHFIkIhOC5iDa0d0IN5w6tUUL2T2iXCYcS2+dandE9f550OpKQ/evUZhw4EERNYDA3G7GV3jJzQR0j/KZWJUtDCichmqS94xJqXURmZVNeLXWY9x/N7CB1iG1Iblu6sgyTUrs7N6Wb0fUab3AXAi9KIXdwNLY622reR9T//bRULPVIl5VFpYtGBPT9n3wR7fLQ4ndEcUmEGcM4jRbpLmye4QGgJotuzeBWUpX+U648Yly6U7NlAJIWPUt7hEzMz2AC81SLhGCwTk6sb19n2dO6WN2ndynp8PLG1emtgd1/DaeaRyPcitoWgSoDNgKNk3zLIDtCdSYvFI8xXrm6cK3 staticsync@wagner'}
lines = []
for m in callers do
lines = []
for m in callers do
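Review bot: The new `callers` entry for moszumanska.debian.org reuses the old host's public key byte for byte (the key comment is still `staticsync@wagner`), which implies the private key was copied to the new machine rather than regenerated. Any copy of that private key left on the retired host, its disks or its backups stays valid for static sync, limited only by whatever address restriction the loop below builds from `addr` (the loop body is outside the hunk). Generating a fresh keypair on the new host and replacing the string with `'ssh-rsa <NEW_PUBLIC_KEY> staticsync@moszumanska'` would retire the old credential together with the old host. Separately, `allnodeinfo['moszumanska.debian.org']['ipHostNumber']` fails on nil if the node is not yet in the directory data, so a guard or a clear error would help.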
when "backuphost.debian.org" then
out = ''
scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
when "backuphost.debian.org" then
out = ''
scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
- if %w{vasks.debian.org wagner.debian.org stabile.debian.org}.include?(node) then
+ if %w{moszumanska.debian.org stabile.debian.org}.include?(node) then
out += '# ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'][0] + '
command="/usr/lib/da-backup/da-backup-ssh-wrap ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'][0] + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].join(',') + '" ' + scope.lookupvar('site::allnodeinfo')[node]['sshRSAHostKey'][0] + '
out += '# ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'][0] + '
command="/usr/lib/da-backup/da-backup-ssh-wrap ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'][0] + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].join(',') + '" ' + scope.lookupvar('site::allnodeinfo')[node]['sshRSAHostKey'][0] + '