From: Aurelien Jarno
Date: Fri, 27 Sep 2019 21:46:23 +0000 (+0200)
Subject: pg@danzi: use a list of hosts instead of whitelisting the whole subnet
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=72db3093d04931cd4710ff0a5af2b0811f9321f1

pg@danzi: use a list of hosts instead of whitelisting the whole subnet
---
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 350ec3fdd..c4d47d725 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -177,10 +177,16 @@ class ferm::per_host {
 | EOF
 }
 ferm::rule { 'dsa-postgres-main':
- # ubc, wuiet
 description => 'Allow postgress access to cluster: main',
 domain => '(ip ip6)',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5433, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'diabelli.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'reger.debian.org', 'ipHostNumber'), " ") }
+ \$HOST_PGBACKUPHOST
+ ))
+ | EOF
 }
 ferm::rule { 'dsa-postgres-debconf':
 description => 'Allow postgress access to cluster: debconf',
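Review bot: The new source list in `dsa-postgres-main` carries no comment saying why diabelli, nono and reger need port 5433, and the removed `# ubc, wuiet` line was the only rationale the rule had. A comment above `rule =>` in the form `# allowed clients of cluster main: <host> (<reason>), ...` would let a later audit tell a stale entry from a needed one. The addresses are now resolved from `$deprecated::allnodeinfo` when the catalog is compiled, so the effective allowlist follows that data. What `getfromhash` returns for a host that is missing or has no `ipHostNumber` is not visible here, so it is worth confirming that such a lookup fails the compile rather than quietly contributing an empty entry. `\$HOST_PGBACKUPHOST` is escaped and reaches ferm unexpanded, so it must be defined in the ferm configuration loaded before this rule; the enclosing host block starts outside the hunk.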