From 53cba9c46f2ba494f2376b765c38bc4813c03cd3 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Sun, 22 Sep 2019 20:59:47 +0200
Subject: [PATCH] danzi: merge dsa-postgres-danzi and dsa-postgres-danzi6

Use a single rule for both. Also rename the rule and improve the description to make it clear that it concerns the main cluster. Drop the old IP addresses of wuiet and the old UBC subnet. Ideally we should have a least of host there, but that's already an improvement.
---
 modules/ferm/manifests/per_host.pp | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 140ac7e35..92eaa7f4b 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -188,17 +188,12 @@ class ferm::per_host {
 ))
 | EOF
 }
- ferm::rule { 'dsa-postgres-danzi':
+ ferm::rule { 'dsa-postgres-main':
 # ubc, wuiet
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
- }
- ferm::rule { 'dsa-postgres-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
+ description => 'Allow postgress access to cluster: main',
+ domain => '(ip ip6)',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
 }
-
 ferm::rule { 'dsa-postgres2-danzi':
 description => 'Allow postgress access2',
 rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
-- 
2.20.1
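Review bot: The context comment `# ubc, wuiet` above the new `dsa-postgres-main` rule is now stale: per the commit message the wuiet addresses were dropped, so the remaining `209.87.16.0/24` and `2607:f8f0:614:1::/64` are presumably only the UBC ranges and the comment should read `# ubc`. The rule now passes IPv4 and IPv6 sources in one list under `domain => '(ip ip6)'`; the definition of `&SERVICE_RANGE` is not visible in this hunk, so confirm it filters the list per address family before relying on the merged rule. Port 5433 stays open to a whole /24 and /64 rather than named client hosts, which the message acknowledges; a `# TODO: restrict to the individual client hosts` line next to the rule would keep that visible to the next person auditing database exposure. The neighbouring `dsa-postgres2-danzi` rule keeps the old naming and is IPv4-only, and the `ferm::per_host` class body starts and continues outside the hunk.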