From 63aa133f8873fbebfa4e1e39cb53bb9b7858c052 Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Fri, 1 Jun 2018 17:05:55 +0200
Subject: [PATCH] try apache rate limiting on snapshot hosts, 2

---
 hieradata/common.yaml                   | 7 +++++++
 modules/apache2/manifests/init.pp       | 2 +-
 modules/roles/manifests/snapshot_web.pp | 1 -
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 69a63c377..2927640ef 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -351,6 +351,13 @@ roles:
     # Hosts that run apache but where it should not be open to the internet by
     # default
     - casulana.debian.org
+  apache_ratelimited:
+    - beach.debian.org
+    - buxtehude.debian.org
+    - lw07.debian.org
+    - picconi.debian.org
+    - pkgmirror-csail.debian.org
+    - sallinen.debian.org
   cdbuilder_local_mirror:
     - casulana.debian.org
   alioth_archive:
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 8aacde987..4290e02b1 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -154,7 +154,7 @@ class apache2 {
 	}
 
 	if (! has_role('apache_not_public')) {
-		if $::hostname in [beach,buxtehude,picconi,pkgmirror-csail] {
+		if has_role('apache_ratelimited') {
 			include apache2::dynamic
 		} else {
 			@ferm::rule { 'dsa-http':
diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index 582f5076a..ee9ab949f 100644
--- a/modules/roles/manifests/snapshot_web.pp
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -1,6 +1,5 @@
 class roles::snapshot_web {
 	include apache2
-	include apache2::dynamic
 	include apache2::rewrite
 
 	ensure_packages ( [
-- 
2.20.1