From 6849c0d133f88df75366cf25a663e52409eac389 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Sun, 22 Sep 2019 21:05:55 +0200
Subject: [PATCH] danzi: merge dsa-postgres2-danzi and dsa-postgres2-danzi6 Use a single rule for both. Also rename the rule and improve the description to make it clear that it concerns the debconf cluster. Only allow access from debussy instead of the whole subnet.
---
 modules/ferm/manifests/per_host.pp | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 92eaa7f4b..10b99f8c9 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -194,14 +194,15 @@ class ferm::per_host {
 domain => '(ip ip6)',
 rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
 }
- ferm::rule { 'dsa-postgres2-danzi':
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
- }
- ferm::rule { 'dsa-postgres2-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))'
+ ferm::rule { 'dsa-postgres-debconf':
+ description => 'Allow postgress access to cluster: debconf',
+ domain => '(ip ip6)',
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5434, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
+ \$HOST_PGBACKUPHOST
+ ))
+ | EOF
 }
 ferm::rule { 'dsa-postgres-wannabuild':
 description => 'Allow postgress access to cluster: wannabuild',
--
2.20.1
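Review bot: The source list of the new `dsa-postgres-debconf` rule contains `\$HOST_PGBACKUPHOST` in addition to debussy's addresses, but neither the commit message ("Only allow access from debussy") nor the rule's `description` mentions it, and the hunk does not show whether that host sat inside the old 209.87.16.0/24 and 2607:f8f0:614:1::/64 ranges, so the change may open port 5434 to a source that was not allowed before. I would name both sources in the rule, e.g. `description => 'Allow postgress access to cluster: debconf (debussy and pg backup host)',`. Separately, the allow-list now depends on the `getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber')` lookup; if that entry is ever missing, the interpolation presumably yields an empty string and the rule silently shrinks to the backup host only, so a one-line comment above the heredoc stating that dependency would help whoever renames or retires the host. The enclosing `class ferm::per_host` starts before the hunk and the following `dsa-postgres-wannabuild` rule continues past it.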