From 72db3093d04931cd4710ff0a5af2b0811f9321f1 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Fri, 27 Sep 2019 23:46:23 +0200
Subject: [PATCH] pg@danzi: use a list of hosts instead of whitelisting the whole subnet
---
 modules/ferm/manifests/per_host.pp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 350ec3fdd..c4d47d725 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -177,10 +177,16 @@ class ferm::per_host {
 | EOF
 }
 ferm::rule { 'dsa-postgres-main':
- # ubc, wuiet
 description => 'Allow postgress access to cluster: main',
 domain => '(ip ip6)',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5433, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'diabelli.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'reger.debian.org', 'ipHostNumber'), " ") }
+ \$HOST_PGBACKUPHOST
+ ))
+ | EOF
 }
 ferm::rule { 'dsa-postgres-debconf':
 description => 'Allow postgress access to cluster: debconf',
-- 
2.20.1
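Review bot: The new allowlist for port 5433 is built from three `getfromhash($deprecated::allnodeinfo, '<host>', 'ipHostNumber')` lookups with no check that each one returned a non-empty list. What happens when a host is renamed or dropped from the node data depends on how `getfromhash` and `join` treat a missing key, which this hunk does not show: an empty result would silently remove that client's database access, while an error would stop the catalog from compiling. Making that outcome explicit (for instance by failing with a clear message when a lookup is empty) would keep the firewall rule and the node data from drifting apart unnoticed. The removed `# ubc, wuiet` comment also has no replacement; something like `# cluster main clients: diabelli (<role>), nono (<role>), reger (<role>), plus the pg backup host` would let a later reviewer spot a stale entry and remove it. The `ferm::rule` resource is complete in the hunk, but the enclosing `ferm::per_host` class starts and ends outside it.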