From f5bdff6b668ca7c9e51c2a6d557c76b19cb8187d Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Wed, 10 Oct 2018 10:00:40 +0200 Subject: [PATCH] Start with removing some moszumanska entries (in particular about pg backups). re: #7513) --- modules/exim/files/common/whitelist | 1 - modules/exim/templates/eximconf.erb | 2 +- modules/ferm/manifests/per_host.pp | 10 +++++----- modules/named/manifests/init.pp | 4 ++-- modules/postgres/manifests/backup_server.pp | 11 +---------- .../backup_server/postgres-make-base-backups.erb | 3 --- .../templates/backup_server/sshkeys-manual.erb | 2 +- .../static-mirroring/staticsync-authorized_keys.erb | 2 +- 8 files changed, 11 insertions(+), 24 deletions(-) diff --git a/modules/exim/files/common/whitelist b/modules/exim/files/common/whitelist index c51587398..e9589df3f 100644 --- a/modules/exim/files/common/whitelist +++ b/modules/exim/files/common/whitelist @@ -3,6 +3,5 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## -5.153.231.21 *.debconf.org *.spi-inc.org diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index b2732623d..69b289acc 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -917,7 +917,7 @@ check_message: <%- end -%> <%- if @is_packagesqamaster -%> - deny !hosts = +debianhosts : 5.153.231.21 + deny !hosts = +debianhosts condition = ${if eq {$acl_m_prf}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} message = messages to the PTS require an X-PTS-Approved header diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp index 11f17b9ca..18f8b5ab8 100644 --- a/modules/ferm/manifests/per_host.pp +++ b/modules/ferm/manifests/per_host.pp 
@@ -128,13 +128,13 @@ class ferm::per_host { ullmann: { @ferm::rule { 'dsa-postgres-udd': description => 'Allow postgress access', - # quantz, moszumanska, master, coccia - rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))' + # quantz, master, coccia + rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 82.195.75.110/32 5.153.231.11/32 ))' } @ferm::rule { 'dsa-postgres-udd6': domain => '(ip6)', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))' + rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 ))' } } fasolo: { @@ -170,12 +170,12 @@ class ferm::per_host { } @ferm::rule { 'dsa-postgres-dak': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))' + rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))' } @ferm::rule { 'dsa-postgres-dak6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))' + rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))' } @ferm::rule { 'dsa-postgres-wannabuild': # wuiet, ullmann diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp index f731dffcf..be557c8d8 100644 --- a/modules/named/manifests/init.pp +++ b/modules/named/manifests/init.pp 
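Review bot: The rewritten `dsa-postgres-udd6` rule still carries `2001:41c8:1000:21::21:11/32`, and a /32 on an IPv6 address admits the whole 2001:41c8::/32 allocation to port 5452 rather than a single host. Every other IPv6 peer in this rule is a /128, and the IPv4 rule uses /32 for single hosts, so this looks like a v4 mask copied over. Since the line is being edited anyway, `2001:41c8:1000:21::21:11/128` would match the evident intent. The `dsa-postgres-dak6` rule in the next hunk already uses /128 for the same address.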
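Review bot: The `dsa-postgres-dak` and `dsa-postgres-dak6` allowlists are bare addresses with no comment naming the hosts, unlike `dsa-postgres-udd` in the previous hunk, which carries `# quantz, master, coccia`. Without one, a reader cannot tell from the diff which peers keep access to port 5434, or confirm that 5.153.231.21 and 2001:41c8:1000:21::21:21 were the only moszumanska entries. A comment above each `rule =>` listing the hostnames in address order, for example `# <host of 5.153.231.11>, <host of 5.153.231.28>, ...`, would make the next decommissioning easier to verify. The enclosing case branch starts and ends outside the hunk.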
@@ -26,12 +26,12 @@ class named { @ferm::rule { '01-dsa-bind-4': domain => '(ip)', description => 'Allow nameserver access', - rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 $HOST_NETNOD_V4 5.153.231.21 ) )', + rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 $HOST_NETNOD_V4 ) )', } @ferm::rule { '01-dsa-bind-6': domain => '(ip6)', description => 'Allow nameserver access', - rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 $HOST_NETNOD_V6 2001:41c8:1000:21::21:21 ) )', + rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 $HOST_NETNOD_V6 ) )', } } else { @ferm::rule { '01-dsa-bind': diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp index 377dc861d..a5361b1e1 100644 --- a/modules/postgres/manifests/backup_server.pp +++ b/modules/postgres/manifests/backup_server.pp @@ -102,16 +102,7 @@ class postgres::backup_server { notify => Exec['update dsa-check-backuppg-manual.conf'] } file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/moszumanska.conf': - ensure => ($::hostname in [backuphost]) ? { - true => 'absent', - default => 'present' - }, - content => @(EOF), - --- - backups: - moszumanska: - main: - | EOF + ensure => 'absent', notify => Exec['update dsa-check-backuppg-manual.conf'] } File<<| tag == $postgres::backup_server::globals::tag_dsa_check_backupp |>> diff --git a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb index b0d7d32b4..fa1724daf 100755 --- a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb +++ b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb 
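Review bot: In `modules/postgres/manifests/backup_server.pp` the `moszumanska.conf` file resource is now kept only to force `ensure => 'absent'`, and nothing in it says it is a one-time cleanup. A comment above it such as `# cleanup after moszumanska removal (re: #7513); drop this resource once every backup server has applied it` would keep it from lingering indefinitely. It still notifies `Exec['update dsa-check-backuppg-manual.conf']`, so the backup check presumably stops expecting moszumanska base backups once this applies. The class body continues outside the hunk.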
@@ -166,9 +166,6 @@ bmdb1.debian.org 5440 debian-backup debsources 9.6 fasolo.debian.org 5433 debian-backup dak 9.6 sibelius.debian.org 5433 debian-backup snapshot 9.4 sallinen.debian.org 5473 debian-backup snapshot 9.6 -<%- if @hostname != "backuphost" -%> -moszumanska.debian.org 5432 debian-backup main 9.1 -<%- end -%> # # puppet notice: this is just a partial file. The tail EOF comes # from a different concat fragment diff --git a/modules/postgres/templates/backup_server/sshkeys-manual.erb b/modules/postgres/templates/backup_server/sshkeys-manual.erb index 8e6ff196f..34bebb4f9 100644 --- a/modules/postgres/templates/backup_server/sshkeys-manual.erb +++ b/modules/postgres/templates/backup_server/sshkeys-manual.erb 
@@ -5,7 +5,7 @@ command="/usr/local/bin/debbackup-ssh-wrap bmdb1 --read-allow=/srv/backups/pg/fa command="/usr/local/bin/debbackup-ssh-wrap danzi",restrict,from="2607:f8f0:614:1::1274:30,209.87.16.30" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUMgnFZUkYiX8ldYKmiX91Z+CD67dhgyq+3CLW3T2Rn+L8yzsZwT+qU0FCPTOz2RTVI1UUlrAST2u1Zcx9Ys3/8qegQ8LTX/Nu2SEVVVeWOgYAbC2HINfmKELEZh77te1te+wyGoGuXIBlIBiUr5+VtzWPWDY08E6xQf1Y2hCUV4ZOYH6//vM1nKldT588r05hoIgX1um1GKfmGXAVS0z2qcZbRR8mCxrNyIV23pM28urJgF4LgqQFk3chRkyv/Yq7Han4aqnUg32S21bAMsH47B00+wk4zkRoTxyF6TeO6/WsAM1cezx7fMwODd/Ipn6miLtkb1SVgDP/qP1ironZ postgres@danzi (20101211) command="/usr/local/bin/debbackup-ssh-wrap chopin",restrict,from="2001:8d8:580:400:6564:a62::3,195.20.242.124" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtJ54j48JZRNVRaCeIsRwuw3/gfBgpz9TCR1PUd+NfugscrR9xlYAac+DD7GuGkVb1FZuZLGTkrrg+Ziis5ZOEaib/WxjmdTM0FLLw+3shTaBbPP4snWj+H31wA+SS6b9bqVikaZYq3ZRO3Nt8eScphpoU4sw3BgUGE+lNgjFCx+Y6zasRon/KU+YKHtKYKMg/8Ams551oaCBPP0tXGWAeoiDAHq/PUWaaK4jyu+a2BAP/fQ2OovXsM6t+0pRpdtxCBV1kgKtgJnbV1xEFpFRvpBMQv+BQb8M4eVUJ1DgyOT4Ew3Zl1XYNvCT/YMoYOElOmRio1aD9+dh7CZCfWlYMw== postgres@chopin (20101213) command="/usr/local/bin/debbackup-ssh-wrap lw07 --read-allow=/srv/backups/pg/sallinen",restrict,from="185.17.185.187,2001:1af8:4020:b030:deb::187" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLZIqnyKrsfoT1sQdbuUsOoqW1t71Sv8hpJj9yLzrSFq/YCnho9G2Q/LJm4sMB4W64uQMUX6oLsqsgIBbOZw71CBRou41zwS/D+7+sjiPy1aVXp+L+fAXqLdemCUYqXAm0bGTLboGmlDSG3/r3v3B2+vqwAoHaC/GwuoNgvHq+sfxZPo/9cDRlTyE0ktyxwdUN+czxyLtDPqz3CucOHX03p8F3lNEwFUCGIVAkP4zxZsiEjD+eCbWam0bVFoWnfXYcmf2GYKEy2PQp0ksXmbsnRIblW5zoKdEXeDjwSStFHtjqkJw2TdPLUGSXljCgy9OCXYVMUrFnXw2Ak88KYpV postgres@lw07 (20140713) -command="/usr/local/bin/debbackup-ssh-wrap moszumanska",restrict,from="5.153.231.21,2001:41c8:1000:21::21:21" ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQD7mdgD1lNyehdDE/yBlbMUVWwNWz7Lr77sIaK61ct3UjFaYGwJZ2nMph3yylcJF1svuQUZ1qNOgZxTx2reOGMbNx1dO2q9O42z6GMoAp1QAKF43EEFJWGgQb9LCvjRZRQnK65KdP1Lv5igc+c9tFbF0y/u1sf1uMuGtBYN4r5mFbn8t1toMAxiUQJzljbRxDrLWZbEH+jwtJBxjZfpWLX9zB2dSMgIawVrTalN9r6fkWvkxC9POtqmZXGyFhljbi8vOsdFXKCs0kI3QLUyRSKvSSCN2+WstMg5hPAo6q0AplrJwilTQiyntSutd1o9KF7qQh5dSCi2yxR5d6R7jbw/ postgres@moszumanska (20150321) +# command="/usr/local/bin/debbackup-ssh-wrap moszumanska",restrict,from="5.153.231.21,2001:41c8:1000:21::21:21" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD7mdgD1lNyehdDE/yBlbMUVWwNWz7Lr77sIaK61ct3UjFaYGwJZ2nMph3yylcJF1svuQUZ1qNOgZxTx2reOGMbNx1dO2q9O42z6GMoAp1QAKF43EEFJWGgQb9LCvjRZRQnK65KdP1Lv5igc+c9tFbF0y/u1sf1uMuGtBYN4r5mFbn8t1toMAxiUQJzljbRxDrLWZbEH+jwtJBxjZfpWLX9zB2dSMgIawVrTalN9r6fkWvkxC9POtqmZXGyFhljbi8vOsdFXKCs0kI3QLUyRSKvSSCN2+WstMg5hPAo6q0AplrJwilTQiyntSutd1o9KF7qQh5dSCi2yxR5d6R7jbw/ postgres@moszumanska (20150321) command="/usr/local/bin/debbackup-ssh-wrap seger",restrict,from="82.195.75.93,2001:41b8:202:deb::311:93" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuLyOZP0eJvTEVXoI0K5xJw2OLZkaJ3yl7Gko/YfhhBebxEB9R0xu97zkiKqitmWm61BZSapdIqlUeMd+t/UgjcqpffXkGz0nx99YZgY0lq3WA4MLZiRrZGnfSzjSvcdSFXDlmv20+txEuf05h26BJUAsjQaugNd0641WPWoLK3+sHc4ZXga7//M6bia8b7n3iYCeVc8UHyjWsSPq/+QyTa49+ZXYLIraGOpZbQG276ywLm4eDc8VWalw7mB0cWJTIM9NGTSVQPEP8bvY9MqzvmmnltjyQ4Mk+PQHobMzlb99HXMNGZpM8fpHZgLjcnCurHtFGYiMBt3MlDJzA9Egp postgres@seger command="/usr/local/bin/debbackup-ssh-wrap fasolo",restrict,from="138.16.160.17" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9c7cUVy40BibIwNN0cE2PMPqnU+iSLUj6SE5+2DJiDYuCoB3blFkCkQk2IjvTCAorWwDJGumH4Zu2CVtXOzwVXcxaZQCMnkOos0pTA6IaFX8FQdYTo8O9sOp/i2EWgHCD7jjzLGqXpNX7B5+kbFzQ/KX+2FgLjVob95YGid/b70XgBAeBj9RZKb4A6BmOPh9rB7a/wg/446aQlxf4+1C0kKA3Cs36yj8lNl17k+ClPcj2j0SX3vA8LjzL5sTUOco4PNg1pkOUq3rVz58UruK/4E/1Gb8r6iVjxPQvSPvKC/wlpSUNqVRJXMgxrAE+D8AXiEoMXm61eM4gcm1Mad1L postgres@fasolo (20161022) command="/usr/local/bin/debbackup-ssh-wrap 
sallinen",restrict,from="193.62.202.26,2001:630:206:4000:1a1a:0:c13e:ca1a" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+kslXxLI6dGRSJoHKnKpWMcTdvlMM4KbrPPDzhijemmxo2lpMRSuvzc98UE2zy4fDSWFbid1drf8XC/BwwNRLnJGFcMjJ42JcDBz9zALQfgmhFzgxFRJFsHgXxq/GJNqvq9i2Mk1dV8wpQgJNToYU5XHJjkLCT2ucV9jUZ1ZRFaLxrnM7uMXPH8HJ1vqTRHMrq/YghUMJHDBLK8ukChs2uEOYJxODJkYdbSFUC//KVScFnDC0WhhDtjCuIn4USY3KNJ9GrxhNSFc/O0XWKFAc2ntzk0d7WDH6O+9izkesXugq/ICFmDIGu4OXCnQYWdQQVsaAlFkD5lgbcw+7wG77 postgres@sallinen (2018-01-04) diff --git a/modules/roles/templates/static-mirroring/staticsync-authorized_keys.erb b/modules/roles/templates/static-mirroring/staticsync-authorized_keys.erb index eecf4c65f..e5048355b 100644 --- a/modules/roles/templates/static-mirroring/staticsync-authorized_keys.erb +++ b/modules/roles/templates/static-mirroring/staticsync-authorized_keys.erb @@ -25,7 +25,7 @@ callers = [] end end -callers << { 'node' => 'moszumanska.debian.org', 'addr' => allnodeinfo['moszumanska.debian.org']['ipHostNumber'], 'key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXHFIkIhOC5iDa0d0IN5w6tUUL2T2iXCYcS2+dandE9f550OpKQ/evUZhw4EERNYDA3G7GV3jJzQR0j/KZWJUtDCichmqS94xJqXURmZVNeLXWY9x/N7CB1iG1Iblu6sgyTUrs7N6Wb0fUab3AXAi9KIXdwNLY622reR9T//bRULPVIl5VFpYtGBPT9n3wR7fLQ4ndEcUmEGcM4jRbpLmye4QGgJotuzeBWUpX+U648Yly6U7NlAJIWPUt7hEzMz2AC81SLhGCwTk6sb19n2dO6WN2ndynp8PLG1emtgd1/DaeaRyPcitoWgSoDNgKNk3zLIDtCdSYvFI8xXrm6cK3 staticsync@wagner'} +# callers << { 'node' => 'moszumanska.debian.org', 'addr' => allnodeinfo['moszumanska.debian.org']['ipHostNumber'], 'key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXHFIkIhOC5iDa0d0IN5w6tUUL2T2iXCYcS2+dandE9f550OpKQ/evUZhw4EERNYDA3G7GV3jJzQR0j/KZWJUtDCichmqS94xJqXURmZVNeLXWY9x/N7CB1iG1Iblu6sgyTUrs7N6Wb0fUab3AXAi9KIXdwNLY622reR9T//bRULPVIl5VFpYtGBPT9n3wR7fLQ4ndEcUmEGcM4jRbpLmye4QGgJotuzeBWUpX+U648Yly6U7NlAJIWPUt7hEzMz2AC81SLhGCwTk6sb19n2dO6WN2ndynp8PLG1emtgd1/DaeaRyPcitoWgSoDNgKNk3zLIDtCdSYvFI8xXrm6cK3 staticsync@wagner'} lines = [] for m in callers do -- 2.20.1
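Review bot: The moszumanska entry in `sshkeys-manual.erb` is commented out rather than deleted, so the retired host's public key and `from=` addresses still ship in the deployed authorized_keys file, one stray uncomment away from restoring backup access. sshd ignores lines starting with `#`, so access is revoked either way, but deleting the line, as the whitelist and ferm hunks do, leaves less to audit, and git history keeps the key. The same applies to the commented-out `callers <<` line in `staticsync-authorized_keys.erb`. If the lines are kept deliberately during the migration, a dated marker such as `# disabled 2018-10-10 (re: #7513), delete once moszumanska is gone` would record that.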