Dzahn has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/370498 )

Change subject: phabricator: open firewall holes only on active_server
......................................................................


phabricator: open firewall holes only on active_server

Only open the ferm/firewall holes when on the active server;
if on the standby server, block access to http/https/smtp.

Keep the ssh between servers working.

This is, at least for now, to block access to the Apache on phab2001
to prevent cross-dc traffic, since it doesn't use a codfw db backend yet.

Bug: T137928
Change-Id: I3be7ae71db282d134e5ed0dc22d2edc721317abd
---
M modules/profile/manifests/phabricator/main.pp
1 file changed, 10 insertions(+), 4 deletions(-)

Approvals:
  Paladox: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/modules/profile/manifests/phabricator/main.pp 
b/modules/profile/manifests/phabricator/main.pp
index 3e4c8bb..bb123c4 100644
--- a/modules/profile/manifests/phabricator/main.pp
+++ b/modules/profile/manifests/phabricator/main.pp
@@ -34,10 +34,12 @@
         $logmail_ensure = 'present'
         $dump_rsync_ensure = 'present'
         $dump_enabled = true
+        $ferm_ensure = 'present'
     } else {
         $logmail_ensure = 'absent'
         $dump_rsync_ensure ='absent'
         $dump_enabled = false
+        $ferm_ensure = 'absent'
     }
 
     # todo: change the password for app_user
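Review bot: The new `$ferm_ensure = 'absent'` in the else branch has no comment explaining why the standby closes its ports, and the commit message calls this a "for now" measure tied to T137928. A one-line comment next to the assignment, naming the task and the condition for reverting it (the standby getting its own db backend), would keep the workaround from outliving its reason. The name is also broader than its use: it gates only the http/https/smtp holes, so a more specific name would make it less likely that someone later attaches it to a rule that has to stay open on the standby, such as the ssh access between servers that the commit message says must keep working.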
@@ -225,23 +227,27 @@
     }
 
     ferm::service { 'phabmain_http':
-        proto => 'tcp',
-        port  => '80',
+        ensure => $ferm_ensure,
+        proto  => 'tcp',
+        port   => '80',
     }
 
     ferm::service { 'phabmain_https':
-        proto => 'tcp',
-        port  => '443',
+        ensure => $ferm_ensure,
+        proto  => 'tcp',
+        port   => '443',
     }
 
     # receive mail from mail smarthosts
     ferm::service { 'phabmain-smtp':
+        ensure => $ferm_ensure,
         port   => '25',
         proto  => 'tcp',
         srange => inline_template('(<%= @mail_smarthost.map{|x| 
"@resolve(#{x})" }.join(" ") %>)'),
     }
 
     ferm::service { 'phabmain-smtp_ipv6':
+        ensure => $ferm_ensure,
         port   => '25',
         proto  => 'tcp',
         srange => inline_template('(<%= @mail_smarthost.map{|x| 
"@resolve(#{x}, AAAA)" }.join(" ") %>)'),
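Review bot: Blocking http/https/smtp on the standby depends on more than these four `ensure => $ferm_ensure` lines: `absent` only removes the accept rules, so the ports are closed only if the host's default ferm policy drops unmatched traffic, and nothing in this file shows that. It is worth confirming on the standby after the Puppet run that 80, 443 and 25 are no longer reachable, and stating the dependency in a comment above `phabmain_http`. The same parameter is also repeated on `phabmain_http`, `phabmain_https`, `phabmain-smtp` and `phabmain-smtp_ipv6`; a short comment grouping them as "opened only on the active server" would make it clear to the next editor that a new `ferm::service` added here needs the same `ensure`.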

-- 
To view, visit https://gerrit.wikimedia.org/r/370498
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3be7ae71db282d134e5ed0dc22d2edc721317abd
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Paladox <thomasmulhall...@yahoo.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
