Giuseppe Lavagetto has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/383519 )
Change subject: base::firewall: rename to profile::base::firewall ...................................................................... base::firewall: rename to profile::base::firewall Change-Id: I4a30e491f5861aa00c959d04a4974abe053d55b6 --- M manifests/site.pp M modules/contint/manifests/firewall.pp M modules/dumps/manifests/nfs.pp M modules/dumps/manifests/web/xmldumps.pp R modules/profile/files/base/firewall/check_conntrack.py R modules/profile/files/base/firewall/check_ferm R modules/profile/files/base/firewall/main-input-default-drop.conf R modules/profile/files/base/firewall/main-minimal.conf R modules/profile/files/base/firewall/nf_conntrack.conf M modules/profile/manifests/backup/director.pp M modules/profile/manifests/backup/host.pp M modules/profile/manifests/backup/storage.pp R modules/profile/manifests/base/firewall.pp M modules/profile/manifests/dnsrecursor.pp M modules/profile/manifests/etherpad.pp M modules/profile/manifests/gerrit/server.pp M modules/profile/manifests/lists.pp M modules/profile/manifests/microsites/annualreport.pp M modules/profile/manifests/microsites/static_bugzilla.pp M modules/profile/manifests/microsites/transparency.pp M modules/profile/manifests/ores/redis.pp M modules/profile/manifests/otrs.pp M modules/profile/manifests/planet/venus.pp M modules/profile/manifests/pmacct.pp M modules/profile/manifests/requesttracker/server.pp M modules/profile/manifests/statistics/cruncher.pp M modules/profile/manifests/statistics/web.pp M modules/profile/manifests/url_downloader.pp M modules/profile/manifests/yubiauth/server.pp R modules/profile/templates/base/firewall/defs.erb R modules/profile/templates/base/firewall/defs.labs.erb M modules/role/manifests/aqs.pp M modules/role/manifests/archiva.pp M modules/role/manifests/authdns/server.pp M modules/role/manifests/bastionhost/general.pp M modules/role/manifests/bastionhost/opsonly.pp M modules/role/manifests/bastionhost/twofa.pp M modules/role/manifests/beta/mediawiki.pp M 
modules/role/manifests/builder.pp M modules/role/manifests/cache/canary.pp M modules/role/manifests/cluster/management.pp M modules/role/manifests/configcluster.pp M modules/role/manifests/debug_proxy.pp M modules/role/manifests/deployment_server.pp M modules/role/manifests/deployment_server/base.pp M modules/role/manifests/discovery/dashboards.pp M modules/role/manifests/docker/registry.pp M modules/role/manifests/dumps/web/htmldumps.pp M modules/role/manifests/elasticsearch/cirrus.pp M modules/role/manifests/elasticsearch/relforge.pp M modules/role/manifests/etcd/kubernetes.pp M modules/role/manifests/etcd/networking.pp M modules/role/manifests/eventbus/eventbus.pp M modules/role/manifests/failoid.pp M modules/role/manifests/ganeti.pp M modules/role/manifests/ganglia/web.pp M modules/role/manifests/grafana/base.pp M modules/role/manifests/graphite/production.pp M modules/role/manifests/icinga.pp M modules/role/manifests/iegreview/app.pp M modules/role/manifests/installserver/dhcp.pp M modules/role/manifests/installserver/http.pp M modules/role/manifests/installserver/proxy.pp M modules/role/manifests/installserver/tftp.pp M modules/role/manifests/jobqueue_redis/master.pp M modules/role/manifests/jobqueue_redis/slave.pp M modules/role/manifests/kafka/jumbo/broker.pp M modules/role/manifests/kafka/simple/broker.pp M modules/role/manifests/kubernetes/master.pp M modules/role/manifests/kubernetes/staging/etcd.pp M modules/role/manifests/kubernetes/staging/master.pp M modules/role/manifests/kubernetes/staging/worker.pp M modules/role/manifests/kubernetes/worker.pp M modules/role/manifests/labs/db/proxy.pp M modules/role/manifests/labs/db/replica.pp M modules/role/manifests/labs/novaproxy.pp M modules/role/manifests/labs/puppetmaster/backend.pp M modules/role/manifests/labs/puppetmaster/frontend.pp M modules/role/manifests/logging/mediawiki/udp2log.pp M modules/role/manifests/logstash/collector.pp M modules/role/manifests/logstash/elasticsearch.pp M 
modules/role/manifests/mail/mx.pp M modules/role/manifests/maps/master.pp M modules/role/manifests/maps/slave.pp M modules/role/manifests/maps/test/master.pp M modules/role/manifests/maps/test/slave.pp M modules/role/manifests/mariadb/core.pp M modules/role/manifests/mariadb/dbstore.pp M modules/role/manifests/mariadb/dbstore_multiinstance.pp M modules/role/manifests/mariadb/labs_deprecated.pp M modules/role/manifests/mariadb/misc.pp M modules/role/manifests/mariadb/misc/eventlogging.pp M modules/role/manifests/mariadb/misc/phabricator.pp M modules/role/manifests/mariadb/parsercache.pp M modules/role/manifests/mariadb/sanitarium_multiinstance.pp M modules/role/manifests/mariadb/sanitarium_multisource.pp M modules/role/manifests/mediawiki/imagescaler.pp M modules/role/manifests/mediawiki/videoscaler.pp M modules/role/manifests/mediawiki_maintenance.pp M modules/role/manifests/memcached.pp M modules/role/manifests/microsites/peopleweb.pp M modules/role/manifests/mirrors.pp M modules/role/manifests/mw_rc_irc.pp M modules/role/manifests/network/monitor.pp M modules/role/manifests/ocg.pp M modules/role/manifests/openldap/corp.pp M modules/role/manifests/openldap/labs.pp M modules/role/manifests/openldap/labtest.pp M modules/role/manifests/ores/stresstest.pp M modules/role/manifests/osm/master.pp M modules/role/manifests/osm/slave.pp M modules/role/manifests/package/builder.pp M modules/role/manifests/parsoid.pp M modules/role/manifests/paws_internal/jupyterhub.pp M modules/role/manifests/phabricator_server.pp M modules/role/manifests/poolcounter/server.pp M modules/role/manifests/postgres/master.pp M modules/role/manifests/prometheus/global.pp M modules/role/manifests/prometheus/ops.pp M modules/role/manifests/prometheus/services.pp M modules/role/manifests/puppet/self.pp M modules/role/manifests/puppetmaster/backend.pp M modules/role/manifests/puppetmaster/frontend.pp M modules/role/manifests/puppetmaster/puppetdb.pp M modules/role/manifests/pybaltest.pp M 
modules/role/manifests/releases.pp M modules/role/manifests/requesttracker/upgradetest.pp M modules/role/manifests/restbase/base.pp M modules/role/manifests/restbase/production_ng.pp M modules/role/manifests/sca.pp M modules/role/manifests/scb.pp M modules/role/manifests/security/tools.pp M modules/role/manifests/snapshot/common.pp M modules/role/manifests/spare/system.pp M modules/role/manifests/swift/proxy.pp M modules/role/manifests/swift/storage.pp M modules/role/manifests/syslog/centralserver.pp M modules/role/manifests/tendril.pp M modules/role/manifests/test.pp M modules/role/manifests/thumbor/mediawiki.pp M modules/role/manifests/toollabs/elasticsearch.pp M modules/role/manifests/toollabs/etcd/flannel.pp M modules/role/manifests/toollabs/etcd/k8s.pp M modules/role/manifests/toollabs/k8s/master.pp M modules/role/manifests/toollabs/logging/centralserver.pp M modules/role/manifests/tor_relay.pp M modules/role/manifests/wdqs.pp M modules/role/manifests/wdqs/labs.pp M modules/role/manifests/webperf.pp M modules/role/manifests/wikimania_scholarships.pp M modules/toollabs/manifests/proxy.pp 151 files changed, 220 insertions(+), 220 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/19/383519/1 diff --git a/manifests/site.pp b/manifests/site.pp index b61ca36..0e6981d 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -44,7 +44,7 @@ analytics_cluster::users) include ::standard - include ::base::firewall + include ::profile::base::firewall } @@ -63,14 +63,14 @@ analytics_cluster::database::meta::backup_dest) include ::standard - include ::base::firewall + include ::profile::base::firewall } node 'analytics1003.eqiad.wmnet' { role(analytics_cluster::coordinator) include ::standard - include ::base::firewall + include ::profile::base::firewall } # analytics1028-analytics1068 are Hadoop worker nodes. 
@@ -82,7 +82,7 @@ node /analytics10(2[89]|3[0-9]|4[0-9]|5[0-9]|6[0-9]).eqiad.wmnet/ { role(analytics_cluster::hadoop::worker) - include ::base::firewall + include ::profile::base::firewall include ::standard } @@ -160,7 +160,7 @@ striker::web, labs::instance_info_dumper) include ::standard - include ::base::firewall + include ::profile::base::firewall include ::openstack::horizon::puppetpanel include ::ldap::role::client::labs @@ -311,7 +311,7 @@ node /^(diadem|dysprosium)\.wikimedia\.org$/ { include ::standard - include ::base::firewall + include ::profile::base::firewall } node 'dataset1001.wikimedia.org' { @@ -659,7 +659,7 @@ # tendril db node 'db1011.eqiad.wmnet' { role(mariadb::tendril) - include ::base::firewall + include ::profile::base::firewall } node 'dbstore1001.eqiad.wmnet' { @@ -776,7 +776,7 @@ node /^druid100[123].eqiad.wmnet$/ { role(druid::analytics::worker) - include ::base::firewall + include ::profile::base::firewall include ::standard } @@ -787,7 +787,7 @@ node /^druid100[456].eqiad.wmnet$/ { role(spare::system) - include ::base::firewall + include ::profile::base::firewall include ::standard } @@ -884,14 +884,14 @@ node 'es2001.codfw.wmnet' { role(mariadb::otrsbackups) include ::standard - include ::base::firewall + include ::profile::base::firewall # temporary measure until mysql is uninstalled include ::mariadb::mysqld_safe } node /^es200[234]\.codfw\.wmnet/ { include ::standard - include ::base::firewall + include ::profile::base::firewall # temporary measure until mysql is uninstalled include ::mariadb::mysqld_safe } @@ -953,14 +953,14 @@ logging::mediawiki::errors) include ::standard - include ::base::firewall + include ::profile::base::firewall interface::add_ip6_mapped { 'main': } } # EventLogging Analytics does not (yet?) run in codfw. node 'eventlog2001.codfw.wmnet' { include ::standard - include ::base::firewall + include ::profile::base::firewall } # virtual machine for mailman list server 
@@ -1046,7 +1046,7 @@ labs::dnsrecursor, labs::dns_floating_ip_updater) include ::standard - include ::base::firewall + include ::profile::base::firewall include ::ldap::role::client::labs } @@ -1055,7 +1055,7 @@ labs::dns, labs::dnsrecursor) include ::standard - include ::base::firewall + include ::profile::base::firewall include ::ldap::role::client::labs } @@ -1072,19 +1072,19 @@ node 'labtestmetal2001.codfw.wmnet' { # WIP include ::standard - include ::base::firewall + include ::profile::base::firewall } node 'labtestnet2002.codfw.wmnet' { # WIP include ::standard - include ::base::firewall + include ::profile::base::firewall } node 'labtestneutron2002.codfw.wmnet' { # WIP include ::standard - include ::base::firewall + include ::profile::base::firewall } node 'labtestnet2001.codfw.wmnet' { @@ -1094,7 +1094,7 @@ node 'labtestcontrol2001.wikimedia.org' { include ::standard - include ::base::firewall + include ::profile::base::firewall role(wmcs::openstack::labtest::control) # Labtest is weird; the mysql server is on labtestcontrol2001. So @@ -1126,7 +1126,7 @@ node 'labtestcontrol2003.wikimedia.org' { role(wmcs::openstack::labtestn::control) - include ::base::firewall + include ::profile::base::firewall include ::standard } @@ -1143,13 +1143,13 @@ openldap::labtest, labs::dns_floating_ip_updater) include ::standard - include ::base::firewall + include ::profile::base::firewall interface::add_ip6_mapped { 'main': } } node /labtestservices200[23]\.wikimedia\.org/ { role(wmcs::openstack::labtestn::services) - include ::base::firewall + include ::profile::base::firewall include ::standard interface::add_ip6_mapped { 'main': } } @@ -1157,7 +1157,7 @@ node /labweb100[12]\.eqiad\.wmnet/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall include ::ldap::role::client::labs interface::add_ip6_mapped { 'main': } 
@@ -1233,7 +1233,7 @@ ipsec) include ::standard - include ::base::firewall + include ::profile::base::firewall } # Kafka Brokers - main-eqiad and main-codfw Kafka clusters. @@ -1282,14 +1282,14 @@ } node /labcontrol100[34]\.wikimedia\.org/ { - include ::base::firewall + include ::profile::base::firewall include ::standard } node 'labcontrol1001.wikimedia.org' { role(wmcs::openstack::main::control) - include ::base::firewall + include ::profile::base::firewall include ::standard include ::ldap::role::client::labs } @@ -1302,7 +1302,7 @@ node 'labcontrol1002.wikimedia.org' { role(wmcs::openstack::main::control) - include ::base::firewall + include ::profile::base::firewall include ::standard include ::ldap::role::client::labs } @@ -1315,7 +1315,7 @@ labs::openstack::nova::manager, mariadb::wikitech, horizon) - include ::base::firewall + include ::profile::base::firewall include ::standard include ::openstack::horizon::puppetpanel include ::ldap::role::client::labs @@ -1327,7 +1327,7 @@ node 'labmon1001.eqiad.wmnet' { role(labs::graphite, labs::prometheus, grafana::labs) include ::standard - include ::base::firewall + include ::profile::base::firewall } # role spare until pushed into service via T165784 @@ -1342,7 +1342,7 @@ node /labnet100[34]\.eqiad\.wmnet/ { include ::standard - include ::base::firewall + include ::profile::base::firewall } @@ -1355,7 +1355,7 @@ $nagios_contact_group = 'admins,contint' role(labs::openstack::nodepool) include ::standard - include ::base::firewall + include ::profile::base::firewall } ## labsdb dbs 
@@ -1388,47 +1388,47 @@ # soon to be recommissioned in T158196 include ::standard # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node 'labstore1003.eqiad.wmnet' { role(labs::nfs::misc) include ::standard # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node /labstore100[45]\.eqiad\.wmnet/ { role(labs::nfs::secondary) include ::standard # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node /labstore100[67]\.wikimedia\.org/ { role(dumps::public::server) # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node /labstore200[1-2]\.codfw\.wmnet/ { include ::standard # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node 'labstore2003.codfw.wmnet' { role(labs::nfs::secondary_backup::tools) include ::standard # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node 'labstore2004.codfw.wmnet' { role(labs::nfs::secondary_backup::misc) include ::standard # Do not enable yet - # include ::base::firewall + # include ::profile::base::firewall } node 'lithium.eqiad.wmnet' { 
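Review bot: The seven `# Do not enable yet` comments on the labstore nodes in this hunk are carried forward without a reason or a tracking task, so the exception to the default-DROP policy on these NFS and dumps hosts stays undocumented. Since the line below each one is being touched anyway, consider rewording to something like `# Firewall not enabled yet, tracked in T<task-id>` (placeholder, the task is not visible here). Also worth checking: `modules/dumps/manifests/nfs.pp` and `modules/dumps/manifests/web/xmldumps.pp` in this same change include `::profile::base::firewall` unconditionally, so if `role(dumps::public::server)` on `labstore100[67]` pulls either class in (not visible from this hunk), the node-level comment does not actually keep ferm off that host.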
@@ -1662,43 +1662,43 @@ # They replace mw1017 and mw1099 node /^mwdebug100[12]\.eqiad\.wmnet$/ { role(mediawiki::canary_appserver) - include ::base::firewall + include ::profile::base::firewall } # mw1161-1167 are job runners node /^mw116[1-7]\.eqiad\.wmnet$/ { role(mediawiki::jobrunner) - include ::base::firewall + include ::profile::base::firewall } # mw1180-1188 are apaches node /^mw118[0-8]\.eqiad\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } # mw1189-1208 are api apaches node /^mw1(189|19[0-9]|20[0-8])\.eqiad\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } # mw1209-1216, 1218-1220 are apaches node /^mw12(09|1[012345689]|20)\.eqiad\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } #mw1221-mw1235 are api apaches node /^mw12(2[1-9]|3[0-5])\.eqiad\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } #mw1238-mw1258 are apaches node /^mw12(3[8-9]|4[0-9]|5[0-8])\.eqiad\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } #mw1259-60 are videoscalers @@ -1712,24 +1712,24 @@ node /^mw126[1-5]\.eqiad\.wmnet$/ { role(mediawiki::canary_appserver) - include ::base::firewall + include ::profile::base::firewall } node /^mw12(6[6-9]|7[0-5])\.eqiad\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } # ROW A eqiad api appserver # mw1276 - mw1290 node /^mw127[6-9]\.eqiad\.wmnet$/ { role(mediawiki::appserver::canary_api) - include ::base::firewall + include ::profile::base::firewall } node /^mw12(8[0-9]|90)\.eqiad\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } # ROW A eqiad imagescalers 
@@ -1740,26 +1740,26 @@ # ROW A eqiad jobrunners node /^mw1(299|30[0-6])\.eqiad\.wmnet$/ { role(mediawiki::jobrunner) - include ::base::firewall + include ::profile::base::firewall } # T165519 # ROW C eqiad appservers node /^mw13(19|2[0-8])\.eqiad\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } # ROW B eqiad api-appservers node /^mw13(1[2-7])\.eqiad\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } # ROW A eqiad jobrunners node /^mw13(0[89]|1[01])\.eqiad\.wmnet$/ { role(mediawiki::jobrunner) - include ::base::firewall + include ::profile::base::firewall } # ROW A videoscaler @@ -1778,19 +1778,19 @@ # mw2017/mw2099 are codfw test appservers node /^mw20(17|99)\.codfw\.wmnet$/ { role(mediawiki::canary_appserver) - include ::base::firewall + include ::profile::base::firewall } #mw2097, mw2100-mw2117 are appservers node /^mw2(097|10[0-9]|11[0-7])\.codfw\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } #mw2120-2147 are api appservers node /^mw21([2-3][0-9]|4[0-7])\.codfw\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } # ROW B codfw appservers @@ -1814,19 +1814,19 @@ #mw2153-62 are jobrunners node /^mw21(5[3-9]|6[0-2])\.codfw\.wmnet$/ { role(mediawiki::jobrunner) - include ::base::firewall + include ::profile::base::firewall } #mw2163-mw2199 are appservers node /^mw21(6[3-9]|[6-9][0-9])\.codfw\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } #mw2200-2214 are api appservers node /^mw22(0[0-9]|1[0-4])\.codfw\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } # New Appservers, in row A3/A4 
@@ -1834,13 +1834,13 @@ #mw2215-2223 are api appservers node /^mw22(1[5-9]|2[0123])\.codfw\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } # mw2224-42 are appservers node /^mw22(2[4-9]|3[0-9]|4[0-2])\.codfw\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } #mw2244-mw2245 are imagescalers @@ -1856,26 +1856,26 @@ # mw2247-2250 are jobrunners node /^mw22(4[3789]|50)\.codfw\.wmnet$/ { role(mediawiki::jobrunner) - include ::base::firewall + include ::profile::base::firewall } #mw2251-2253 are api-appservers node /^mw225[1-3]\.codfw\.wmnet$/ { role(mediawiki::appserver::api) - include ::base::firewall + include ::profile::base::firewall } #mw2254-2258 are appservers node /^mw225[4-8]\.codfw\.wmnet$/ { role(mediawiki::appserver) - include ::base::firewall + include ::profile::base::firewall } # mw logging host codfw node 'mwlog2001.codfw.wmnet' { role(xenon) - include ::base::firewall + include ::profile::base::firewall include ::standard class { 'role::logging::mediawiki::udp2log': @@ -1887,7 +1887,7 @@ node 'mwlog1001.eqiad.wmnet' { role(xenon) - include ::base::firewall + include ::profile::base::firewall include ::standard class { 'role::logging::mediawiki::udp2log': @@ -1986,7 +1986,7 @@ { role(logging::kafkatee::webrequest::ops) - include ::base::firewall + include ::profile::base::firewall include ::standard } @@ -2043,7 +2043,7 @@ node /^prometheus200[34]\.codfw\.wmnet$/ { role(prometheus::ops, prometheus::global, prometheus::services) - include ::base::firewall + include ::profile::base::firewall include ::standard include ::lvs::realserver @@ -2199,7 +2199,7 @@ node /^(seaborgium|serpens)\.wikimedia\.org$/ { role(openldap::labs) include ::standard - include ::base::firewall + include ::profile::base::firewall } # Silver is the new home of the wikitech web server. 
@@ -2207,7 +2207,7 @@ role(wmcs::openstack::main::wikitech, labs::openstack::nova::manager, mariadb::wikitech) - include ::base::firewall + include ::profile::base::firewall include ::standard interface::add_ip6_mapped { 'main': } @@ -2245,7 +2245,7 @@ include ::standard - include ::base::firewall + include ::profile::base::firewall } # Failoid service (Ganeti VM) diff --git a/modules/contint/manifests/firewall.pp b/modules/contint/manifests/firewall.pp index 2de84bf..5118b33 100644 --- a/modules/contint/manifests/firewall.pp +++ b/modules/contint/manifests/firewall.pp @@ -1,7 +1,7 @@ # vim: set ts=4 sw=4 et: class contint::firewall { - include ::base::firewall + include ::profile::base::firewall include ::network::constants # Restrict some services to be only reacheable from localhost over both diff --git a/modules/dumps/manifests/nfs.pp b/modules/dumps/manifests/nfs.pp index 21d6990..6f0fb73 100644 --- a/modules/dumps/manifests/nfs.pp +++ b/modules/dumps/manifests/nfs.pp @@ -47,7 +47,7 @@ options => "nlm_udpport=${lockd_udp} nlm_tcpport=${lockd_tcp}", } - include ::base::firewall + include ::profile::base::firewall include ::network::constants ferm::service { 'dumps_nfs': diff --git a/modules/dumps/manifests/web/xmldumps.pp b/modules/dumps/manifests/web/xmldumps.pp index 1a445ed..0323f3f 100644 --- a/modules/dumps/manifests/web/xmldumps.pp +++ b/modules/dumps/manifests/web/xmldumps.pp @@ -39,7 +39,7 @@ mode => '0444', } - include ::base::firewall + include ::profile::base::firewall ferm::service { 'xmldumps_http': proto => 'tcp', diff --git a/modules/base/files/firewall/check_conntrack.py b/modules/profile/files/base/firewall/check_conntrack.py similarity index 100% rename from modules/base/files/firewall/check_conntrack.py rename to modules/profile/files/base/firewall/check_conntrack.py 
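Review bot: In `modules/contint/manifests/firewall.pp` the module class `contint::firewall` now includes a profile class, which inverts the usual role/profile layering, where roles compose profiles and modules do not reach up into `profile::`. The same applies to the `dumps::nfs` and `dumps::web::xmldumps` hunks that follow on this line, and presumably to `modules/toollabs/manifests/proxy.pp` from the file list. Because the included class sets a default-DROP input policy, the dependency should be explicit: either move the include into the role or profile that uses these classes, or mark it as transitional with a comment such as `# profile::base::firewall sets the default-DROP policy; included here until callers include it themselves`.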
diff --git a/modules/base/files/firewall/check_ferm b/modules/profile/files/base/firewall/check_ferm similarity index 100% rename from modules/base/files/firewall/check_ferm rename to modules/profile/files/base/firewall/check_ferm diff --git a/modules/base/files/firewall/main-input-default-drop.conf b/modules/profile/files/base/firewall/main-input-default-drop.conf similarity index 100% rename from modules/base/files/firewall/main-input-default-drop.conf rename to modules/profile/files/base/firewall/main-input-default-drop.conf diff --git a/modules/base/files/firewall/main-minimal.conf b/modules/profile/files/base/firewall/main-minimal.conf similarity index 100% rename from modules/base/files/firewall/main-minimal.conf rename to modules/profile/files/base/firewall/main-minimal.conf diff --git a/modules/base/files/firewall/nf_conntrack.conf b/modules/profile/files/base/firewall/nf_conntrack.conf similarity index 100% rename from modules/base/files/firewall/nf_conntrack.conf rename to modules/profile/files/base/firewall/nf_conntrack.conf diff --git a/modules/profile/manifests/backup/director.pp b/modules/profile/manifests/backup/director.pp index 9f8c5cd..a199cf3 100644 --- a/modules/profile/manifests/backup/director.pp +++ b/modules/profile/manifests/backup/director.pp @@ -12,7 +12,7 @@ $dbhost = hiera('profile::backup::director::database'), $dbpass = hiera('profile::backup::director::dbpass'), ){ - include ::base::firewall + include ::profile::base::firewall class { 'bacula::director': sqlvariant => 'mysql', diff --git a/modules/profile/manifests/backup/host.pp b/modules/profile/manifests/backup/host.pp index f28c048..c58660d 100644 --- a/modules/profile/manifests/backup/host.pp +++ b/modules/profile/manifests/backup/host.pp 
@@ -36,7 +36,7 @@ } File <| tag == 'backup-motd' |> - # If the machine includes ::base::firewall then let director connect to us + # If the machine includes ::profile::base::firewall then let director connect to us # TODO The IPv6 IP should be converted into a DNS AAAA resolve once we # enabled the DNS record on the director ferm::service { 'bacula-file-demon': diff --git a/modules/profile/manifests/backup/storage.pp b/modules/profile/manifests/backup/storage.pp index 925169b..9139228 100644 --- a/modules/profile/manifests/backup/storage.pp +++ b/modules/profile/manifests/backup/storage.pp @@ -6,7 +6,7 @@ class profile::backup::storage( $director = hiera('profile::backup::director'), ) { - include ::base::firewall + include ::profile::base::firewall include ::standard mount { '/srv/baculasd1' : diff --git a/modules/base/manifests/firewall.pp b/modules/profile/manifests/base/firewall.pp similarity index 87% rename from modules/base/manifests/firewall.pp rename to modules/profile/manifests/base/firewall.pp index 2a8af86d..8b316f6 100644 --- a/modules/base/manifests/firewall.pp +++ b/modules/profile/manifests/base/firewall.pp @@ -1,12 +1,12 @@ # Don't include this sub class on all hosts yet # NOTE: Policy is DROP by default -class base::firewall { +class profile::base::firewall { include ::network::constants include ::ferm $defscontent = $::realm ? { - 'labs' => template('base/firewall/defs.erb', 'base/firewall/defs.labs.erb'), - default => template('base/firewall/defs.erb'), + 'labs' => template('profile/base/firewall/defs.erb', 'profile/base/firewall/defs.labs.erb'), + default => template('profile/base/firewall/defs.erb'), } ferm::conf { 'defs': prio => '00', @@ -30,7 +30,7 @@ ferm::conf { 'main': prio => '00', - source => 'puppet:///modules/base/firewall/main-input-default-drop.conf', + source => 'puppet:///modules/profile/base/firewall/main-input-default-drop.conf', } ferm::rule { 'bastion-ssh': 
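Review bot: This rename of `modules/base/manifests/firewall.pp` leaves no `base::firewall` class behind, so any consumer outside the 151 files touched here that still uses the old name (a Hiera class list, a labs ENC or puppet panel entry, a private repository; none are visible in this change) would fail catalog compilation after merge and stop receiving ferm rule updates. A short-lived wrapper at the old path, `class base::firewall { include ::profile::base::firewall }`, would make the transition safe and can be dropped once nothing references it. The header comment `# Don't include this sub class on all hosts yet` also no longer fits a profile; a `# == Class profile::base::firewall` header stating that it installs ferm with a default-DROP input policy and loads `defs.erb` (plus `defs.labs.erb` when `$::realm` is `'labs'`) would document what the visible lines do. The class body continues outside this hunk.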
@@ -66,7 +66,7 @@ } file { '/usr/lib/nagios/plugins/check_ferm': - source => 'puppet:///modules/base/firewall/check_ferm', + source => 'puppet:///modules/profile/base/firewall/check_ferm', owner => 'root', group => 'root', mode => '0555', diff --git a/modules/profile/manifests/dnsrecursor.pp b/modules/profile/manifests/dnsrecursor.pp index 18ff727..fca0f26 100644 --- a/modules/profile/manifests/dnsrecursor.pp +++ b/modules/profile/manifests/dnsrecursor.pp @@ -2,7 +2,7 @@ class profile::dnsrecursor { include ::network::constants - include ::base::firewall + include ::profile::base::firewall include ::lvs::configuration class { '::dnsrecursor': diff --git a/modules/profile/manifests/etherpad.pp b/modules/profile/manifests/etherpad.pp index 313b814..32a78a0 100644 --- a/modules/profile/manifests/etherpad.pp +++ b/modules/profile/manifests/etherpad.pp @@ -1,7 +1,7 @@ # sets up an Etherpad lite server class profile::etherpad { - include ::base::firewall + include ::profile::base::firewall include ::passwords::etherpad_lite class { '::etherpad': diff --git a/modules/profile/manifests/gerrit/server.pp b/modules/profile/manifests/gerrit/server.pp index d3a8736..2699e12 100644 --- a/modules/profile/manifests/gerrit/server.pp +++ b/modules/profile/manifests/gerrit/server.pp @@ -33,7 +33,7 @@ contact_group => 'admins,gerrit', } - include ::base::firewall + include ::profile::base::firewall # ssh from users to gerrit ferm::service { 'gerrit_ssh_users': diff --git a/modules/profile/manifests/lists.pp b/modules/profile/manifests/lists.pp index 1675939..de4ca37 100644 --- a/modules/profile/manifests/lists.pp +++ b/modules/profile/manifests/lists.pp @@ -1,5 +1,5 @@ class profile::lists { - include ::base::firewall + include ::profile::base::firewall include ::network::constants include ::mailman include ::privateexim::listserve diff --git a/modules/profile/manifests/microsites/annualreport.pp b/modules/profile/manifests/microsites/annualreport.pp index 07019d6..4ccef7d 100644 
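Review bot: Only two `puppet:///modules/base/firewall/...` sources are repointed in `profile/manifests/base/firewall.pp` (`main-input-default-drop.conf` in the `@@ -30,7` hunk and `check_ferm` here), while the change also moves `check_conntrack.py`, `main-minimal.conf` and `nf_conntrack.conf` to `modules/profile/files/base/firewall/`. If any manifest still refers to those three by the old module path (no such hunk is visible in this part of the change), its `file` resource would fail to resolve when the catalog is applied, and what looks like the conntrack monitoring check would no longer be deployed. Searching the tree for `modules/base/firewall/` before merge would confirm it; any remaining reference would become, for example, `source => 'puppet:///modules/profile/base/firewall/check_conntrack.py',`. The class body continues outside this hunk.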
--- a/modules/profile/manifests/microsites/annualreport.pp +++ b/modules/profile/manifests/microsites/annualreport.pp @@ -4,7 +4,7 @@ # T599 - https://15.wikipedia.org (aka. annual report 2015) class profile::microsites::annualreport { - include ::base::firewall + include ::profile::base::firewall include ::apache include ::apache::mod::headers diff --git a/modules/profile/manifests/microsites/static_bugzilla.pp b/modules/profile/manifests/microsites/static_bugzilla.pp index 0fc55a3..a07e193 100644 --- a/modules/profile/manifests/microsites/static_bugzilla.pp +++ b/modules/profile/manifests/microsites/static_bugzilla.pp @@ -1,7 +1,7 @@ # static HTML archive of old Bugzilla tickets class profile::microsites::static_bugzilla { include ::bugzilla_static - include ::base::firewall + include ::profile::base::firewall ferm::service { 'bugzilla_static_http': proto => 'tcp', diff --git a/modules/profile/manifests/microsites/transparency.pp b/modules/profile/manifests/microsites/transparency.pp index abbda07..0dc3f7e 100644 --- a/modules/profile/manifests/microsites/transparency.pp +++ b/modules/profile/manifests/microsites/transparency.pp @@ -43,7 +43,7 @@ content => template('role/apache/sites/transparency.wikimedia.org.erb'), } - include ::base::firewall + include ::profile::base::firewall ferm::service { 'transparency_http': proto => 'tcp', diff --git a/modules/profile/manifests/ores/redis.pp b/modules/profile/manifests/ores/redis.pp index 8da21a2..0814198 100644 --- a/modules/profile/manifests/ores/redis.pp +++ b/modules/profile/manifests/ores/redis.pp @@ -6,7 +6,7 @@ $slaveof = hiera('profile::ores::redis::slaveof', undef), ){ include ::standard - include ::base::firewall + include ::profile::base::firewall class { '::ores::redis': password => $password, diff --git a/modules/profile/manifests/otrs.pp b/modules/profile/manifests/otrs.pp index 2cb00ca..9e0b0b5 100644 --- a/modules/profile/manifests/otrs.pp +++ b/modules/profile/manifests/otrs.pp 
@@ -11,7 +11,7 @@ $exim_database_pass = hiera('profile::otrs::exim_database_pass'), $prometheus_nodes = hiera('prometheus_nodes'), ){ - include ::base::firewall + include ::profile::base::firewall include network::constants include ::profile::prometheus::apache_exporter diff --git a/modules/profile/manifests/planet/venus.pp b/modules/profile/manifests/planet/venus.pp index 7777117..1a88e94 100644 --- a/modules/profile/manifests/planet/venus.pp +++ b/modules/profile/manifests/planet/venus.pp @@ -191,7 +191,7 @@ } # firewalling - include ::base::firewall + include ::profile::base::firewall ferm::service { 'planet-http': proto => 'tcp', port => '80', diff --git a/modules/profile/manifests/pmacct.pp b/modules/profile/manifests/pmacct.pp index 974638a..dab00a8 100644 --- a/modules/profile/manifests/pmacct.pp +++ b/modules/profile/manifests/pmacct.pp @@ -29,7 +29,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall $loopbacks = [ # eqiad diff --git a/modules/profile/manifests/requesttracker/server.pp b/modules/profile/manifests/requesttracker/server.pp index 25f0548..2055fed 100644 --- a/modules/profile/manifests/requesttracker/server.pp +++ b/modules/profile/manifests/requesttracker/server.pp @@ -12,7 +12,7 @@ dbpass => $passwords::misc::rt::rt_mysql_pass, } - include ::base::firewall + include ::profile::base::firewall ferm::service { 'rt-http': proto => 'tcp', diff --git a/modules/profile/manifests/statistics/cruncher.pp b/modules/profile/manifests/statistics/cruncher.pp index 2ad01aa..c4f96c0 100644 --- a/modules/profile/manifests/statistics/cruncher.pp +++ b/modules/profile/manifests/statistics/cruncher.pp @@ -4,7 +4,7 @@ $statistics_servers = hiera('statistics_servers'), ) { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::deployment::umask_wikidev diff --git a/modules/profile/manifests/statistics/web.pp b/modules/profile/manifests/statistics/web.pp index 888ad08..feea21b 100644 
--- a/modules/profile/manifests/statistics/web.pp +++ b/modules/profile/manifests/statistics/web.pp @@ -5,7 +5,7 @@ $geowiki_host = hiera('profile::statistics::web::geowiki_host'), ) { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::deployment::umask_wikidev diff --git a/modules/profile/manifests/url_downloader.pp b/modules/profile/manifests/url_downloader.pp index 4b846c7..4659e1a 100644 --- a/modules/profile/manifests/url_downloader.pp +++ b/modules/profile/manifests/url_downloader.pp @@ -23,7 +23,7 @@ ) { include network::constants - include ::base::firewall + include ::profile::base::firewall if $::realm == 'production' { $wikimedia = [ diff --git a/modules/profile/manifests/yubiauth/server.pp b/modules/profile/manifests/yubiauth/server.pp index 53ac8ab..1314af1 100644 --- a/modules/profile/manifests/yubiauth/server.pp +++ b/modules/profile/manifests/yubiauth/server.pp @@ -9,7 +9,7 @@ $auth_servers_ferm = join($auth_servers, ' ') - include ::base::firewall + include ::profile::base::firewall class {'::yubiauth::yhsm_daemon': } diff --git a/modules/base/templates/firewall/defs.erb b/modules/profile/templates/base/firewall/defs.erb similarity index 100% rename from modules/base/templates/firewall/defs.erb rename to modules/profile/templates/base/firewall/defs.erb diff --git a/modules/base/templates/firewall/defs.labs.erb b/modules/profile/templates/base/firewall/defs.labs.erb similarity index 100% rename from modules/base/templates/firewall/defs.labs.erb rename to modules/profile/templates/base/firewall/defs.labs.erb diff --git a/modules/role/manifests/aqs.pp b/modules/role/manifests/aqs.pp index e62d2d3..c2b824d 100644 --- a/modules/role/manifests/aqs.pp +++ b/modules/role/manifests/aqs.pp @@ -13,7 +13,7 @@ include ::passwords::aqs include ::standard - include ::base::firewall + include ::profile::base::firewall # # Set up Cassandra for AQS. 
diff --git a/modules/role/manifests/archiva.pp b/modules/role/manifests/archiva.pp index 8ec1c4a..f77ffcb 100644 --- a/modules/role/manifests/archiva.pp +++ b/modules/role/manifests/archiva.pp @@ -7,7 +7,7 @@ class role::archiva { system::role { 'archiva': description => 'Apache Archiva Host' } - include ::base::firewall + include ::profile::base::firewall require_package('openjdk-7-jdk') diff --git a/modules/role/manifests/authdns/server.pp b/modules/role/manifests/authdns/server.pp index aecfe94..62cb47d 100644 --- a/modules/role/manifests/authdns/server.pp +++ b/modules/role/manifests/authdns/server.pp @@ -3,7 +3,7 @@ system::role { 'authdns': description => 'Authoritative DNS server' } include ::standard - include ::base::firewall + include ::profile::base::firewall include authdns::ganglia include prometheus::node_gdnsd include role::authdns::data diff --git a/modules/role/manifests/bastionhost/general.pp b/modules/role/manifests/bastionhost/general.pp index 542e04d..fc098a2 100644 --- a/modules/role/manifests/bastionhost/general.pp +++ b/modules/role/manifests/bastionhost/general.pp @@ -6,7 +6,7 @@ include ::bastionhost include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::backup::host # Used by parsoid deployers diff --git a/modules/role/manifests/bastionhost/opsonly.pp b/modules/role/manifests/bastionhost/opsonly.pp index 1fafcf1..73519d8 100644 --- a/modules/role/manifests/bastionhost/opsonly.pp +++ b/modules/role/manifests/bastionhost/opsonly.pp @@ -6,7 +6,7 @@ include ::bastionhost include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::backup::host backup::set {'home': } diff --git a/modules/role/manifests/bastionhost/twofa.pp b/modules/role/manifests/bastionhost/twofa.pp index 498ddbb..2d679cc 100644 --- a/modules/role/manifests/bastionhost/twofa.pp +++ b/modules/role/manifests/bastionhost/twofa.pp 
@@ -5,7 +5,7 @@ include ::bastionhost include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::backup::host include ::passwords::yubiauth
diff --git a/modules/role/manifests/beta/mediawiki.pp b/modules/role/manifests/beta/mediawiki.pp
index f3ebc88..b060dc5 100644
--- a/modules/role/manifests/beta/mediawiki.pp
+++ b/modules/role/manifests/beta/mediawiki.pp
@@ -5,7 +5,7 @@ # # filtertags: labs-project-deployment-prep class role::beta::mediawiki {
- include ::base::firewall
+ include ::profile::base::firewall
 $ips = join($network::constants::special_hosts[$::realm]['deployment_hosts'], ' ') security::access::config { 'scap-allow-mwdeploy':
diff --git a/modules/role/manifests/builder.pp b/modules/role/manifests/builder.pp
index 8d015c5..8f89bca 100644
--- a/modules/role/manifests/builder.pp
+++ b/modules/role/manifests/builder.pp
@@ -1,7 +1,7 @@ # filtertags: labs-project-packaging class role::builder { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include role::package::builder include ::profile::docker::storage::loopback include ::profile::docker::engine
diff --git a/modules/role/manifests/cache/canary.pp b/modules/role/manifests/cache/canary.pp
index 966b149..6a633b8 100644
--- a/modules/role/manifests/cache/canary.pp
+++ b/modules/role/manifests/cache/canary.pp
@@ -1,5 +1,5 @@ class role::cache::canary {
- include ::base::firewall
+ include ::profile::base::firewall
 include role::cache::text ferm::service { 'nginx-https':
diff --git a/modules/role/manifests/cluster/management.pp b/modules/role/manifests/cluster/management.pp
index acebb75..7846252 100644
--- a/modules/role/manifests/cluster/management.pp
+++ b/modules/role/manifests/cluster/management.pp
@@ -17,5 +17,5 @@ include ::profile::switchdc include ::profile::debdeploy include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 }
diff --git a/modules/role/manifests/configcluster.pp b/modules/role/manifests/configcluster.pp
index 865ebf3..00a40b8 100644
--- a/modules/role/manifests/configcluster.pp
+++ b/modules/role/manifests/configcluster.pp
@@ -1,6 +1,6 @@ class role::configcluster { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::zookeeper::server include ::profile::zookeeper::firewall include ::profile::etcd
diff --git a/modules/role/manifests/debug_proxy.pp b/modules/role/manifests/debug_proxy.pp
index 55875ee..0b9d55b 100644
--- a/modules/role/manifests/debug_proxy.pp
+++ b/modules/role/manifests/debug_proxy.pp
@@ -10,7 +10,7 @@ } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 # Backward compatibility $aliases = {
diff --git a/modules/role/manifests/deployment_server.pp b/modules/role/manifests/deployment_server.pp
index 4f9a6a8..5101409 100644
--- a/modules/role/manifests/deployment_server.pp
+++ b/modules/role/manifests/deployment_server.pp
@@ -1,7 +1,7 @@ # Mediawiki Deployment Server (prod) class role::deployment_server { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::mediawiki::deployment::server include ::profile::backup::host include ::role::deployment::mediawiki
diff --git a/modules/role/manifests/deployment_server/base.pp b/modules/role/manifests/deployment_server/base.pp
index 918fc08..f585a32 100644
--- a/modules/role/manifests/deployment_server/base.pp
+++ b/modules/role/manifests/deployment_server/base.pp
@@ -1,7 +1,7 @@ # Mediawiki Deployment Server (labs) class role::deployment_server::base { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::mediawiki::deployment::server include ::role::deployment::mediawiki }
diff --git a/modules/role/manifests/discovery/dashboards.pp b/modules/role/manifests/discovery/dashboards.pp
index f8d219c..5345fcb 100644
--- a/modules/role/manifests/discovery/dashboards.pp
+++ b/modules/role/manifests/discovery/dashboards.pp
@@ -7,7 +7,7 @@ # filtertags: labs-project-search labs-project-shiny-r class role::discovery::dashboards { # include ::standard
- # include ::base::firewall
+ # include ::profile::base::firewall
 include ::profile::discovery_dashboards::production system::role { 'role::discovery::dashboards':
diff --git a/modules/role/manifests/docker/registry.pp b/modules/role/manifests/docker/registry.pp
index b8a9b6f..aa1d011 100644
--- a/modules/role/manifests/docker/registry.pp
+++ b/modules/role/manifests/docker/registry.pp
@@ -1,5 +1,5 @@ class role::docker::registry { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::docker::registry }
diff --git a/modules/role/manifests/dumps/web/htmldumps.pp b/modules/role/manifests/dumps/web/htmldumps.pp
index a3aa78e..5a44ec7 100644
--- a/modules/role/manifests/dumps/web/htmldumps.pp
+++ b/modules/role/manifests/dumps/web/htmldumps.pp
@@ -5,7 +5,7 @@ include ::standard include ::profile::dumps::web::htmldumps
- include ::base::firewall
+ include ::profile::base::firewall
 ferm::service { 'html_dumps_http': proto => 'tcp',
diff --git a/modules/role/manifests/elasticsearch/cirrus.pp b/modules/role/manifests/elasticsearch/cirrus.pp
index 699e854..6f35b83 100644
--- a/modules/role/manifests/elasticsearch/cirrus.pp
+++ b/modules/role/manifests/elasticsearch/cirrus.pp
@@ -4,7 +4,7 @@ # class role::elasticsearch::cirrus { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::role::lvs::realserver include ::profile::elasticsearch
diff --git a/modules/role/manifests/elasticsearch/relforge.pp b/modules/role/manifests/elasticsearch/relforge.pp
index d88e058..1e4484c 100644
--- a/modules/role/manifests/elasticsearch/relforge.pp
+++ b/modules/role/manifests/elasticsearch/relforge.pp
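Review bot: In modules/role/manifests/discovery/dashboards.pp the firewall include stays commented out (`# include ::profile::base::firewall`), so the rename only edits dead code and, as far as this hunk shows, the role still applies no base firewall. If that is deliberate, say so next to the line, for example `# base firewall intentionally not included here: <reason>`; otherwise remove the two commented includes or enable them in a separate change. The class body continues outside the hunk, and the included profile may already pull the firewall in, which is not visible here.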
@@ -4,7 +4,7 @@ # class role::elasticsearch::relforge { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::elasticsearch include ::elasticsearch::nagios::check include ::profile::mjolnir::kafka_daemon
diff --git a/modules/role/manifests/etcd/kubernetes.pp b/modules/role/manifests/etcd/kubernetes.pp
index a59e9ad..a23e970 100644
--- a/modules/role/manifests/etcd/kubernetes.pp
+++ b/modules/role/manifests/etcd/kubernetes.pp
@@ -2,7 +2,7 @@ class role::etcd::kubernetes { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::etcd include ::profile::etcd::auth }
diff --git a/modules/role/manifests/etcd/networking.pp b/modules/role/manifests/etcd/networking.pp
index 3dcee9a..452f77f 100644
--- a/modules/role/manifests/etcd/networking.pp
+++ b/modules/role/manifests/etcd/networking.pp
@@ -2,6 +2,6 @@ # stacks as flannel and calico. class role::etcd::networking { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::etcd }
diff --git a/modules/role/manifests/eventbus/eventbus.pp b/modules/role/manifests/eventbus/eventbus.pp
index 83ef472..677aa66 100644
--- a/modules/role/manifests/eventbus/eventbus.pp
+++ b/modules/role/manifests/eventbus/eventbus.pp
@@ -10,7 +10,7 @@ # # filtertags: labs-project-deployment-prep class role::eventbus::eventbus {
- include ::base::firewall
+ include ::profile::base::firewall
 require ::eventschemas # for /srv/log dir creation
diff --git a/modules/role/manifests/failoid.pp b/modules/role/manifests/failoid.pp
index db24b04..e636aac 100644
--- a/modules/role/manifests/failoid.pp
+++ b/modules/role/manifests/failoid.pp
@@ -5,6 +5,6 @@ system::role { 'failoid': description => 'Failoid service' } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::failoid }
diff --git a/modules/role/manifests/ganeti.pp b/modules/role/manifests/ganeti.pp
index 0d4075f..ff8773f 100644
--- a/modules/role/manifests/ganeti.pp
+++ b/modules/role/manifests/ganeti.pp
@@ -38,7 +38,7 @@ # If ganeti_cluster fact is not defined, the node has not been added to a # cluster yet, so don't monitor and don't setup a firewall if $::ganeti_cluster {
- include ::base::firewall
+ include ::profile::base::firewall
 # Interpolate the ganeti_cluster fact to get the list of nodes in a # cluster $ganeti_nodes = hiera("ganeti::${::ganeti_cluster}::nodes")
diff --git a/modules/role/manifests/ganglia/web.pp b/modules/role/manifests/ganglia/web.pp
index 86440db..f262e89 100644
--- a/modules/role/manifests/ganglia/web.pp
+++ b/modules/role/manifests/ganglia/web.pp
@@ -1,6 +1,6 @@ # A role that includes all the needed stuff to run a ganglia web frontend class role::ganglia::web {
- include ::base::firewall
+ include ::profile::base::firewall
 include ::standard include role::ganglia::config include role::ganglia::views
diff --git a/modules/role/manifests/grafana/base.pp b/modules/role/manifests/grafana/base.pp
index ba5c255..8b8657c 100644
--- a/modules/role/manifests/grafana/base.pp
+++ b/modules/role/manifests/grafana/base.pp
@@ -21,7 +21,7 @@ include ::passwords::ldap::production
- include ::base::firewall
+ include ::profile::base::firewall
 class { '::grafana': config => {
diff --git a/modules/role/manifests/graphite/production.pp b/modules/role/manifests/graphite/production.pp
index 4b97ee7..3b4aa4b 100644
--- a/modules/role/manifests/graphite/production.pp
+++ b/modules/role/manifests/graphite/production.pp
@@ -8,7 +8,7 @@ $storage_dir = '/var/lib/carbon' include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 class { 'role::graphite::base': storage_dir => $storage_dir,
diff --git a/modules/role/manifests/icinga.pp b/modules/role/manifests/icinga.pp
index 347fba3..f9587d1 100644
--- a/modules/role/manifests/icinga.pp
+++ b/modules/role/manifests/icinga.pp
@@ -30,7 +30,7 @@ include ::profile::scap::dsh include mysql include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 $monitoring_groups = hiera('monitoring::groups') create_resources(monitoring::group, $monitoring_groups)
diff --git a/modules/role/manifests/iegreview/app.pp b/modules/role/manifests/iegreview/app.pp
index 1b0eb4d..cff8a7c 100644
--- a/modules/role/manifests/iegreview/app.pp
+++ b/modules/role/manifests/iegreview/app.pp
@@ -4,7 +4,7 @@ # class role::iegreview::app {
- include ::base::firewall
+ include ::profile::base::firewall
 class { '::iegreview': hostname => 'iegreview.wikimedia.org',
diff --git a/modules/role/manifests/installserver/dhcp.pp b/modules/role/manifests/installserver/dhcp.pp
index 97cfa84..f1536d8 100644
--- a/modules/role/manifests/installserver/dhcp.pp
+++ b/modules/role/manifests/installserver/dhcp.pp
@@ -8,7 +8,7 @@ include install_server::dhcp_server include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 ferm::rule { 'dhcp': rule => 'proto udp dport bootps { saddr $PRODUCTION_NETWORKS ACCEPT; }'
diff --git a/modules/role/manifests/installserver/http.pp b/modules/role/manifests/installserver/http.pp
index 1f1738a..13fa7c0 100644
--- a/modules/role/manifests/installserver/http.pp
+++ b/modules/role/manifests/installserver/http.pp
@@ -8,7 +8,7 @@ include install_server::web_server include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 ferm::service { 'install_http': proto => 'tcp',
diff --git a/modules/role/manifests/installserver/proxy.pp b/modules/role/manifests/installserver/proxy.pp
index 8cc5448..c7049fe 100644
--- a/modules/role/manifests/installserver/proxy.pp
+++ b/modules/role/manifests/installserver/proxy.pp
@@ -13,7 +13,7 @@ } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 ferm::service { 'proxy': proto => 'tcp',
diff --git a/modules/role/manifests/installserver/tftp.pp b/modules/role/manifests/installserver/tftp.pp
index e76fb49..7c39383 100644
--- a/modules/role/manifests/installserver/tftp.pp
+++ b/modules/role/manifests/installserver/tftp.pp
@@ -23,7 +23,7 @@ } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::backup::host include install_server::tftp_server
diff --git a/modules/role/manifests/jobqueue_redis/master.pp b/modules/role/manifests/jobqueue_redis/master.pp
index c03e526..620f069 100644
--- a/modules/role/manifests/jobqueue_redis/master.pp
+++ b/modules/role/manifests/jobqueue_redis/master.pp
@@ -1,6 +1,6 @@ class role::jobqueue_redis::master { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::redis::multidc include ::profile::redis::jobqueue
diff --git a/modules/role/manifests/jobqueue_redis/slave.pp b/modules/role/manifests/jobqueue_redis/slave.pp
index 1067811..1669557 100644
--- a/modules/role/manifests/jobqueue_redis/slave.pp
+++ b/modules/role/manifests/jobqueue_redis/slave.pp
@@ -1,6 +1,6 @@ class role::jobqueue_redis::slave { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::redis::jobqueue_slave
diff --git a/modules/role/manifests/kafka/jumbo/broker.pp b/modules/role/manifests/kafka/jumbo/broker.pp
index c9875be..1c2b081 100644
--- a/modules/role/manifests/kafka/jumbo/broker.pp
+++ b/modules/role/manifests/kafka/jumbo/broker.pp
@@ -10,6 +10,6 @@ if !defined(Class['::standard']) { include ::standard }
- include base::firewall
- include profile::kafka::broker
+ include ::profile::base::firewall
+ include ::profile::kafka::broker
 }
diff --git a/modules/role/manifests/kafka/simple/broker.pp b/modules/role/manifests/kafka/simple/broker.pp
index 8f48915..79676f7 100644
--- a/modules/role/manifests/kafka/simple/broker.pp
+++ b/modules/role/manifests/kafka/simple/broker.pp
@@ -8,6 +8,6 @@ } include standard
- include base::firewall
- include profile::kafka::broker
+ include ::profile::base::firewall
+ include ::profile::kafka::broker
 }
diff --git a/modules/role/manifests/kubernetes/master.pp b/modules/role/manifests/kubernetes/master.pp
index d34e274..3c4d9a9 100644
--- a/modules/role/manifests/kubernetes/master.pp
+++ b/modules/role/manifests/kubernetes/master.pp
@@ -1,6 +1,6 @@ class role::kubernetes::master { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 # Sets up docker on the machine include ::profile::kubernetes::master
diff --git a/modules/role/manifests/kubernetes/staging/etcd.pp b/modules/role/manifests/kubernetes/staging/etcd.pp
index 906d4f4..8c94259 100644
--- a/modules/role/manifests/kubernetes/staging/etcd.pp
+++ b/modules/role/manifests/kubernetes/staging/etcd.pp
@@ -2,7 +2,7 @@ class role::kubernetes::staging::etcd { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::etcd include ::profile::etcd::auth }
diff --git a/modules/role/manifests/kubernetes/staging/master.pp b/modules/role/manifests/kubernetes/staging/master.pp
index bb1934f..027e1c0 100644
--- a/modules/role/manifests/kubernetes/staging/master.pp
+++ b/modules/role/manifests/kubernetes/staging/master.pp
@@ -1,6 +1,6 @@ class role::kubernetes::staging::master { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 # Sets up docker on the machine include ::profile::kubernetes::master
diff --git a/modules/role/manifests/kubernetes/staging/worker.pp b/modules/role/manifests/kubernetes/staging/worker.pp
index 510a61c..e142cf4 100644
--- a/modules/role/manifests/kubernetes/staging/worker.pp
+++ b/modules/role/manifests/kubernetes/staging/worker.pp
@@ -1,6 +1,6 @@ class role::kubernetes::staging::worker { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 # Sets up docker on the machine include ::profile::docker::storage
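Review bot: In modules/role/manifests/kafka/simple/broker.pp the context line `include standard` keeps its relative name while the two includes below it are rewritten to top-scope form, so the class now mixes both styles. Consider `include ::standard` there, matching kafka/jumbo/broker.pp and the other roles touched by this change. The same hunk also qualifies `profile::kafka::broker`, which is not part of the rename the subject describes; a word in the commit message would make that intentional. The start of the class is outside the hunk.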
diff --git a/modules/role/manifests/kubernetes/worker.pp b/modules/role/manifests/kubernetes/worker.pp
index bdd1e4e..7d155d2 100644
--- a/modules/role/manifests/kubernetes/worker.pp
+++ b/modules/role/manifests/kubernetes/worker.pp
@@ -1,6 +1,6 @@ class role::kubernetes::worker { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 # Sets up docker on the machine include ::profile::docker::storage
diff --git a/modules/role/manifests/labs/db/proxy.pp b/modules/role/manifests/labs/db/proxy.pp
index c47aaab..84eeff3 100644
--- a/modules/role/manifests/labs/db/proxy.pp
+++ b/modules/role/manifests/labs/db/proxy.pp
@@ -9,7 +9,7 @@ include ::standard include passwords::labs::db::proxy
- include ::base::firewall
+ include ::profile::base::firewall
 $admin_user = $passwords::labs::db::proxy::admin_user $admin_password = $passwords::labs::db::proxy::admin_password
diff --git a/modules/role/manifests/labs/db/replica.pp b/modules/role/manifests/labs/db/replica.pp
index 943d6cf..8befc00 100644
--- a/modules/role/manifests/labs/db/replica.pp
+++ b/modules/role/manifests/labs/db/replica.pp
@@ -8,7 +8,7 @@ class { 'mariadb::packages_wmf': } class { 'mariadb::service': } include role::mariadb::monitor
- include ::base::firewall
+ include ::profile::base::firewall
 ferm::service{ 'mariadb_labs_db_replica': proto => 'tcp',
diff --git a/modules/role/manifests/labs/novaproxy.pp b/modules/role/manifests/labs/novaproxy.pp
index 34ebe6d..135532c 100644
--- a/modules/role/manifests/labs/novaproxy.pp
+++ b/modules/role/manifests/labs/novaproxy.pp
@@ -7,7 +7,7 @@ $active_proxy, $use_ssl = true, ) {
- include ::base::firewall
+ include ::profile::base::firewall
 $proxy_nodes = join($all_proxies, ' ') # Open up redis to all proxies!
diff --git a/modules/role/manifests/labs/puppetmaster/backend.pp b/modules/role/manifests/labs/puppetmaster/backend.pp
index 91ad863..9b357e5 100644
--- a/modules/role/manifests/labs/puppetmaster/backend.pp
+++ b/modules/role/manifests/labs/puppetmaster/backend.pp
@@ -18,7 +18,7 @@ $allow_from = flatten([$labs_instance_range, $labs_metal, '.wikimedia.org']) include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::puppetmaster::labsenc include ::profile::puppetmaster::labsencapi
diff --git a/modules/role/manifests/labs/puppetmaster/frontend.pp b/modules/role/manifests/labs/puppetmaster/frontend.pp
index c14319d..e884a6f 100644
--- a/modules/role/manifests/labs/puppetmaster/frontend.pp
+++ b/modules/role/manifests/labs/puppetmaster/frontend.pp
@@ -30,7 +30,7 @@ # Only allow puppet access from the instances $allow_from = flatten([$labs_instance_range, $labs_metal, '.wikimedia.org'])
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::backup::host include ::profile::puppetmaster::labsenc
diff --git a/modules/role/manifests/logging/mediawiki/udp2log.pp b/modules/role/manifests/logging/mediawiki/udp2log.pp
index 8268270..a0b9318 100644
--- a/modules/role/manifests/logging/mediawiki/udp2log.pp
+++ b/modules/role/manifests/logging/mediawiki/udp2log.pp
@@ -13,7 +13,7 @@ description => 'MediaWiki log collector', }
- include ::base::firewall
+ include ::profile::base::firewall
 # Rsync archived slow-parse logs to dumps.wikimedia.org. # These are available for download at http://dumps.wikimedia.org/other/slow-parse/
diff --git a/modules/role/manifests/logstash/collector.pp b/modules/role/manifests/logstash/collector.pp
index 7113d5a..c521093 100644
--- a/modules/role/manifests/logstash/collector.pp
+++ b/modules/role/manifests/logstash/collector.pp
@@ -13,7 +13,7 @@ ) { include ::role::logstash::elasticsearch include ::logstash
- include ::base::firewall
+ include ::profile::base::firewall
 nrpe::monitor_service { 'logstash': description => 'logstash process',
diff --git a/modules/role/manifests/logstash/elasticsearch.pp b/modules/role/manifests/logstash/elasticsearch.pp
index c81695c..d8fe82e 100644
--- a/modules/role/manifests/logstash/elasticsearch.pp
+++ b/modules/role/manifests/logstash/elasticsearch.pp
@@ -6,7 +6,7 @@ class role::logstash::elasticsearch { include ::standard include ::elasticsearch::monitor::diamond
- include ::base::firewall
+ include ::profile::base::firewall
 # the logstash cluster has 3 data nodes, and each shard has 3 replica (each #shard is present on each node). If one node is lost, 1/3 of the shards
diff --git a/modules/role/manifests/mail/mx.pp b/modules/role/manifests/mail/mx.pp
index b8fdce9..295b41f 100644
--- a/modules/role/manifests/mail/mx.pp
+++ b/modules/role/manifests/mail/mx.pp
@@ -8,7 +8,7 @@ ) { include network::constants include privateexim::aliases::private
- include ::base::firewall
+ include ::profile::base::firewall
 system::role { 'mail::mx': description => 'Mail router',
diff --git a/modules/role/manifests/maps/master.pp b/modules/role/manifests/maps/master.pp
index 35fcd58..16f1bb4 100644
--- a/modules/role/manifests/maps/master.pp
+++ b/modules/role/manifests/maps/master.pp
@@ -1,7 +1,7 @@ # Sets up a maps server master class role::maps::master { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::role::lvs::realserver include ::profile::maps::apps
diff --git a/modules/role/manifests/maps/slave.pp b/modules/role/manifests/maps/slave.pp
index 664ed3e..9dc3116 100644
--- a/modules/role/manifests/maps/slave.pp
+++ b/modules/role/manifests/maps/slave.pp
@@ -1,7 +1,7 @@ # Sets up a maps server slave class role::maps::slave { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::role::lvs::realserver include ::profile::maps::apps
diff --git a/modules/role/manifests/maps/test/master.pp b/modules/role/manifests/maps/test/master.pp
index 6bbce94..1c5984f 100644
--- a/modules/role/manifests/maps/test/master.pp
+++ b/modules/role/manifests/maps/test/master.pp
@@ -1,7 +1,7 @@ # Sets up a maps server master class role::maps::test::master { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::maps::apps include ::profile::maps::cassandra
diff --git a/modules/role/manifests/maps/test/slave.pp b/modules/role/manifests/maps/test/slave.pp
index c8e31f1..d76eb51 100644
--- a/modules/role/manifests/maps/test/slave.pp
+++ b/modules/role/manifests/maps/test/slave.pp
@@ -1,7 +1,7 @@ # Sets up a maps server slave class role::maps::test::slave { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::maps::apps include ::profile::maps::cassandra
diff --git a/modules/role/manifests/mariadb/core.pp b/modules/role/manifests/mariadb/core.pp
index ccdb2a0..8e99e22 100644
--- a/modules/role/manifests/mariadb/core.pp
+++ b/modules/role/manifests/mariadb/core.pp
@@ -19,7 +19,7 @@ } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include role::mariadb::monitor include passwords::misc::scripts include role::mariadb::ferm
diff --git a/modules/role/manifests/mariadb/dbstore.pp b/modules/role/manifests/mariadb/dbstore.pp
index 15746bc..72d9feb 100644
--- a/modules/role/manifests/mariadb/dbstore.pp
+++ b/modules/role/manifests/mariadb/dbstore.pp
@@ -14,7 +14,7 @@ include mariadb::service include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include passwords::misc::scripts class { 'role::mariadb::grants::production':
diff --git a/modules/role/manifests/mariadb/dbstore_multiinstance.pp b/modules/role/manifests/mariadb/dbstore_multiinstance.pp
index 6efd1b0..e54374d 100644
--- a/modules/role/manifests/mariadb/dbstore_multiinstance.pp
+++ b/modules/role/manifests/mariadb/dbstore_multiinstance.pp
@@ -4,7 +4,7 @@ } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 #FIXME: ferm::service { 'dbstore_multiinstance': proto => 'tcp',
diff --git a/modules/role/manifests/mariadb/labs_deprecated.pp b/modules/role/manifests/mariadb/labs_deprecated.pp
index f2c2e2a..b409a4c 100644
--- a/modules/role/manifests/mariadb/labs_deprecated.pp
+++ b/modules/role/manifests/mariadb/labs_deprecated.pp
@@ -11,7 +11,7 @@ include role::mariadb::monitor include passwords::misc::scripts include role::mariadb::ferm
- include ::base::firewall
+ include ::profile::base::firewall
 include role::labs::db::common include role::labs::db::views include role::labs::db::check_private_data
diff --git a/modules/role/manifests/mariadb/misc.pp b/modules/role/manifests/mariadb/misc.pp
index 8de997c..412c2f8 100644
--- a/modules/role/manifests/mariadb/misc.pp
+++ b/modules/role/manifests/mariadb/misc.pp
@@ -21,7 +21,7 @@ include ::standard include role::mariadb::monitor include passwords::misc::scripts
- include ::base::firewall
+ include ::profile::base::firewall
 include role::mariadb::ferm class { 'role::mariadb::groups': mysql_group => 'misc',
diff --git a/modules/role/manifests/mariadb/misc/eventlogging.pp b/modules/role/manifests/mariadb/misc/eventlogging.pp
index 1bf80c6..58d7b41 100644
--- a/modules/role/manifests/mariadb/misc/eventlogging.pp
+++ b/modules/role/manifests/mariadb/misc/eventlogging.pp
@@ -18,7 +18,7 @@ include ::standard include role::mariadb::monitor::dba include passwords::misc::scripts
- include ::base::firewall
+ include ::profile::base::firewall
 include role::mariadb::ferm class {'role::mariadb::groups':
diff --git a/modules/role/manifests/mariadb/misc/phabricator.pp b/modules/role/manifests/mariadb/misc/phabricator.pp
index 1ed4192..9e528a8 100644
--- a/modules/role/manifests/mariadb/misc/phabricator.pp
+++ b/modules/role/manifests/mariadb/misc/phabricator.pp
@@ -25,7 +25,7 @@ include role::mariadb::monitor include passwords::misc::scripts
- include ::base::firewall
+ include ::profile::base::firewall
 include role::mariadb::ferm class { 'role::mariadb::groups':
diff --git a/modules/role/manifests/mariadb/parsercache.pp b/modules/role/manifests/mariadb/parsercache.pp
index 0fd04c1..34f1095 100644
--- a/modules/role/manifests/mariadb/parsercache.pp
+++ b/modules/role/manifests/mariadb/parsercache.pp
@@ -6,7 +6,7 @@ ) { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include role::mariadb::monitor include role::mariadb::ferm include passwords::misc::scripts
diff --git a/modules/role/manifests/mariadb/sanitarium_multiinstance.pp b/modules/role/manifests/mariadb/sanitarium_multiinstance.pp
index 15507a9..7e133ff 100644
--- a/modules/role/manifests/mariadb/sanitarium_multiinstance.pp
+++ b/modules/role/manifests/mariadb/sanitarium_multiinstance.pp
@@ -13,7 +13,7 @@ } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 #FIXME: ferm::service { 'sanitarium_multiinstance': proto => 'tcp',
diff --git a/modules/role/manifests/mariadb/sanitarium_multisource.pp b/modules/role/manifests/mariadb/sanitarium_multisource.pp
index 497f4db..9a65f82 100644
--- a/modules/role/manifests/mariadb/sanitarium_multisource.pp
+++ b/modules/role/manifests/mariadb/sanitarium_multisource.pp
@@ -15,7 +15,7 @@ include ::standard include passwords::misc::scripts
- include ::base::firewall
+ include ::profile::base::firewall
 include role::mariadb::ferm include role::labs::db::common include role::labs::db::check_private_data
diff --git a/modules/role/manifests/mediawiki/imagescaler.pp b/modules/role/manifests/mediawiki/imagescaler.pp
index 61dde79..89cfe19 100644
--- a/modules/role/manifests/mediawiki/imagescaler.pp
+++ b/modules/role/manifests/mediawiki/imagescaler.pp
@@ -5,6 +5,6 @@ include ::role::mediawiki::webserver include ::profile::prometheus::apache_exporter include ::profile::prometheus::hhvm_exporter
- include ::base::firewall
+ include ::profile::base::firewall
 include ::threedtopng::deploy }
diff --git a/modules/role/manifests/mediawiki/videoscaler.pp b/modules/role/manifests/mediawiki/videoscaler.pp
index 62544c5..8c9580c 100644
--- a/modules/role/manifests/mediawiki/videoscaler.pp
+++ b/modules/role/manifests/mediawiki/videoscaler.pp
@@ -9,7 +9,7 @@ include ::profile::prometheus::apache_exporter include ::profile::prometheus::hhvm_exporter include ::profile::mediawiki::jobrunner
- include ::base::firewall
+ include ::profile::base::firewall
 # Change the apache2.conf Timeout setting augeas { 'apache timeout':
diff --git a/modules/role/manifests/mediawiki_maintenance.pp b/modules/role/manifests/mediawiki_maintenance.pp
index aba34f8..c98cfb5 100644
--- a/modules/role/manifests/mediawiki_maintenance.pp
+++ b/modules/role/manifests/mediawiki_maintenance.pp
@@ -1,6 +1,6 @@ class role::mediawiki_maintenance { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 # Mediawiki include ::role::mediawiki::common
diff --git a/modules/role/manifests/memcached.pp b/modules/role/manifests/memcached.pp
index 07c19eb..dd214c0 100644
--- a/modules/role/manifests/memcached.pp
+++ b/modules/role/manifests/memcached.pp
@@ -6,7 +6,7 @@ include ::standard include ::base::mysterious_sysctl
- include ::base::firewall
+ include ::profile::base::firewall
 include profile::memcached::instance include profile::memcached::memkeys }
diff --git a/modules/role/manifests/microsites/peopleweb.pp b/modules/role/manifests/microsites/peopleweb.pp
index 30e0ec1..6d45e26 100644
--- a/modules/role/manifests/microsites/peopleweb.pp
+++ b/modules/role/manifests/microsites/peopleweb.pp
@@ -2,7 +2,7 @@ class role::microsites::peopleweb { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::backup::host class { '::publichtml':
diff --git a/modules/role/manifests/mirrors.pp b/modules/role/manifests/mirrors.pp
index 5b3e3e6..5af8128 100644
--- a/modules/role/manifests/mirrors.pp
+++ b/modules/role/manifests/mirrors.pp
@@ -9,7 +9,7 @@ include mirrors::serve include mirrors::tails
- include ::base::firewall
+ include ::profile::base::firewall
 include mirrors::ubuntu nrpe::monitor_service {'check_ubuntu_mirror':
diff --git a/modules/role/manifests/mw_rc_irc.pp b/modules/role/manifests/mw_rc_irc.pp
index d8b28d0..8480360 100644
--- a/modules/role/manifests/mw_rc_irc.pp
+++ b/modules/role/manifests/mw_rc_irc.pp
@@ -4,7 +4,7 @@ system::role { 'mw_rc_irc': description => 'MW Changes IRC Broadcast Server' } include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::passwords::udpmxircecho include ::profile::mw_rc_irc
diff --git a/modules/role/manifests/network/monitor.pp b/modules/role/manifests/network/monitor.pp
index 9a02d6c..176ce8a 100644
--- a/modules/role/manifests/network/monitor.pp
+++ b/modules/role/manifests/network/monitor.pp
@@ -1,7 +1,7 @@ class role::network::monitor { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::passwords::network include ::profile::prometheus::snmp_exporter }
diff --git a/modules/role/manifests/ocg.pp b/modules/role/manifests/ocg.pp
index d58d9fc..c4679b3 100644
--- a/modules/role/manifests/ocg.pp
+++ b/modules/role/manifests/ocg.pp
@@ -4,7 +4,7 @@ # # filtertags: labs-project-deployment-prep labs-project-ocg class role::ocg {
- include ::base::firewall
+ include ::profile::base::firewall
 include ::standard # size of tmpfs filesystem
diff --git a/modules/role/manifests/openldap/corp.pp b/modules/role/manifests/openldap/corp.pp
index 389ce4f..39c0de0 100644
--- a/modules/role/manifests/openldap/corp.pp
+++ b/modules/role/manifests/openldap/corp.pp
@@ -4,7 +4,7 @@ class role::openldap::corp { include passwords::openldap::corp include ::profile::backup::host
- include ::base::firewall
+ include ::profile::base::firewall
 system::role { 'openldap::corp': description => 'Corp OIT openldap Mirror server'
diff --git a/modules/role/manifests/openldap/labs.pp b/modules/role/manifests/openldap/labs.pp
index 4617665..5fd79f8 100644
--- a/modules/role/manifests/openldap/labs.pp
+++ b/modules/role/manifests/openldap/labs.pp
@@ -2,7 +2,7 @@ class role::openldap::labs { include passwords::openldap::labs
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::backup::host $ldapconfig = hiera_hash('labsldapconfig', {})
diff --git a/modules/role/manifests/openldap/labtest.pp b/modules/role/manifests/openldap/labtest.pp
index 172f44e..acd7b0d 100644
--- a/modules/role/manifests/openldap/labtest.pp
+++ b/modules/role/manifests/openldap/labtest.pp
@@ -3,7 +3,7 @@ class role::openldap::labtest { include passwords::openldap::labtest
- include ::base::firewall
+ include ::profile::base::firewall
 $ldapconfig = hiera_hash('labsldapconfig', {}) $ldap_labs_hostname = $ldapconfig['hostname']
diff --git a/modules/role/manifests/ores/stresstest.pp b/modules/role/manifests/ores/stresstest.pp
index 600ec09..596dc1c 100644
--- a/modules/role/manifests/ores/stresstest.pp
+++ b/modules/role/manifests/ores/stresstest.pp
@@ -1,7 +1,7 @@ # Temporary role class for T169246 class role::ores::stresstest { include ::standard
- include ::base::firewall
+ include ::profile::base::firewall
 include ::profile::ores::worker include ::profile::ores::web
diff --git a/modules/role/manifests/osm/master.pp b/modules/role/manifests/osm/master.pp
index 58fa6dd..09ebb80 100644
--- a/modules/role/manifests/osm/master.pp
+++ b/modules/role/manifests/osm/master.pp
@@ -21,7 +21,7 @@ include postgresql::postgis include osm include passwords::osm
- include ::base::firewall
+ include ::profile::base::firewall
 class { 'postgresql::master':
diff --git a/modules/role/manifests/osm/slave.pp b/modules/role/manifests/osm/slave.pp
index b1f9d17..f59883b 100644
--- a/modules/role/manifests/osm/slave.pp
+++ b/modules/role/manifests/osm/slave.pp
@@ -4,7 +4,7 @@ include role::osm::common include postgresql::postgis include passwords::osm - include ::base::firewall + include ::profile::base::firewall # Note: This is here to illustrate the fact that the slave is expected to # have the same dbs as the master. #postgresql::spatialdb { 'gis': } diff --git a/modules/role/manifests/package/builder.pp b/modules/role/manifests/package/builder.pp index b528d0b..1e9105b 100644 --- a/modules/role/manifests/package/builder.pp +++ b/modules/role/manifests/package/builder.pp @@ -5,7 +5,7 @@ # filtertags: labs-project-deployment-prep labs-project-packaging labs-project-tools class role::package::builder { include ::package_builder - include ::base::firewall + include ::profile::base::firewall system::role { 'package::builder': description => 'Debian package builder' diff --git a/modules/role/manifests/parsoid.pp b/modules/role/manifests/parsoid.pp index db58d4a..5e71c11 100644 --- a/modules/role/manifests/parsoid.pp +++ b/modules/role/manifests/parsoid.pp @@ -8,7 +8,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall if hiera('has_lvs', true) { include role::lvs::realserver diff --git a/modules/role/manifests/paws_internal/jupyterhub.pp b/modules/role/manifests/paws_internal/jupyterhub.pp index 2ec44a1..d04a612 100644 --- a/modules/role/manifests/paws_internal/jupyterhub.pp +++ b/modules/role/manifests/paws_internal/jupyterhub.pp @@ -4,7 +4,7 @@ # See https://wikitech.wikimedia.org/wiki/PAWS/Internal for more info class role::paws_internal::jupyterhub { - include ::base::firewall + include ::profile::base::firewall include ::statistics::packages class { '::jupyterhub': diff --git a/modules/role/manifests/phabricator_server.pp b/modules/role/manifests/phabricator_server.pp index a0ce220..cbb85df 100644 --- a/modules/role/manifests/phabricator_server.pp +++ b/modules/role/manifests/phabricator_server.pp 
@@ -9,7 +9,7 @@ include ::standard include ::lvs::realserver - include ::base::firewall + include ::profile::base::firewall include ::apache::mod::remoteip include ::profile::backup::host include ::profile::phabricator::main diff --git a/modules/role/manifests/poolcounter/server.pp b/modules/role/manifests/poolcounter/server.pp index dcea95f..03726f9 100644 --- a/modules/role/manifests/poolcounter/server.pp +++ b/modules/role/manifests/poolcounter/server.pp @@ -2,7 +2,7 @@ class role::poolcounter::server { include ::standard include ::poolcounter - include ::base::firewall + include ::profile::base::firewall system::role { 'poolcounter': description => 'PoolCounter server', diff --git a/modules/role/manifests/postgres/master.pp b/modules/role/manifests/postgres/master.pp index fe06b89..9b57e7a 100644 --- a/modules/role/manifests/postgres/master.pp +++ b/modules/role/manifests/postgres/master.pp @@ -2,7 +2,7 @@ include role::postgres::common include ::postgresql::postgis include ::passwords::postgres - include ::base::firewall + include ::profile::base::firewall class { 'postgresql::master': includes => 'tuning.conf', diff --git a/modules/role/manifests/prometheus/global.pp b/modules/role/manifests/prometheus/global.pp index e2d9fcd..3d7231b 100644 --- a/modules/role/manifests/prometheus/global.pp +++ b/modules/role/manifests/prometheus/global.pp @@ -1,5 +1,5 @@ class role::prometheus::global { - include ::base::firewall + include ::profile::base::firewall # Pull selected metrics from all DC-local Prometheus servers. $federation_jobs = [ diff --git a/modules/role/manifests/prometheus/ops.pp b/modules/role/manifests/prometheus/ops.pp index 1610242..eb7017e 100644 --- a/modules/role/manifests/prometheus/ops.pp +++ b/modules/role/manifests/prometheus/ops.pp 
@@ -4,7 +4,7 @@ # filtertags: labs-project-monitoring class role::prometheus::ops { include ::standard - include ::base::firewall + include ::profile::base::firewall $targets_path = '/srv/prometheus/ops/targets' $storage_retention = hiera('prometheus::server::storage_retention', '2190h0m0s') diff --git a/modules/role/manifests/prometheus/services.pp b/modules/role/manifests/prometheus/services.pp index 80b7480..3731409 100644 --- a/modules/role/manifests/prometheus/services.pp +++ b/modules/role/manifests/prometheus/services.pp @@ -4,7 +4,7 @@ # filtertags: labs-project-monitoring class role::prometheus::services { include ::standard - include ::base::firewall + include ::profile::base::firewall $targets_path = '/srv/prometheus/services/targets' $storage_retention = hiera('prometheus::server::storage_retention', '2190h0m0s') diff --git a/modules/role/manifests/puppet/self.pp b/modules/role/manifests/puppet/self.pp index 4c32133..431ef1f 100644 --- a/modules/role/manifests/puppet/self.pp +++ b/modules/role/manifests/puppet/self.pp @@ -46,7 +46,7 @@ include puppetmaster::gitsync } - # Allow access to the Puppetmaster when ::base::firewall is applied + # Allow access to the Puppetmaster when ::profile::base::firewall is applied ferm::service { 'puppetmaster-self': proto => 'tcp', port => 8140, diff --git a/modules/role/manifests/puppetmaster/backend.pp b/modules/role/manifests/puppetmaster/backend.pp index eac3ed1..2cebfe9 100644 --- a/modules/role/manifests/puppetmaster/backend.pp +++ b/modules/role/manifests/puppetmaster/backend.pp @@ -6,7 +6,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::puppetmaster::backend diff --git a/modules/role/manifests/puppetmaster/frontend.pp b/modules/role/manifests/puppetmaster/frontend.pp index f6ee73d..b46390d 100644 --- a/modules/role/manifests/puppetmaster/frontend.pp +++ b/modules/role/manifests/puppetmaster/frontend.pp 
@@ -5,7 +5,7 @@ description => 'Puppetmaster frontend' } - include ::base::firewall + include ::profile::base::firewall include ::profile::backup::host diff --git a/modules/role/manifests/puppetmaster/puppetdb.pp b/modules/role/manifests/puppetmaster/puppetdb.pp index 0d5f803..a44eca4 100644 --- a/modules/role/manifests/puppetmaster/puppetdb.pp +++ b/modules/role/manifests/puppetmaster/puppetdb.pp @@ -3,7 +3,7 @@ $shared_buffers = '7680MB' ) { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::passwords::postgres $master = hiera('puppetmaster::puppetdb::master') diff --git a/modules/role/manifests/pybaltest.pp b/modules/role/manifests/pybaltest.pp index ea0ae26..a8bceef 100644 --- a/modules/role/manifests/pybaltest.pp +++ b/modules/role/manifests/pybaltest.pp @@ -3,7 +3,7 @@ description => 'pybal testing/development' } - include ::base::firewall + include ::profile::base::firewall $pybaltest_hosts_ferm = join(hiera('pybaltest::hosts'), ' ') ferm::service { 'pybaltest-http': diff --git a/modules/role/manifests/releases.pp b/modules/role/manifests/releases.pp index 426ddec..826f26f 100644 --- a/modules/role/manifests/releases.pp +++ b/modules/role/manifests/releases.pp @@ -9,7 +9,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::backup::host include ::profile::releases::mediawiki include ::profile::releases::reprepro diff --git a/modules/role/manifests/requesttracker/upgradetest.pp b/modules/role/manifests/requesttracker/upgradetest.pp index e5d453e..b1fda3b 100644 --- a/modules/role/manifests/requesttracker/upgradetest.pp +++ b/modules/role/manifests/requesttracker/upgradetest.pp @@ -3,7 +3,7 @@ system::role { 'requesttracker::upgradetest': description => 'temp test setup for RT migration to jessie' } include ::standard - include ::base::firewall + include ::profile::base::firewall include rsync::server # copy db dump from slave via rsync 
diff --git a/modules/role/manifests/restbase/base.pp b/modules/role/manifests/restbase/base.pp index e96d2d6..a9f131c 100644 --- a/modules/role/manifests/restbase/base.pp +++ b/modules/role/manifests/restbase/base.pp @@ -2,7 +2,7 @@ # class role::restbase::base{ include ::passwords::cassandra - include ::base::firewall + include ::profile::base::firewall include ::standard include ::profile::cassandra diff --git a/modules/role/manifests/restbase/production_ng.pp b/modules/role/manifests/restbase/production_ng.pp index 7e6a20c..468cb39 100644 --- a/modules/role/manifests/restbase/production_ng.pp +++ b/modules/role/manifests/restbase/production_ng.pp @@ -3,7 +3,7 @@ # Configures the production cluster (next-gen) class role::restbase::production_ng { include ::passwords::cassandra - include ::base::firewall + include ::profile::base::firewall include ::standard include ::profile::cassandra system::role { 'restbase': description => 'Restbase (Cassandra 3.x-only)' } diff --git a/modules/role/manifests/sca.pp b/modules/role/manifests/sca.pp index dd0a104..325edd3 100644 --- a/modules/role/manifests/sca.pp +++ b/modules/role/manifests/sca.pp @@ -4,7 +4,7 @@ include role::zotero include ::standard - include ::base::firewall + include ::profile::base::firewall if $::realm == 'production' { include ::lvs::realserver } diff --git a/modules/role/manifests/scb.pp b/modules/role/manifests/scb.pp index 8309a1c..6e75f09 100644 --- a/modules/role/manifests/scb.pp +++ b/modules/role/manifests/scb.pp @@ -14,7 +14,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall include role::lvs::realserver # Ores diff --git a/modules/role/manifests/security/tools.pp b/modules/role/manifests/security/tools.pp index 2559f8d..3a176ae 100644 --- a/modules/role/manifests/security/tools.pp +++ b/modules/role/manifests/security/tools.pp @@ -1,5 +1,5 @@ class role::security::tools { include ::standard - include ::base::firewall + include ::profile::base::firewall } 
diff --git a/modules/role/manifests/snapshot/common.pp b/modules/role/manifests/snapshot/common.pp index e0c929c..bef004b 100644 --- a/modules/role/manifests/snapshot/common.pp +++ b/modules/role/manifests/snapshot/common.pp @@ -1,7 +1,7 @@ class role::snapshot::common { include ::dumps::deprecated::user include ::standard - include ::base::firewall + include ::profile::base::firewall # mw packages and dependencies, dataset server nfs mount, # config files, stages files, dblists, html templates diff --git a/modules/role/manifests/spare/system.pp b/modules/role/manifests/spare/system.pp index 6d69e47..1dbe4d3 100644 --- a/modules/role/manifests/spare/system.pp +++ b/modules/role/manifests/spare/system.pp @@ -10,7 +10,7 @@ # filtertags: labs-project-puppet class role::spare::system { include ::standard - include ::base::firewall + include ::profile::base::firewall system::role { 'spare::system': description => 'Unused spare system' } } diff --git a/modules/role/manifests/swift/proxy.pp b/modules/role/manifests/swift/proxy.pp index b5ef131..5e20e8f 100644 --- a/modules/role/manifests/swift/proxy.pp +++ b/modules/role/manifests/swift/proxy.pp @@ -7,7 +7,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall include ::swift::params include ::swift include ::swift::ring diff --git a/modules/role/manifests/swift/storage.pp b/modules/role/manifests/swift/storage.pp index b385bc5..3aacd49 100644 --- a/modules/role/manifests/swift/storage.pp +++ b/modules/role/manifests/swift/storage.pp @@ -5,7 +5,7 @@ } include ::standard - include ::base::firewall + include ::profile::base::firewall include ::swift::params include ::swift include ::swift::ring diff --git a/modules/role/manifests/syslog/centralserver.pp b/modules/role/manifests/syslog/centralserver.pp index b821e73..ac7b4c1 100644 --- a/modules/role/manifests/syslog/centralserver.pp +++ b/modules/role/manifests/syslog/centralserver.pp 
@@ -5,7 +5,7 @@ class role::syslog::centralserver { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::backup::host system::role { 'syslog::centralserver': diff --git a/modules/role/manifests/tendril.pp b/modules/role/manifests/tendril.pp index 8a63e00..82c4af9 100644 --- a/modules/role/manifests/tendril.pp +++ b/modules/role/manifests/tendril.pp @@ -2,7 +2,7 @@ # tendril: MariaDB Analytics class role::tendril { - include ::base::firewall + include ::profile::base::firewall include ::standard system::role { 'tendril': description => 'tendril server' } diff --git a/modules/role/manifests/test.pp b/modules/role/manifests/test.pp index 85c9c6c..e6f584e 100644 --- a/modules/role/manifests/test.pp +++ b/modules/role/manifests/test.pp @@ -3,7 +3,7 @@ # filtertags: labs-project-puppet class role::test { include ::standard - include ::base::firewall + include ::profile::base::firewall system::role { 'test': description => 'Unpuppetised system for testing' } } diff --git a/modules/role/manifests/thumbor/mediawiki.pp b/modules/role/manifests/thumbor/mediawiki.pp index 2cfb847..c4ad1d4 100644 --- a/modules/role/manifests/thumbor/mediawiki.pp +++ b/modules/role/manifests/thumbor/mediawiki.pp @@ -6,7 +6,7 @@ class role::thumbor::mediawiki { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::mediawiki::packages::fonts include role::statsite diff --git a/modules/role/manifests/toollabs/elasticsearch.pp b/modules/role/manifests/toollabs/elasticsearch.pp index a1455d5..355e5e3 100644 --- a/modules/role/manifests/toollabs/elasticsearch.pp +++ b/modules/role/manifests/toollabs/elasticsearch.pp @@ -4,7 +4,7 @@ # # filtertags: labs-project-tools class role::toollabs::elasticsearch { - include ::base::firewall + include ::profile::base::firewall include ::elasticsearch class { '::nginx': 
diff --git a/modules/role/manifests/toollabs/etcd/flannel.pp b/modules/role/manifests/toollabs/etcd/flannel.pp index 5a5a66f..98d8e94 100644 --- a/modules/role/manifests/toollabs/etcd/flannel.pp +++ b/modules/role/manifests/toollabs/etcd/flannel.pp @@ -2,7 +2,7 @@ class role::toollabs::etcd::flannel { include ::etcd - include ::base::firewall + include ::profile::base::firewall include ::role::toollabs::etcd::expose_metrics $worker_hosts = join(hiera('k8s::worker_hosts'), ' ') diff --git a/modules/role/manifests/toollabs/etcd/k8s.pp b/modules/role/manifests/toollabs/etcd/k8s.pp index 0ea5875..31ba71e 100644 --- a/modules/role/manifests/toollabs/etcd/k8s.pp +++ b/modules/role/manifests/toollabs/etcd/k8s.pp @@ -1,7 +1,7 @@ # filtertags: labs-project-tools class role::toollabs::etcd::k8s { include ::etcd - include ::base::firewall + include ::profile::base::firewall include ::role::toollabs::etcd::expose_metrics diff --git a/modules/role/manifests/toollabs/k8s/master.pp b/modules/role/manifests/toollabs/k8s/master.pp index 81647b4..7d2bab8 100644 --- a/modules/role/manifests/toollabs/k8s/master.pp +++ b/modules/role/manifests/toollabs/k8s/master.pp @@ -2,7 +2,7 @@ class role::toollabs::k8s::master( $use_puppet_certs = false, ) { - include ::base::firewall + include ::profile::base::firewall include ::toollabs::infrastructure $master_host = hiera('k8s::master_host', $::fqdn) diff --git a/modules/role/manifests/toollabs/logging/centralserver.pp b/modules/role/manifests/toollabs/logging/centralserver.pp index a0a2e92..b7a345a 100644 --- a/modules/role/manifests/toollabs/logging/centralserver.pp +++ b/modules/role/manifests/toollabs/logging/centralserver.pp @@ -2,7 +2,7 @@ # # filtertags: labs-project-tools class role::toollabs::logging::centralserver { - include ::base::firewall + include ::profile::base::firewall system::role { 'tools::logreceiver': description => 'Central syslog server', 
diff --git a/modules/role/manifests/tor_relay.pp b/modules/role/manifests/tor_relay.pp index 651b115..387c1c5 100644 --- a/modules/role/manifests/tor_relay.pp +++ b/modules/role/manifests/tor_relay.pp @@ -1,7 +1,7 @@ # set up a Tor relay (https://www.torproject.org/) class role::tor_relay { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::tor::relay system::role { 'tor_relay': diff --git a/modules/role/manifests/wdqs.pp b/modules/role/manifests/wdqs.pp index 1821689..54a98fb 100644 --- a/modules/role/manifests/wdqs.pp +++ b/modules/role/manifests/wdqs.pp @@ -3,7 +3,7 @@ # This class sets up Wikidata Query Service class role::wdqs { include ::standard - include ::base::firewall + include ::profile::base::firewall include ::role::lvs::realserver include ::profile::wdqs diff --git a/modules/role/manifests/wdqs/labs.pp b/modules/role/manifests/wdqs/labs.pp index 3bd48ec..fed5226 100644 --- a/modules/role/manifests/wdqs/labs.pp +++ b/modules/role/manifests/wdqs/labs.pp @@ -7,7 +7,7 @@ require role::labs::lvm::srv include ::standard - include ::base::firewall + include ::profile::base::firewall include ::profile::wdqs system::role { 'wdqs': diff --git a/modules/role/manifests/webperf.pp b/modules/role/manifests/webperf.pp index 80b8388..d26ed59 100644 --- a/modules/role/manifests/webperf.pp +++ b/modules/role/manifests/webperf.pp @@ -6,7 +6,7 @@ class role::webperf { include ::standard - include ::base::firewall + include ::profile::base::firewall $statsd = hiera('statsd') $statsd_parts = split($statsd, ':') diff --git a/modules/role/manifests/wikimania_scholarships.pp b/modules/role/manifests/wikimania_scholarships.pp index 1912b23..eb6954c 100644 --- a/modules/role/manifests/wikimania_scholarships.pp +++ b/modules/role/manifests/wikimania_scholarships.pp 
@@ -4,7 +4,7 @@ # class role::wikimania_scholarships { - include ::base::firewall + include ::profile::base::firewall class { '::wikimania_scholarships': hostname => 'scholarships.wikimedia.org', diff --git a/modules/toollabs/manifests/proxy.pp b/modules/toollabs/manifests/proxy.pp index 63953dd..a5d2d14 100644 --- a/modules/toollabs/manifests/proxy.pp +++ b/modules/toollabs/manifests/proxy.pp @@ -9,7 +9,7 @@ include ::toollabs::infrastructure include ::redis::client::python - include ::base::firewall + include ::profile::base::firewall if $ssl_install_certificate { sslcert::certificate { $ssl_certificate_name: -- To view, visit https://gerrit.wikimedia.org/r/383519 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4a30e491f5861aa00c959d04a4974abe053d55b6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
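Review bot: In the modules/toollabs/manifests/proxy.pp hunk, the new `include ::profile::base::firewall` makes a plain module class pull in a profile, which inverts the role → profile → module layering that the role-class hunks in this change follow. Declaring the firewall from inside the module also hides from the role which hosts receive the base ruleset, so firewall coverage is harder to audit from the role definitions alone. If moving the include is out of scope for a pure rename, I would at least mark it with `# TODO: move to the role applying toollabs::proxy; modules should not include profiles`. The class body starts and ends outside the hunk, so I cannot tell whether a role already includes the profile for these hosts.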