SSH rules for allowing MD signers server to r1.komreg.net

global/overlay/etc/hiera/data/common.yaml

@@ -34,6 +34,18 @@ mgmt_addresses:
     - 2001:6b0:64:5::242 # jump-fre-3.komreg.net
     - 89.45.233.82       # jmp.komreg.net
 
+md_signers:
+    - 94.176.224.197 #natmd-1.komreg.net
+    - 94.176.224.69  #natmd-2.komreg.net
+    - 94.176.224.198 #eumd-1.komreg.net
+    - 94.176.224.70  #eumd-2.komreg.net
+    - 89.45.233.92   #md1.komreg.net (QA)
+    - 89.45.233.208  #md-eu1.qa.komreg.net
+    - 89.45.236.215  #natmd-test-1.komreg.net
+    - 89.45.237.80   #natmd-test-2.komreg.net
+    - 89.45.237.138  #eumd-test-1.komreg.net
+    - 89.45.236.73   #eumd-test-2.komreg.net
+
 ssh_authorized_keys:
 
   'mariah+CA747E57':

global/overlay/etc/puppet/manifests/cosmos-site.pp

@@ -313,6 +313,11 @@ class md_repo_server($hostname) {
    }
    ensure_resource('class','webserver',{})
    ensure_resource('class','https_server',{})
+   $md_signers_ip = hiera_array('md_signers',[])
+   sunet::misc::ufw_allow { 'allow_ssh_md_signers':
+      from => $md_signers_ip,
+      port => '22',
+    }
 }
 
 class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') {