From 998f7ac8c13606fc330c44f105806ed1559586ed Mon Sep 17 00:00:00 2001
From: Maria Haider
Date: Fri, 12 Aug 2022 12:18:40 +0200
Subject: [PATCH] SSH rules for allowing MD signers server to r1.komreg.net
---
 global/overlay/etc/hiera/data/common.yaml | 12 ++++++++++++
 global/overlay/etc/puppet/manifests/cosmos-site.pp | 5 +++++
 2 files changed, 17 insertions(+)
diff --git a/global/overlay/etc/hiera/data/common.yaml b/global/overlay/etc/hiera/data/common.yaml
index 59ffc044..d418d68d 100644
--- a/global/overlay/etc/hiera/data/common.yaml
+++ b/global/overlay/etc/hiera/data/common.yaml
@@ -34,6 +34,18 @@ mgmt_addresses:
 - 2001:6b0:64:5::242 # jump-fre-3.komreg.net
 - 89.45.233.82 # jmp.komreg.net
+md_signers:
+ - 94.176.224.197 #natmd-1.komreg.net
+ - 94.176.224.69 #natmd-2.komreg.net
+ - 94.176.224.198 #eumd-1.komreg.net
+ - 94.176.224.70 #eumd-2.komreg.net
+ - 89.45.233.92 #md1.komreg.net (QA)
+ - 89.45.233.208 #md-eu1.qa.komreg.net
+ - 89.45.236.215 #natmd-test-1.komreg.net
+ - 89.45.237.80 #natmd-test-2.komreg.net
+ - 89.45.237.138 #eumd-test-1.komreg.net
+ - 89.45.236.73 #eumd-test-2.komreg.net
+
 ssh_authorized_keys:
 'mariah+CA747E57':
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 18381646..49e5d9d0 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -313,6 +313,11 @@ class md_repo_server($hostname) {
 }
 ensure_resource('class','webserver',{})
 ensure_resource('class','https_server',{})
+ $md_signers_ip = hiera_array('md_signers',[])
+ sunet::misc::ufw_allow { 'allow_ssh_md_signers':
+ from => $md_signers_ip,
+ port => '22',
+ }
 }
 class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') {
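Review bot: The new `md_signers` key puts the production signers (natmd-1/2, eumd-1/2) in the same list as the QA and test hosts (`md1.komreg.net (QA)`, `md-eu1.qa`, the four `*-test-*` entries), and the manifest hunk in this commit turns the whole list into one SSH allow rule in `md_repo_server`. If that class is applied to the production repository host, every test machine gains network reachability to its sshd, so a compromise of a less-protected test signer becomes a path towards production. Splitting the data, for example `md_signers` for production and `md_signers_test` for QA/test, and allowing only the matching set per environment would keep the rule least-privilege. The entries are IPv4-only while `mgmt_addresses` just above also lists an IPv6 address, so it is worth confirming that the signers never connect over IPv6.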
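Review bot: The `[]` default in `hiera_array('md_signers',[])` lets a missing or misspelled hiera key silently produce an empty `from` for `allow_ssh_md_signers`. How `sunet::misc::ufw_allow` handles an empty source list is not visible in this hunk, so the outcome could be no rule at all or a rule other than the intended one. Dropping the default, `$md_signers_ip = hiera_array('md_signers')`, makes catalog compilation fail loudly instead. A one-line comment above the resource, such as `# SSH from the MD signer hosts listed in hiera md_signers`, would also record why port 22 is opened on this class, whose body starts above the hunk. This rule only narrows source addresses; which account and keys the signers authenticate with is not part of this change and should be restricted separately.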