jobrunner: allow changeprop to access port 9006

miraheze · Mar 24, 2024 · eba2e9c · eba2e9c
1 parent 17f186e
commit eba2e9c
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/modules/mediawiki/manifests/jobrunner.pp b/modules/mediawiki/manifests/jobrunner.pp
@@ -55,4 +55,27 @@
         priority => 1,
         content  => template('mediawiki/jobrunner.conf.erb'),
     }
+
+    $firewall_rules_str = join(
+        query_facts('Class[Role::Changeprop]', ['networking'])
+        .map |$key, $value| {
+            if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
+                "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
+            } elsif ( $value['networking']['interfaces']['ens18'] ) {
+                "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
+            } else {
+                "${value['networking']['ip']} ${value['networking']['ip6']}"
+            }
+        }
+        .flatten()
+        .unique()
+        .sort(),
+        ' '
+    )
+    ferm::service { 'jobrunner':
+        proto   => 'tcp',
+        port    => '9006',
+        srange  => "(${firewall_rules_str})",
+        notrack => true,
+    }
 }