[repospanner] put in firewall rules for systems

inventory/group_vars/repospanner

@@ -10,4 +10,14 @@ csi_security_category: High
 csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
 csi_purpose: repospanner git syncing host
 
-tcp_ports: [ 8443, 8444]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 8.43.84.211 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 8.43.84.212 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 8.43.85.76 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 140.211.169.210 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 209.132.181.20 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 192.168.1.184 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 192.168.1.185 --dport 8443:8445 -j ACCEPT',
+	        '-A INPUT -p tcp -m tcp -s 10.5.126.23 --dport 8443:8445 -j ACCEPT']
+
+## End of file

playbooks/groups/repospanner.yml

@@ -21,6 +21,9 @@
   - collectd/base
   - sudo
   - openvpn/client
+##
+## The ansible region is an attempt to share certain zones in batcave
+## with pagure.
   - { role: repospanner/server,
       node: repospanner01,
       region: ansible,
@@ -46,10 +49,13 @@
       when: inventory_hostname == 'repospanner-osuosl01.phx2.fedoraproject.org'
     }
 
+## The RPMs region is used to sync up pkgs from Fedora and CentOS. The
+## CentOS nodes are the spawn leaders for this as they are getting data
+## first.
   - { role: repospanner/server,
       node: fedora01,
       region: rpms,
-      spawn_repospanner_node: true,
+      spawn_repospanner_node: false,
       rpc_port: 8444,
       http_port: 8445,
       when: inventory_hostname == 'repospanner-cc-rdu01.phx2.fedoraproject.org'