From 1ee95304e12104807ee105f3b0cb7930fb0143b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Mon, 7 Sep 2020 18:24:36 +0200
Subject: [PATCH] Open access to db-fas01.stg from the stg subnet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
See: https://pagure.io/fedora-infrastructure/issue/9304
Signed-off-by: Aurélien Bompard
---
.../db-fas01.stg.iad2.fedoraproject.org | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
index 3d2031429c..73c4301476 100644
--- a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
@@ -29,13 +29,15 @@ fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran # fas3-01.stg and openshift # custom_rules: -- '-A INPUT -p tcp -m tcp -s 10.5.128.129 --dport 5432 -j ACCEPT' -- '-A INPUT -p tcp -m tcp -s 10.5.128.137 --dport 5432 -j ACCEPT' -- '-A INPUT -p tcp -m tcp -s 10.5.128.82 --dport 5432 -j ACCEPT' -- '-A INPUT -p tcp -m tcp -s 10.5.128.104 --dport 5432 -j ACCEPT' -- '-A INPUT -p tcp -m tcp -s 10.5.128.105 --dport 5432 -j ACCEPT' -- '-A INPUT -p tcp -m tcp -s 10.5.128.106 --dport 5432 -j ACCEPT' -- '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.129 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.137 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.82 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.104 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.105 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.106 --dport 5432 -j ACCEPT' +# - '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 5432 -j ACCEPT' +# TODO: lock it down more +- '-A INPUT -p tcp -m tcp -s 10.3.166.0/24 --dport 5432 -j ACCEPT' # # Large updates pushes cause lots of db threads doing the tag moves, so up this from default.
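Review bot: The added rule `-A INPUT -p tcp -m tcp -s 10.3.166.0/24 --dport 5432 -j ACCEPT` lets every host in that /24 reach PostgreSQL on this database host, where the seven rules it replaces each admitted a single address. Any machine on the subnet can now open a connection to 5432, so access control rests entirely on PostgreSQL's own authentication; neither `pg_hba.conf` nor the role setup is visible in this hunk, so both should be checked for per-user, per-database restrictions before this is applied. The `# TODO: lock it down more` line names no owner or ticket; tying it to the issue in the commit message, e.g. `# TODO(fedora-infrastructure#9304): replace the /24 with one -s rule per stg client host`, would make the follow-up traceable. The seven commented-out rules could be deleted rather than kept, since git history already preserves them. The `# fas3-01.stg and openshift` comment above `custom_rules:` no longer describes what the list allows and should be updated.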