Dinamically allow Puppet Agents to connect to the Puppet Server

profile/manifests/puppet/agent.pp

@@ -2,8 +2,13 @@
 class profile::puppet::agent (
   String $server = 'puppet',
   Optional[String] $server_ip = undef,
+  Stdlib::IP::Address::V4::Nosubnet $ip = lookup('profile::tinc::ip', String, 'first', $facts['networking']['ip']),
 ) {
 
+  class { 'profile::puppet::agent::firewall':
+    ip => $ip,
+  }
+
   file { [
     '/opt',
     '/opt/puppetlabs',

profile/manifests/puppet/agent/firewall.pp

+# A Puppet Agent's firewall
+class profile::puppet::agent::firewall (
+  Stdlib::IP::Address::V4::Nosubnet $ip = lookup('profile::tinc::ip', String, 'first', $facts['networking']['ip']),
+) {
+
+  $tag_environment = "environment:${::environment}"
+
+  # Export a rule so the server allows us to connect to it
+  @@firewall { "100 accept TCP on Puppet Server port from ${::fqdn}":
+    proto       => 'tcp',
+    source      => $ip,
+    action      => 'accept',
+    tag         => [ 'puppet_agent', $tag_environment ],
+  }
+
+}

profile/manifests/puppet/server.pp

 # Run a Puppet Server supported by Gitolite
 class profile::puppet::server (
   String $server = 'puppet',
-  String $server_ip = '127.0.0.1',
+  Stdlib::IP::Address::V4::Nosubnet $server_ip = '127.0.0.1',
   Integer $server_port = 8140,
   Hash $trusted_keys = {},
 ) {

profile/manifests/puppet/server/firewall.pp

 # Firewall rules for a Puppet Server
 class profile::puppet::server::firewall (
-  String $server_ip = '0.0.0.0',
+  Stdlib::IP::Address::V4::Nosubnet $server_ip = '0.0.0.0',
   Integer $server_port = 8140,
 ) {
 
-  if $server_ip != '0.0.0.0' {
-    firewall { '100 accept TCP on Puppet Server port':
-      proto       => 'tcp',
+  $tag_environment = "environment:${::environment}"
+
+  Firewall {
     destination => $server_ip,
     dport       => $server_port,
-      action      => 'accept',
-    }
   }
 
+  # Allow Puppet Agents to connect to our Puppet Server port
+  Firewall <<| tag == 'puppet_agent' and tag == $tag_environment |>>
+
 }