To follow up on myself and after an excellent suggestion from Seth... Another way to do this is to just move vpn over to bastion02, don't change dns or email. 'gateway' and 'bastion' stay pointed at bastion03. This means a change to the vpn client.conf on all machines, but we can push that out. It also means no DNS changes, which is good. We can also change back by just changing which machine is running the openvpn server. Here's the change for that:

diff --git a/manifests/nodes/bastion02.phx2.fedoraproject.org.pp b/manifests/nodes/bastion02.phx2.fe index 4018ec9..1a0ee7c 100644 --- a/manifests/nodes/bastion02.phx2.fedoraproject.org.pp +++ b/manifests/nodes/bastion02.phx2.fedoraproject.org.pp @@ -1,6 +1,5 @@ node bastion02{ - # Moving openvpn over to bastion03 - $enable_openvpn = false + $enable_openvpn = true include phx $syncFasAliases = true include gateway diff --git a/manifests/nodes/bastion03.phx2.fedoraproject.org.pp b/manifests/nodes/bastion03.phx2.fe index 8c5fca9..b7b0f32 100644 --- a/manifests/nodes/bastion03.phx2.fedoraproject.org.pp +++ b/manifests/nodes/bastion03.phx2.fedoraproject.org.pp @@ -3,7 +3,7 @@ node bastion03{ # comment out the line below when bastion02 is down or going to be down. # Under normal situations, only one bastion host should be running openvpn # or we'll end up with a split-brain problem in the network - #$enable_openvpn = false + $enable_openvpn = false include phx $syncFasAliases = true include gateway diff --git a/modules/openvpn/files/client.conf b/modules/openvpn/files/client.conf index b1b2d95..d274e72 100644 --- a/modules/openvpn/files/client.conf +++ b/modules/openvpn/files/client.conf @@ -6,7 +6,7 @@ proto udp # Specify multiple vpn servers here remote gateway -remote bastion01 +remote bastion02 resolv-retry infinite
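Review bot: in the bastion02 hunk, both node manifests are flipped in one commit, but puppet applies them on independent agent runs, so there is a window where bastion02 already has $enable_openvpn = true while bastion03's line is still commented out and both hosts run the server, which is exactly the split-brain the bastion03 comment warns about. Apply (or force a run of) the bastion03 side first and confirm its openvpn service has stopped before the bastion02 side goes true. Also, the removed '# Moving openvpn over to bastion03' comment is not replaced with anything: bastion02 now carries a bare $enable_openvpn = true with no note that bastion03 is the standby and must stay false, so the one-server rule is documented only on the host that is not running it. Mirror the bastion03 comment here.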
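Review bot: in the bastion03 hunk the comment above the line ('comment out the line below when bastion02 is down') is still consistent with the newly active $enable_openvpn = false, but it leaves the failover state implicit: commenting the line out means the value falls to whatever default the gateway/openvpn module supplies for $enable_openvpn, and nothing in the file says that default is "on". Spell it out in the comment, or keep a commented '#$enable_openvpn = true' next to it, so an operator doing the emergency flip during a bastion02 outage does not have to read the module to learn what commenting the line out actually does.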
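Review bot: in the client.conf hunk 'remote gateway' stays first in the list while, per the message, gateway keeps pointing at bastion03, which this same patch stops running openvpn on; with proto udp a client only moves to the next remote after the handshake to the first one times out, so every client (re)connect pays that timeout before it reaches bastion02. Either put 'remote bastion02' first for as long as gateway resolves to a host without the server, or drop 'remote gateway' until DNS and the server are on the same box again. Separately, the line being replaced was 'remote bastion01', not bastion03, so the pushed-out config was already not naming the current server's peer; worth grepping the tree for other bastion01 references before this client.conf goes to all machines.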
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
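The bastion03 manifest comment states the invariant this whole change hinges on: only one bastion host may run the OpenVPN server at a time, or the network splits. The script below is an added example, not code from the Fedora infrastructure repository or from the message above: a pre-push check that reads the bastion node manifests and refuses when more than one of them would run the server. The directory layout, the file names and the rule that a manifest without an active `$enable_openvpn = false` line counts as enabled (which is what the bastion03 comment implies when it says to comment the line out during a bastion02 outage) are assumptions; the manifest fixtures are constructed to mirror the three states of this patch.

```shell
#!/bin/sh
# Added example (not from the Fedora infrastructure repo): a pre-push check for
# the invariant in the bastion03 manifest comment, that only one bastion host
# may run the OpenVPN server at a time. Directory layout and file names are
# assumptions; the manifest snippets below are constructed to mirror the patch.
set -eu

# A bastion manifest is treated as running the server unless it carries an
# active (uncommented) "$enable_openvpn = false". Per the bastion03 comment,
# commenting that line out is how the server gets turned on, so an absent line
# counts as enabled (assumption: the module default is "on").
manifest_enables_openvpn() {
    ! grep -Eq '^[[:space:]]*\$enable_openvpn[[:space:]]*=[[:space:]]*false' "$1"
}

# Print how many bastion node manifests under directory $1 would run the server.
count_openvpn_servers() {
    n=0
    for f in "$1"/bastion*.pp; do
        [ -f "$f" ] || continue
        if manifest_enables_openvpn "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Succeed only when exactly one bastion would run the server.
check_single_vpn_server() {
    [ "$(count_openvpn_servers "$1")" -eq 1 ]
}

# Constructed fixtures: $1 = dir, $2 = bastion02's line, $3 = bastion03's line.
write_fixture() {
    mkdir -p "$1"
    printf 'node bastion02{\n    %s\n    include phx\n}\n' "$2" \
        > "$1/bastion02.phx2.fedoraproject.org.pp"
    printf 'node bastion03{\n    # comment out the line below when bastion02 is down\n    %s\n    include phx\n}\n' "$3" \
        > "$1/bastion03.phx2.fedoraproject.org.pp"
}

# Walk the tree before the patch, after it, and a half-applied state where only
# the bastion02 side went in (the split-brain window the comment warns about).
run_demo() {
    tmp=$(mktemp -d)
    write_fixture "$tmp/before" '$enable_openvpn = false' '#$enable_openvpn = false'
    write_fixture "$tmp/after"  '$enable_openvpn = true'  '$enable_openvpn = false'
    write_fixture "$tmp/split"  '$enable_openvpn = true'  '#$enable_openvpn = false'
    for state in before after split; do
        if check_single_vpn_server "$tmp/$state"; then
            echo "$state: ok, one openvpn server"
        else
            echo "$state: REFUSE, $(count_openvpn_servers "$tmp/$state") bastions would run openvpn"
        fi
    done
    rm -rf "$tmp"
}

run_demo
```

Run it against the real `manifests/nodes` directory from a pre-commit or pre-push hook (`check_single_vpn_server manifests/nodes || exit 1`); the half-applied "split" fixture is the case that matters, since committing both node files together does not stop one agent from applying its half before the other.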