From 58d0fd170746360fe4c91782c9004807a281d148 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 24 Apr 2020 22:18:14 +0100
Subject: [PATCH] Whitelist all rails frontends for nominatim

---
 cookbooks/nominatim/recipes/default.rb | 1 +
 cookbooks/nominatim/templates/default/nginx.erb | 16 +++++-----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index faf80756c..04cedf1fe 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -367,6 +367,7 @@ nginx_site "nominatim" do
 template "nginx.erb"
 directory build_directory
 variables :pools => node[:nominatim][:fpm_pools],
+ :frontends => search(:node, "recipes:web\\:\\:frontend"),
 :confdir => "#{basedir}/etc"
 end
 
diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb
index 07ff0a52e..3ba964660 100644
--- a/cookbooks/nominatim/templates/default/nginx.erb
+++ b/cookbooks/nominatim/templates/default/nginx.erb
@@ -19,17 +19,11 @@ upstream nominatim_service {
 # Whitelisted IPs
 geo $whitelisted {
 default 0;
- 2001:978:2:2c::172:6 1;
- 2001:978:2:2c::172:7 1;
- 2001:978:2:2c::172:8 1;
- 2001:978:2:2c::172:b 1;
- 2001:978:2:2c::172:c 1;
- 2001:978:2:2c::172:d 1;
- 130.117.76.6 1;
- 130.117.76.7 1;
- 130.117.76.8 1;
- 89.16.162.21 1;
- 89.16.162.22 1;
+<% @frontends.each do |frontend| -%>
+<% frontend.ipaddresses(:role => :external) do |address| -%>
+ <%= address %>;
+<% end -%>
+<% end -%>
 46.235.224.148 1;
 209.132.180.180 1;
 209.132.180.168 1;
-- 
2.43.2
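Review bot: The added `:frontends => search(:node, "recipes:web\\:\\:frontend")` makes membership of the nginx allowlist depend on what the Chef server's node index returns, rather than on addresses reviewed in the template. Any node whose saved run list includes `web::frontend` gets whitelisted with whatever external addresses it reports, and a stale or empty search result would silently drop the frontends from the list. A comment above the `variables` call would record that trust assumption, for example `# frontends come from node search: allowlist membership follows node-reported run lists and addresses`. Search result order is, as far as I know, not guaranteed, so `.sort_by(&:name)` on the result would keep the rendered file stable between runs. The `nginx_site` block opens outside the hunk.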
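Review bot: The generated entry `<%= address %>;` carries no value, unlike the static entries next to it (`46.235.224.148 1;`), so it should read `<%= address %> 1;`. As written, the rendered `geo` block would either be rejected by nginx or leave the frontends at the `default 0`. The inner loop also passes its block directly to `frontend.ipaddresses(:role => :external)`, which only iterates if that helper yields each address. Its definition is not visible here, so confirm that or call `.each` explicitly. The `geo $whitelisted` block continues past the end of the hunk.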