Rietveld Code Review Tool

Side by Side Diff: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)
Patch Set: Issue 2487 - Introduce fail2ban module Created Nov. 29, 2016, 10:48 a.m.
(Empty)
1 # == Class: fail2ban
2 #
3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.
4 #
5 # == Parameters:
6 #
7 # [*jail_config*]
8 # Provisions a jail.local adjacent to the default configuration.
9 # By default entries will have the following parameters:
10 # 'enabled' => 'true',
11 # 'port' => 'all',
12 # 'maxretry' => 6,
13 # 'banaction' => 'iptables-allports',
14 # 'bantime' => 3600,
15 #
16 # For the default banaction iptables-allports, the port parameter
17 # is not used and only set here for documentation purposes. Note
18 # that if 'banaction' is set to iptables-multiport, it requires that
19 # the 'port' parameter contains one or more comma-separated ports or protocols .
20 #
21 # [*package*]
22 # Overwrite the default package options, to fine-tune the target version (i.e.
23 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
24 #
25 # [*service*]
26 # Overwrite the default service options.
27 #
28 # [*filters*]
29 # Adds adittional filters to the filters.d folder.
30 # === Examples:
31 #
32 # class {'fail2ban':
33 # package => {ensure => 'present',},
34 # service => {},
35 # jail_config => {
36 # 'CVE-2013-0235' => {
37 # 'logpath' => '/var/log/nginx/access_log_hg',
38 # 'banaction' => 'iptables-multiport',
39 # 'port' => 'https, http',
f.nicolaisen 2016/11/29 11:01:05 lines not aligned?
40 # }
41 # },
42 # filters => {
43 # 'CVE-2013-0235' => {
44 # failregex => [
45 # '^<HOST>.*\"WordPress\/.*',
46 # ],
47 # }
48 # },
49 # }
50 class fail2ban (
51 $package = {},
52 $service = {},
53 $jail_config = {},
54 $filters = {},
55 ) {
56
57 include stdlib
58
59 $jail_default = {
60 'enabled' => 'true',
61 'port' => 'all',
62 'maxretry' => 6,
63 'banaction' => 'iptables-allports',
64 'bantime' => 3600,
65 }
66
67 ensure_resource('package', $title, $package)
68
69 # Used as default $ensure parameter for most resources below
70 $ensure = getparam(Package[$title], 'ensure') ? {
71 /^(absent|purged)$/ => 'absent',
72 default => 'present',
73 }
74
75 # Service resources don't properly support the concept of absence
76 if ($ensure == 'present') {
77
78 ensure_resource('service', $title, $service)
79 # See modules/fail2ban/manifests/filter.pp
80 create_resources('fail2ban::filter', $filters)
81
82 # Filters already present in the fail2ban distribution can
83 # also be activated.
84 # Another thing to consider is the possibility of
85 # having the filters configured but not activated, so no conf is
86 # passed.
f.nicolaisen 2016/11/29 11:01:05 I still don't understand when I should consider th
87 if jail_config != undef {
88 file {'/etc/fail2ban/jail.local':
89 ensure => present,
90 group => 'root',
91 mode => '0644',
92 owner => 'root',
93 content => template("fail2ban/jail.erb"),
94 notify => Service[$title],
95 }
96 }
97
98 Package[$title] -> File['/etc/fail2ban/jail.local']
99 }
100
101 }
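Review bot: The guard at line 87, `if jail_config != undef {`, is missing the `$` sigil, so it compares a bare word rather than the parameter and is always true; even written as `$jail_config != undef` it would still always hold, because the parameter defaults to `{}` at line 53. If the intent of the comment at lines 84-86 is to allow filters without a jail.local, test for an empty hash instead (for example `!empty($jail_config)` from stdlib, which is already included at line 57) and move `Package[$title] -> File['/etc/fail2ban/jail.local']` from line 98 inside that block, since the relationship would otherwise reference a File resource that is not declared when the guard is false.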