modules/fail2ban/manifests/init.pp - Issue 29364214: Issue 2487 - Introduce fail2ban module

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments.

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Side by Side Diff: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)

Patch Set: For comments 18 and 19 Created Dec. 1, 2016, 10:16 a.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 # == Class: fail2ban

	2 #

	3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.

	4 #

	5 # == Parameters:

	6 #

	7 # [jail_config]
	mathias 2016/12/02 13:16:21 One last point: I'd like to rename this one to "ja One last point: I'd like to rename this one to "jails". Background: One of the follow-ups for this ticket will be the introduction of a named type called fail2ban::jail (which will compose the target configuration file using the concat module). The idea is that having these parts as distinct resources allows for the introduction of a combined type (i.e. fail2ban::monitor or fail2ban::concern or something) that eases the creation of filers and jails in the most common form, where they have a 1:1 relationship (so one does not need to separate that over multiple configuration items). Does that sound reasonable? f.lopez 2016/12/02 14:16:13 Yeah sounds good to me, that was actually my first Show quoted text On 2016/12/02 13:16:21, mathias wrote: > One last point: I'd like to rename this one to "jails". Background: One of the > follow-ups for this ticket will be the introduction of a named type called > fail2ban::jail (which will compose the target configuration file using the > concat module). The idea is that having these parts as distinct resources allows > for the introduction of a combined type (i.e. fail2ban::monitor or > fail2ban::concern or something) that eases the creation of filers and jails in > the most common form, where they have a 1:1 relationship (so one does not need > to separate that over multiple configuration items). Does that sound reasonable? Yeah sounds good to me, that was actually my first idea about the config file.
	8 # Provisions a jail.local adjacent to the default configuration.

	9 # By default entries will have the following parameters:

	10 # 'enabled' => 'true',

	11 # 'port' => 'all',

	12 # 'maxretry' => 6,

	13 # 'banaction' => 'iptables-allports',

	14 # 'bantime' => 3600,

	15 #

	16 # For the default banaction iptables-allports, the port parameter

	17 # is not used and only set here for documentation purposes. Note

	18 # that if 'banaction' is set to iptables-multiport, it requires that

	19 # the 'port' parameter contains one or more comma-separated ports or protocols .

	20 #

	21 # [package]

	22 # Overwrite the default package options, to fine-tune the target version (i.e.

	23 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')

	24 #

	25 # [service]

	26 # Overwrite the default service options.

	27 #

	28 # [filters]

	29 # Adds adittional filters to the filters.d folder.

	30 #

	31 # === Examples:

	32 #

	33 # class {'fail2ban':

	34 # package => {ensure => 'present',},

	35 # service => {},

	36 # jail_config => {

	37 # 'CVE-2013-0235' => {

	38 # 'logpath' => '/var/log/nginx/access_log_hg',

	39 # 'banaction' => 'iptables-multiport',

	40 # 'port' => 'https, http',

	41 # }

	42 # },

	43 # filters => {

	44 # 'CVE-2013-0235' => {

	45 # regexes => [

	46 # '^<HOST>.\"WordPress\/.',

	47 # ],

	48 # }

	49 # },

	50 # }

	51 #

	52 class fail2ban (

	53 $package = hiera('fail2ban::package', {}),

	54 $service = hiera('fail2ban::service', {}),

	55 $jail_config = hiera('fail2ban::jail_config', {}),

	56 $filters = hiera('fail2ban::filters', {}),

	57 ) {

	58

	59 include stdlib

	60

	61 $jail_default = {

	62 'enabled' => 'true',

	63 'port' => 'all',

	64 'maxretry' => 6,

	65 'banaction' => 'iptables-allports',

	66 'bantime' => 3600,

	67 }

	68

	69 ensure_resource('package', $title, $package)

	70

	71 $ensure = getparam(Package[$title], 'ensure') ? {

	72 /^(absent\|purged)$/ => 'absent',

	73 default => 'present',

	74 }

	75

	76 if ($ensure == 'present') {

	77

	78 ensure_resource('service', $title, merge({

	79 hasrestart => true,

	80 hasstatus => true,

	81 }, $service))

	82

	83 # See modules/fail2ban/manifests/filter.pp

	84 create_resources('fail2ban::filter', $filters)

	85

	86 file {'/etc/fail2ban/jail.local':

	87 ensure => present,

	88 group => 'root',

	89 mode => '0644',

	90 owner => 'root',

	91 content => template("fail2ban/jail.erb"),

	92 notify => Service['fail2ban'],

	93 require => Package['fail2ban'],

	94 }

	95

	96 Package[$title] -> File['/etc/fail2ban/jail.local']

	97 Service[$title] <~ Package[$title]

	98 }

	99

	100 }

	101

OLD	NEW

« no previous file with comments | « modules/fail2ban/manifests/filter.pp ('k') | modules/fail2ban/templates/filter.erb » ('j') | no next file with comments »