Left: | ||
Right: |
OLD | NEW |
---|---|
(Empty) | |
1 # == Class: fail2ban | |
2 # | |
3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups. | |
4 # | |
5 # == Parameters: | |
6 # | |
7 # [*jail_config*] | |
mathias
2016/12/02 13:16:21
One last point: I'd like to rename this one to "ja
f.lopez
2016/12/02 14:16:13
Yeah sounds good to me, that was actually my first
| |
8 # Provisions a jail.local adjacent to the default configuration. | |
9 # By default entries will have the following parameters: | |
10 # 'enabled' => 'true', | |
11 # 'port' => 'all', | |
12 # 'maxretry' => 6, | |
13 # 'banaction' => 'iptables-allports', | |
14 # 'bantime' => 3600, | |
15 # | |
16 # For the default banaction iptables-allports, the port parameter | |
17 # is not used and only set here for documentation purposes. Note | |
18 # that if 'banaction' is set to iptables-multiport, it requires that | |
19 # the 'port' parameter contains one or more comma-separated ports or protocols . | |
20 # | |
21 # [*package*] | |
22 # Overwrite the default package options, to fine-tune the target version (i.e. | |
23 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged') | |
24 # | |
25 # [*service*] | |
26 # Overwrite the default service options. | |
27 # | |
28 # [*filters*] | |
29 # Adds adittional filters to the filters.d folder. | |
30 # | |
31 # === Examples: | |
32 # | |
33 # class {'fail2ban': | |
34 # package => {ensure => 'present',}, | |
35 # service => {}, | |
36 # jail_config => { | |
37 # 'CVE-2013-0235' => { | |
38 # 'logpath' => '/var/log/nginx/access_log_hg', | |
39 # 'banaction' => 'iptables-multiport', | |
40 # 'port' => 'https, http', | |
41 # } | |
42 # }, | |
43 # filters => { | |
44 # 'CVE-2013-0235' => { | |
45 # regexes => [ | |
46 # '^<HOST>.*\"WordPress\/.*', | |
47 # ], | |
48 # } | |
49 # }, | |
50 # } | |
51 # | |
52 class fail2ban ( | |
53 $package = hiera('fail2ban::package', {}), | |
54 $service = hiera('fail2ban::service', {}), | |
55 $jail_config = hiera('fail2ban::jail_config', {}), | |
56 $filters = hiera('fail2ban::filters', {}), | |
57 ) { | |
58 | |
59 include stdlib | |
60 | |
61 $jail_default = { | |
62 'enabled' => 'true', | |
63 'port' => 'all', | |
64 'maxretry' => 6, | |
65 'banaction' => 'iptables-allports', | |
66 'bantime' => 3600, | |
67 } | |
68 | |
69 ensure_resource('package', $title, $package) | |
70 | |
71 $ensure = getparam(Package[$title], 'ensure') ? { | |
72 /^(absent|purged)$/ => 'absent', | |
73 default => 'present', | |
74 } | |
75 | |
76 if ($ensure == 'present') { | |
77 | |
78 ensure_resource('service', $title, merge({ | |
79 hasrestart => true, | |
80 hasstatus => true, | |
81 }, $service)) | |
82 | |
83 # See modules/fail2ban/manifests/filter.pp | |
84 create_resources('fail2ban::filter', $filters) | |
85 | |
86 file {'/etc/fail2ban/jail.local': | |
87 ensure => present, | |
88 group => 'root', | |
89 mode => '0644', | |
90 owner => 'root', | |
91 content => template("fail2ban/jail.erb"), | |
92 notify => Service['fail2ban'], | |
93 require => Package['fail2ban'], | |
94 } | |
95 | |
96 Package[$title] -> File['/etc/fail2ban/jail.local'] | |
97 Service[$title] <~ Package[$title] | |
98 } | |
99 | |
100 } | |
101 | |
OLD | NEW |