Issue 2487 - Introduce fail2ban module

modules/fail2ban/manifests/filter.pp

 # == Type: fail2ban::filter
 #
-# Manage filter information and files for any custom filter we create

[mathias, 2016/11/24 16:08:48]

Please use un-personalized text in documentation, i.e. "filter created" vs
"filter we create" - or just "filter". And full sentences (including periods)
are appreciated as well ;-)

[f.lopez, 2016/11/25 15:13:49]

Acknowledged.

+# Manage filter information and files for any custom filter.
 #
 # == Parameters:
 #
-# [*failregex*]
-#   The regular expressions used to detect break-in attempts, password failures, etc.
-#   One per line

[mathias, 2016/11/24 16:08:48]

A bit too specific. Something like "The regular expression applied by the
filter." is more than enough. And what do you mean by "One per line"?

[f.lopez, 2016/11/25 15:13:48]

Acknowledged.

+# [*regexes*]
+#   Array of strings containing the regular expressions applied to
+#   the filter.
+#
+# [*ensure*]
+#   Translates directly into the state of the file resource.
 #
 # === Examples:
 #
-#   filters => {
-#     'wordpress' => {
-#       failregex => [
-#         '^<HOST>.*\"WordPress\/.*',
-#       ],
-#     }
-#   },

[mathias, 2016/11/24 16:08:48]

The example is not valid Puppet code, a snippet at best, but even then not
matching the fail2ban::filter type.

[f.lopez, 2016/11/25 15:13:48]

Acknowledged.

+#   fail2ban::filter {'CVE-2013-0235':
+#     regexes => [
+#       '^<HOST>.*\"WordPress\/.*',
+#       '^.*\"WordPress\/.*<HOST>.*',
+#     ],
+#     'ensure' => 'present',
+#   }
+#
 define fail2ban::filter (
-  $failregex = undef,
+  $regexes = [],
   $ensure = 'present',

[mathias, 2016/11/24 16:08:48]

The $ensure parameter is not documented yet.

[f.lopez, 2016/11/25 15:13:49]

Acknowledged.

 ) {
 
   include fail2ban
   include stdlib
 
-  if $failregex != undef {

[mathias, 2016/11/24 16:08:48]

This condition does not make much sense in this context. What if $ensure =
'absent'? Nothing will happen. I think the better approach would be to fail() if
$ensure = 'present' and $failregex == undef, and have the resource definition
below the conditional statement.

[f.lopez, 2016/11/25 15:13:49]

There can be cases where an already existing filter is in the folder so one
might want to remove it.

-    file {"/etc/fail2ban/filter.d/$title.conf":
-      ensure => $ensure,
-      content => template("fail2ban/filter.erb"),
-      group => 'root',
-      mode => '0644',
-      owner => 'root',
-      require => Package['fail2ban'],
-      notify => Service['fail2ban'],
-    }
+  if (size($regexes) == 0) and ($ensure == 'present') {
+    fail("An array of one or more regular expressions is needed.")
   }
-}
+
+  # The $name parameter is used to compose the file name.
+  file {"/etc/fail2ban/filter.d/$name.conf":
+    ensure => $ensure,
+    content => template("fail2ban/filter.erb"),
+    group => 'root',
+    mode => '0644',
+    owner => 'root',
+    require => Package['fail2ban'],
+    notify => Service['fail2ban'],
+  }
+}
+