Issue 2487 - Introduce fail2ban module

modules/fail2ban/manifests/init.pp

 # == Class: fail2ban
 #
 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.
 #
 # == Parameters:
 #
-# [*jail_config*]
-#   Adds jail.local to the default configuration of fail2ban
+# [*jails*]
+#   Provisions a jail.local adjacent to the default configuration.
+#   By default entries will have the following parameters:
+#     'enabled' => 'true',
+#     'port' => 'all',
+#     'maxretry' => 6,
+#     'banaction' => 'iptables-allports',
+#     'bantime' => 3600,
+#
+#   For the default banaction iptables-allports, the port parameter
+#   is not used and only set here for documentation purposes. Note
+#   that if 'banaction' is set to iptables-multiport, it requires that
+#   the 'port' parameter contains one or more comma-separated ports or protocols.
 #
 # [*package*]
 #   Overwrite the default package options, to fine-tune the target version (i.e.
 #   ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
 #
 # [*service*]
 #   Overwrite the default service options.
 #
 # [*filters*]
-#   Adds adittional filters to the filters.d folder
+#   Adds adittional filters to the filters.d folder.
+#
 # === Examples:
 #
-#   class {'fail2ban':
-#     package => {ensure => 'present',},
-#     service => {},
-#     jail_config => {

[f.nicolaisen, 2016/11/25 16:23:29]

We should require setting a port here, and if not we should switch to using the
iptables-allports.conf action.

[f.lopez, 2016/11/25 17:41:10]

That is the actual motive for this kinda of configuration, to use whatever we
feel like, see matze's comment on the jail.local template file, I still don't
know how to make that work but then it would work flawlessly

-#       'wordpress' => {
-#         logpath => '/var/log/nginx/access.log',
-#       },
-#     },
-#     filters => {
-#       'wordpress' => {
-#         failregex => [
-#           '^<HOST>.*\"WordPress\/.*',
-#         ],
-#       }
-#     },
-#   }
+#  class {'fail2ban':
+#    package => {ensure => 'present',},
+#    service => {},
+#    jails => {
+#      'CVE-2013-0235' => {
+#        'logpath' => '/var/log/nginx/access_log_hg',
+#        'banaction' => 'iptables-multiport',
+#        'port' => 'https, http',
+#      }
+#    },
+#    filters => {
+#      'CVE-2013-0235' => {
+#        regexes => [
+#          '^<HOST>.*\"WordPress\/.*',
+#        ],
+#      }
+#    },
+#  }
+#
 class fail2ban (
-  $package = hiera('fail2ban::package', 'present'),
+  $package = hiera('fail2ban::package', {}),
   $service = hiera('fail2ban::service', {}),
-  $jail_config = hiera('fail2ban::jail_config', {}),
+  $jails = hiera('fail2ban::jails', {}),
   $filters = hiera('fail2ban::filters', {}),
 ) {
 
   include stdlib
 
-  ensure_resource('package', $title, {ensure => $package})
+  $jail_default = {
+    'enabled' => 'true',
+    'port' => 'all',
+    'maxretry' => 6,
+    'banaction' => 'iptables-allports',
+    'bantime' => 3600,
+  }
 
-  # Used as default $ensure parameter for most resources below
+  ensure_resource('package', $title, $package)
+
   $ensure = getparam(Package[$title], 'ensure') ? {
     /^(absent|purged)$/ => 'absent',
     default => 'present',
   }
 
-  # Service resources don't properly support the concept of absence
   if ($ensure == 'present') {
 
-    ensure_resource('service', $title, $service)
+    ensure_resource('service', $title, merge({
+      hasrestart => true,
+      hasstatus => true,
+    }, $service))
+
     # See modules/fail2ban/manifests/filter.pp
     create_resources('fail2ban::filter', $filters)
 
-    # According to the docs one can also enable filters that are
-    # already in there, so the config file should be done indepentently
-    # of the filters, another thing to consider is the possibility of
-    # having the filters configured but not activated, so no conf is
-    # passed.
-    if jail_config != undef {
-      file {'/etc/fail2ban/jail.local':

[f.nicolaisen, 2016/11/25 16:23:29]

Like stated earlier, if no ports have been configured, we should set action to
use /etc/fail2ban/action.d/iptables-allports.conf instead of default action
(iptables).

-        ensure => present,
-        group => 'root',
-        mode => '0644',
-        owner => 'root',
-        content => template("fail2ban/jail.erb"),
-        notify => Service[$title],
-      }
+    file {'/etc/fail2ban/jail.local':
+      ensure => present,
+      group => 'root',
+      mode => '0644',
+      owner => 'root',
+      content => template("fail2ban/jail.erb"),
+      notify => Service['fail2ban'],
+      require => Package['fail2ban'],
     }
 
     Package[$title] -> File['/etc/fail2ban/jail.local']
-
+    Service[$title] <~ Package[$title]
   }
 
 }
+