Issue 2487 - Introduce fail2ban module

modules/fail2ban/manifests/init.pp

 # == Class: fail2ban
 #
 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.
 #
 # == Parameters:
 #
-# [*jail_config*]
+# [*jails*]
 #   Provisions a jail.local adjacent to the default configuration.
 #   By default entries will have the following parameters:
 #     'enabled' => 'true',
 #     'port' => 'all',
 #     'maxretry' => 6,
 #     'banaction' => 'iptables-allports',
 #     'bantime' => 3600,
 #
 #   For the default banaction iptables-allports, the port parameter
 #   is not used and only set here for documentation purposes. Note
 #   that if 'banaction' is set to iptables-multiport, it requires that
 #   the 'port' parameter contains one or more comma-separated ports or protocols.
 #
 # [*package*]
 #   Overwrite the default package options, to fine-tune the target version (i.e.
 #   ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
 #
 # [*service*]
 #   Overwrite the default service options.
 #
 # [*filters*]
 #   Adds adittional filters to the filters.d folder.
+#
 # === Examples:
 #
 #  class {'fail2ban':
 #    package => {ensure => 'present',},
 #    service => {},
-#    jail_config => {
+#    jails => {
 #      'CVE-2013-0235' => {
 #        'logpath' => '/var/log/nginx/access_log_hg',
-#        'banaction' => 'iptables-multiport',
-#        'port' => 'https, http',

[f.nicolaisen, 2016/11/29 11:01:05]

lines not aligned?

+#        'banaction' => 'iptables-multiport',
+#        'port' => 'https, http',
 #      }
 #    },
 #    filters => {
 #      'CVE-2013-0235' => {
-#        failregex => [
+#        regexes => [
 #          '^<HOST>.*\"WordPress\/.*',
 #        ],
 #      }
 #    },
 #  }
+#
 class fail2ban (
-  $package = {},
-  $service = {},
-  $jail_config = {},
-  $filters = {},
+  $package = hiera('fail2ban::package', {}),
+  $service = hiera('fail2ban::service', {}),
+  $jails = hiera('fail2ban::jails', {}),
+  $filters = hiera('fail2ban::filters', {}),
 ) {
 
   include stdlib
 
   $jail_default = {
     'enabled' => 'true',
     'port' => 'all',
     'maxretry' => 6,
     'banaction' => 'iptables-allports',
     'bantime' => 3600,
   }
 
   ensure_resource('package', $title, $package)
 
-  # Used as default $ensure parameter for most resources below
   $ensure = getparam(Package[$title], 'ensure') ? {
     /^(absent|purged)$/ => 'absent',
     default => 'present',
   }
 
-  # Service resources don't properly support the concept of absence
   if ($ensure == 'present') {
 
-    ensure_resource('service', $title, $service)
+    ensure_resource('service', $title, merge({
+      hasrestart => true,
+      hasstatus => true,
+    }, $service))
+
     # See modules/fail2ban/manifests/filter.pp
     create_resources('fail2ban::filter', $filters)
 
-    # Filters already present in the fail2ban distribution can
-    # also be activated.
-    # Another thing to consider is the possibility of
-    # having the filters configured but not activated, so no conf is
-    # passed.

[f.nicolaisen, 2016/11/29 11:01:05]

I still don't understand when I should consider this possibility :)

"so no conf is passed" is not clear grammar. Who is passing what conf where?

-    if jail_config != undef {
-      file {'/etc/fail2ban/jail.local':
-        ensure => present,
-        group => 'root',
-        mode => '0644',
-        owner => 'root',
-        content => template("fail2ban/jail.erb"),
-        notify => Service[$title],
-      }
+    file {'/etc/fail2ban/jail.local':
+      ensure => present,
+      group => 'root',
+      mode => '0644',
+      owner => 'root',
+      content => template("fail2ban/jail.erb"),
+      notify => Service['fail2ban'],
+      require => Package['fail2ban'],
     }
 
     Package[$title] -> File['/etc/fail2ban/jail.local']
+    Service[$title] <~ Package[$title]
   }
 
 }
+