Unified Diff: modules/fail2ban/manifests/init.pp
Issue 29364214:
Issue 2487 - Introduce fail2ban module (Closed)
Patch Set: For comment 22 and 23
Created Dec. 2, 2016, 2:22 p.m.
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« modules/fail2ban/manifests/filter.pp ('k')
|
modules/fail2ban/templates/filter.erb » ('j')
|
no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| Index: modules/fail2ban/manifests/init.pp |
| =================================================================== |
| new file mode 100644 |
| --- /dev/null |
| +++ b/modules/fail2ban/manifests/init.pp |
| @@ -0,0 +1,101 @@ |
| +# == Class: fail2ban |
| +# |
| +# Create and maintain fail2ban (http://www.fail2ban.org/) setups. |
| +# |
| +# == Parameters: |
| +# |
| +# [*jails*] |
| +# Provisions a jail.local adjacent to the default configuration. |
| +# By default entries will have the following parameters: |
| +# 'enabled' => 'true', |
| +# 'port' => 'all', |
| +# 'maxretry' => 6, |
| +# 'banaction' => 'iptables-allports', |
| +# 'bantime' => 3600, |
| +# |
| +# For the default banaction iptables-allports, the port parameter |
| +# is not used and only set here for documentation purposes. Note |
| +# that if 'banaction' is set to iptables-multiport, it requires that |
| +# the 'port' parameter contains one or more comma-separated ports or protocols. |
| +# |
| +# [*package*] |
| +# Overwrite the default package options, to fine-tune the target version (i.e. |
| +# ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged') |
| +# |
| +# [*service*] |
| +# Overwrite the default service options. |
| +# |
| +# [*filters*] |
| +# Adds adittional filters to the filters.d folder. |
| +# |
| +# === Examples: |
| +# |
| +# class {'fail2ban': |
| +# package => {ensure => 'present',}, |
| +# service => {}, |
| +# jails => { |
| +# 'CVE-2013-0235' => { |
| +# 'logpath' => '/var/log/nginx/access_log_hg', |
| +# 'banaction' => 'iptables-multiport', |
| +# 'port' => 'https, http', |
| +# } |
| +# }, |
| +# filters => { |
| +# 'CVE-2013-0235' => { |
| +# regexes => [ |
| +# '^<HOST>.*\"WordPress\/.*', |
| +# ], |
| +# } |
| +# }, |
| +# } |
| +# |
| +class fail2ban ( |
| + $package = hiera('fail2ban::package', {}), |
| + $service = hiera('fail2ban::service', {}), |
| + $jails = hiera('fail2ban::jails', {}), |
| + $filters = hiera('fail2ban::filters', {}), |
| +) { |
| + |
| + include stdlib |
| + |
| + $jail_default = { |
| + 'enabled' => 'true', |
| + 'port' => 'all', |
| + 'maxretry' => 6, |
| + 'banaction' => 'iptables-allports', |
| + 'bantime' => 3600, |
| + } |
| + |
| + ensure_resource('package', $title, $package) |
| + |
| + $ensure = getparam(Package[$title], 'ensure') ? { |
| + /^(absent|purged)$/ => 'absent', |
| + default => 'present', |
| + } |
| + |
| + if ($ensure == 'present') { |
| + |
| + ensure_resource('service', $title, merge({ |
| + hasrestart => true, |
| + hasstatus => true, |
| + }, $service)) |
| + |
| + # See modules/fail2ban/manifests/filter.pp |
| + create_resources('fail2ban::filter', $filters) |
| + |
| + file {'/etc/fail2ban/jail.local': |
| + ensure => present, |
| + group => 'root', |
| + mode => '0644', |
| + owner => 'root', |
| + content => template("fail2ban/jail.erb"), |
| + notify => Service['fail2ban'], |
| + require => Package['fail2ban'], |
| + } |
| + |
| + Package[$title] -> File['/etc/fail2ban/jail.local'] |
| + Service[$title] <~ Package[$title] |
| + } |
| + |
| +} |
| + |
« no previous file with comments
|
« modules/fail2ban/manifests/filter.pp ('k')
|
modules/fail2ban/templates/filter.erb » ('j')
|
no next file with comments »
