Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code

Unified Diff: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)
Patch Set: For comment 22 and 23 Created Dec. 2, 2016, 2:22 p.m.
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « modules/fail2ban/manifests/filter.pp ('k') | modules/fail2ban/templates/filter.erb » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: modules/fail2ban/manifests/init.pp
===================================================================
new file mode 100644
--- /dev/null
+++ b/modules/fail2ban/manifests/init.pp
@@ -0,0 +1,101 @@
+# == Class: fail2ban
+#
+# Create and maintain fail2ban (http://www.fail2ban.org/) setups.
+#
+# == Parameters:
+#
+# [*jails*]
+# Provisions a jail.local adjacent to the default configuration.
+# By default entries will have the following parameters:
+# 'enabled' => 'true',
+# 'port' => 'all',
+# 'maxretry' => 6,
+# 'banaction' => 'iptables-allports',
+# 'bantime' => 3600,
+#
+# For the default banaction iptables-allports, the port parameter
+# is not used and only set here for documentation purposes. Note
+# that if 'banaction' is set to iptables-multiport, it requires that
+# the 'port' parameter contains one or more comma-separated ports or protocols.
+#
+# [*package*]
+# Overwrite the default package options, to fine-tune the target version (i.e.
+# ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
+#
+# [*service*]
+# Overwrite the default service options.
+#
+# [*filters*]
+# Adds adittional filters to the filters.d folder.
+#
+# === Examples:
+#
+# class {'fail2ban':
+# package => {ensure => 'present',},
+# service => {},
+# jails => {
+# 'CVE-2013-0235' => {
+# 'logpath' => '/var/log/nginx/access_log_hg',
+# 'banaction' => 'iptables-multiport',
+# 'port' => 'https, http',
+# }
+# },
+# filters => {
+# 'CVE-2013-0235' => {
+# regexes => [
+# '^<HOST>.*\"WordPress\/.*',
+# ],
+# }
+# },
+# }
+#
+class fail2ban (
+ $package = hiera('fail2ban::package', {}),
+ $service = hiera('fail2ban::service', {}),
+ $jails = hiera('fail2ban::jails', {}),
+ $filters = hiera('fail2ban::filters', {}),
+) {
+
+ include stdlib
+
+ $jail_default = {
+ 'enabled' => 'true',
+ 'port' => 'all',
+ 'maxretry' => 6,
+ 'banaction' => 'iptables-allports',
+ 'bantime' => 3600,
+ }
+
+ ensure_resource('package', $title, $package)
+
+ $ensure = getparam(Package[$title], 'ensure') ? {
+ /^(absent|purged)$/ => 'absent',
+ default => 'present',
+ }
+
+ if ($ensure == 'present') {
+
+ ensure_resource('service', $title, merge({
+ hasrestart => true,
+ hasstatus => true,
+ }, $service))
+
+ # See modules/fail2ban/manifests/filter.pp
+ create_resources('fail2ban::filter', $filters)
+
+ file {'/etc/fail2ban/jail.local':
+ ensure => present,
+ group => 'root',
+ mode => '0644',
+ owner => 'root',
+ content => template("fail2ban/jail.erb"),
+ notify => Service['fail2ban'],
+ require => Package['fail2ban'],
+ }
+
+ Package[$title] -> File['/etc/fail2ban/jail.local']
+ Service[$title] <~ Package[$title]
+ }
+
+}
+
« no previous file with comments | « modules/fail2ban/manifests/filter.pp ('k') | modules/fail2ban/templates/filter.erb » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld