diff --git a/Modulefile b/Modulefile
index bd1c931..2c331ee 100644
--- a/Modulefile
+++ b/Modulefile
@@ -1,5 +1,5 @@
 name 'netmanagers-fail2ban'
-version '1.0.1'
+version '1.0.2'
 author 'Javier Bertoli'
 license 'Apache2'
 project_page 'http://www.netmanagers.com.ar'
@@ -8,5 +8,4 @@ summary 'Puppet module for fail2ban'
 description 'This module installs and manages fail2ban. Check README for details.'
 dependency 'ripienaar/concat', '>=0.2.0'
 dependency 'example42/puppi', '>= 2.0.0'
-# dependency 'example42/monitor', '>= 2.0.0'
-# dependency 'example42/firewall', '>= 2.0.0'
+dependency 'example42/monitor', '>= 2.0.0'
diff --git a/README.md b/README.md
index 6824ac5..5a33c8c 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,28 @@ For detailed info about the logic and usage patterns of Example42 modules check
 class { 'fail2ban': }
-* You can configure and set a jail using fail2ban::jail
+* Configure jails using your own jail.local file
+
+ class { 'fail2ban':
+ jails_config => 'file',
+ jails_source => 'puppet:///path/to/your/jail.local'.
+ }
+
+* Configure jails using a template file. An example is provided. In this case, you can enable or
+ disable jails using an array named "jails"
+
+ class { 'fail2ban':
+ jails_config => 'file',
+ jails_template => 'fail2ban/jail.local.erb',
+ jails => ['ssh', 'imap'],
+ }
+
+* You can configure and set a jail using fail2ban::jail. In this case, stanzas for jail.local are
+ created using R.I.Pienaar's concat module. This method permits you better handling of your jails.
+
+ class { 'fail2ban':
+ jails_config => 'concat',
+ }
 fail2ban::jail { 'sshd':
 port => '22',
diff --git a/manifests/init.pp b/manifests/init.pp
index 484fd11..cc60be5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -83,7 +83,7 @@
 #
 # [*jails_config*]
 # Define how you want to manage jails configuration:
-# "file" - To provide jail.local as a normal file. If you choose this option,
+# "file" - To provide jail.local as a normal file. If you choose this option,
 # set ONE of [*jails_source*] or [*jails_template*]
 # "concat" - To build it up using different fragments
 # - This option, (preferred), permits the use of the fail2ban::jail define
@@ -438,43 +438,39 @@ class fail2ban (
 }
 # How to manage fail2ban jail.local configuration
- case $fail2ban::jails_config {
- 'concat': { include fail2ban::jailsconcat }
- 'file': {
- $array_jails = is_array($fail2ban::jails) ? {
- false => $fail2ban::jails ? {
- '' => [],
- default => [$fail2ban::jails],
- },
- default => $fail2ban::jails,
- }
-
- $manage_file_jails_source = $fail2ban::jails_source ? {
- '' => undef,
- default => $fail2ban::jails_source,
- }
-
- $manage_file_jails_content = $fail2ban::jails_template ? {
- '' => undef,
- default => template($fail2ban::jails_template),
- }
-
- file { 'jail.local':
- ensure => $fail2ban::manage_file,
- path => $fail2ban::jails_file,
- mode => $fail2ban::jails_file_mode,
- owner => $fail2ban::jails_file_owner,
- group => $fail2ban::jails_file_group,
- require => Package[$fail2ban::package],
- notify => $fail2ban::manage_service_autorestart,
- source => $fail2ban::manage_file_jails_source,
- content => $fail2ban::manage_file_jails_content,
- replace => $fail2ban::manage_file_replace,
- audit => $fail2ban::manage_audit,
- noop => $fail2ban::bool_noops,
- }
+ if $fail2ban::jails_config == 'file' {
+ $array_jails = is_array($fail2ban::jails) ? {
+ false => $fail2ban::jails ? {
+ '' => [],
+ default => [$fail2ban::jails],
+ },
+ default => $fail2ban::jails,
+ }
+
+ $manage_file_jails_source = $fail2ban::jails_source ? {
+ '' => undef,
+ default => $fail2ban::jails_source,
+ }
+
+ $manage_file_jails_content = $fail2ban::jails_template ? {
+ '' => undef,
+ default => template($fail2ban::jails_template),
+ }
+
+ file { 'jail.local':
+ ensure => $fail2ban::manage_file,
+ path => $fail2ban::jails_file,
+ mode => $fail2ban::jails_file_mode,
+ owner => $fail2ban::jails_file_owner,
+ group => $fail2ban::jails_file_group,
+ require => Package[$fail2ban::package],
+ notify => $fail2ban::manage_service_autorestart,
+ source => $fail2ban::manage_file_jails_source,
+ content => $fail2ban::manage_file_jails_content,
+ replace => $fail2ban::manage_file_replace,
+ audit => $fail2ban::manage_audit,
+ noop => $fail2ban::bool_noops,
 }
- default: { }
 }
 # The whole fail2ban configuration directory can be recursively overriden
diff --git a/manifests/jail.pp b/manifests/jail.pp
index f61087f..d7ad5d8 100644
--- a/manifests/jail.pp
+++ b/manifests/jail.pp
@@ -2,16 +2,16 @@
 #
 # Adds a custom fail2ban jail
 # Supported arguments:
-# $jailname - The name you want to give the jail.
+# $jailname - The name you want to give the jail.
 # If not set, defaults to == $title
-# $order - The order in the jail.local file.
+# $order - The order in the jail.local file.
 # Default 50. Generally you don't need to change it
 # $status - enabled / disabled. If disabled, the rule _IS ADDED_ to the jail.local file
 # but it will not be active. Compare with the next one.
 # Defaults to enabled
 # $enable - true / false. If false, the rule _IS NOT ADDED_ to the jail.local file
 # Defaults to true
-# $filter - The filter rule to use.
+# $filter - The filter rule to use.
 # If empty, defaults to == $jailname.
 # $port - The port to filter. It can be an array of ports.
 # $logpath - The log file to monitor
@@ -32,8 +32,8 @@ define fail2ban::jail (
 $bantime = '',
 $enable = true
 ) {
- include fail2ban
 include concat::setup
+ include fail2ban
 $real_jailname = $jailname ? {
 '' => $title,
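Review bot: An unsupported `jails_config` value, and `'concat'` itself, now fall through the new `if` in silence: the removed `case` at least named the `'concat'` branch, whereas after this change nothing in the class declares the concat for `$fail2ban::jails_file`, so with `jails_config => 'concat'` and no `fail2ban::jail` instance in the catalog, jail.local is left unmanaged and a typo in the value is never reported. A guard keeps that failure visible at compile time: `elsif $fail2ban::jails_config != 'concat' { fail("fail2ban: unsupported jails_config '${fail2ban::jails_config}'") }`. `$array_jails` is assigned but not read anywhere in the hunk; presumably the jail.local template consumes it, and a one-line comment saying so would save the next reader the search. The `fail2ban` class body continues outside the hunk on both sides.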
@@ -90,6 +90,32 @@ define fail2ban::jail (
 $ensure = bool2ensure($enable)
+
+ if ! defined(Concat[$fail2ban::jails_file]) {
+
+ concat { $fail2ban::jails_file:
+ mode => $fail2ban::jails_file_mode,
+ warn => true,
+ owner => $fail2ban::jails_file_owner,
+ group => $fail2ban::jails_file_group,
+ notify => Service['fail2ban'],
+ }
+
+ concat::fragment{ 'fail2ban_jails_header':
+ target => $fail2ban::jails_file,
+ content => template($fail2ban::jails_template_header),
+ order => 01,
+ notify => Service['fail2ban'],
+ }
+
+ # The jail.local footer
+ concat::fragment{ 'fail2ban_jails_footer':
+ target => $fail2ban::jails_file,
+ content => template($fail2ban::jails_template_footer),
+ order => 99,
+ notify => Service['fail2ban'],
+ }
+ }
 concat::fragment{ "fail2ban_jail_$name":
 ensure => $ensure,
 target => $fail2ban::jails_file,
diff --git a/manifests/jailsconcat.pp b/manifests/jailsconcat.pp
deleted file mode 100644
index 59ed874..0000000
--- a/manifests/jailsconcat.pp
+++ /dev/null
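Review bot: The `if ! defined(Concat[$fail2ban::jails_file])` block declares a `concat` for `$fail2ban::jails_file` without checking `$fail2ban::jails_config`, so a `fail2ban::jail` declared while the class runs with `jails_config => 'file'` puts the same path under two resources — this concat and the `file { 'jail.local': path => $fail2ban::jails_file }` from init.pp — which, depending on how the concat module declares its own file, is either a duplicate-resource compile error or two writers to the live jail.local. Check the mode before declaring anything: `if $fail2ban::jails_config != 'concat' { fail("fail2ban::jail '${title}' requires fail2ban::jails_config => 'concat'") }`. `defined()` is also evaluation-order dependent, so the header and footer fragments exist only because they share the guarded block with the concat; a comment such as `# first evaluated jail instance creates the concat and its header/footer; later ones skip this block` would record that dependency. The three `notify => Service['fail2ban']` lines hard-code the service where the file resource in init.pp uses `notify => $fail2ban::manage_service_autorestart`, so an autorestart opt-out in the class is not honoured by jails; using the same variable here keeps the two paths consistent. The define's body continues outside the hunk.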
@@ -1,46 +0,0 @@
-#
-# Class fail2ban::concat
-#
-# This class builds the fail2ban jails.local file using RIPienaar's concat module
-# We build it using several fragments.
-# Being the sequence of lines important we define these boundaries:
-# 01 - General header
-# Note that the fail2ban::jail define
-# inserts (by default) its rules with priority 50.
-#
-class fail2ban::jailsconcat {
-
- include fail2ban
- include concat::setup
-
- concat { $fail2ban::jails_file:
- mode => $fail2ban::jails_file_mode,
- owner => $fail2ban::jails_file_owner,
- group => $fail2ban::jails_file_group,
- notify => Service['fail2ban'],
- }
-
- # The File Header. With Puppet comment
- concat::fragment{ 'fail2ban_header':
- target => $fail2ban::jails_file,
- content => "# File Managed by Puppet\n",
- order => 01,
- notify => Service['fail2ban'],
- }
-
- # The DEFAULT header with the default policies
- concat::fragment{ 'fail2ban_jails_header':
- target => $fail2ban::jails_file,
- content => template($fail2ban::jails_template_header),
- order => 05,
- notify => Service['fail2ban'],
- }
-
- # The jail.local footer
- concat::fragment{ 'fail2ban_jails_footer':
- target => $fail2ban::jails_file,
- content => template($fail2ban::jails_template_footer),
- order => 99,
- notify => Service['fail2ban'],
- }
-}