dinislage/puppet-fail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved main configuration from fail2ban.conf to fail2ban.local

Browse Source 
Fail2ban's documentation suggests that modifications to the main configuration be
done in a .local file instead of modificating the main fail2ban.conf file.

If upgrading from a previous version of the module, you will probably end up with both
files having the same content. This is pretty harmless, but can be confusing at first.
Changes to the fail2ban.local file will have precedence over those in fail2ban.conf
so no matter if you previously had a modified fail2ban.conf file, the new values will
be used.

This change modifies the previous behaviour of the module where the main configuration
file was overwritten, but ensures future compatibility with fail2ban.
This commit is contained in:
Javier Bértoli
2013-08-07 17:29:19 -03:00
parent 4b7f4fd097
commit 3e015d6635
7 changed files with 75 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Modulefile
View File

@@ -1,5 +1,5 @@
name 'netmanagers-fail2ban'
version '1.0.5'
version '1.1.0'
author 'Javier Bertoli'
license 'Apache2'
project_page 'http://www.netmanagers.com.ar'

8
README.md
View File

@@ -89,7 +89,7 @@ For detailed info about the logic and usage patterns of Example42 modules check
* Use custom sources for main config file
class { 'fail2ban':
source => [ "puppet:///modules/example42/fail2ban/fail2ban.conf-${hostname}" , "puppet:///modules/example42/fail2ban/fail2ban.conf" ],
source => [ "puppet:///modules/example42/fail2ban/fail2ban.local-${hostname}" , "puppet:///modules/example42/fail2ban/fail2ban.local" ],
}
@@ -100,10 +100,12 @@ For detailed info about the logic and usage patterns of Example42 modules check
source_dir_purge => false, # Set to true to purge any existing file not present in $source_dir
}
* Use custom template for main config file. Note that template and source arguments are alternative.
* Use custom template for main config file. Note that template and source arguments are alternative.
In this new version, and following fail2ban recommendations, fail2ban.conf is untouched and
fail2ban.local is created instead, overriding parameters.
class { 'fail2ban':
template => 'example42/fail2ban/fail2ban.conf.erb',
template => 'example42/fail2ban/fail2ban.local.erb',
}
* Automatically include a custom subclass

68
manifests/init.pp
View File

@@ -15,12 +15,12 @@
#
# [*source*]
# Sets the content of source parameter for main configuration file
# (fail2ban.conf)
# (fail2ban.local)
# If defined, fail2ban main config file will have the param: source => $source
# Can be defined also by the (top scope) variable $fail2ban_source
#
# [*source_dir*]
# If defined, the whole fail2ban configuration directory content is retrieved
# If defined, the whole fail2ban.configuration directory content is retrieved
# recursively from the specified source
# (source => $source_dir , recurse => true)
# Can be defined also by the (top scope) variable $fail2ban_source_dir
@@ -427,19 +427,24 @@ class fail2ban (
noop => $fail2ban::bool_noops,
}
file { 'fail2ban.conf':
ensure => $fail2ban::manage_file,
path => $fail2ban::config_file,
mode => $fail2ban::config_file_mode,
owner => $fail2ban::config_file_owner,
group => $fail2ban::config_file_group,
require => Package[$fail2ban::package],
notify => $fail2ban::manage_service_autorestart,
source => $fail2ban::manage_file_source,
content => $fail2ban::manage_file_content,
replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit,
noop => $fail2ban::bool_noops,
if $fail2ban::manage_file_source
or $fail2ban::manage_file_content
or $manage_file == 'absent'
or $fail2ban::bool_noops {
file { 'fail2ban.local':
ensure => $fail2ban::manage_file,
path => $fail2ban::config_file,
mode => $fail2ban::config_file_mode,
owner => $fail2ban::config_file_owner,
group => $fail2ban::config_file_group,
require => Package[$fail2ban::package],
notify => $fail2ban::manage_service_autorestart,
source => $fail2ban::manage_file_source,
content => $fail2ban::manage_file_content,
replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit,
noop => $fail2ban::bool_noops,
}
}
# How to manage fail2ban jail.local configuration
@@ -462,23 +467,28 @@ class fail2ban (
default => template($fail2ban::jails_template),
}
file { 'jail.local':
ensure => $fail2ban::manage_file,
path => $fail2ban::jails_file,
mode => $fail2ban::jails_file_mode,
owner => $fail2ban::jails_file_owner,
group => $fail2ban::jails_file_group,
require => Package[$fail2ban::package],
notify => $fail2ban::manage_service_autorestart,
source => $fail2ban::manage_file_jails_source,
content => $fail2ban::manage_file_jails_content,
replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit,
noop => $fail2ban::bool_noops,
if $fail2ban::manage_file_jails_source
or $fail2ban::manage_file_jails_content
or $manage_file == 'absent'
or $fail2ban::bool_noops {
file { 'jail.local':
ensure => $fail2ban::manage_file,
path => $fail2ban::jails_file,
mode => $fail2ban::jails_file_mode,
owner => $fail2ban::jails_file_owner,
group => $fail2ban::jails_file_group,
require => Package[$fail2ban::package],
notify => $fail2ban::manage_service_autorestart,
source => $fail2ban::manage_file_jails_source,
content => $fail2ban::manage_file_jails_content,
replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit,
noop => $fail2ban::bool_noops,
}
}
}
# The whole fail2ban configuration directory can be recursively overriden
# The whole fail2ban.configuration directory can be recursively overriden
if $fail2ban::source_dir {
file { 'fail2ban.dir':
ensure => directory,

2
manifests/params.pp
View File

@@ -45,7 +45,7 @@ class fail2ban::params {
}
$config_file = $::operatingsystem ? {
default => '/etc/fail2ban/fail2ban.conf',
default => '/etc/fail2ban/fail2ban.local',
}
$config_file_mode = $::operatingsystem ? {

2
manifests/spec.pp
View File

@@ -15,7 +15,7 @@ class fail2ban::spec inherits fail2ban {
# Note that you can achieve this same result with just:
# class { "fail2ban": template => "fail2ban/spec.erb" }
File['fail2ban.conf'] {
File['fail2ban.local'] {
content => template('fail2ban/spec.erb'),
}

40
spec/classes/fail2ban_spec.rb
View File

@@ -10,7 +10,8 @@ describe 'fail2ban' do
it { should contain_package('fail2ban').with_ensure('present') }
it { should contain_service('fail2ban').with_ensure('running') }
it { should contain_service('fail2ban').with_enable('true') }
it { should contain_file('fail2ban.conf').with_ensure('present') }
it { should_not contain_file('fail2ban.local') }
it { should_not contain_file('jail.local') }
end
describe 'Test jails config undefined' do
@@ -49,7 +50,8 @@ enabled = true/) }
it { should contain_package('fail2ban').with_ensure('present') }
it { should contain_service('fail2ban').with_ensure('running') }
it { should contain_service('fail2ban').with_enable('true') }
it { should contain_file('fail2ban.conf').with_ensure('present') }
it { should_not contain_file('fail2ban.local') }
it { should_not contain_file('jail.local') }
it { should contain_monitor__process('fail2ban_process').with_enable('true') }
end
@@ -58,7 +60,7 @@ enabled = true/) }
it 'should remove Package[fail2ban]' do should contain_package('fail2ban').with_ensure('absent') end
it 'should stop Service[fail2ban]' do should contain_service('fail2ban').with_ensure('stopped') end
it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end
it 'should remove fail2ban configuration file' do should contain_file('fail2ban.conf').with_ensure('absent') end
it 'should remove fail2ban configuration file' do should contain_file('fail2ban.local').with_ensure('absent') end
it { should contain_monitor__process('fail2ban_process').with_enable('false') }
end
@@ -67,7 +69,8 @@ enabled = true/) }
it { should contain_package('fail2ban').with_ensure('present') }
it 'should stop Service[fail2ban]' do should contain_service('fail2ban').with_ensure('stopped') end
it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end
it { should contain_file('fail2ban.conf').with_ensure('present') }
it { should_not contain_file('fail2ban.local') }
it { should_not contain_file('jail.local') }
it { should contain_monitor__process('fail2ban_process').with_enable('false') }
end
@@ -77,7 +80,8 @@ enabled = true/) }
it { should_not contain_service('fail2ban').with_ensure('present') }
it { should_not contain_service('fail2ban').with_ensure('absent') }
it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end
it { should contain_file('fail2ban.conf').with_ensure('present') }
it { should_not contain_file('fail2ban.local') }
it { should_not contain_file('jail.local') }
it { should contain_monitor__process('fail2ban_process').with_enable('false') }
end
@@ -85,7 +89,7 @@ enabled = true/) }
let(:params) { {:noops => true, :monitor => true } }
it { should contain_package('fail2ban').with_noop('true') }
it { should contain_service('fail2ban').with_noop('true') }
it { should contain_file('fail2ban.conf').with_noop('true') }
it { should contain_file('fail2ban.local').with_noop('true') }
it { should contain_monitor__process('fail2ban_process').with_noop('true') }
it { should contain_monitor__process('fail2ban_process').with_noop('true') }
end
@@ -93,18 +97,18 @@ enabled = true/) }
describe 'Test customizations - template' do
let(:params) { {:template => "fail2ban/spec.erb" , :options => { 'opt_a' => 'value_a' } } }
it 'should generate a valid template' do
content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:content]
content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content]
content.should match "fqdn: rspec.example42.com"
end
it 'should generate a template that uses custom options' do
content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:content]
content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content]
content.should match "value_a"
end
end
describe 'Test customizations - source' do
let(:params) { {:source => "puppet:///modules/fail2ban/spec"} }
it { should contain_file('fail2ban.conf').with_source('puppet:///modules/fail2ban/spec') }
it { should contain_file('fail2ban.local').with_source('puppet:///modules/fail2ban/spec') }
end
describe 'Test customizations - source_dir' do
@@ -115,14 +119,24 @@ enabled = true/) }
end
describe 'Test customizations - custom class' do
let(:params) { {:my_class => "fail2ban::spec" } }
it { should contain_file('fail2ban.conf').with_content(/rspec.example42.com/) }
let(:params) do
{
:my_class => "fail2ban::spec",
:template => "fail2ban/spec.erb"
}
end
it { should contain_file('fail2ban.local').with_content(/rspec.example42.com/) }
end
describe 'Test service autorestart' do
let(:params) { {:service_autorestart => "no" } }
let(:params) do
{
:service_autorestart => "no",
:template => "fail2ban/spec.erb"
}
end
it 'should not automatically restart the service, when service_autorestart => false' do
content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:notify]
content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:notify]
content.should be_nil
end
end

3
templates/fail2ban.conf.erb → templates/fail2ban.local.erb
View File

@@ -2,7 +2,6 @@
#
[Definition]
loglevel = <%= scope.lookupvar('fail2ban::log_level') %>
logtarget = <%= scope.lookupvar('fail2ban::log_file') %>
socket = <%= scope.lookupvar('fail2ban::socket') %>
pidfile = <%= scope.lookupvar('fail2ban::pid_file') %>