diff --git a/Modulefile b/Modulefile index f6ab2a8..1d949b7 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'netmanagers-fail2ban' -version '1.0.5' +version '1.1.0' author 'Javier Bertoli' license 'Apache2' project_page 'http://www.netmanagers.com.ar' diff --git a/README.md b/README.md index fbe4f25..80523f2 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ For detailed info about the logic and usage patterns of Example42 modules check * Use custom sources for main config file class { 'fail2ban': - source => [ "puppet:///modules/example42/fail2ban/fail2ban.conf-${hostname}" , "puppet:///modules/example42/fail2ban/fail2ban.conf" ], + source => [ "puppet:///modules/example42/fail2ban/fail2ban.local-${hostname}" , "puppet:///modules/example42/fail2ban/fail2ban.local" ], } @@ -100,10 +100,12 @@ For detailed info about the logic and usage patterns of Example42 modules check source_dir_purge => false, # Set to true to purge any existing file not present in $source_dir } -* Use custom template for main config file. Note that template and source arguments are alternative. +* Use custom template for main config file. Note that template and source arguments are alternative. + In this new version, and following fail2ban recommendations, fail2ban.conf is untouched and + fail2ban.local is created instead, overriding parameters. class { 'fail2ban': - template => 'example42/fail2ban/fail2ban.conf.erb', + template => 'example42/fail2ban/fail2ban.local.erb', } * Automatically include a custom subclass diff --git a/manifests/init.pp b/manifests/init.pp index a26786e..a6745f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -15,12 +15,12 @@ # # [*source*] # Sets the content of source parameter for main configuration file -# (fail2ban.conf) +# (fail2ban.local) # If defined, fail2ban main config file will have the param: source => $source # Can be defined also by the (top scope) variable $fail2ban_source # # [*source_dir*] -# If defined, the whole fail2ban configuration directory content is retrieved +# If defined, the whole fail2ban.configuration directory content is retrieved # recursively from the specified source # (source => $source_dir , recurse => true) # Can be defined also by the (top scope) variable $fail2ban_source_dir @@ -427,19 +427,24 @@ class fail2ban ( noop => $fail2ban::bool_noops, } - file { 'fail2ban.conf': - ensure => $fail2ban::manage_file, - path => $fail2ban::config_file, - mode => $fail2ban::config_file_mode, - owner => $fail2ban::config_file_owner, - group => $fail2ban::config_file_group, - require => Package[$fail2ban::package], - notify => $fail2ban::manage_service_autorestart, - source => $fail2ban::manage_file_source, - content => $fail2ban::manage_file_content, - replace => $fail2ban::manage_file_replace, - audit => $fail2ban::manage_audit, - noop => $fail2ban::bool_noops, + if $fail2ban::manage_file_source + or $fail2ban::manage_file_content + or $manage_file == 'absent' + or $fail2ban::bool_noops { + file { 'fail2ban.local': + ensure => $fail2ban::manage_file, + path => $fail2ban::config_file, + mode => $fail2ban::config_file_mode, + owner => $fail2ban::config_file_owner, + group => $fail2ban::config_file_group, + require => Package[$fail2ban::package], + notify => $fail2ban::manage_service_autorestart, + source => $fail2ban::manage_file_source, + content => $fail2ban::manage_file_content, + replace => $fail2ban::manage_file_replace, + audit => $fail2ban::manage_audit, + noop => $fail2ban::bool_noops, + } } # How to manage fail2ban jail.local configuration 
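Review bot: The `[*source_dir*]` doc comment now reads `fail2ban.configuration directory`, which looks like an accidental search-and-replace hit rather than an intended rename; the same slip appears in the `# The whole fail2ban.configuration directory can be recursively overriden` comment in the `@@ -462,23 +467,28 @@` hunk. Both should go back to `fail2ban configuration directory`, since nothing in the visible manifest refers to a file or directory with that dotted name.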
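Review bot: With the new `if` guard around `file { 'fail2ban.local': }`, a node that sets neither `source` nor `template` has no resource for this path in its catalog, so an existing /etc/fail2ban/fail2ban.local is neither enforced nor covered by `audit`, and whatever it overrides stays in effect. The spec changes further down (`should_not contain_file('fail2ban.local')`) suggest this is intended, but it deserves a comment above the guard, e.g. `# fail2ban.local is managed only when source/template is set, on absent, or in noops mode; an existing file is otherwise left as found`. The guard also reads `$manage_file == 'absent'` unqualified while the resource body uses `$fail2ban::manage_file`; `or $fail2ban::manage_file == 'absent'` would keep it consistent. The same guard and the same unqualified variable are repeated for `jail.local` in the `@@ -462,23 +467,28 @@` hunk, and the enclosing `class fail2ban (` body starts and ends outside both hunks.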
@@ -462,23 +467,28 @@ class fail2ban ( default => template($fail2ban::jails_template), } - file { 'jail.local': - ensure => $fail2ban::manage_file, - path => $fail2ban::jails_file, - mode => $fail2ban::jails_file_mode, - owner => $fail2ban::jails_file_owner, - group => $fail2ban::jails_file_group, - require => Package[$fail2ban::package], - notify => $fail2ban::manage_service_autorestart, - source => $fail2ban::manage_file_jails_source, - content => $fail2ban::manage_file_jails_content, - replace => $fail2ban::manage_file_replace, - audit => $fail2ban::manage_audit, - noop => $fail2ban::bool_noops, + if $fail2ban::manage_file_jails_source + or $fail2ban::manage_file_jails_content + or $manage_file == 'absent' + or $fail2ban::bool_noops { + file { 'jail.local': + ensure => $fail2ban::manage_file, + path => $fail2ban::jails_file, + mode => $fail2ban::jails_file_mode, + owner => $fail2ban::jails_file_owner, + group => $fail2ban::jails_file_group, + require => Package[$fail2ban::package], + notify => $fail2ban::manage_service_autorestart, + source => $fail2ban::manage_file_jails_source, + content => $fail2ban::manage_file_jails_content, + replace => $fail2ban::manage_file_replace, + audit => $fail2ban::manage_audit, + noop => $fail2ban::bool_noops, + } } } - # The whole fail2ban configuration directory can be recursively overriden + # The whole fail2ban.configuration directory can be recursively overriden if $fail2ban::source_dir { file { 'fail2ban.dir': ensure => directory, diff --git a/manifests/params.pp b/manifests/params.pp index 3e4dd30..1e44941 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -45,7 +45,7 @@ class fail2ban::params { } $config_file = $::operatingsystem ? { - default => '/etc/fail2ban/fail2ban.conf', + default => '/etc/fail2ban/fail2ban.local', } $config_file_mode = $::operatingsystem ? { diff --git a/manifests/spec.pp b/manifests/spec.pp index 874f25b..52f404f 100644 --- a/manifests/spec.pp +++ b/manifests/spec.pp 
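Review bot: Changing the `$config_file` default to `/etc/fail2ban/fail2ban.local` means nodes upgraded from 1.0.5 keep whatever `/etc/fail2ban/fail2ban.conf` the module last wrote, because nothing in the visible hunks manages or restores that path any more. If the old file came from a custom `source` or `template`, its settings stay active underneath the new .local overrides, which is easy to miss when auditing ban and logging configuration. A short upgrade note next to this default, such as `# 1.1.0: fail2ban.conf is no longer managed; restore the packaged file on upgraded nodes if it was previously templated`, would make that explicit. The `fail2ban::params` class body continues outside the hunk.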
@@ -15,7 +15,7 @@ class fail2ban::spec inherits fail2ban { # Note that you can achieve this same result with just: # class { "fail2ban": template => "fail2ban/spec.erb" } - File['fail2ban.conf'] { + File['fail2ban.local'] { content => template('fail2ban/spec.erb'), } diff --git a/spec/classes/fail2ban_spec.rb b/spec/classes/fail2ban_spec.rb index b67ab3a..fcbb604 100644 --- a/spec/classes/fail2ban_spec.rb +++ b/spec/classes/fail2ban_spec.rb @@ -10,7 +10,8 @@ describe 'fail2ban' do it { should contain_package('fail2ban').with_ensure('present') } it { should contain_service('fail2ban').with_ensure('running') } it { should contain_service('fail2ban').with_enable('true') } - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } end describe 'Test jails config undefined' do @@ -49,7 +50,8 @@ enabled = true/) } it { should contain_package('fail2ban').with_ensure('present') } it { should contain_service('fail2ban').with_ensure('running') } it { should contain_service('fail2ban').with_enable('true') } - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } it { should contain_monitor__process('fail2ban_process').with_enable('true') } end 
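Review bot: `File['fail2ban.local'] { content => ... }` in `fail2ban::spec` now overrides a resource that init.pp declares only when a source or content is set, or on `absent` or noops, so using `my_class => 'fail2ban::spec'` on its own would presumably fail at compile time as an override of a resource that is not declared. The 'Test customizations - custom class' spec in this commit had to add `:template` to keep passing, which points the same way. Either document the requirement above the override, e.g. `# requires template or source on the base class, otherwise File['fail2ban.local'] is not declared`, or keep the resource declared whenever `my_class` is set. The `fail2ban::spec` class body starts and ends outside the hunk.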
@@ -58,7 +60,7 @@ enabled = true/) } it 'should remove Package[fail2ban]' do should contain_package('fail2ban').with_ensure('absent') end it 'should stop Service[fail2ban]' do should contain_service('fail2ban').with_ensure('stopped') end it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end - it 'should remove fail2ban configuration file' do should contain_file('fail2ban.conf').with_ensure('absent') end + it 'should remove fail2ban configuration file' do should contain_file('fail2ban.local').with_ensure('absent') end it { should contain_monitor__process('fail2ban_process').with_enable('false') } end @@ -67,7 +69,8 @@ enabled = true/) } it { should contain_package('fail2ban').with_ensure('present') } it 'should stop Service[fail2ban]' do should contain_service('fail2ban').with_ensure('stopped') end it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } it { should contain_monitor__process('fail2ban_process').with_enable('false') } end @@ -77,7 +80,8 @@ enabled = true/) } it { should_not contain_service('fail2ban').with_ensure('present') } it { should_not contain_service('fail2ban').with_ensure('absent') } it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } it { should contain_monitor__process('fail2ban_process').with_enable('false') } end 
@@ -85,7 +89,7 @@ enabled = true/) } let(:params) { {:noops => true, :monitor => true } } it { should contain_package('fail2ban').with_noop('true') } it { should contain_service('fail2ban').with_noop('true') } - it { should contain_file('fail2ban.conf').with_noop('true') } + it { should contain_file('fail2ban.local').with_noop('true') } it { should contain_monitor__process('fail2ban_process').with_noop('true') } it { should contain_monitor__process('fail2ban_process').with_noop('true') } end @@ -93,18 +97,18 @@ enabled = true/) } describe 'Test customizations - template' do let(:params) { {:template => "fail2ban/spec.erb" , :options => { 'opt_a' => 'value_a' } } } it 'should generate a valid template' do - content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content] content.should match "fqdn: rspec.example42.com" end it 'should generate a template that uses custom options' do - content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content] content.should match "value_a" end end describe 'Test customizations - source' do let(:params) { {:source => "puppet:///modules/fail2ban/spec"} } - it { should contain_file('fail2ban.conf').with_source('puppet:///modules/fail2ban/spec') } + it { should contain_file('fail2ban.local').with_source('puppet:///modules/fail2ban/spec') } end describe 'Test customizations - source_dir' do 
@@ -115,14 +119,24 @@ enabled = true/) } end describe 'Test customizations - custom class' do - let(:params) { {:my_class => "fail2ban::spec" } } - it { should contain_file('fail2ban.conf').with_content(/rspec.example42.com/) } + let(:params) do + { + :my_class => "fail2ban::spec", + :template => "fail2ban/spec.erb" + } + end + it { should contain_file('fail2ban.local').with_content(/rspec.example42.com/) } end describe 'Test service autorestart' do - let(:params) { {:service_autorestart => "no" } } + let(:params) do + { + :service_autorestart => "no", + :template => "fail2ban/spec.erb" + } + end it 'should not automatically restart the service, when service_autorestart => false' do - content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:notify] + content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:notify] content.should be_nil end end diff --git a/templates/fail2ban.conf.erb b/templates/fail2ban.local.erb similarity index 80% rename from templates/fail2ban.conf.erb rename to templates/fail2ban.local.erb index 2dc6906..f5e2d0a 100644 --- a/templates/fail2ban.conf.erb +++ b/templates/fail2ban.local.erb @@ -2,7 +2,6 @@ # [Definition] loglevel = <%= scope.lookupvar('fail2ban::log_level') %> - logtarget = <%= scope.lookupvar('fail2ban::log_file') %> - socket = <%= scope.lookupvar('fail2ban::socket') %> +pidfile = <%= scope.lookupvar('fail2ban::pid_file') %>
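Review bot: The 'Test customizations - custom class' example now passes `:template => "fail2ban/spec.erb"`, which is the same template `fail2ban::spec` applies through its override, so the `with_content(/rspec.example42.com/)` assertion would pass even if `my_class` were never included. To keep the example exercising the subclass, assert the inclusion directly, e.g. `it { should contain_class('fail2ban::spec') }`, or give the base class a different template from the one the subclass sets. The 'Test service autorestart' example in the same hunk also gained `:template`, apparently only so that the file resource exists, which is worth a one-line comment: `# template is set so that File['fail2ban.local'] is declared`.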