From 3e015d663526f18686326880bea3b6251f10e03f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Wed, 7 Aug 2013 17:29:19 -0300 Subject: [PATCH] Moved main configuration from fail2ban.conf to fail2ban.local Fail2ban's documentation suggests that modifications to the main configuration be done in a .local file instead of modificating the main fail2ban.conf file. If upgrading from a previous version of the module, you will probably end up with both files having the same content. This is pretty harmless, but can be confusing at first. Changes to the fail2ban.local file will have precedence over those in fail2ban.conf so no matter if you previously had a modified fail2ban.conf file, the new values will be used. This change modifies the previous behaviour of the module where the main configuration file was overwritten, but ensures future compatibility with fail2ban. --- Modulefile | 2 +- README.md | 8 ++- manifests/init.pp | 68 +++++++++++-------- manifests/params.pp | 2 +- manifests/spec.pp | 2 +- spec/classes/fail2ban_spec.rb | 40 +++++++---- .../{fail2ban.conf.erb => fail2ban.local.erb} | 3 +- 7 files changed, 75 insertions(+), 50 deletions(-) rename templates/{fail2ban.conf.erb => fail2ban.local.erb} (80%) diff --git a/Modulefile b/Modulefile index f6ab2a8..1d949b7 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'netmanagers-fail2ban' -version '1.0.5' +version '1.1.0' author 'Javier Bertoli' license 'Apache2' project_page 'http://www.netmanagers.com.ar' diff --git a/README.md b/README.md index fbe4f25..80523f2 100644 --- a/README.md +++ b/README.md 
@@ -89,7 +89,7 @@ For detailed info about the logic and usage patterns of Example42 modules check * Use custom sources for main config file class { 'fail2ban': - source => [ "puppet:///modules/example42/fail2ban/fail2ban.conf-${hostname}" , "puppet:///modules/example42/fail2ban/fail2ban.conf" ], + source => [ "puppet:///modules/example42/fail2ban/fail2ban.local-${hostname}" , "puppet:///modules/example42/fail2ban/fail2ban.local" ], } @@ -100,10 +100,12 @@ For detailed info about the logic and usage patterns of Example42 modules check source_dir_purge => false, # Set to true to purge any existing file not present in $source_dir } -* Use custom template for main config file. Note that template and source arguments are alternative. +* Use custom template for main config file. Note that template and source arguments are alternative. + In this new version, and following fail2ban recommendations, fail2ban.conf is untouched and + fail2ban.local is created instead, overriding parameters. class { 'fail2ban': - template => 'example42/fail2ban/fail2ban.conf.erb', + template => 'example42/fail2ban/fail2ban.local.erb', } * Automatically include a custom subclass diff --git a/manifests/init.pp b/manifests/init.pp index a26786e..a6745f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -15,12 +15,12 @@ # # [*source*] # Sets the content of source parameter for main configuration file -# (fail2ban.conf) +# (fail2ban.local) # If defined, fail2ban main config file will have the param: source => $source # Can be defined also by the (top scope) variable $fail2ban_source # # [*source_dir*] -# If defined, the whole fail2ban configuration directory content is retrieved +# If defined, the whole fail2ban.configuration directory content is retrieved # recursively from the specified source # (source => $source_dir , recurse => true) # Can be defined also by the (top scope) variable $fail2ban_source_dir 
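Review bot: The `[*source_dir*]` doc comment now reads `the whole fail2ban.configuration directory content`, which looks like an accidental edit made while renaming fail2ban.conf; the earlier wording `fail2ban configuration directory` should be restored. The same slip appears in the `# The whole fail2ban.configuration directory can be recursively overriden` comment of the later init.pp hunk at `@@ -462,23 +467,28 @@`. The `[*source*]` comment could also state that the main config file is only managed when `source` or `template` is set, since the later hunks of this commit introduce that behaviour.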
@@ -427,19 +427,24 @@ class fail2ban ( noop => $fail2ban::bool_noops, } - file { 'fail2ban.conf': - ensure => $fail2ban::manage_file, - path => $fail2ban::config_file, - mode => $fail2ban::config_file_mode, - owner => $fail2ban::config_file_owner, - group => $fail2ban::config_file_group, - require => Package[$fail2ban::package], - notify => $fail2ban::manage_service_autorestart, - source => $fail2ban::manage_file_source, - content => $fail2ban::manage_file_content, - replace => $fail2ban::manage_file_replace, - audit => $fail2ban::manage_audit, - noop => $fail2ban::bool_noops, + if $fail2ban::manage_file_source + or $fail2ban::manage_file_content + or $manage_file == 'absent' + or $fail2ban::bool_noops { + file { 'fail2ban.local': + ensure => $fail2ban::manage_file, + path => $fail2ban::config_file, + mode => $fail2ban::config_file_mode, + owner => $fail2ban::config_file_owner, + group => $fail2ban::config_file_group, + require => Package[$fail2ban::package], + notify => $fail2ban::manage_service_autorestart, + source => $fail2ban::manage_file_source, + content => $fail2ban::manage_file_content, + replace => $fail2ban::manage_file_replace, + audit => $fail2ban::manage_audit, + noop => $fail2ban::bool_noops, + } } # How to manage fail2ban jail.local configuration 
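Review bot: The new guard around `file { 'fail2ban.local': }` tests `$manage_file == 'absent'` without the class qualifier, while every other operand is written `$fail2ban::…`; `or $fail2ban::manage_file == 'absent'` keeps the lookup explicit and consistent. The same applies to the guard around `file { 'jail.local': }` in the `@@ -462,23 +467,28 @@` hunk. The guard also deserves a short comment, for example `# Only manage fail2ban.local when content is supplied, on removal, or in noop mode`, because with default parameters the resource is no longer in the catalog, and anything outside the class that referenced `File['fail2ban.conf']` will stop resolving. The class body begins and ends outside this hunk, so how `$manage_file` is derived is not visible here.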
@@ -462,23 +467,28 @@ class fail2ban ( default => template($fail2ban::jails_template), } - file { 'jail.local': - ensure => $fail2ban::manage_file, - path => $fail2ban::jails_file, - mode => $fail2ban::jails_file_mode, - owner => $fail2ban::jails_file_owner, - group => $fail2ban::jails_file_group, - require => Package[$fail2ban::package], - notify => $fail2ban::manage_service_autorestart, - source => $fail2ban::manage_file_jails_source, - content => $fail2ban::manage_file_jails_content, - replace => $fail2ban::manage_file_replace, - audit => $fail2ban::manage_audit, - noop => $fail2ban::bool_noops, + if $fail2ban::manage_file_jails_source + or $fail2ban::manage_file_jails_content + or $manage_file == 'absent' + or $fail2ban::bool_noops { + file { 'jail.local': + ensure => $fail2ban::manage_file, + path => $fail2ban::jails_file, + mode => $fail2ban::jails_file_mode, + owner => $fail2ban::jails_file_owner, + group => $fail2ban::jails_file_group, + require => Package[$fail2ban::package], + notify => $fail2ban::manage_service_autorestart, + source => $fail2ban::manage_file_jails_source, + content => $fail2ban::manage_file_jails_content, + replace => $fail2ban::manage_file_replace, + audit => $fail2ban::manage_audit, + noop => $fail2ban::bool_noops, + } } } - # The whole fail2ban configuration directory can be recursively overriden + # The whole fail2ban.configuration directory can be recursively overriden if $fail2ban::source_dir { file { 'fail2ban.dir': ensure => directory, diff --git a/manifests/params.pp b/manifests/params.pp index 3e4dd30..1e44941 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -45,7 +45,7 @@ class fail2ban::params { } $config_file = $::operatingsystem ? { - default => '/etc/fail2ban/fail2ban.conf', + default => '/etc/fail2ban/fail2ban.local', } $config_file_mode = $::operatingsystem ? { diff --git a/manifests/spec.pp b/manifests/spec.pp index 874f25b..52f404f 100644 --- a/manifests/spec.pp +++ b/manifests/spec.pp 
@@ -15,7 +15,7 @@ class fail2ban::spec inherits fail2ban { # Note that you can achieve this same result with just: # class { "fail2ban": template => "fail2ban/spec.erb" } - File['fail2ban.conf'] { + File['fail2ban.local'] { content => template('fail2ban/spec.erb'), } diff --git a/spec/classes/fail2ban_spec.rb b/spec/classes/fail2ban_spec.rb index b67ab3a..fcbb604 100644 --- a/spec/classes/fail2ban_spec.rb +++ b/spec/classes/fail2ban_spec.rb @@ -10,7 +10,8 @@ describe 'fail2ban' do it { should contain_package('fail2ban').with_ensure('present') } it { should contain_service('fail2ban').with_ensure('running') } it { should contain_service('fail2ban').with_enable('true') } - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } end describe 'Test jails config undefined' do @@ -49,7 +50,8 @@ enabled = true/) } it { should contain_package('fail2ban').with_ensure('present') } it { should contain_service('fail2ban').with_ensure('running') } it { should contain_service('fail2ban').with_enable('true') } - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } it { should contain_monitor__process('fail2ban_process').with_enable('true') } end 
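Review bot: `File['fail2ban.local'] { content => … }` in `fail2ban::spec` overrides a resource that the parent class now declares only when a source or template is given, on removal, or in noop mode, so the subclass on its own appears to have nothing to override. The updated spec in spec/classes/fail2ban_spec.rb passes `:template` alongside `:my_class`, which suggests the override alone no longer compiles, though the failure itself is not shown on this page. Either document the requirement next to the override, e.g. `# Requires fail2ban::template or fail2ban::source to be set, otherwise File['fail2ban.local'] is not declared`, or have custom classes declare the file themselves. The class body continues outside the hunk.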
@@ -58,7 +60,7 @@ enabled = true/) } it 'should remove Package[fail2ban]' do should contain_package('fail2ban').with_ensure('absent') end it 'should stop Service[fail2ban]' do should contain_service('fail2ban').with_ensure('stopped') end it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end - it 'should remove fail2ban configuration file' do should contain_file('fail2ban.conf').with_ensure('absent') end + it 'should remove fail2ban configuration file' do should contain_file('fail2ban.local').with_ensure('absent') end it { should contain_monitor__process('fail2ban_process').with_enable('false') } end @@ -67,7 +69,8 @@ enabled = true/) } it { should contain_package('fail2ban').with_ensure('present') } it 'should stop Service[fail2ban]' do should contain_service('fail2ban').with_ensure('stopped') end it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } it { should contain_monitor__process('fail2ban_process').with_enable('false') } end @@ -77,7 +80,8 @@ enabled = true/) } it { should_not contain_service('fail2ban').with_ensure('present') } it { should_not contain_service('fail2ban').with_ensure('absent') } it 'should not enable at boot Service[fail2ban]' do should contain_service('fail2ban').with_enable('false') end - it { should contain_file('fail2ban.conf').with_ensure('present') } + it { should_not contain_file('fail2ban.local') } + it { should_not contain_file('jail.local') } it { should contain_monitor__process('fail2ban_process').with_enable('false') } end 
@@ -85,7 +89,7 @@ enabled = true/) } let(:params) { {:noops => true, :monitor => true } } it { should contain_package('fail2ban').with_noop('true') } it { should contain_service('fail2ban').with_noop('true') } - it { should contain_file('fail2ban.conf').with_noop('true') } + it { should contain_file('fail2ban.local').with_noop('true') } it { should contain_monitor__process('fail2ban_process').with_noop('true') } it { should contain_monitor__process('fail2ban_process').with_noop('true') } end @@ -93,18 +97,18 @@ enabled = true/) } describe 'Test customizations - template' do let(:params) { {:template => "fail2ban/spec.erb" , :options => { 'opt_a' => 'value_a' } } } it 'should generate a valid template' do - content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content] content.should match "fqdn: rspec.example42.com" end it 'should generate a template that uses custom options' do - content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content] content.should match "value_a" end end describe 'Test customizations - source' do let(:params) { {:source => "puppet:///modules/fail2ban/spec"} } - it { should contain_file('fail2ban.conf').with_source('puppet:///modules/fail2ban/spec') } + it { should contain_file('fail2ban.local').with_source('puppet:///modules/fail2ban/spec') } end describe 'Test customizations - source_dir' do 
@@ -115,14 +119,24 @@ enabled = true/) } end describe 'Test customizations - custom class' do - let(:params) { {:my_class => "fail2ban::spec" } } - it { should contain_file('fail2ban.conf').with_content(/rspec.example42.com/) } + let(:params) do + { + :my_class => "fail2ban::spec", + :template => "fail2ban/spec.erb" + } + end + it { should contain_file('fail2ban.local').with_content(/rspec.example42.com/) } end describe 'Test service autorestart' do - let(:params) { {:service_autorestart => "no" } } + let(:params) do + { + :service_autorestart => "no", + :template => "fail2ban/spec.erb" + } + end it 'should not automatically restart the service, when service_autorestart => false' do - content = catalogue.resource('file', 'fail2ban.conf').send(:parameters)[:notify] + content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:notify] content.should be_nil end end diff --git a/templates/fail2ban.conf.erb b/templates/fail2ban.local.erb similarity index 80% rename from templates/fail2ban.conf.erb rename to templates/fail2ban.local.erb index 2dc6906..f5e2d0a 100644 --- a/templates/fail2ban.conf.erb +++ b/templates/fail2ban.local.erb @@ -2,7 +2,6 @@ # [Definition] loglevel = <%= scope.lookupvar('fail2ban::log_level') %> - logtarget = <%= scope.lookupvar('fail2ban::log_file') %> - socket = <%= scope.lookupvar('fail2ban::socket') %> +pidfile = <%= scope.lookupvar('fail2ban::pid_file') %>
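Review bot: The 'Test customizations - custom class' example now sets `:template => "fail2ban/spec.erb"` together with `:my_class => "fail2ban::spec"`, and since that is the same template the subclass applies, the `with_content(/rspec.example42.com/)` expectation would pass even if `my_class` were ignored. The example therefore no longer shows that the custom class has any effect. Consider asserting the inclusion directly with `it { should contain_class('fail2ban::spec') }`, or passing a different template in `:template` so the two sources of content can be told apart.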
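Review bot: The added `pidfile = <%= scope.lookupvar('fail2ban::pid_file') %>` line is not mentioned in the commit description, and because fail2ban.local takes precedence over fail2ban.conf, whatever this renders replaces the packaged value. If `fail2ban::pid_file` (defined outside this page) can be empty on some platform, the file would contain a bare `pidfile =`; the same holds for the `logtarget` and `socket` context lines. A guard such as `<% unless scope.lookupvar('fail2ban::pid_file').to_s.empty? -%>` … `<% end -%>` around the line would avoid that. A header comment saying these keys override fail2ban.conf would also make the precedence explicit to whoever reads the rendered file.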