1 #
2
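class ferm {
        # Installs ferm and manages its configuration tree. Every managed
        # config file notifies Exec["ferm reload"] so a changed ruleset is
        # applied in the same run that wrote it.
        package { "ferm" :
                ensure          => installed,
        }

        # Drop-in directory for the per-host fragments written by ferm::rule.
        # Kept root-only (0700): whoever can write here can alter the firewall.
        # NOTE(review): fragments are not purged, so deleting a ferm::rule
        # resource leaves its file (and the rule it carries) on disk until
        # removed by hand; consider recurse/purge once it is confirmed that
        # nothing else writes to this directory.
        file { "/etc/ferm/dsa.d" :
                ensure          => directory,
                owner           => root,
                group           => root,
                mode            => 0700,
                require         => Package["ferm"],
        }

        file { "/etc/ferm/conf.d" :
                ensure          => directory,
                owner           => root,
                group           => root,
                mode            => 0700,
                require         => Package["ferm"],
        }

        # Main ruleset, shipped from the puppet fileserver; a content change
        # triggers a reload.
        file { "/etc/ferm/ferm.conf" :
                ensure          => present,
                owner           => root,
                group           => root,
                mode            => 0600,
                require         => Package["ferm"],
                notify          => Exec["ferm reload"],
                source          => "puppet:///ferm/ferm.conf",
        }

        # Shared definitions (variables/macros) used by the ruleset.
        file { "/etc/ferm/defs.conf" :
                ensure          => present,
                owner           => root,
                group           => root,
                mode            => 0600,
                require         => Package["ferm"],
                notify          => Exec["ferm reload"],
                source          => "puppet:///ferm/defs.conf",
        }

        # No explicit command: the resource title "ferm reload" is run as the
        # command, resolved through /etc/init.d on the search path. It only
        # fires when notified by one of the config file resources above.
        exec { "ferm reload":
                path            => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
                refreshonly     => true,
        }

        # Writes one rule fragment into /etc/ferm/dsa.d, ordered by $prio.
        # Requires class ferm to be included (it references the reload exec).
        # used as, e.g.:
        # ferm::rule { "dsa-ssh":
        #       description     => "Allow SSH from DSA",
        #       rule            => "proto tcp dport ssh saddr 1.2.3.4 ACCEPT"
        # }
        define rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
                file { "/etc/ferm/dsa.d/${prio}_${name}":
                        ensure  => present,
                        owner   => root,
                        group   => root,
                        mode    => 0600,
                        content => template("ferm/ferm-rule.erb"),
                        # Without this, a new or changed rule was written to
                        # disk but the running firewall was not reloaded.
                        notify  => Exec["ferm reload"],
                }
        }
}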