From 78ceca7ca6540a83d24a89016263235c923543db Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Sat, 20 Feb 2010 22:38:08 +0000
Subject: [PATCH] this should virtually work
Signed-off-by: Stephen Gran
---
 manifests/site.pp | 3 +--
 modules/apache2/manifests/init.pp | 2 +-
 modules/exim/manifests/init.pp | 2 +-
 modules/ferm/manifests/init.pp | 36 ++++++++++++++++++++++++----
 modules/ferm/manifests/real.pp | 30 -----------------------
 modules/munin-node/manifests/init.pp | 2 +-
 modules/nagios/manifests/client.pp | 2 +-
 modules/named/manifests/init.pp | 2 +-
 modules/ntp/manifests/init.pp | 2 +-
 modules/ssh/manifests/init.pp | 4 ++--
 10 files changed, 40 insertions(+), 45 deletions(-)
 delete mode 100644 modules/ferm/manifests/real.pp
diff --git a/manifests/site.pp b/manifests/site.pp
index fb85a46d..1c719fe7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -21,7 +21,6 @@ node default {
 $mxinfo = allnodeinfo("mXRecord")
- include ferm
 include munin-node
 include sudo
 include ssh
@@ -81,7 +80,7 @@ node default {
 }
 case $hostname {
- logtest01: { include ferm::real }
+ logtest01: { include ferm }
 }
 case $hostname {
 geo1,geo2,geo3: { include named::geodns }
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 1f413569..cd2a4e40 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -129,7 +129,7 @@ class apache2 {
 command => "/etc/init.d/apache2 force-reload",
 refreshonly => true,
 }
- ferm::rule { "dsa-apache":
+ @ferm::rule { "dsa-apache":
 domain => "(ip ip6)",
 description => "Allow web access",
 rule => "proto tcp mod state state (NEW) dport (80) ACCEPT"
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index 8ab4f625..85852790 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
@@ -156,7 +156,7 @@ class exim {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-exim":
+ @ferm::rule { "dsa-exim":
 domain => "(ip ip6)",
 description => "Allow smtp access",
 rule => "proto tcp mod state state (NEW) dport (25) ACCEPT"
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 0fa60634..709effc4 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -10,15 +10,41 @@ class ferm {
 }
 }
+ # realize (i.e. enable) all @ferm::rule virtual resources
+ Rule <| |>
+
+ package { ferm: ensure => installed }
+
 file {
- "/etc/ferm":
- ensure => directory;
- "/etc/ferm/dsa.d":
- ensure => directory;
+ "/etc/ferm/dsa.d":
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => "puppet:///files/empty/",
+ require => Package["ferm"];
+ "/etc/ferm/conf.d":
+ ensure => directory,
+ require => Package["ferm"];
+ "/etc/ferm/ferm.conf":
+ source => "puppet:///ferm/ferm.conf",
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
+ "/etc/ferm/conf.d/me.conf":
+ content => template("ferm/me.conf.erb"),
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
+ "/etc/ferm/conf.d/defs.conf":
+ source => "puppet:///ferm/defs.conf",
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
 }
 exec { "ferm restart":
- command => "/bin/true",
+ command => "/etc/init.d/ferm restart",
 refreshonly => true,
 }
diff --git a/modules/ferm/manifests/real.pp b/modules/ferm/manifests/real.pp
deleted file mode 100644
index 447ab751..00000000
--- a/modules/ferm/manifests/real.pp
+++ /dev/null
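Review bot: The collector added at the top of the ferm init.pp hunk is `Rule <| |>`, but every resource this commit turns virtual is `@ferm::rule`, so unless Puppet resolves collector type names relative to the enclosing class this collects nothing and no realized rule ever lands in `/etc/ferm/dsa.d`; `Ferm::Rule <| |>` names the define explicitly. That matters more now that `/etc/ferm/dsa.d` is managed with `purge`/`recurse`: an empty collector leaves the directory empty and the host runs with only whatever default policy ferm.conf carries (not shown here). The `/etc/ferm/dsa.d` resource also has no `notify => Exec["ferm restart"]`, so a rule file purged from the directory stays loaded in the kernel until something else restarts ferm; adding the notify unloads purged rules in the same run. The three config files set `mode => 0400` without `owner`/`group`; pinning `owner => root, group => root,` makes the 0400 meaningful regardless of what created the file.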
@@ -1,30 +0,0 @@
-class ferm::real inherits ferm {
-
- package { ferm: ensure => installed }
-
- file {
- "/etc/ferm/conf.d":
- ensure => directory,
- require => Package["ferm"];
- "/etc/ferm/ferm.conf":
- source => "puppet:///ferm/ferm.conf",
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/me.conf":
- content => template("ferm/me.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/defs.conf":
- source => "puppet:///ferm/defs.conf",
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- }
-
- Exec["ferm restart"] {
- command => "/etc/init.d/ferm restart",
- refreshonly => true,
- }
-}
diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp
index 93a4af70..5ddbf6eb 100644
--- a/modules/munin-node/manifests/init.pp
+++ b/modules/munin-node/manifests/init.pp
@@ -75,7 +75,7 @@ class munin-node {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-munin":
+ @ferm::rule { "dsa-munin":
 description => "Allow munin from munin master",
 rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN) ACCEPT; }"
 }
diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp
index edfbbfad..9cea3378 100644
--- a/modules/nagios/manifests/client.pp
+++ b/modules/nagios/manifests/client.pp
@@ -45,7 +45,7 @@ class nagios::client inherits nagios {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-nagios":
+ @ferm::rule { "dsa-nagios":
 description => "Allow nrpe from nagios master",
 rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
 }
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 0bbcde32..65d4cc5f 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -25,7 +25,7 @@ class named {
 mode => 775,
 ;
 }
- ferm::rule { "dsa-bind":
+ @ferm::rule { "dsa-bind":
 domain => "(ip ip6)",
 description => "Allow nameserver access",
 rule => "proto (udp tcp) mod state state (NEW) dport (53) ACCEPT"
diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp
index fb564641..ace2f8f8 100644
--- a/modules/ntp/manifests/init.pp
+++ b/modules/ntp/manifests/init.pp
@@ -25,7 +25,7 @@ class ntp {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-ntp":
+ @ferm::rule { "dsa-ntp":
 domain => "(ip ip6)",
 description => "Allow ntp access",
 rule => "proto udp mod state state (NEW) dport (123) ACCEPT"
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 452ce5df..c6d1646a 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -38,11 +38,11 @@ class ssh {
 refreshonly => true,
 }
- ferm::rule { "dsa-ssh":
+ @ferm::rule { "dsa-ssh":
 description => "Allow SSH from DSA",
 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
 }
- ferm::rule { "dsa-ssh-v6":
+ @ferm::rule { "dsa-ssh-v6":
 description => "Allow SSH from DSA",
 domain => "ip6",
 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
-- 
2.39.2