fail2ban: lint fixes
[mirror/dsa-puppet.git] / modules / fail2ban / manifests / init.pp
1 # fail2ban setup
2 #
3 # Checks that are only used on particular systems are defined elsewhere,
4 # generally in subclasses.
5 class fail2ban {
6         package { 'fail2ban':
7                 ensure => installed,
8         }
9
10         service { 'fail2ban':
11                 ensure  => running,
12         }
13
14         file { '/etc/fail2ban/jail.d/dsa-00-default.conf':
15                 source => 'puppet:///modules/fail2ban/jail/dsa-00-default.conf',
16                 notify => Service['fail2ban'],
17         }
18
19         ferm::conf { 'f2b':
20                 content  => @(EOF),
21                                 @hook post  "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
22                                 @hook flush "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
23                                 | EOF
24         }
25
26         ferm::rule { 'dsa-f2b-setup1':
27                 prio        => '005',
28                 description => 'f2b master rule',
29                 chain       => 'dsa-f2b',
30                 domain      => '(ip ip6)',
31                 rule        => '',
32                 notarule    => true,
33         }
34         ferm::rule { 'dsa-f2b-setup2':
35                 prio        => '005',
36                 description => 'f2b master rule',
37                 chain       => 'INPUT',
38                 domain      => '(ip ip6)',
39                 rule        => 'jump dsa-f2b',
40         }
41
42         # XXX Maybe this will be automatically done in buster, it is certainly needed in stretch. So maybe:  versioncmp($::lsbmajdistrelease, '9') <= 0
43         concat::fragment { 'puppet-crontab--fail2ban-cleanup':
44                 target  => '/etc/cron.d/puppet-crontab',
45                 content => @(EOF)
46                         17 * * * * root chronic python3 -c "import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.INFO); from fail2ban.server.database import Fail2BanDb; db = Fail2BanDb('/var/lib/fail2ban/fail2ban.sqlite3'); db.purge(); db._db.cursor().execute('VACUUM')"
47                         | EOF
48         }
49
50 }
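Review bot: The `service { 'fail2ban': ensure => running }` resource has no `enable => true`, so nothing in this manifest makes the daemon start at boot; after a reboot the host runs without its ban rules until the next agent run. The fix is one added attribute, `enable => true,`, next to `ensure => running`. The same resource and the `file { '/etc/fail2ban/jail.d/dsa-00-default.conf': ... }` resource also lack an explicit `require => Package['fail2ban'],`; with only implicit manifest ordering the relationship is easy to break when resources are later reordered, and the jail.d directory is created by the package. Which of these lines the "lint fixes" commit actually touched is not visible on this page.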