Merge branch 'master' of git://git.debian.org/mirror/dsa-puppet

[mirror/dsa-puppet.git] / modules / apache2 / manifests / init.pp
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp

index 22a2107..f5c6f80 100644 (file)
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -18,8 +18,8 @@ class apache2 {
              }
  
              file { "/etc/php5/conf.d/suhosin.ini":
-                source  => [ "puppet:///apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
-                             "puppet:///apache2/common/etc/php5/conf.d/suhosin.ini" ],
+                source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
+                             "puppet:///modules/apache2/common/etc/php5/conf.d/suhosin.ini" ],
                  require => Package["apache2", "php5-suhosin"],
                  notify  => Exec["force-reload-apache2"];
              }
@@ -86,18 +86,18 @@ class apache2 {
              require => Package["apache2"],
                          notify  => Exec["reload-apache2"];
          "/etc/apache2/conf.d/security":
-            source  => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/conf.d/security",
-                         "puppet:///apache2/common/etc/apache2/conf.d/security" ],
+            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/security",
+                         "puppet:///modules/apache2/common/etc/apache2/conf.d/security" ],
              require => Package["apache2"],
              notify  => Exec["reload-apache2"];
          "/etc/apache2/conf.d/local-serverinfo":
-            source  => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
-                         "puppet:///apache2/common/etc/apache2/conf.d/local-serverinfo" ],
+            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
+                         "puppet:///modules/apache2/common/etc/apache2/conf.d/local-serverinfo" ],
              require => Package["apache2"],
              notify  => Exec["reload-apache2"];
          "/etc/apache2/conf.d/server-status":
-            source  => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
-                         "puppet:///apache2/common/etc/apache2/conf.d/server-status" ],
+            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
+                         "puppet:///modules/apache2/common/etc/apache2/conf.d/server-status" ],
              require => Package["apache2"],
              notify  => Exec["reload-apache2"];
  
@@ -107,8 +107,8 @@ class apache2 {
              notify  => Exec["reload-apache2"];
  
          "/etc/logrotate.d/apache2":
-            source  => [ "puppet:///apache2/per-host/$fqdn/etc/logrotate.d/apache2",
-                         "puppet:///apache2/common/etc/logrotate.d/apache2" ];
+            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/logrotate.d/apache2",
+                         "puppet:///modules/apache2/common/etc/logrotate.d/apache2" ];
  
          "/srv/www":
              mode    => 755,
@@ -136,36 +136,92 @@ class apache2 {
              command => "/etc/init.d/apache2 force-reload",
              refreshonly => true;
      }
-
-    @ferm::rule { "dsa-http-limit":
-        prio            => "20",
-        description     => "limit HTTP DOS",
-        rule            => "chain 'http_limit' { mod limit limit-burst 60 limit 15/minute jump ACCEPT; jump DROP; }"
-    }
-    @ferm::rule { "dsa-http-soso":
-        prio            => "21",
-        description     => "slow yahoo spider",
-        rule            => "chain 'limit_sosospider' { mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; jump http_limit; }"
-    }
-    @ferm::rule { "dsa-http-yahoo":
-        prio            => "21",
-        description     => "slow yahoo spider",
-        rule            => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
-    }
-    @ferm::rule { "dsa-http-bing":
-        prio            => "21",
-        description     => "slow bing spider",
-        rule            => "chain 'limit_bing' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
-    }
-    @ferm::rule { "dsa-http-rules":
-        prio            => "22",
-        description     => "http subchain",
-        rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+    case $hostname {
+        chopin,franck,morricone: {
+            package {
+                "libapache2-mod-macro": ensure => installed;
+            }
+            enable_module {
+                "macro":;
+            }
+            file {
+                "/etc/apache2/conf.d/puppet-builddlist":
+                    content => template("apache2/conf-builddlist.erb"),
+                    require => Package["apache2"],
+                    notify  => Exec["reload-apache2"];
+            }
+        }
      }
-    @ferm::rule { "dsa-http":
-        prio            => "23",
-        description     => "Allow web access",
-        rule            => "proto tcp dport (http https) jump http;"
+
+    case $hostname {
+        busoni,duarte,holter,lindberg,master,merkel,powell,rore: {
+            @ferm::rule { "dsa-http-limit":
+                prio            => "20",
+                description     => "limit HTTP DOS",
+                chain           => 'http_limit',
+                rule            => '
+                                    mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+                                    jump DROP'
+            }
+            @ferm::rule { "dsa-http-soso":
+                prio            => "21",
+                description     => "slow soso spider",
+                chain           => 'limit_sosospider',
+                rule            => '
+                                    mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+                                    jump http_limit'
+            }
+            @ferm::rule { "dsa-http-yahoo":
+                prio            => "21",
+                description     => "slow yahoo spider",
+                chain           => 'limit_yahoo',
+                rule            => '
+                                    mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+                                    jump http_limit'
+            }
+            @ferm::rule { "dsa-http-google":
+                prio            => "21",
+                description     => "slow google spider",
+                chain           => 'limit_google',
+                rule            => '
+                                    mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+                                    jump http_limit'
+            }
+            @ferm::rule { "dsa-http-bing":
+                prio            => "21",
+                description     => "slow bing spider",
+                chain           => 'limit_bing',
+                rule            => '
+                                    mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+                                    jump http_limit'
+            }
+            @ferm::rule { "dsa-http-rules":
+                prio            => "22",
+                description     => "http subchain",
+                chain           => 'http',
+                rule            => '
+                                    saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
+                                    saddr 124.115.0.0/21 jump limit_sosospider;
+                                    saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+                                    saddr (66.249.64.0/19) jump limit_google;
+
+                                    mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+                                    mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+                                    mod recent name HTTPDOS set jump log_or_drop'
+            }
+            @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "proto tcp dport (http https) jump http"
+            }
+        }
+        default: {
+            @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "&SERVICE(tcp, (http https))"
+            }
+        }
      }
      @ferm::rule { "dsa-http-v6":
          domain          => "(ip6)",