X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Finit.pp;h=196a39e9187133dd4c8e3aa19930ccb0b5faa220;hb=d14bef114ef2ccf4032591cf97b973fdf525eff3;hp=adf1fc88a16996e030953779abdf48c1c723616d;hpb=e152ea9072eba0cf0b3920c779e3fdb8ad3880fd;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index adf1fc88a..196a39e91 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -1,63 +1,135 @@ +# = Class: ferm +# +# This class installs ferm and sets up rules +# +# == Sample Usage: +# +# include ferm # - class ferm { - package { "ferm" : - ensure => installed, - } - - file { "/etc/ferm/dsa.d" : - ensure => directory, - owner => root, - group => root, - mode => 0700, - require => Package["ferm"], - } - - file { "/etc/ferm/conf.d" : - ensure =>directory, - owner => root, - group => root, - mode => 0700, - require => Package["ferm"], - } - - file { "/etc/ferm/ferm.conf" : - ensure => present, - owner => root, - group => root, - mode => 0600, - require => Package["ferm"], - notify => Exec["ferm reload"], - source => "puppet:///ferm/ferm.conf", - } - - file { "/etc/ferm/defs.conf" : - ensure => present, - owner => root, - group => root, - mode => 0600, - require => Package["ferm"], - notify => Exec["ferm reload"], - source => "puppet:///ferm/defs.conf", - } - - exec { "ferm reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } - - # used as, e.g.: - # ferm::rule { "dsa-ssh": - # description => "Allow SSH from DSA", - # rule => "proto tcp dport ssh saddr 1.2.3.4 ACCEPT" - # } - define rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") { - file { "/etc/ferm/dsa.d/${prio}_${name}": - ensure => present, - owner => root, - group => root, - mode => 0600, - content => template("ferm/ferm-rule.erb"), - } + # realize (i.e. enable) all @ferm::rule virtual resources + Ferm::Rule <| |> + Ferm::Conf <| |> + + File { mode => '0400' } + + package { 'ferm': + ensure => installed + } + package { 'ulogd2': + ensure => installed + } + package { 'ulogd': + # Remove instead of purge ulogd because it deletes log files on purge. 
+ ensure => absent
+ }
+
+ service { 'ferm':
+ hasstatus => false,
+ status => '/bin/true',
+ }
+ exec {
+ "ferm reload":
+ command => "service ferm reload",
+ refreshonly => true,
+ }
+
+ $munin_ips = getfromhash($site::nodeinfo, 'misc', 'v4addrs')
+ .map |$addr| { "ip_${addr}" }
+
+ munin::check { $munin_ips: script => 'ip_', }
+
+ $munin6_ips = getfromhash($site::nodeinfo, 'misc', 'v6addrs')
+ .map |$addr| { "ip_${addr}" }
+ munin::ipv6check { $munin6_ips: }
+
+ file { '/etc/ferm':
+ ensure => directory,
+ notify => Exec['ferm reload'],
+ require => Package['ferm'],
+ mode => '0755'
+ }
+ file { '/etc/ferm/dsa.d':
+ ensure => directory,
+ mode => '0555',
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
  }
+ file { '/etc/ferm/conf.d':
+ ensure => directory,
+ mode => '0555',
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/default/ferm':
+ source => 'puppet:///modules/ferm/ferm.default',
+ require => Package['ferm'],
+ notify => Exec['ferm reload'],
+ mode => '0444',
+ }
+ file { '/etc/ferm/ferm.conf':
+ content => template('ferm/ferm.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+ file { '/etc/ferm/conf.d/00-init.conf':
+ content => template('ferm/00-init.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+ file { '/etc/ferm/conf.d/me.conf':
+ content => template('ferm/me.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+ file { '/etc/ferm/conf.d/defs.conf':
+ content => template('ferm/defs.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+
+ file { '/etc/ferm/conf.d/50-munin-interfaces.conf':
+ content => template('ferm/conf.d-munin-interfaces.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+ @ferm::rule { 'dsa-munin-interfaces-in':
+ prio => '001',
+ description => 'munin accounting',
+ chain => 'INPUT',
+ domain => '(ip ip6)',
+ rule => 'daddr ($MUNIN_IPS) NOP'
+ }
+ @ferm::rule { 'dsa-munin-interfaces-out':
+ prio => '001',
+ description => 'munin accounting',
+ chain => 'OUTPUT',
+ domain => '(ip ip6)',
+ rule => 'saddr ($MUNIN_IPS) NOP'
+ }
+
+ file { '/etc/ferm/dsa.d/010-base.conf':
+ content => template('ferm/dsa.d-010-base.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+
+ augeas { 'logrotate_ulogd2':
+ context => '/files/etc/logrotate.d/ulogd2',
+ changes => [
+ 'set rule/schedule daily',
+ 'set rule/delaycompress delaycompress',
+ 'set rule/rotate 10',
+ 'set rule/ifempty notifempty',
+ ],
+ }
+ file { '/etc/logrotate.d/ulogd':
+ ensure => absent,
+ }
+ file { '/etc/logrotate.d/ulogd.dpkg-bak':
+ ensure => absent,
+ }
+ file { '/etc/logrotate.d/ulogd.dpkg-dist':
+ ensure => absent,
+ }
+ }
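Review bot: The new `exec { "ferm reload": command => "service ferm reload", refreshonly => true }` drops the `path` the old resource carried and does not qualify the command, so unless an `Exec { path => ... }` default is declared elsewhere in the manifests, Puppet rejects `service ferm reload` as unqualified and every `notify => Exec['ferm reload']` in this class fails — the updated ruleset lands on disk but is never loaded. Qualifying it, `command => '/usr/sbin/service ferm reload',`, or restoring `path => '/usr/sbin:/usr/bin:/sbin:/bin',` keeps firewall changes from silently not taking effect. The `service { 'ferm': hasstatus => false, status => '/bin/true' }` declaration also makes Puppet always see the firewall as running, so a host whose rules failed to load is indistinguishable from a healthy one in Puppet reports; if that is deliberate because ferm has no long-running daemon, a comment above it stating so (e.g. `# ferm is not a daemon; status is stubbed so refreshes still work`) would stop the next reader from treating it as a bug.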