X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Finit.pp;h=daab55fd39c664f980e89e4b07598fda2603ed5b;hb=d0c098685b92334a611a0c596a35f538b95ead47;hp=904d83a9a21bc261c8b99345866fc66f87c1dedd;hpb=38339aa5456ff34cbc8bb5ba8b7690799d341d48;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 904d83a9a..daab55fd3 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -7,39 +7,42 @@
 # include ferm
 #
 class ferm {
- # realize (i.e. enable) all @ferm::rule virtual resources
- Ferm::Rule <| |>
-
  File { mode => '0400' }
  package { 'ferm': ensure => installed }
- package { 'ulogd':
+ package { 'ulogd2':
  ensure => installed
  }
+ package { 'ulogd':
+ # Remove instead of purge ulogd because it deletes log files on purge.
+ ensure => absent
+ }
  service { 'ferm':
  hasstatus => false,
  status => '/bin/true',
  }
+ exec {
+ "ferm reload":
+ command => "service ferm reload",
+ refreshonly => true,
+ }
- $munin_ips = split(regsubst($::v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
- munin::check { $munin_ips: script => 'ip_', }
+ $munin_ips = getfromhash($deprecated::nodeinfo, 'misc', 'v4addrs')
+ .map |$addr| { "ip_${addr}" }
- if $v6ips {
- $munin6_ips = split(regsubst($::v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
- munin::ipv6check { $munin6_ips: }
- }
+ munin::check { $munin_ips: script => 'ip_', }
- # get rid of old stuff
- $munin6_ip6s = split(regsubst($::v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
- munin::check { $munin6_ip6s: ensure => absent }
+ $munin6_ips = getfromhash($deprecated::nodeinfo, 'misc', 'v6addrs')
+ .map |$addr| { "ip_${addr}" }
+ munin::ipv6check { $munin6_ips: }
  file { '/etc/ferm':
  ensure => directory,
- notify => Service['ferm'],
+ notify => Exec['ferm reload'],
  require => Package['ferm'],
  mode => '0755'
  }
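Review bot: The new `exec { "ferm reload": ... }` runs a bare `service ferm reload` with no `path` attribute, so unless a resource default for Exec supplies one elsewhere, Puppet rejects the command as unqualified and every `notify => Exec['ferm reload']` in this class ends in a failed refresh rather than a reload; it also has no ordering against the package, so a fresh host can be asked to reload ferm before it is installed. I would add `path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],` and `require => Package['ferm'],` to the exec. Separately, dropping `Ferm::Rule <| |>` means any rules still declared as virtual `@ferm::rule` in other manifests are no longer realized by this class; if that collector has not moved elsewhere, those firewall rules would silently stop being applied, which is worth confirming before merging. The class body continues past the end of the hunk.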
@@ -62,29 +65,67 @@ class ferm {
  file { '/etc/default/ferm':
  source => 'puppet:///modules/ferm/ferm.default',
  require => Package['ferm'],
- notify => Service['ferm'],
+ notify => Exec['ferm reload'],
  mode => '0444',
  }
  file { '/etc/ferm/ferm.conf':
- source => 'puppet:///modules/ferm/ferm.conf',
- notify => Service['ferm'],
+ content => template('ferm/ferm.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+ file { '/etc/ferm/conf.d/00-init.conf':
+ content => template('ferm/00-init.conf.erb'),
+ notify => Exec['ferm reload'],
  }
  file { '/etc/ferm/conf.d/me.conf':
  content => template('ferm/me.conf.erb'),
- notify => Service['ferm'],
+ notify => Exec['ferm reload'],
  }
  file { '/etc/ferm/conf.d/defs.conf':
  content => template('ferm/defs.conf.erb'),
- notify => Service['ferm'],
+ notify => Exec['ferm reload'],
  }
- file { '/etc/ferm/conf.d/interfaces.conf':
- content => template('ferm/interfaces.conf.erb'),
- notify => Service['ferm'],
+
+ file { '/etc/ferm/conf.d/50-munin-interfaces.conf':
+ content => template('ferm/conf.d-munin-interfaces.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+ ferm::rule { 'dsa-munin-interfaces-in':
+ prio => '001',
+ description => 'munin accounting',
+ chain => 'INPUT',
+ domain => '(ip ip6)',
+ rule => 'daddr ($MUNIN_IPS) NOP'
+ }
+ ferm::rule { 'dsa-munin-interfaces-out':
+ prio => '001',
+ description => 'munin accounting',
+ chain => 'OUTPUT',
+ domain => '(ip ip6)',
+ rule => 'saddr ($MUNIN_IPS) NOP'
+ }
+
+ file { '/etc/ferm/dsa.d/010-base.conf':
+ content => template('ferm/dsa.d-010-base.conf.erb'),
+ notify => Exec['ferm reload'],
+ }
+
+ augeas { 'logrotate_ulogd2':
+ context => '/files/etc/logrotate.d/ulogd2',
+ changes => [
+ 'set rule/schedule daily',
+ 'set rule/delaycompress delaycompress',
+ 'set rule/rotate 10',
+ 'set rule/ifempty notifempty',
+ ],
  }
  file { '/etc/logrotate.d/ulogd':
- source => 'puppet:///modules/ferm/logrotate-ulogd',
- mode => '0444',
- require => Package['debian.org'],
+ ensure => absent,
+ }
+ file { '/etc/logrotate.d/ulogd.dpkg-bak':
+ ensure => absent,
+ }
+ file { '/etc/logrotate.d/ulogd.dpkg-dist':
+ ensure => absent,
+ }
 }
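Review bot: The new `augeas { 'logrotate_ulogd2': ... }` edits `/etc/logrotate.d/ulogd2` without `require => Package['ulogd2']`, so on a host where ulogd2 is not yet installed it can run before the package drops that file and either fail or leave a partial stanza that the package's own conffile then collides with; `require => Package['ulogd2'],` pins the order (the old logrotate file resource carried a package dependency for the same reason). The same question applies to `file { '/etc/ferm/dsa.d/010-base.conf': ... }`: nothing in this hunk creates `/etc/ferm/dsa.d`, and Puppet does not create parent directories, so unless it is managed outside the hunk a `file { '/etc/ferm/dsa.d': ensure => directory }` resource is needed for a fresh host. The `$MUNIN_IPS` used by both `ferm::rule` resources is presumably defined in the 50-munin-interfaces template; since a ferm parse error makes the reload fail rather than apply a partial ruleset, it is worth confirming that definition is included before the dsa.d rule files. The enclosing class closes at the end of the hunk.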