From: Stephen Gran
Date: Sat, 20 Feb 2010 22:38:08 +0000 (+0000)
Subject: this should virtually work
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=78ceca7ca6540a83d24a89016263235c923543db;p=mirror%2Fdsa-puppet.git
this should virtually work
Signed-off-by: Stephen Gran
---
diff --git a/manifests/site.pp b/manifests/site.pp
index fb85a46d4..1c719fe7f 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -21,7 +21,6 @@ node default {
 $mxinfo = allnodeinfo("mXRecord")
- include ferm
 include munin-node
 include sudo
 include ssh
@@ -81,7 +80,7 @@ node default {
 }
 case $hostname {
- logtest01: { include ferm::real }
+ logtest01: { include ferm }
 }
 case $hostname {
 geo1,geo2,geo3: { include named::geodns }
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 1f413569c..cd2a4e40a 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -129,7 +129,7 @@ class apache2 {
 command => "/etc/init.d/apache2 force-reload",
 refreshonly => true,
 }
- ferm::rule { "dsa-apache":
+ @ferm::rule { "dsa-apache":
 domain => "(ip ip6)",
 description => "Allow web access",
 rule => "proto tcp mod state state (NEW) dport (80) ACCEPT"
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index 8ab4f6255..858527909 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
@@ -156,7 +156,7 @@ class exim {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-exim":
+ @ferm::rule { "dsa-exim":
 domain => "(ip ip6)",
 description => "Allow smtp access",
 rule => "proto tcp mod state state (NEW) dport (25) ACCEPT"
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 0fa60634d..709effc4d 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
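Review bot: With `include ferm` dropped from `node default` and only `logtest01` including `ferm`, every `@ferm::rule` in the modules stays virtual and is realized only by the collector inside class ferm, so on every other host this tree no longer manages the firewall at all. That looks like the staged rollout the title hints at, but nothing in site.pp records it; a comment at the `case $hostname` line, `# ferm is opt-in per host: @ferm::rule resources stay virtual (inert) until a node includes ferm`, would stop the next reader from assuming the dsa-* rules are in force everywhere. The same point applies to the second site.pp hunk, where `ferm::real` becomes `ferm`. Both hunks sit inside `node default`, whose body extends beyond them.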
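Review bot: Prefixing the declaration with `@` makes `Ferm::Rule["dsa-apache"]` virtual, so it is not evaluated at all on a node that does not include class ferm, and nothing in this file says so; someone reading apache2 on its own would assume port 80 is opened wherever the class is applied. A one-line comment above the resource, `# virtual: realized by the collector in class ferm; no firewall effect on nodes that do not include ferm`, documents that contract. The identical hunks in exim, munin-node, nagios::client, named, ntp and ssh need the same note. Each of these class bodies starts and ends outside its hunk.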
@@ -10,15 +10,41 @@ class ferm {
 }
 }
+ # realize (i.e. enable) all @ferm::rule virtual resources
+ Rule <| |>
+
+ package { ferm: ensure => installed }
+
 file {
- "/etc/ferm":
- ensure => directory;
- "/etc/ferm/dsa.d":
- ensure => directory;
+ "/etc/ferm/dsa.d":
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => "puppet:///files/empty/",
+ require => Package["ferm"];
+ "/etc/ferm/conf.d":
+ ensure => directory,
+ require => Package["ferm"];
+ "/etc/ferm/ferm.conf":
+ source => "puppet:///ferm/ferm.conf",
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
+ "/etc/ferm/conf.d/me.conf":
+ content => template("ferm/me.conf.erb"),
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
+ "/etc/ferm/conf.d/defs.conf":
+ source => "puppet:///ferm/defs.conf",
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
 }
 exec { "ferm restart":
- command => "/bin/true",
+ command => "/etc/init.d/ferm restart",
 refreshonly => true,
 }
diff --git a/modules/ferm/manifests/real.pp b/modules/ferm/manifests/real.pp
deleted file mode 100644
index 447ab751f..000000000
--- a/modules/ferm/manifests/real.pp
+++ /dev/null
@@ -1,30 +0,0 @@
-class ferm::real inherits ferm {
-
- package { ferm: ensure => installed }
-
- file {
- "/etc/ferm/conf.d":
- ensure => directory,
- require => Package["ferm"];
- "/etc/ferm/ferm.conf":
- source => "puppet:///ferm/ferm.conf",
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/me.conf":
- content => template("ferm/me.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/defs.conf":
- source => "puppet:///ferm/defs.conf",
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- }
-
- Exec["ferm restart"] {
- command => "/etc/init.d/ferm restart",
- refreshonly => true,
- }
-}
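Review bot: `Rule <| |>` names the collected type as bare `Rule`; whether that resolves to the `ferm::rule` defined type depends on namespace-relative lookup inside class ferm, and if it does not, the collector matches nothing and no `@ferm::rule` is ever realized — the fully qualified `Ferm::Rule <| |>` works either way and is what the comment above it describes. The collector is also unfiltered, so every host that includes ferm realizes every virtual rule in its catalog; that is acceptable only while the modules keep the restrictive `saddr` subchains they use today, and is worth stating in the comment. `Exec["ferm restart"]` is now a real restart notified by three managed files with no syntax check in between, so a broken `me.conf.erb` render is discovered by the restart itself rather than before it; a guard exec that runs ferm with `--noexec` on the generated config, required by the restart, would catch that earlier. Whether the files `ferm::rule` drops into the purged `/etc/ferm/dsa.d` carry their own ordering against `File["/etc/ferm/dsa.d"]` and the restart cannot be seen here, since the defined type is outside this diff. The class body continues past the hunk.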
diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp
index 93a4af709..5ddbf6eb3 100644
--- a/modules/munin-node/manifests/init.pp
+++ b/modules/munin-node/manifests/init.pp
@@ -75,7 +75,7 @@ class munin-node {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-munin":
+ @ferm::rule { "dsa-munin":
 description => "Allow munin from munin master",
 rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN) ACCEPT; }"
 }
diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp
index edfbbfadc..9cea3378a 100644
--- a/modules/nagios/manifests/client.pp
+++ b/modules/nagios/manifests/client.pp
@@ -45,7 +45,7 @@ class nagios::client inherits nagios {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-nagios":
+ @ferm::rule { "dsa-nagios":
 description => "Allow nrpe from nagios master",
 rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
 }
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 0bbcde321..65d4cc5f1 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -25,7 +25,7 @@ class named {
 mode => 775,
 ;
 }
- ferm::rule { "dsa-bind":
+ @ferm::rule { "dsa-bind":
 domain => "(ip ip6)",
 description => "Allow nameserver access",
 rule => "proto (udp tcp) mod state state (NEW) dport (53) ACCEPT"
diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp
index fb564641f..ace2f8f8d 100644
--- a/modules/ntp/manifests/init.pp
+++ b/modules/ntp/manifests/init.pp
@@ -25,7 +25,7 @@ class ntp {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- ferm::rule { "dsa-ntp":
+ @ferm::rule { "dsa-ntp":
 domain => "(ip ip6)",
 description => "Allow ntp access",
 rule => "proto udp mod state state (NEW) dport (123) ACCEPT"
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 452ce5dfb..c6d1646a6 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -38,11 +38,11 @@ class ssh {
 refreshonly => true,
 }
- ferm::rule { "dsa-ssh":
+ @ferm::rule { "dsa-ssh":
 description => "Allow SSH from DSA",
 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
 }
- ferm::rule { "dsa-ssh-v6":
+ @ferm::rule { "dsa-ssh-v6":
 description => "Allow SSH from DSA",
 domain => "ip6",
 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"