From 6395c342fbcb2968aded5df10dc8e5ab81e5486c Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 16 Sep 2019 08:12:22 +0200
Subject: [PATCH] whitespace/quoting: modules/ferm/manifests/ (make lint happy)
---
 modules/ferm/manifests/aql.pp | 14 +-
 modules/ferm/manifests/conf.pp | 66 +--
 modules/ferm/manifests/ftp_conntrack.pp | 32 +-
 modules/ferm/manifests/init.pp | 219 +++++----
 modules/ferm/manifests/module.pp | 40 +-
 modules/ferm/manifests/per_host.pp | 610 ++++++++++++------------
 modules/ferm/manifests/rule.pp | 31 +-
 7 files changed, 505 insertions(+), 507 deletions(-)
diff --git a/modules/ferm/manifests/aql.pp b/modules/ferm/manifests/aql.pp
index 466252f96..16540cc3d 100644
--- a/modules/ferm/manifests/aql.pp
+++ b/modules/ferm/manifests/aql.pp
@@ -1,10 +1,10 @@
 class ferm::aql {
- ferm::rule { 'dsa-drop-multicast':
- domain => 'ip',
- description => 'drop multicast traffic to avoid triggering protection',
- table => 'filter',
- chain => 'OUTPUT',
- rule => 'destination 224.0.0.0/4 jump log_or_drop'
- }
+ ferm::rule { 'dsa-drop-multicast':
+ domain => 'ip',
+ description => 'drop multicast traffic to avoid triggering protection',
+ table => 'filter',
+ chain => 'OUTPUT',
+ rule => 'destination 224.0.0.0/4 jump log_or_drop'
+ }
 }
diff --git a/modules/ferm/manifests/conf.pp b/modules/ferm/manifests/conf.pp
index 7457094e8..c016e09f3 100644
--- a/modules/ferm/manifests/conf.pp
+++ b/modules/ferm/manifests/conf.pp
@@ -1,41 +1,41 @@
 #
 define ferm::conf (
- $source=undef,
- $content=undef,
- $ensure=present,
- $prio="xx-10",
+ $source=undef,
+ $content=undef,
+ $ensure=present,
+ $prio='xx-10',
 ) {
- include ferm
+ include ferm
- case $ensure {
- present: {
- if ! ($source or $content) {
- fail ( "No configuration found for ${name}" )
- }
- }
- absent: {}
- default: { fail ( "Unknown ensure value: '$ensure'" ) }
- }
+ case $ensure {
+ present: {
+ if ! ($source or $content) {
+ fail ( "No configuration found for ${name}" )
+ }
+ }
+ absent: {}
+ default: { fail ( "Unknown ensure value: '${ensure}'" ) }
+ }
- if ($source and $content) {
- fail ( "Can't define both source and content for ${name}" )
- }
+ if ($source and $content) {
+ fail ( "Can't define both source and content for ${name}" )
+ }
- $fname = "/etc/ferm/conf.d/${prio}_${name}.conf"
+ $fname = "/etc/ferm/conf.d/${prio}_${name}.conf"
- if $content {
- file { $fname:
- ensure => $ensure,
- mode => '0400',
- content => $content,
- notify => Exec['ferm reload'],
- }
- } else {
- file { $fname:
- ensure => $ensure,
- mode => '0400',
- source => $source,
- notify => Exec['ferm reload'],
- }
- }
+ if $content {
+ file { $fname:
+ ensure => $ensure,
+ mode => '0400',
+ content => $content,
+ notify => Exec['ferm reload'],
+ }
+ } else {
+ file { $fname:
+ ensure => $ensure,
+ mode => '0400',
+ source => $source,
+ notify => Exec['ferm reload'],
+ }
+ }
 }
diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp
index d64d40956..ce84e98a3 100644
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
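Review bot: The resource title is interpolated unvalidated into the managed path at `$fname = "/etc/ferm/conf.d/${prio}_${name}.conf"`, so a title or `$prio` containing `/` or `..` would put the file outside conf.d; the same pattern is in module.pp (`load_${module}.conf`) and rule.pp (`dsa.d/${prio}_${name}`). Every caller visible on this page is an in-repo manifest, so the exposure is a typo rather than an attacker, but an anchored check at the top of the define makes the contract explicit: `if $name !~ /^[A-Za-z0-9_.-]+$/ { fail("Invalid ferm::conf name: ${name}") }`, with the same check on `$prio`. Separately, the two `file` blocks in the if/else differ only in `content` versus `source`; since an attribute set to undef is left unset, a single resource carrying both `content => $content,` and `source => $source,` does the same work in half the lines, and the exclusivity of the two parameters is already enforced by the `fail` above.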
@@ -1,19 +1,19 @@
 class ferm::ftp_conntrack {
- # Allow non-passive connections to an FTP server
- ferm::rule { 'dsa-ftp-conntrack-client':
- domain => '(ip ip6)',
- description => 'ftp client connection tracking',
- table => 'raw',
- chain => 'OUTPUT',
- rule => 'proto tcp dport 21 CT helper ftp'
- }
+ # Allow non-passive connections to an FTP server
+ ferm::rule { 'dsa-ftp-conntrack-client':
+ domain => '(ip ip6)',
+ description => 'ftp client connection tracking',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
- # Allow passive connections from an FTP client
- ferm::rule { 'dsa-ftp-conntrack-server':
- domain => '(ip ip6)',
- description => 'ftp server connection tracking',
- table => 'raw',
- chain => 'PREROUTING',
- rule => 'proto tcp dport 21 CT helper ftp'
- }
+ # Allow passive connections from an FTP client
+ ferm::rule { 'dsa-ftp-conntrack-server':
+ domain => '(ip ip6)',
+ description => 'ftp server connection tracking',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
 }
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index daab55fd3..51cccf39a 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -7,125 +7,124 @@ # include ferm # class ferm { - File { mode => '0400' } + File { mode => '0400' } - package { 'ferm': - ensure => installed - } - package { 'ulogd2': - ensure => installed - } - package { 'ulogd': - # Remove instead of purge ulogd because it deletes log files on purge. - ensure => absent - } + package { 'ferm': + ensure => installed + } + package { 'ulogd2': + ensure => installed + } + package { 'ulogd': + # Remove instead of purge ulogd because it deletes log files on purge. + ensure => absent + } - service { 'ferm': - hasstatus => false, - status => '/bin/true', - } - exec { - "ferm reload": - command => "service ferm reload", - refreshonly => true, - } + service { 'ferm': + hasstatus => false, + status => '/bin/true', + } + exec { 'ferm reload': + command => 'service ferm reload', + refreshonly => true, + } - $munin_ips = getfromhash($deprecated::nodeinfo, 'misc', 'v4addrs') - .map |$addr| { "ip_${addr}" } + $munin_ips = getfromhash($deprecated::nodeinfo, 'misc', 'v4addrs') + .map |$addr| { "ip_${addr}" } - munin::check { $munin_ips: script => 'ip_', } + munin::check { $munin_ips: script => 'ip_', } - $munin6_ips = getfromhash($deprecated::nodeinfo, 'misc', 'v6addrs') - .map |$addr| { "ip_${addr}" } - munin::ipv6check { $munin6_ips: } + $munin6_ips = getfromhash($deprecated::nodeinfo, 'misc', 'v6addrs') + .map |$addr| { "ip_${addr}" } + munin::ipv6check { $munin6_ips: } - file { '/etc/ferm': - ensure => directory, - notify => Exec['ferm reload'], - require => Package['ferm'], - mode => '0755' - } - file { '/etc/ferm/dsa.d': - ensure => directory, - mode => '0555', - purge => true, - force => true, - recurse => true, - source => 'puppet:///files/empty/', - } - file { '/etc/ferm/conf.d': - ensure => directory, - mode => '0555', - purge => true, - force => true, - recurse => true, - source => 'puppet:///files/empty/', - } - file { '/etc/default/ferm': - source => 'puppet:///modules/ferm/ferm.default', - require => Package['ferm'], - notify => 
Exec['ferm reload'], - mode => '0444', - } - file { '/etc/ferm/ferm.conf': - content => template('ferm/ferm.conf.erb'), - notify => Exec['ferm reload'], - } - file { '/etc/ferm/conf.d/00-init.conf': - content => template('ferm/00-init.conf.erb'), - notify => Exec['ferm reload'], - } - file { '/etc/ferm/conf.d/me.conf': - content => template('ferm/me.conf.erb'), - notify => Exec['ferm reload'], - } - file { '/etc/ferm/conf.d/defs.conf': - content => template('ferm/defs.conf.erb'), - notify => Exec['ferm reload'], - } + file { '/etc/ferm': + ensure => directory, + notify => Exec['ferm reload'], + require => Package['ferm'], + mode => '0755' + } + file { '/etc/ferm/dsa.d': + ensure => directory, + mode => '0555', + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/ferm/conf.d': + ensure => directory, + mode => '0555', + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/default/ferm': + source => 'puppet:///modules/ferm/ferm.default', + require => Package['ferm'], + notify => Exec['ferm reload'], + mode => '0444', + } + file { '/etc/ferm/ferm.conf': + content => template('ferm/ferm.conf.erb'), + notify => Exec['ferm reload'], + } + file { '/etc/ferm/conf.d/00-init.conf': + content => template('ferm/00-init.conf.erb'), + notify => Exec['ferm reload'], + } + file { '/etc/ferm/conf.d/me.conf': + content => template('ferm/me.conf.erb'), + notify => Exec['ferm reload'], + } + file { '/etc/ferm/conf.d/defs.conf': + content => template('ferm/defs.conf.erb'), + notify => Exec['ferm reload'], + } - file { '/etc/ferm/conf.d/50-munin-interfaces.conf': - content => template('ferm/conf.d-munin-interfaces.conf.erb'), - notify => Exec['ferm reload'], - } - ferm::rule { 'dsa-munin-interfaces-in': - prio => '001', - description => 'munin accounting', - chain => 'INPUT', - domain => '(ip ip6)', - rule => 'daddr ($MUNIN_IPS) NOP' - } - ferm::rule { 
'dsa-munin-interfaces-out': - prio => '001', - description => 'munin accounting', - chain => 'OUTPUT', - domain => '(ip ip6)', - rule => 'saddr ($MUNIN_IPS) NOP' - } + file { '/etc/ferm/conf.d/50-munin-interfaces.conf': + content => template('ferm/conf.d-munin-interfaces.conf.erb'), + notify => Exec['ferm reload'], + } + ferm::rule { 'dsa-munin-interfaces-in': + prio => '001', + description => 'munin accounting', + chain => 'INPUT', + domain => '(ip ip6)', + rule => 'daddr ($MUNIN_IPS) NOP' + } + ferm::rule { 'dsa-munin-interfaces-out': + prio => '001', + description => 'munin accounting', + chain => 'OUTPUT', + domain => '(ip ip6)', + rule => 'saddr ($MUNIN_IPS) NOP' + } - file { '/etc/ferm/dsa.d/010-base.conf': - content => template('ferm/dsa.d-010-base.conf.erb'), - notify => Exec['ferm reload'], - } + file { '/etc/ferm/dsa.d/010-base.conf': + content => template('ferm/dsa.d-010-base.conf.erb'), + notify => Exec['ferm reload'], + } - augeas { 'logrotate_ulogd2': - context => '/files/etc/logrotate.d/ulogd2', - changes => [ - 'set rule/schedule daily', - 'set rule/delaycompress delaycompress', - 'set rule/rotate 10', - 'set rule/ifempty notifempty', - ], - } - file { '/etc/logrotate.d/ulogd': - ensure => absent, - } - file { '/etc/logrotate.d/ulogd.dpkg-bak': - ensure => absent, - } - file { '/etc/logrotate.d/ulogd.dpkg-dist': - ensure => absent, - } + augeas { 'logrotate_ulogd2': + context => '/files/etc/logrotate.d/ulogd2', + changes => [ + 'set rule/schedule daily', + 'set rule/delaycompress delaycompress', + 'set rule/rotate 10', + 'set rule/ifempty notifempty', + ], + } + file { '/etc/logrotate.d/ulogd': + ensure => absent, + } + file { '/etc/logrotate.d/ulogd.dpkg-bak': + ensure => absent, + } + file { '/etc/logrotate.d/ulogd.dpkg-dist': + ensure => absent, + } } diff --git a/modules/ferm/manifests/module.pp b/modules/ferm/manifests/module.pp index ead8136d7..e5c1d5f90 100644 --- a/modules/ferm/manifests/module.pp +++ b/modules/ferm/manifests/module.pp 
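Review bot: The `exec { 'ferm reload': command => 'service ferm reload', refreshonly => true, }` resource gives a relative command and no `path`, which Puppet rejects when the catalog is applied unless an `Exec { path => ... }` default is declared elsewhere (plausible, since the pre-commit form was the same, but nothing on this page shows it); making it self-contained is one line, `command => '/usr/sbin/service ferm reload',`. The `service { 'ferm': hasstatus => false, status => '/bin/true', }` resource sets no `ensure`, and with `/bin/true` as the status command Puppet always believes the firewall is up, so a ferm that failed to load at boot is never started by a Puppet run. If that is deliberate because the rules are applied through the reload exec, a one-line comment above the resource, `# no ensure: ferm is loaded by the reload exec, not supervised here`, would save the next reader the question.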
@@ -1,26 +1,26 @@
 define ferm::module (
- $hookstage='pre',
- $mod=undef,
- $ensure=present
+ $hookstage='pre',
+ $mod=undef,
+ $ensure=present
 ) {
- case $ensure {
- present,absent: {}
- default: { fail ( "Invalid ensure `${ensure}' for ${name}" ) }
- }
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invalid ensure `${ensure}' for ${name}" ) }
+ }
- if $mod {
- $module = $mod
- } else {
- $module = $title
- }
+ if $mod {
+ $module = $mod
+ } else {
+ $module = $title
+ }
- if $::kernel == 'Linux' {
- file { "/etc/ferm/conf.d/load_${module}.conf":
- ensure => $ensure,
- content => template('ferm/load_module.erb'),
- require => Package['ferm'],
- notify => Exec['ferm reload']
- }
- }
+ if $::kernel == 'Linux' {
+ file { "/etc/ferm/conf.d/load_${module}.conf":
+ ensure => $ensure,
+ content => template('ferm/load_module.erb'),
+ require => Package['ferm'],
+ notify => Exec['ferm reload']
+ }
+ }
 }
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index fb38cb3fd..2da64cd5f 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -1,319 +1,319 @@ class ferm::per_host { - if $::hostname in [zandonai,zelenka] { - include ferm::zivit - } + if $::hostname in [zandonai,zelenka] { + include ferm::zivit + } - if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == "aql") { - include ferm::aql - } + if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == 'aql') { + include ferm::aql + } - case $::hostname { - czerny,clementi: { - ferm::rule { 'dsa-upsmon': - description => 'Allow upsmon access', - rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))' - } - } - kaufmann: { - ferm::rule { 'dsa-hkp': - domain => '(ip ip6)', - description => 'Allow hkp access', - rule => '&SERVICE(tcp, 11371)' - } - } - gombert: { - ferm::rule { 'dsa-infinoted': - domain => '(ip ip6)', - description => 'Allow infinoted access', - rule => '&SERVICE(tcp, 6523)' - } - } - draghi: { - ferm::rule { 'dsa-finger': - domain => '(ip ip6)', - description => 'Allow finger access', - rule => '&SERVICE(tcp, 79)' - } - ferm::rule { 'dsa-ldap': - domain => '(ip ip6)', - description => 'Allow ldap access', - rule => '&SERVICE(tcp, 389)' - } - ferm::rule { 'dsa-ldaps': - domain => '(ip ip6)', - description => 'Allow ldaps access', - rule => '&SERVICE(tcp, 636)' - } - } - default: {} - } + case $::hostname { + czerny,clementi: { + ferm::rule { 'dsa-upsmon': + description => 'Allow upsmon access', + rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))' + } + } + kaufmann: { + ferm::rule { 'dsa-hkp': + domain => '(ip ip6)', + description => 'Allow hkp access', + rule => '&SERVICE(tcp, 11371)' + } + } + gombert: { + ferm::rule { 'dsa-infinoted': + domain => '(ip ip6)', + description => 'Allow infinoted access', + rule => '&SERVICE(tcp, 6523)' + } + } + draghi: { + ferm::rule { 'dsa-finger': + domain => '(ip ip6)', + description => 'Allow finger access', + rule => '&SERVICE(tcp, 79)' + } + ferm::rule { 'dsa-ldap': + domain => '(ip ip6)', + description => 'Allow ldap access', + rule => 
'&SERVICE(tcp, 389)' + } + ferm::rule { 'dsa-ldaps': + domain => '(ip ip6)', + description => 'Allow ldaps access', + rule => '&SERVICE(tcp, 636)' + } + } + default: {} + } - case $::hostname { - bm-bl1,bm-bl2: { - ferm::rule { 'dsa-vrrp': - rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT', - } - ferm::rule { 'dsa-bind-notrack-in': - domain => 'ip', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'PREROUTING', - rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' - } + case $::hostname { + bm-bl1,bm-bl2: { + ferm::rule { 'dsa-vrrp': + rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT', + } + ferm::rule { 'dsa-bind-notrack-in': + domain => 'ip', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'PREROUTING', + rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' + } - ferm::rule { 'dsa-bind-notrack-out': - domain => 'ip', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'OUTPUT', - rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' - } + ferm::rule { 'dsa-bind-notrack-out': + domain => 'ip', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'OUTPUT', + rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' + } - ferm::rule { 'dsa-bind-notrack-in6': - domain => 'ip6', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'PREROUTING', - rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' - } + ferm::rule { 'dsa-bind-notrack-in6': + domain => 'ip6', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'PREROUTING', + rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' + } - ferm::rule { 'dsa-bind-notrack-out6': - domain => 'ip6', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'OUTPUT', - rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 
jump NOTRACK' - } - } - default: {} - } + ferm::rule { 'dsa-bind-notrack-out6': + domain => 'ip6', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'OUTPUT', + rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK' + } + } + default: {} + } - # postgres stuff - case $::hostname { - ullmann: { - ferm::rule { 'dsa-postgres-udd': - description => 'Allow postgress access', - domain => '(ip ip6)', - # quantz, master, coccia - rule => @("EOF") - &SERVICE_RANGE(tcp, 5452, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'master.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } - )) - | EOF - } - } - fasolo: { - ferm::rule { 'dsa-postgres': - description => 'Allow postgress access', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5433, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'bmdb1.debian.org', 'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST - )) - | EOF - } - } - bmdb1: { - ferm::rule { 'dsa-postgres-main': - description => 'Allow postgress access to cluster: main', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5435, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'ticharich.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } - ${ 
join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'rusca.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST - )) - | EOF - } - ferm::rule { 'dsa-postgres-dak': - description => 'Allow postgress access to cluster: dak', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5434, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } - )) - | EOF - } - ferm::rule { 'dsa-postgres-wannabuild': - description => 'Allow postgress access to cluster: wannabuild', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5436, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST - )) - | EOF - } - ferm::rule { 'dsa-postgres-bacula': - description => 'Allow postgress access to cluster: bacula', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5437, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'dinis.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'storace.debian.org', 
'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST - )) - | EOF - } - ferm::rule { 'dsa-postgres-dedup': - description => 'Allow postgress access to cluster: dedup', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5439, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'delfin.debian.org', 'ipHostNumber'), " ") } - )) - | EOF - } - ferm::rule { 'dsa-postgres-debsources': - description => 'Allow postgress access to cluster: debsources', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5440, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST - )) - | EOF - } - } - danzi: { - ferm::rule { 'dsa-postgres-danzi': - # ubc, wuiet - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))' - } - ferm::rule { 'dsa-postgres-danzi6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))' - } + # postgres stuff + case $::hostname { + ullmann: { + ferm::rule { 'dsa-postgres-udd': + description => 'Allow postgress access', + domain => '(ip ip6)', + # quantz, master, coccia + rule => @("EOF") + &SERVICE_RANGE(tcp, 5452, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'master.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } + )) + | EOF + } + } + fasolo: { + ferm::rule { 'dsa-postgres': + description => 'Allow postgress access', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5433, ( + ${ 
join(getfromhash($deprecated::allnodeinfo, 'bmdb1.debian.org', 'ipHostNumber'), " ") } + \$HOST_PGBACKUPHOST + )) + | EOF + } + } + bmdb1: { + ferm::rule { 'dsa-postgres-main': + description => 'Allow postgress access to cluster: main', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5435, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'ticharich.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'rusca.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") } + \$HOST_PGBACKUPHOST + )) + | EOF + } + ferm::rule { 'dsa-postgres-dak': + description => 'Allow postgress access to cluster: dak', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5434, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } + )) + | EOF + } + ferm::rule { 'dsa-postgres-wannabuild': + description => 'Allow 
postgress access to cluster: wannabuild', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5436, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } + \$HOST_PGBACKUPHOST + )) + | EOF + } + ferm::rule { 'dsa-postgres-bacula': + description => 'Allow postgress access to cluster: bacula', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5437, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'dinis.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'storace.debian.org', 'ipHostNumber'), " ") } + \$HOST_PGBACKUPHOST + )) + | EOF + } + ferm::rule { 'dsa-postgres-dedup': + description => 'Allow postgress access to cluster: dedup', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5439, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'delfin.debian.org', 'ipHostNumber'), " ") } + )) + | EOF + } + ferm::rule { 'dsa-postgres-debsources': + description => 'Allow postgress access to cluster: debsources', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5440, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") } + \$HOST_PGBACKUPHOST + )) + | EOF + } + } + danzi: { + ferm::rule { 'dsa-postgres-danzi': + # ubc, wuiet + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))' + } + ferm::rule { 'dsa-postgres-danzi6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))' + } - ferm::rule { 'dsa-postgres2-danzi': - description => 'Allow postgress access2', - rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))' - } 
- ferm::rule { 'dsa-postgres2-danzi6': - domain => 'ip6', - description => 'Allow postgress access2', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))' - } - } - seger: { - ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' - } - ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' - } - } - sallinen: { - ferm::rule { 'dsa-postgres': - description => 'Allow postgress access', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5473, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'lw07.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'snapshotdb-manda-01.debian.org', 'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST - )) - | EOF - } - } - lw07: { - ferm::rule { 'dsa-postgres-snapshot': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))' - } - ferm::rule { 'dsa-postgres-snapshot6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))' - } - } - snapshotdb-manda-01: { - ferm::rule { 'dsa-postgres-snapshot': - domain => '(ip ip6)', - description => 'Allow postgress access from leaseweb (lw07 and friends)', - rule => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))' - } - } - default: {} - } - # vpn fu - case $::hostname { - draghi: { - ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; + ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))' + } + ferm::rule { 'dsa-postgres2-danzi6': + domain => 'ip6', + 
description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))' + } + } + seger: { + ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' + } + ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' + } + } + sallinen: { + ferm::rule { 'dsa-postgres': + description => 'Allow postgress access', + domain => '(ip ip6)', + rule => @("EOF"/$) + &SERVICE_RANGE(tcp, 5473, ( + ${ join(getfromhash($deprecated::allnodeinfo, 'lw07.debian.org', 'ipHostNumber'), " ") } + ${ join(getfromhash($deprecated::allnodeinfo, 'snapshotdb-manda-01.debian.org', 'ipHostNumber'), " ") } + \$HOST_PGBACKUPHOST + )) + | EOF + } + } + lw07: { + ferm::rule { 'dsa-postgres-snapshot': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))' + } + ferm::rule { 'dsa-postgres-snapshot6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))' + } + } + snapshotdb-manda-01: { + ferm::rule { 'dsa-postgres-snapshot': + domain => '(ip ip6)', + description => 'Allow postgress access from leaseweb (lw07 and friends)', + rule => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))' + } + } + default: {} + } + # vpn fu + case $::hostname { + draghi: { + ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; mod state state (ESTABLISHED RELATED) ACCEPT; interface tun+ ACCEPT; REJECT reject-with icmp-admin-prohibited ' - } - ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - ferm::rule { 'dsa-vpn-nat': - 
table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } - } - ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: { - ferm::rule { 'dsa-ssh-priv': - description => 'Allow ssh access', - rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))', - } - } - ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: { - ferm::rule { 'dsa-ssh-priv': - description => 'Allow ssh access', - rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))', - } - } - default: {} - } - # tftp - case $::hostname { - abel: { - ferm::rule { 'dsa-tftp': - description => 'Allow tftp access', - rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))' - } - } - master: { - ferm::rule { 'dsa-tftp': - description => 'Allow tftp access', - rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))' - } - } - } + } + ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: { + ferm::rule { 'dsa-ssh-priv': + description => 'Allow ssh access', + rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))', + } + } + ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: { + ferm::rule { 'dsa-ssh-priv': + description => 'Allow ssh access', + rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))', + } + } + default: {} + } + # tftp + case $::hostname { + abel: { + ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))' + } + } + master: { + ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))' + } + } + } } diff --git a/modules/ferm/manifests/rule.pp b/modules/ferm/manifests/rule.pp index 945f3dc51..555087564 100644 --- a/modules/ferm/manifests/rule.pp 
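Review bot: Every selector in this class keys the host-specific allow rules (`dsa-ssh-priv`, the postgres `SERVICE_RANGE` grants, `dsa-vpn`) off `$::hostname`, which is a fact the agent reports about itself rather than an identity the master has verified, so the firewall openings a node receives depend on a value the node chooses. The file already uses Puppet 4 heredocs, so `$trusted['certname']` is available and comes from the agent's CA-signed certificate; switching to `case $trusted['certname'] {` (with FQDN-form match arms such as `'<host>.debian.org'`) ties the selection to something the master checked, and if the fleet guarantees certname and hostname agree, a comment at the top of the class stating that assumption is the lighter fix. On the style side, the lint pass quoted `'aql'` but left the bare-word host list `[zandonai,zelenka]` and the case arms (`czerny,clementi:` and the rest) unquoted, which the same linter normally flags.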
+++ b/modules/ferm/manifests/rule.pp
@@ -1,20 +1,19 @@
 define ferm::rule (
- $rule,
- $domain='ip',
- $table='filter',
- $chain='INPUT',
- $description='',
- $prio='10',
- $notarule=false
+ $rule,
+ $domain='ip',
+ $table='filter',
+ $chain='INPUT',
+ $description='',
+ $prio='10',
+ $notarule=false
 ) {
+ include ferm
- include ferm
-
- file {
- "/etc/ferm/dsa.d/${prio}_${name}":
- ensure => present,
- mode => '0400',
- content => template('ferm/ferm_rule.erb'),
- notify => Exec['ferm reload'],
- }
+ file {
+ "/etc/ferm/dsa.d/${prio}_${name}":
+ ensure => 'present',
+ mode => '0400',
+ content => template('ferm/ferm_rule.erb'),
+ notify => Exec['ferm reload'],
+ }
 }
--
2.20.1