ffd3261e3589ae11fd0b1411aaaafbe317f14476
[mirror/dsa-puppet.git] / modules / roles / manifests / security_tracker.pp
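# Role for the host serving security-tracker.debian.org.
#
# Declares the Apache modules and vhost for the site, its TLS service
# entry, a firewall rule dropping listed abusive clients, and a packet
# mark plus helper script used for traffic shaping.
class roles::security_tracker {
        include apache2::ssl
        include apache2::proxy_http
        include apache2::expires

        apache2::module { 'mod_cache_disk':
                ensure => present,
        }

        # security-tracker abusers
        #  66.170.99.1  20180706 excessive number of requests
        #  66.170.99.2  20180706 excessive number of requests
        #
        # The list is static and has no expiry: entries stay blocked until
        # someone removes them here. Keep the comment table and the rule in
        # sync, and re-check old entries periodically.
        # NOTE(review): prio '000' presumably orders this rule ahead of the
        # accept rules; confirm against the ferm module.
        @ferm::rule { 'dsa-sectracker-abusers':
                prio => '000',
                rule => 'saddr (66.170.99.1 66.170.99.2) DROP',
        }

        # NOTE(review): key => true presumably also deploys the private key
        # for this service; confirm in ssl::service.
        ssl::service { 'security-tracker.debian.org':
                notify => Exec['service apache2 reload'],
                key    => true,
        }

        apache2::site { 'security-tracker.debian.org':
                site    => 'security-tracker.debian.org',
                content => template('roles/apache-security-tracker.debian.org.conf.erb'),
        }

        # Traffic shaping: mark outgoing TCP packets whose source port is 443
        # (the HTTPS responses) with mark 20 in mangle/OUTPUT.
        # NOTE(review): the traffic-shape script below presumably classifies
        # on this mark; confirm that the value matches the template.
        @ferm::rule { 'dsa-security-tracker-shape':
                table => 'mangle',
                chain => 'OUTPUT',
                rule  => 'proto tcp sport 443 MARK set-mark 20',
        }

        # The script is run by the exec below with the agent's privileges, so
        # its ownership is pinned explicitly rather than left to resource
        # defaults declared elsewhere: only root may be able to modify it.
        file { '/usr/local/sbin/traffic-shape':
                owner   => 'root',
                group   => 'root',
                mode    => '0755',
                content => template('roles/security-tracker/traffic-shape'),
                notify  => Exec['/usr/local/sbin/traffic-shape'],
        }

        # refreshonly: runs only when the file resource above changes and
        # notifies it, not on every agent run.
        exec { '/usr/local/sbin/traffic-shape':
                refreshonly => true,
        }
}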