comparison manifests/templates.pp @ 292:3e04f35dd0af

Turn Fail2ban setup into a module

We now:
* Don't have a large class outside a module
* Build "bad SSH users" config from a list (easier to understand/see diffs in than a long line)
* Use modern EPP files
author IBBoard <dev@ibboard.co.uk>
date Sat, 18 Jan 2020 15:17:03 +0000
parents 1182a180085d
children 61e90445c899
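--- a/manifests/templates.pp
+++ b/manifests/templates.pp
@@ -332,81 +332,10 @@
   file { '/etc/logwatch/conf/logfiles/mysql.conf':
     source => 'puppet:///common/logwatch/logfiles_mysql.conf',
   }
   file { '/etc/logwatch/conf/services/mysql.conf':
     source => 'puppet:///common/logwatch/services_mysql.conf',
-  }
-}
-
-class fail2ban (
-  $firewall_cmd,
-) {
-  package { 'fail2ban':
-    ensure => installed,
-  }
-  service { 'fail2ban':
-    ensure => running,
-    enable => true
-  }
-  File {
-    ensure => present,
-    require => Package['fail2ban'],
-    notify => Service['fail2ban'],
-  }
-  file { '/etc/fail2ban/fail2ban.local':
-    source => 'puppet:///common/fail2ban/fail2ban.local',
-  }
-  file { '/etc/fail2ban/jail.local':
-    source => 'puppet:///common/fail2ban/jail.local',
-  }
-  file { '/etc/fail2ban/action.d/apf.conf':
-    source => 'puppet:///common/fail2ban/apf.conf',
-  }
-
-  if $firewall_cmd == 'iptables' {
-    $firewall_ban_cmd = 'iptables-multiport'
-  } else {
-    $firewall_ban_cmd = $firewall_cmd
-  }
-
-  file { '/etc/fail2ban/action.d/firewall-ban.conf':
-    ensure => link,
-    target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
-  }
-  file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
-    source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
-    source => 'puppet:///common/fail2ban/ibb-apache-shellshock.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
-    source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
-    source => 'puppet:///common/fail2ban/ibb-repeat-offender-ssh.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
-    source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
-    source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
-    source => 'puppet:///common/fail2ban/ibb-postfix.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
-    source => 'puppet:///common/fail2ban/ibb-sshd.conf',
-  }
-  file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
-    source => 'puppet:///common/fail2ban/ibb-sshd-bad-user.conf',
-  }
-  # Because one of our rules checks fail2ban's log, but the service dies without the file
-  file { '/var/log/fail2ban.log':
-    ensure => present,
-    owner => 'root',
-    group => 'root',
-    mode => '0600',
-  }
   }
 }
 
 #Our web server with our configs, not just a stock one
 class webserver (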