other/Puppet: manifests/templates.pp comparison

comparison manifests/templates.pp @ 279:e36b7f4f85f2

Start to support IPv6 servers * Assumed only one or the other, not dual stack * Removed old VPS setup * Removed "secondary IP", added IPv4-to-6 forwarding * Updated firewall rules * Moved HTTP firewall rules to website module so it can do the right thing based on IP address families

author	IBBoard <dev@ibboard.co.uk>
date	Sat, 15 Feb 2020 13:52:30 +0000
parents	165ad12ea8ca
children	af7df930a670

comparison

equal deleted inserted replaced

-:a8bf3a400712
+:e36b7f4f85f2
 	}
 }
 class basevpsnode (
 	$primary_ip,
-	$secondary_ip,
+	$proxy_6to4_ip = undef,
+	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	) {
 	if $firewall_cmd == 'iptables' {
-		include vpsfirewall
+		class { 'vpsfirewall':
+			fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'},
+		}
 	}
 	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
 	file { '/etc/hosts':
 		ensure => present,
 	include ssh::server
 	include vcs::server
 	include vcs::client
 	class { 'webserver':
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_upstream => $proxy_upstream,
 	}
 	include cronjobs
 	include logrotate
 	class { 'fail2ban':
 		firewall_cmd => $firewall_cmd,
 	}
 }
 ## Classes to allow facet behaviour using preconfigured setups of classes
-class vpsfirewall {
+class vpsfirewall ($fw_protocol) {
 	resources { "firewall":
 		purge => false,
 	}
-	firewallchain { 'INPUT:filter:IPv4':
+	class { "my_fw":
-		purge => true,
+		ip_version => $fw_protocol,
+	}
+	# Control what does and doesn't get pruned in the main filter chain
+	firewallchain { "INPUT:filter:$fw_protocol":
+		purge => true,
 		ignore => [
 			'-j f2b-[^ ]+$',
 			'^(:|-A )f2b-',
 			'--comment "Great Firewall of China"',
 			'--comment "Do not purge',
 			],
 	}
-	Firewall {
+	if ($fw_protocol != "IPv6") {
-		before => Class['my_fw::post'],
+		firewall { '010 Whitelist Googlebot':
-		require => Class['my_fw::pre'],
+			source => '66.249.64.0/19',
-	}
+			dport => [80,443],
-	class { ['my_fw::pre', 'my_fw::post']: }
+			proto => tcp,
-	class { 'firewall': }
+			action => accept,
-	firewall { '010 Whitelist Googlebot':
+		}
-		source => '66.249.64.0/19',
+		# Block a spammer hitting our contact forms (also on StopForumSpam list A LOT)
-		dport => [80,443],
+		firewall { '099 Blacklist spammers 1':
-		proto => tcp,
+			source => '107.181.78.172',
-		action => accept,
+			dport => [80, 443],
-	}
+			proto => tcp,
-	# Block a spammer hitting our contact forms (also on StopForumSpam list A LOT)
+			action => 'reject',
-	firewall { '099 Blacklist spammers 1':
+		}
-		source => '107.181.78.172',
+		firewall { '099 Blacklist IODC bot':
-		dport => [80, 443],
+			# IODC bot makes too many bad requests, and contact form is broken
-		proto => tcp,
+			# They don't publish a robots.txt name, so firewall it!
-		action => 'reject',
+			source => '86.153.145.149',
-	}
+			dport => [ 80, 443 ],
-	firewall { '099 Blacklist IODC bot':
+			proto => tcp,
-		# IODC bot makes too many bad requests, and contact form is broken
+			action => 'reject',
-		# They don't publish a robots.txt name, so firewall it!
+		}
-		source => '86.153.145.149',
+		firewall { '099 Blacklist Baidu Brazil':
-		dport => [ 80, 443 ],
+			#Baidu got a Brazilian netblock and are hitting us hard
-		proto => tcp,
+			#Baidu doesn't honour "crawl-delay" in robots.txt
-		action => 'reject',
+			#Baidu gets firewalled
-	}
+			source => '131.161.8.0/22',
-	firewall { '099 Blacklist Baidu Brazil':
+			dport => [ 80, 443 ],
-		#Baidu got a Brazilian netblock and are hitting us hard
+			proto => tcp,
-		#Baidu doesn't honour "crawl-delay" in robots.txt
+			action => 'reject',
-		#Baidu gets firewalled
+		}
-		source => '131.161.8.0/22',
+	}
-		dport => [ 80, 443 ],
+	firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol":
-		proto => tcp,
-		action => 'reject',
-	}
-	firewallchain { 'GREATFIREWALLOFCHINA:filter:IPv4':
 		ensure => present,
 	}
 	firewall { '050 Check our Great Firewall Against China':
 		chain => 'INPUT',
 		jump => 'GREATFIREWALLOFCHINA',
 	}
-	firewallchain { 'Fail2Ban:filter:IPv4':
+	firewallchain { "Fail2Ban:filter:$fw_protocol":
 		ensure => present,
 	}
 	firewall { '060 Check Fail2Ban':
 		chain => 'INPUT',
 		jump => 'Fail2Ban',
-	}
-	firewall { '100 allow https and http':
-		dport => [80, 443],
-		proto => tcp,
-		action => accept,
 	}
 	firewall { '101 allow SMTP':
 		dport => [25, 465],
 		proto => tcp,
 		action => accept,
 }
 #Our web server with our configs, not just a stock one
 class webserver (
 	$primary_ip,
-	$secondary_ip,
+	$proxy_6to4_ip = undef,
+	$proxy_upstream = undef,
 	) {
 	#Setup base website parameters
 	class { 'website':
 		base_dir => '/srv/sites',
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_upstream => $proxy_upstream,
 		default_owner => $defaultusers::default_user,
 		default_group => $defaultusers::default_user,
 		default_tld => 'co.uk',
 		default_extra_tlds => [ 'com' ],
 	}
 	}
 }
 class ibboardvpsnode (
 	$primary_ip,
-	$secondary_ip = $primary_ip,
+	$proxy_6to4_ip = undef,
+	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
 		firewall_cmd => $firewall_cmd,
 	}

Mercurial > repos > other > Puppet

comparison manifests/templates.pp @ 279:e36b7f4f85f2