diff manifests/templates.pp @ 279:e36b7f4f85f2

Start to support IPv6 servers * Assumed only one or the other, not dual stack * Removed old VPS setup * Removed "secondary IP", added IPv4-to-6 forwarding * Updated firewall rules * Moved HTTP firewall rules to website module so it can do the right thing based on IP address families
author IBBoard <dev@ibboard.co.uk>
date Sat, 15 Feb 2020 13:52:30 +0000
parents 165ad12ea8ca
children af7df930a670
--- a/manifests/templates.pp	Sat Feb 15 13:12:44 2020 +0000
+++ b/manifests/templates.pp	Sat Feb 15 13:52:30 2020 +0000
@@ -27,14 +27,17 @@
 
 class basevpsnode (
 	$primary_ip,
-	$secondary_ip,
+	$proxy_6to4_ip = undef,
+	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	) {
 
 	if $firewall_cmd == 'iptables' {
-		include vpsfirewall
+		class { 'vpsfirewall':
+			fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'},
+		}
 	}
 
 	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
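Review bot: The family selection on the `fw_protocol` line keys off an untyped `$primary_ip`, so any value that is not a well-formed IPv6 address — a typo, an empty string, a hostname — silently selects 'IPv4' instead of failing catalog compilation. Typing the parameter makes the contract explicit: `Stdlib::IP::Address $primary_ip,` (and `Optional[Stdlib::IP::Address::V4] $proxy_6to4_ip = undef,` if the 6to4 proxy address is always IPv4, which this hunk does not show). The same untyped parameters are introduced on `webserver` and `ibboardvpsnode` in the later hunks, so the types belong on all three. A one-line comment on `$proxy_6to4_ip`/`$proxy_upstream` would also help, since their meaning currently lives only in the commit message, e.g. `# Presumably the IPv4 address/upstream used for IPv4-to-IPv6 forwarding — confirm`. The class body continues past the hunk.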
@@ -53,7 +56,8 @@
 	include vcs::client
 	class { 'webserver':
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_upstream => $proxy_upstream,
 	}
 	include cronjobs
 	include logrotate
@@ -69,12 +73,16 @@
 
 ## Classes to allow facet behaviour using preconfigured setups of classes
 
-class vpsfirewall {
+class vpsfirewall ($fw_protocol) {
 	resources { "firewall":
 		purge => false,
 	}
-	firewallchain { 'INPUT:filter:IPv4':
-		purge => true,		
+	class { "my_fw":
+		ip_version => $fw_protocol,
+	}
+	# Control what does and doesn't get pruned in the main filter chain
+	firewallchain { "INPUT:filter:$fw_protocol":
+		purge => true,
 		ignore => [
 			'-j f2b-[^ ]+$',
 			'^(:|-A )f2b-',
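Review bot: `$fw_protocol` on the `class vpsfirewall` line is untyped, yet it is interpolated into the chain title at `INPUT:filter:$fw_protocol` and compared against the literal "IPv6" in the next hunk, so any other spelling (e.g. 'ipv6') yields an invalid `firewallchain` title and falls into the IPv4 branch. Constrain it at the boundary so a bad value fails at compile time: `class vpsfirewall (Enum['IPv4', 'IPv6'] $fw_protocol) {`. The `ignore` list of the chain purge continues past the hunk.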
@@ -82,61 +90,52 @@
 			'--comment "Do not purge',
 			],
 	}
-	Firewall {
-		before => Class['my_fw::post'],
-		require => Class['my_fw::pre'],
-	}
-	class { ['my_fw::pre', 'my_fw::post']: }
-	class { 'firewall': }
-	firewall { '010 Whitelist Googlebot':
-		source => '66.249.64.0/19',
-		dport => [80,443],
-		proto => tcp,
-		action => accept,
-	}
-	# Block a spammer hitting our contact forms (also on StopForumSpam list A LOT)
-	firewall { '099 Blacklist spammers 1':
-		source => '107.181.78.172',
-		dport => [80, 443],
-		proto => tcp,
-		action => 'reject',
+	if ($fw_protocol != "IPv6") {
+		firewall { '010 Whitelist Googlebot':
+			source => '66.249.64.0/19',
+			dport => [80,443],
+			proto => tcp,
+			action => accept,
+		}
+		# Block a spammer hitting our contact forms (also on StopForumSpam list A LOT)
+		firewall { '099 Blacklist spammers 1':
+			source => '107.181.78.172',
+			dport => [80, 443],
+			proto => tcp,
+			action => 'reject',
+		}
+		firewall { '099 Blacklist IODC bot':
+			# IODC bot makes too many bad requests, and contact form is broken
+			# They don't publish a robots.txt name, so firewall it!
+			source => '86.153.145.149',
+			dport => [ 80, 443 ],
+			proto => tcp,
+			action => 'reject',
+		}
+		firewall { '099 Blacklist Baidu Brazil':
+			#Baidu got a Brazilian netblock and are hitting us hard
+			#Baidu doesn't honour "crawl-delay" in robots.txt
+			#Baidu gets firewalled
+			source => '131.161.8.0/22',
+			dport => [ 80, 443 ],
+			proto => tcp,
+			action => 'reject',
+		}
 	}
-	firewall { '099 Blacklist IODC bot':
-		# IODC bot makes too many bad requests, and contact form is broken
-		# They don't publish a robots.txt name, so firewall it!
-		source => '86.153.145.149',
-		dport => [ 80, 443 ],
-		proto => tcp,
-		action => 'reject',
-	}
-	firewall { '099 Blacklist Baidu Brazil':
-		#Baidu got a Brazilian netblock and are hitting us hard
-		#Baidu doesn't honour "crawl-delay" in robots.txt
-		#Baidu gets firewalled
-		source => '131.161.8.0/22',
-		dport => [ 80, 443 ],
-		proto => tcp,
-		action => 'reject',
-	}
-	firewallchain { 'GREATFIREWALLOFCHINA:filter:IPv4':
+	firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol":
 		ensure => present,
 	}
 	firewall { '050 Check our Great Firewall Against China':
 		chain => 'INPUT',
 		jump => 'GREATFIREWALLOFCHINA',
 	}
-	firewallchain { 'Fail2Ban:filter:IPv4':
+	firewallchain { "Fail2Ban:filter:$fw_protocol":
 		ensure => present,
 	}
 	firewall { '060 Check Fail2Ban':
 		chain => 'INPUT',
 		jump => 'Fail2Ban',
 	}
-	firewall { '100 allow https and http':
-		dport => [80, 443],
-		proto => tcp,
-		action => accept,
-	}
 	firewall { '101 allow SMTP':
 		dport => [25, 465],
 		proto => tcp,
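Review bot: The `firewall` resources in this class — the four inside the new `if ($fw_protocol != "IPv6")` block plus `050 Check our Great Firewall Against China`, `060 Check Fail2Ban` and `101 allow SMTP` below it — set no `provider`, and puppetlabs-firewall's `firewall` type defaults to the `iptables` (IPv4) provider; only the `firewallchain` titles at `GREATFIREWALLOFCHINA:filter:$fw_protocol` and `Fail2Ban:filter:$fw_protocol` carry the address family. On an IPv6 host the chains would therefore be created with ip6tables while the `jump` rules and the SMTP accept land in the IPv4 tables, where those target chains do not exist, and the IPv6 INPUT chain purged at the top of the class would end up without any of these rules. A resource default near the top of the class fixes every rule in one place: `Firewall { provider => $fw_protocol ? { 'IPv6' => 'ip6tables', default => 'iptables' } }`. The hunk also drops the `Firewall { before => Class['my_fw::post'], require => Class['my_fw::pre'] }` default and `class { 'firewall': }`; if `my_fw` (not shown) does not re-establish them, the pre/post ordering that keeps the host reachable mid-run is lost — worth confirming. `101 allow SMTP` continues past the hunk.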
@@ -411,13 +410,15 @@
 #Our web server with our configs, not just a stock one
 class webserver (
 	$primary_ip,
-	$secondary_ip,
+	$proxy_6to4_ip = undef,
+	$proxy_upstream = undef,
 	) {
 	#Setup base website parameters
 	class { 'website':
 		base_dir => '/srv/sites',
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_upstream => $proxy_upstream,
 		default_owner => $defaultusers::default_user,
 		default_group => $defaultusers::default_user,
 		default_tld => 'co.uk',
@@ -516,14 +517,16 @@
 
 class ibboardvpsnode (
 	$primary_ip,
-	$secondary_ip = $primary_ip,
+	$proxy_6to4_ip = undef,
+	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
 		firewall_cmd => $firewall_cmd,