modules/fail2ban/manifests/init.pp - Issue 29364214: Issue 2487 - Introduce fail2ban module

Side by Side Diff: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)

Patch Set: Created Nov. 24, 2016, 3:09 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 # == Class: fail2ban

	2 #

	3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.

	4 #

	5 # == Parameters:

	6 #

	7 # [jail_config]

	8 # Adds jail.local to the default configuration of fail2ban
	f.nicolaisen 2016/11/25 15:09:09 Unnecessary white space at end of line. Unnecessary white space at end of line.
	9 #

	10 # [package]

	11 # Overwrite the default package options, to fine-tune the target version (i.e.

	12 # ensure => 'latest') or remove Fluentd (ensure => 'absent' or 'purged')
	mathias 2016/11/24 16:08:48 Fluentd? Fluentd? f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > Fluentd? Acknowledged.
	13 #

	14 # [service]

	15 # Overwrite the default service options.

	16 #

	17 # [filters]

	18 # Adds adittional filters to the filters.d folder

	19 # === Examples:

	20 #

	21 # class {'fail2ban':

	22 # package => {ensure => 'present',},

	23 # service => {},

	24 # jail_config => {

	25 # 'wordpress' => {

	26 # logpath => '/var/log/nginx/access.log',
	f.nicolaisen 2016/11/25 15:09:09 Unnecessary white spaces at end of line. Unnecessary white spaces at end of line.
	27 # }

	28 # },

	29 # filters => {

	30 # 'wordpress' => {

	31 # failregex => [

	32 # '^<HOST>.\"WordPress\/.',

	33 # ],

	34 # }

	35 # },

	36 # }
	mathias 2016/11/24 16:08:48 The example code is not properly indented. Also it The example code is not properly indented. Also it should follow the same style practices as regular code within this repository. f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > The example code is not properly indented. Also it should follow the same style > practices as regular code within this repository. Acknowledged.
	37 class fail2ban (

	38 $package = {},
	mathias 2016/11/24 16:08:48 Please make sure to wrap all default arguments acc Please make sure to wrap all default arguments according to this pattern: $parameter = hiera('class::parameter', $default), This emulates Puppet 3 behavior and allows for i.e. designating parameter values as global keys within Hiera. f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > Please make sure to wrap all default arguments according to this pattern: > $parameter = hiera('class::parameter', $default), > > This emulates Puppet 3 behavior and allows for i.e. designating parameter values > as global keys within Hiera. Acknowledged.
	39 $service = {},

	40 $jail_config = {},

	41 $filters = {},

	42 ) {

	43

	44 include stdlib

	45

	46 ensure_resource('package', $title, $package)

	47

	48 # Used as default $ensure parameter for most resources below

	49 $ensure = getparam(Package[$title], 'ensure') ? {

	50 /^(absent\|purged\|held)$/ => 'absent',
	mathias 2016/11/24 16:08:48 By now I wouldn't consider a "held" package as "ab By now I wouldn't consider a "held" package as "absent" any more. Usually one would mark a package that way if there is a customized local version available. f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > By now I wouldn't consider a "held" package as "absent" any more. Usually one > would mark a package that way if there is a customized local version available. Acknowledged.
	51 default => 'present',

	52 }

	53

	54 # Service resources don't properly support the concept of absence

	55 if ($ensure == 'present') or ($service['ensure'] != undef) {
	mathias 2016/11/24 16:08:48 Why checking for $service['ensure'] being defined? Why checking for $service['ensure'] being defined? Shouldn't the default be totally fine? f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > Why checking for $service['ensure'] being defined? Shouldn't the default be > totally fine? Acknowledged.
	56

	57 ensure_resource('service', $title, $service)

	58 # See modules/fail2ban/manifests/filter.pp

	59 create_resources('fail2ban::filter', $filters)

	60
	f.nicolaisen 2016/11/25 15:09:09 Unnecessary white spaces here. Unnecessary white spaces here.
	61 # According to the docs one can also enable filters that are

	62 # already in there, so the config file should be done appart.
	mathias 2016/11/24 16:08:48 I don't really get this point, but I assume you me I don't really get this point, but I assume you meant "separately" when you wrote "appart"? f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > I don't really get this point, but I assume you meant "separately" when you > wrote "appart"? Acknowledged.
	63 if jail_config != undef {
	mathias 2016/11/24 16:08:48 The $jail_config defaults to an empty hash, so I d The $jail_config defaults to an empty hash, so I doubt that this condition makes much sense here. Especially not if this "magic" with undef is not intended and/or documented accordingly. f.lopez 2016/11/25 15:13:49 One can have filters without activating them, so y Show quoted text On 2016/11/24 16:08:48, mathias wrote: > The $jail_config defaults to an empty hash, so I doubt that this condition makes > much sense here. Especially not if this "magic" with undef is not intended > and/or documented accordingly. One can have filters without activating them, so you can still create filters without activating them.
	64 file {'/etc/fail2ban/jail.local':

	65 ensure => present,

	66 group => 'root',

	67 mode => '0644',

	68 owner => 'root',

	69 content => template("fail2ban/jail.erb"),

	70 notify => Service[$title],

	71 }

	72 }

	73
	f.nicolaisen 2016/11/25 15:09:09 Unnecessary white spaces here. Unnecessary white spaces here.
	74 Service[$title] <~ Package[$title]
	mathias 2016/11/24 16:08:48 Usually package updates imply reloading/restarting Usually package updates imply reloading/restarting the associated service (if any), hence I am not sure if one would want to notify the service resource here (rather than just declaring an order relationship). f.lopez 2016/11/25 15:13:49 Notify is a kind of relation, but I agree that whe Show quoted text On 2016/11/24 16:08:48, mathias wrote: > Usually package updates imply reloading/restarting the associated service (if > any), hence I am not sure if one would want to notify the service resource here > (rather than just declaring an order relationship). Notify is a kind of relation, but I agree that when the package is updated or installed is handles that part, I'm removing this.
	75 }

	76

	77 Package[$title] -> File['/etc/fail2ban/jail.local']
	mathias 2016/11/24 16:08:48 Since the file resource is just declared under cer Since the file resource is just declared under certain circumstances, the dependency on the package can trigger an error if denoted in this fashion and position. f.lopez 2016/11/25 15:13:49 Acknowledged. Show quoted text On 2016/11/24 16:08:48, mathias wrote: > Since the file resource is just declared under certain circumstances, the > dependency on the package can trigger an error if denoted in this fashion and > position. Acknowledged.
	78

	79

	80 }

OLD	NEW

« modules/fail2ban/manifests/filter.pp ('K') | « modules/fail2ban/manifests/filter.pp ('k') | modules/fail2ban/templates/filter.erb » ('j') | modules/fail2ban/templates/jail.erb » ('J')