Révision 0c9bc308
Add support for Arch Linux
Arch Linux stores the configuration in a different path and does not
provide firewalld without explicit installation.
This basically the same as #66 – I've reused their code since it hasn't
been merged in a while.
| manifests/init.pp | ||
|---|---|---|
| 86 | 86 |
# @param rules |
| 87 | 87 |
# Specify hashes of `nftables::rule`s via hiera |
| 88 | 88 |
# |
| 89 |
# @param configuration_path |
|
| 90 |
# The absolute path to the principal nftables configuration file. The default |
|
| 91 |
# varies depending on the system, and is set in the module's data. |
|
| 92 |
# |
|
| 89 | 93 |
class nftables ( |
| 90 | 94 |
Boolean $in_ssh = true, |
| 91 | 95 |
Boolean $in_icmp = true, |
| ... | ... | |
| 107 | 111 |
Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable', |
| 108 | 112 |
Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask', |
| 109 | 113 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef, |
| 114 |
Stdlib::Unixpath $configuration_path, |
|
| 110 | 115 |
) {
|
| 111 | 116 |
package { 'nftables':
|
| 112 | 117 |
ensure => installed, |
| 113 | 118 |
} -> file_line {
|
| 114 | 119 |
'enable_nftables': |
| 115 | 120 |
line => 'include "/etc/nftables/puppet.nft"', |
| 116 |
path => '/etc/sysconfig/nftables.conf',
|
|
| 121 |
path => $configuration_path,
|
|
| 117 | 122 |
notify => Service['nftables'], |
| 118 | 123 |
} -> file {
|
| 119 | 124 |
default: |
| 120 | 125 |
owner => 'root', |
| 121 | 126 |
group => 'root', |
| 122 | 127 |
mode => '0640'; |
| 128 |
'/etc/nftables': |
|
| 129 |
ensure => directory, |
|
| 130 |
mode => '0750'; |
|
| 123 | 131 |
'/etc/nftables/puppet-preflight': |
| 124 | 132 |
ensure => directory, |
| 125 | 133 |
mode => '0750', |
| ... | ... | |
| 167 | 175 |
systemd::dropin_file { 'puppet_nft.conf':
|
| 168 | 176 |
ensure => present, |
| 169 | 177 |
unit => 'nftables.service', |
| 170 |
content => file('nftables/systemd/puppet_nft.conf'),
|
|
| 178 |
content => epp('nftables/systemd/puppet_nft.conf.epp', {
|
|
| 179 |
'configuration_path' => $configuration_path, |
|
| 180 |
}), |
|
| 171 | 181 |
notify => Service['nftables'], |
| 172 | 182 |
} |
| 173 | 183 |
|
Formats disponibles : Unified diff