root / manifests / init.pp @ b3a7a6dd
Historique | Voir | Annoter | Télécharger (1,61 ko)
| 1 | e17693e3 | Steve Traylen | # @summary Configure nftables |
|---|---|---|---|
| 2 | # |
||
| 3 | # @example |
||
| 4 | # class{'nftables:
|
||
| 5 | # out_ntp = false, |
||
| 6 | # out_dns = true, |
||
| 7 | b3a7a6dd | tr | # } |
| 8 | e17693e3 | Steve Traylen | # |
| 9 | b3a7a6dd | tr | # @param out_all |
| 10 | e17693e3 | Steve Traylen | # Allow all outbound connections. If `true` then all other |
| 11 | # out parameters `out_ntp`, `out_dns`, ... will be assuemed |
||
| 12 | # false. |
||
| 13 | # |
||
| 14 | # @param out_ntp |
||
| 15 | # Allow outbound to ntp servers. |
||
| 16 | # |
||
| 17 | # @param out_http |
||
| 18 | # Allow outbound to http servers. |
||
| 19 | # |
||
| 20 | # @param out_https |
||
| 21 | # Allow outbound to https servers. |
||
| 22 | # |
||
| 23 | # @param out_https |
||
| 24 | # Allow outbound to https servers. |
||
| 25 | # |
||
| 26 | # @param in_ssh |
||
| 27 | # Allow inbound to ssh servers. |
||
| 28 | # |
||
| 29 | be0b08e1 | tr | class nftables ( |
| 30 | Boolean $in_ssh = true, |
||
| 31 | Boolean $out_ntp = true, |
||
| 32 | Boolean $out_dns = true, |
||
| 33 | cd664666 | tr | Boolean $out_http = true, |
| 34 | be0b08e1 | tr | Boolean $out_https = true, |
| 35 | e17693e3 | Steve Traylen | Boolean $out_all = false, |
| 36 | b3a7a6dd | tr | Hash $rules = {},
|
| 37 | be0b08e1 | tr | ) {
|
| 38 | |||
| 39 | 0ba57c66 | mh | package{'nftables':
|
| 40 | ensure => installed, |
||
| 41 | } -> file_line{
|
||
| 42 | 'enable_nftables': |
||
| 43 | line => 'include "/etc/nftables/puppet.nft"', |
||
| 44 | path => '/etc/sysconfig/nftables.conf', |
||
| 45 | notify => Service['nftables'], |
||
| 46 | } -> file{
|
||
| 47 | default: |
||
| 48 | e140adff | tr | owner => 'root', |
| 49 | group => 'root', |
||
| 50 | mode => '0640'; |
||
| 51 | 0ba57c66 | mh | '/etc/nftables/puppet.nft': |
| 52 | 5acb554a | tr | ensure => file, |
| 53 | 0ba57c66 | mh | source => 'puppet:///modules/nftables/config/puppet.nft'; |
| 54 | '/etc/nftables/puppet': |
||
| 55 | ensure => directory, |
||
| 56 | 5acb554a | tr | mode => '0750', |
| 57 | 0ba57c66 | mh | purge => true, |
| 58 | force => true, |
||
| 59 | recurse => true; |
||
| 60 | } ~> service{'nftables':
|
||
| 61 | e140adff | tr | ensure => running, |
| 62 | enable => true, |
||
| 63 | 0ba57c66 | mh | } |
| 64 | |||
| 65 | f02562f2 | tr | service{'firewalld':
|
| 66 | ensure => stopped, |
||
| 67 | enable => mask, |
||
| 68 | } |
||
| 69 | |||
| 70 | c8092701 | tr | include nftables::inet_filter |
| 71 | include nftables::ip_nat |
||
| 72 | b3a7a6dd | tr | |
| 73 | # inject custom rules e.g. from hiera |
||
| 74 | create_resources(nftables::rule, $rules) |
||
| 75 | 0ba57c66 | mh | } |