# frozen_string_literal: true
require 'spec_helper_acceptance'
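describe 'nftables class' do
  context 'configure all nftables rules' do
    it 'works idempotently with no errors' do
      # Puppet manifest under test. This is a plain `<<-EOS` heredoc (not
      # `<<~`), so Ruby keeps the leading whitespace (harmless to Puppet) but
      # still processes escapes: the `\n` on the `.join("\n")` line reaches
      # Puppet as a literal newline inside a double-quoted string, which Puppet
      # accepts, so the generated drop-in is unchanged.
      pp = <<-EOS
      # Default ArchLinux rules contain "destroy" that requires kernel >= 6.3
      # https://gitlab.archlinux.org/archlinux/packaging/packages/nftables/-/commit/f26a7145b2885d298925819782a5302905332dbe
      # When running on docker this may not be the case.
      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
        $_clobber_default_config = true
      } else {
        $_clobber_default_config = undef
      }

      # default mask of firewalld service fails if service is not installed.
      # https://tickets.puppetlabs.com/browse/PUP-10814
      # Disable all default rules and include below explicitly
      class { 'nftables':
        firewalld_enable       => false,
        out_ntp                => false,
        out_http               => false,
        out_https              => false,
        out_icmp               => false,
        in_ssh                 => false,
        in_icmp                => false,
        clobber_default_config => $_clobber_default_config,
      }
      include nftables::rules::icmp
      include nftables::rules::dns
      include nftables::rules::node_exporter
      include nftables::rules::nfs3
      include nftables::rules::ssh
      include nftables::rules::dhcpv6_client
      include nftables::rules::afs3_callback
      include nftables::rules::ospf
      include nftables::rules::podman
      include nftables::rules::http
      include nftables::rules::puppet
      include nftables::rules::pxp_agent
      include nftables::rules::icinga2
      include nftables::rules::ldap
      include nftables::rules::tor
      include nftables::rules::ospf3
      include nftables::rules::ceph_mon
      include nftables::rules::smtp_submission
      include nftables::rules::https
      include nftables::rules::nfs
      include nftables::rules::smtps
      include nftables::rules::smtp
      include nftables::rules::ceph
      include nftables::rules::samba
      include nftables::rules::activemq
      include nftables::rules::docker_ce
      include nftables::rules::qemu
      # Rules with sets are known to fail on Debian 11
      # See spec/acceptance/set_spec.rb for details.
      if $facts['os']['name'] != 'Debian' or $facts['os']['release']['major'] != '11' {
        include nftables::rules::nomad
      }
      include nftables::rules::out::postgres
      include nftables::rules::out::icmp
      include nftables::rules::out::dns
      include nftables::rules::out::nfs3
      include nftables::rules::out::ssh
      include nftables::rules::out::kerberos
      include nftables::rules::out::dhcpv6_client
      include nftables::rules::out::ospf
      include nftables::rules::out::openafs_client
      include nftables::rules::out::http
      include nftables::rules::out::ssh::remove
      include nftables::rules::out::hkp
      class{'nftables::rules::out::puppet':
        puppetserver => '127.0.0.1',
      }
      class{'nftables::rules::out::pxp_agent':
        broker => '127.0.0.1',
      }
      class{'nftables::rules::out::ldap':
        ldapserver => '127.0.0.1',
      }
      class{'nftables::rules::out::active_directory':
        adserver => '127.0.0.1',
      }
      include nftables::rules::out::all
      include nftables::rules::out::tor
      include nftables::rules::out::ospf3
      include nftables::rules::out::mysql
      include nftables::rules::out::ceph_client
      include nftables::rules::out::https
      include nftables::rules::out::dhcp
      include nftables::rules::out::nfs
      include nftables::rules::out::smtp
      include nftables::rules::out::smtp_client
      include nftables::rules::out::imap
      include nftables::rules::out::pop3
      include nftables::rules::out::chrony
      include nftables::rules::out::wireguard
      include nftables::rules::out::whois
      include nftables::rules::wireguard
      include nftables::rules::multicast
      include nftables::rules::spotify
      include nftables::rules::llmnr
      include nftables::rules::ssdp
      include nftables::rules::mdns
      include nftables::rules::igmp
      include nftables::rules::wsd
      include nftables::rules::ftp
      include nftables::rules::rsync
      include nftables::rules::out::igmp
      include nftables::rules::out::mldv2
      include nftables::rules::out::mdns
      include nftables::rules::out::ssdp
      include nftables::rules::out::icinga2
      include nftables::services::dhcpv6_client
      include nftables::services::openafs_client
      $config_path = $facts['os']['family'] ? {
        'Archlinux' => '/etc/nftables.conf',
        'Debian' => '/etc/nftables.conf',
        default => '/etc/sysconfig/nftables.conf',
      }
      $nft_path = $facts['os']['family'] ? {
        'Archlinux' => '/usr/bin/nft',
        default => '/usr/sbin/nft',
      }
      # nftables cannot be started in docker so replace service with a validation only.
      systemd::dropin_file{"zzz_docker_nft.conf":
        ensure  => present,
        unit    => "nftables.service",
        content => [
          "[Service]",
          "ExecStart=",
          "ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
          "ExecReload=",
          "ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
          "",
          ].join("\n"),
        notify  => Service["nftables"],
      }
      EOS
      # Run it twice and test for idempotency: the first apply must not fail,
      # the second must report no changes at all.
      apply_manifest(pp, catch_failures: true)
      apply_manifest(pp, catch_changes: true)
    end

    describe package('nftables') do
      it { is_expected.to be_installed }
    end

    # NOTE: the drop-in in the manifest above overrides ExecStart/ExecReload
    # with an `nft -c` (check-only) run, so "running" here shows that the
    # generated ruleset parses, not that it was loaded into the kernel.
    describe service('nftables') do
      it { is_expected.to be_running }
      it { is_expected.to be_enabled }
    end

    # serverspec's file() describes one resource per call; the previous
    # two-argument form left the second path unchecked (or failing at load
    # time, depending on the serverspec version). Give each expected file
    # its own example group so both are actually asserted.
    %w[
      /etc/nftables/puppet.nft
      /etc/systemd/system/nftables.service.d/puppet_nft.conf
    ].each do |managed_file|
      describe file(managed_file) do
        it { is_expected.to be_file }
      end
    end

    describe file('/etc/nftables/puppet') do
      it { is_expected.to be_directory }
    end
  end
end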