Switch to firewall module for ubuntu

benjamin-robertson · Jun 21, 2024 · b6c8a6b · b6c8a6b
1 parent f5c3692
commit b6c8a6b
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 46 deletions.
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -30,9 +30,9 @@ fixtures:
     puppet-firewalld:
       repo: "puppet/firewalld"
       ref: "5.0.0"
-    domkrm-ufw: # consider moving to another modules for ufw
-      repo: "domkrm/ufw"
-      ref: "1.1.4"
+    puppetlabs-firewall:
+      repo: "puppetlabs/firewall"
+      ref: "8.0.2"
     puppet-systemd: # inifile is dep
       repo: "puppet/systemd"
       ref: "7.0.0"

diff --git a/manifests/firewall.pp b/manifests/firewall.pp
@@ -0,0 +1,55 @@
+# Class: observium::firewall
+#
+# Manage UFW on ubuntu
+#
+# @api private
+#
+class observium::firewall {
+  assert_private()
+  Firewall {
+    require => undef,
+  }
+
+  # Default firewall rules
+  firewall { '000 accept all icmp':
+    proto => 'icmp',
+    jump  => 'accept',
+  }
+  -> firewall { '001 accept all to lo interface':
+    proto   => 'all',
+    iniface => 'lo',
+    jump    => 'accept',
+  }
+  -> firewall { '002 reject local traffic not on loopback interface':
+    iniface     => '! lo',
+    proto       => 'all',
+    destination => '127.0.0.1/8',
+    jump        => 'reject',
+  }
+  -> firewall { '003 accept related established rules':
+    proto => 'all',
+    state => ['RELATED', 'ESTABLISHED'],
+    jump  => 'accept',
+  }
+  # Add rules for apache
+  if $observium::manage_ssl {
+    firewall { "50 Allow https access ${observium::apache_sslport}":
+      dport => $observium::apache_sslport,
+      proto => 'tcp',
+      jump  => 'accept',
+    }
+  }
+  else {
+    firewall { "50 Allow http access ${observium::apache_port}":
+      dport => $observium::apache_port,
+      proto => 'tcp',
+      jump  => 'accept',
+    }
+  }
+  # Ensure ssh is open
+  firewall { '004 Allow inbound SSH':
+    dport => 22,
+    proto => 'tcp',
+    jump  => 'accept',
+  }
+}
diff --git a/manifests/firewallufw.pp b/manifests/firewallufw.pp
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -246,7 +246,7 @@
   if $manage_fw {
     case $facts['os']['family'] {
       'RedHat': { include observium::firewalld }
-      'Debian': { include observium::firewallufw }
+      'Debian': { include observium::firewall }
       default: {}
     }
   }

diff --git a/metadata.json b/metadata.json
@@ -12,7 +12,7 @@
     },
     {
       "name": "puppet/archive",
-      "version_requirement": ">6.0.0 < 8.0.0"
+      "version_requirement": ">7.0.0 < 8.0.0"
     },
     {
       "name": "puppetlabs/yumrepo_core",
@@ -24,7 +24,7 @@
     },
     {
       "name": "puppetlabs/cron_core",
-      "version_requirement": ">=1.0.0 < 3.0.0"
+      "version_requirement": ">=1.0.0 < 2.0.0"
     },
     {
       "name": "puppet/selinux",
@@ -36,35 +36,36 @@
     },
     {
       "name": "puppet/snmp",
-      "version_requirement": ">=5.0.0 < 8.0.0"
+      "version_requirement": ">=7.0.0 < 8.0.0"
     },
     {
       "name": "puppet/firewalld",
-      "version_requirement": ">=4.1.1 < 6.0.0"
+      "version_requirement": ">=5.0.0 < 6.0.0"
     },
     {
-      "name": "domkrm/ufw",
-      "version_requirement": ">=1.1.1 < 2.0.0"
+      "name": "puppetlabs/firewall",
+      "version_requirement": ">=6.0.0 < 9.0.0"
     },
     {
       "name": "puppet/systemd",
-      "version_requirement": ">=4.0.0 < 8.0.0"
+      "version_requirement": ">=5.1.0 < 8.0.0"
     },
     {
       "name": "puppetlabs/inifile",
-      "version_requirement": ">=5.0.0 < 7.0.0"
+      "version_requirement": ">=6.1.0 < 7.0.0"
     },
     {
       "name": "puppetlabs/concat",
-      "version_requirement": ">=7.0.0 < 10.0.0"
+      "version_requirement": ">=9.0.0 < 10.0.0"
     }
   ],
   "operatingsystem_support": [
     {
       "operatingsystem": "CentOS",
       "operatingsystemrelease": [
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {

diff --git a/spec/acceptance/observium_install_spec.rb b/spec/acceptance/observium_install_spec.rb
@@ -14,7 +14,7 @@
     end
   end
 
-  # let(:hiera_config) { 'hiera-rpsec.yaml' } # serverspec doesn't seem to respect this.
+  # let(:hiera_config) { 'hiera-rpsec.yaml' } # litmus doesn't seem to respect this.
 
   let(:pp) do
     <<-MANIFEST
@@ -46,7 +46,6 @@ class { 'observium':
     it { is_expected.to be_file }
     it { is_expected.to contain "$config['install_dir'] = \"/opt/observium\"" }
     it { is_expected.to contain "$config['db_host']      = 'localhost';" }
-    # it { is_expected.to contain os[:release] }
   end
 
   describe port(80) do

diff --git a/spec/classes/observium_spec.rb b/spec/classes/observium_spec.rb
@@ -4,7 +4,7 @@
 
 describe 'observium' do
   let(:hiera_config) { 'hiera-rpsec.yaml' }
-  
+
   on_supported_os.each do |os, os_facts|
     context "on #{os}" do
       let(:facts) { os_facts }