From b6c8a6b2547b0de09a4e495ecf3c3089ea84bc8e Mon Sep 17 00:00:00 2001
From: ben
Date: Fri, 21 Jun 2024 12:00:06 +1000
Subject: [PATCH] Switch to firewall module for ubuntu

---
 .fixtures.yml | 6 +--
 manifests/firewall.pp | 55 +++++++++++++++++++++++
 manifests/firewallufw.pp | 29 ------------
 manifests/init.pp | 2 +-
 metadata.json | 21 ++++-----
 spec/acceptance/observium_install_spec.rb | 3 +-
 spec/classes/observium_spec.rb | 2 +-
 7 files changed, 72 insertions(+), 46 deletions(-)
 create mode 100644 manifests/firewall.pp
 delete mode 100644 manifests/firewallufw.pp

diff --git a/.fixtures.yml b/.fixtures.yml
index b3b0e18..006b647 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -30,9 +30,9 @@ fixtures:
 puppet-firewalld:
 repo: "puppet/firewalld"
 ref: "5.0.0"
- domkrm-ufw: # consider moving to another modules for ufw
- repo: "domkrm/ufw"
- ref: "1.1.4"
+ puppetlabs-firewall:
+ repo: "puppetlabs/firewall"
+ ref: "8.0.2"
 puppet-systemd: # inifile is dep
 repo: "puppet/systemd"
 ref: "7.0.0"
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
new file mode 100644
index 0000000..70dd547
--- /dev/null
+++ b/manifests/firewall.pp
@@ -0,0 +1,55 @@
+# Class: observium::firewall
+#
+# Manage UFW on ubuntu
+#
+# @api private
+#
+class observium::firewall {
+ assert_private()
+ Firewall {
+ require => undef,
+ }
+
+ # Default firewall rules
+ firewall { '000 accept all icmp':
+ proto => 'icmp',
+ jump => 'accept',
+ }
+ -> firewall { '001 accept all to lo interface':
+ proto => 'all',
+ iniface => 'lo',
+ jump => 'accept',
+ }
+ -> firewall { '002 reject local traffic not on loopback interface':
+ iniface => '! lo',
+ proto => 'all',
+ destination => '127.0.0.1/8',
+ jump => 'reject',
+ }
+ -> firewall { '003 accept related established rules':
+ proto => 'all',
+ state => ['RELATED', 'ESTABLISHED'],
+ jump => 'accept',
+ }
+ # Add rules for apache
+ if $observium::manage_ssl {
+ firewall { "50 Allow https access ${observium::apache_sslport}":
+ dport => $observium::apache_sslport,
+ proto => 'tcp',
+ jump => 'accept',
+ }
+ }
+ else {
+ firewall { "50 Allow http access ${observium::apache_port}":
+ dport => $observium::apache_port,
+ proto => 'tcp',
+ jump => 'accept',
+ }
+ }
+ # Ensure ssh is open
+ firewall { '004 Allow inbound SSH':
+ dport => 22,
+ proto => 'tcp',
+ jump => 'accept',
+ }
+}
diff --git a/manifests/firewallufw.pp b/manifests/firewallufw.pp
deleted file mode 100644
index 9f8d4b5..0000000
--- a/manifests/firewallufw.pp
+++ /dev/null
@@ -1,29 +0,0 @@
-# Class: observium::firewallufw
-#
-# Manage UFW on ubuntu
-#
-# @api private
-#
-class observium::firewallufw {
- assert_private()
-
- # Add rules for apache
- class { 'ufw': }
- if $observium::manage_ssl {
- ufw::allow { "Allow https access ${observium::apache_sslport}":
- port => $observium::apache_sslport,
- from => '0.0.0.0/0',
- }
- }
- else {
- ufw::allow { "Allow https access ${observium::apache_port}":
- port => $observium::apache_port,
- from => '0.0.0.0/0',
- }
- }
- # Ensure ssh is open
- ufw::allow { 'Allow ssh access 22':
- port => '22',
- from => '0.0.0.0/0',
- }
-}
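Review bot: The new class ends after the `004 Allow inbound SSH` accept with no catch-all drop/reject rule and no INPUT chain policy, so unless something outside this module sets a default-deny policy every port not listed here stays reachable; the removed observium::firewallufw declared `class { 'ufw': }`, which (if I remember that module's defaults correctly) applied ufw's deny-incoming default, so this migration loosens the host's exposure. Consider closing the chain after the accept rules with `firewall { '999 drop all other inbound': proto => 'all', jump => 'drop' }` or `firewallchain { 'INPUT:filter:IPv4': policy => 'drop' }`, making sure the catch-all is ordered after the accepts. The class also never declares `class { 'firewall': }` (or `include firewall`), which in puppetlabs-firewall is what manages the iptables tooling and rule persistence on Debian-family hosts, so these rules may not survive a reboot — please verify. The rules default to IPv4 only, so if the hosts carry IPv6 addresses the same set needs ip6tables counterparts (`protocol => 'ip6tables'` in the 7.x/8.x API, as far as I recall). The header comment `# Manage UFW on ubuntu` is stale now that the class manages iptables rules through puppetlabs/firewall; `# Manage iptables rules on Debian-family hosts via puppetlabs/firewall` would match what it does.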
diff --git a/manifests/init.pp b/manifests/init.pp
index 04d694b..c4020d8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -246,7 +246,7 @@
 if $manage_fw {
 case $facts['os']['family'] {
 'RedHat': { include observium::firewalld }
- 'Debian': { include observium::firewallufw }
+ 'Debian': { include observium::firewall }
 default: {}
 }
 }
diff --git a/metadata.json b/metadata.json
index f1505a4..0cbaae5 100644
--- a/metadata.json
+++ b/metadata.json
@@ -12,7 +12,7 @@
 },
 {
 "name": "puppet/archive",
- "version_requirement": ">6.0.0 < 8.0.0"
+ "version_requirement": ">7.0.0 < 8.0.0"
 },
 {
 "name": "puppetlabs/yumrepo_core",
@@ -24,7 +24,7 @@
 },
 {
 "name": "puppetlabs/cron_core",
- "version_requirement": ">=1.0.0 < 3.0.0"
+ "version_requirement": ">=1.0.0 < 2.0.0"
 },
 {
 "name": "puppet/selinux",
@@ -36,27 +36,27 @@
 },
 {
 "name": "puppet/snmp",
- "version_requirement": ">=5.0.0 < 8.0.0"
+ "version_requirement": ">=7.0.0 < 8.0.0"
 },
 {
 "name": "puppet/firewalld",
- "version_requirement": ">=4.1.1 < 6.0.0"
+ "version_requirement": ">=5.0.0 < 6.0.0"
 },
 {
- "name": "domkrm/ufw",
- "version_requirement": ">=1.1.1 < 2.0.0"
+ "name": "puppetlabs/firewall",
+ "version_requirement": ">=6.0.0 < 9.0.0"
 },
 {
 "name": "puppet/systemd",
- "version_requirement": ">=4.0.0 < 8.0.0"
+ "version_requirement": ">=5.1.0 < 8.0.0"
 },
 {
 "name": "puppetlabs/inifile",
- "version_requirement": ">=5.0.0 < 7.0.0"
+ "version_requirement": ">=6.1.0 < 7.0.0"
 },
 {
 "name": "puppetlabs/concat",
- "version_requirement": ">=7.0.0 < 10.0.0"
+ "version_requirement": ">=9.0.0 < 10.0.0"
 }
 ],
 "operatingsystem_support": [
@@ -64,7 +64,8 @@
 "operatingsystem": "CentOS",
 "operatingsystemrelease": [
 "7",
- "8"
+ "8",
+ "9"
 ]
 },
 {
diff --git a/spec/acceptance/observium_install_spec.rb b/spec/acceptance/observium_install_spec.rb
index c4f40dd..e457b6f 100644
--- a/spec/acceptance/observium_install_spec.rb
+++ b/spec/acceptance/observium_install_spec.rb
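Review bot: The new `puppetlabs/firewall` range `">=6.0.0 < 9.0.0"` in the `@@ -36,27 +36,27 @@` hunk admits 6.x, but `.fixtures.yml` pins 8.0.2 and manifests/firewall.pp targets rules with `jump => 'accept'`, which as far as I recall only replaced the old `action` parameter in the 7.0.0 rewrite, so a 6.x resolution would likely fail catalog compilation. Raising the lower bound to what the manifest is actually written against, `"version_requirement": ">=7.0.0 < 9.0.0"`, keeps the dependency declaration consistent with the fixture and the code.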
@@ -14,7 +14,7 @@ end end - # let(:hiera_config) { 'hiera-rpsec.yaml' } # serverspec doesn't seem to respect this. + # let(:hiera_config) { 'hiera-rpsec.yaml' } # litmus doesn't seem to respect this. let(:pp) do <<-MANIFEST @@ -46,7 +46,6 @@ class { 'observium': it { is_expected.to be_file } it { is_expected.to contain "$config['install_dir'] = \"/opt/observium\"" } it { is_expected.to contain "$config['db_host'] = 'localhost';" } - # it { is_expected.to contain os[:release] } end describe port(80) do diff --git a/spec/classes/observium_spec.rb b/spec/classes/observium_spec.rb index 70b5a8f..ce01020 100644 --- a/spec/classes/observium_spec.rb +++ b/spec/classes/observium_spec.rb @@ -4,7 +4,7 @@ describe 'observium' do let(:hiera_config) { 'hiera-rpsec.yaml' } - + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) { os_facts }