add install_method parameter

4 files changed, 52 insertions, 4 deletions

diff --git a/manifests/config.pp b/manifests/config.pp
index 5876bd7..8ed0f57 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -10,6 +10,16 @@ class ferm::config {
 
   $_ip = join($ferm::ip_versions, ' ')
 
+  if $facts['systemd'] { #fact provided by systemd module
+    if $ferm::install_method == 'vcsrepo' and $ferm::manage_service {
+      systemd::dropin_file { 'ferm.conf':
+        unit    => 'ferm.service',
+        content => epp("${module_name}/dropin_ferm.conf.epp"),
+        before  => Service['ferm'],
+      }
+    }
+  }
+
   # copy static files to ferm
   # on a long term point of view, we want to package this
   file{$ferm::configdirectory:
diff --git a/manifests/init.pp b/manifests/init.pp
index b1d051e..251effe 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -45,8 +45,11 @@
 # @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
 # @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
 # @param ip_versions Set list of versions of ip we want ot use.
-# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
+# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for (since ferm v2.4)
 #   Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
+# @param install_method method used to install ferm
+# @param vcsrepo git repository where ferm sources are hosted
+# @param vcstag git tag used when install_method is vcsrepo
 class ferm (
   Stdlib::Absolutepath $configfile,
   Stdlib::Absolutepath $configdirectory,
@@ -67,6 +70,9 @@ class ferm (
   Hash $chains = {},
   Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
   Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {},
+  Enum['package','vcsrepo'] $install_method = 'package',
+  Stdlib::HTTPSUrl $vcsrepo = 'https://github.com/MaxKellermann/ferm.git',
+  String[1] $vcstag = 'v2.5.1',
 ) {
   contain ferm::install
   contain ferm::config
diff --git a/manifests/install.pp b/manifests/install.pp
index 4337a99..5755ead 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -8,8 +8,40 @@ class ferm::install {
   # this is a private class
   assert_private("You're not supposed to do that!")
 
-  package{'ferm':
-    ensure => 'latest',
+  case $ferm::install_method {
+    'package': {
+      package{'ferm':
+        ensure => 'latest',
+      }
+    }
+    'vcsrepo': {
+      $_source_path = '/opt/ferm'
+      ensure_packages (['git', 'iptables', 'perl', 'make'], { ensure => present })
+
+      package{'ferm':
+        ensure => absent,
+      }
+      -> vcsrepo { $_source_path :
+        ensure   => present,
+        provider => git,
+        source   => $ferm::vcsrepo,
+        revision => $ferm::vcstag,
+      }
+      -> exec { 'make install':
+        cwd     => $_source_path,
+        path    => '/usr/sbin:/usr/bin:/sbin:/bin',
+        creates => '/usr/sbin/ferm',
+      }
+      -> file { '/etc/ferm':
+        ensure => directory,
+        owner  => 0,
+        group  => 0,
+        mode   => '0700',
+      }
+    }
+    default: {
+      fail("unexpected install_method ${ferm::install_method}")
+    }
   }
 
   if $ferm::manage_initfile {
diff --git a/manifests/service.pp b/manifests/service.pp
index e9eb369..9fb1737 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -15,7 +15,7 @@ class ferm::service {
     }
 
     # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
-    if ($facts['os']['name'] in ['Ubuntu', 'Debian']) {
+    if ($facts['os']['name'] in ['Ubuntu', 'Debian']) and ($ferm::install_method == 'package') {
       file_line{'enable_ferm':
         path   => '/etc/default/ferm',
         line   => 'ENABLED="yes"',