Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/config.pp | 10 | ||||
-rw-r--r-- | manifests/init.pp | 8 | ||||
-rw-r--r-- | manifests/install.pp | 36 | ||||
-rw-r--r-- | manifests/service.pp | 2 |
4 files changed, 52 insertions, 4 deletions
diff --git a/manifests/config.pp b/manifests/config.pp
index 5876bd7..8ed0f57 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -10,6 +10,16 @@ class ferm::config {
 
   $_ip = join($ferm::ip_versions, ' ')
 
+  if $facts['systemd'] { #fact provided by systemd module
+    if $ferm::install_method == 'vcsrepo' and $ferm::manage_service {
+      systemd::dropin_file { 'ferm.conf':
+        unit    => 'ferm.service',
+        content => epp("${module_name}/dropin_ferm.conf.epp"),
+        before  => Service['ferm'],
+      }
+    }
+  }
+
   # copy static files to ferm
   # on a long term point of view, we want to package this
   file{$ferm::configdirectory:
diff --git a/manifests/init.pp b/manifests/init.pp
index b1d051e..251effe 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -45,8 +45,11 @@
 # @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
 # @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
 # @param ip_versions Set list of versions of ip we want ot use.
-# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
+# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for (since ferm v2.4)
 # Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
+# @param install_method method used to install ferm
+# @param vcsrepo git repository where ferm sources are hosted
+# @param vcstag git tag used when install_method is vcsrepo
 class ferm (
   Stdlib::Absolutepath $configfile,
   Stdlib::Absolutepath $configdirectory,
@@ -67,6 +70,9 @@ class ferm (
   Hash $chains = {},
   Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
   Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {},
+  Enum['package','vcsrepo'] $install_method = 'package',
+  Stdlib::HTTPSUrl $vcsrepo = 'https://github.com/MaxKellermann/ferm.git',
+  String[1] $vcstag = 'v2.5.1',
 ) {
   contain ferm::install
   contain ferm::config
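Review bot: `before => Service['ferm']` on the new `systemd::dropin_file` only orders the drop-in ahead of the service; it never refreshes it, so a later change to the drop-in (its template `dropin_ferm.conf.epp` is not part of this diff) leaves the running ferm on the old unit settings until something else restarts it. If the drop-in exists to point the unit at the source-built binary, `notify => Service['ferm'],` is the intent. The outer `if $facts['systemd']` also silently skips the drop-in when the systemd module that provides the fact is not in the environment, which for a vcsrepo install with the distro unit removed can leave the service with no working unit; a comment such as `# no systemd fact => no unit override: a vcsrepo build will have nothing to start` would make that failure mode visible.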
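Review bot: The new `@param vcstag` line documents only that the value is a git tag; a tag is a mutable reference that the git checkout does not verify, so a reader choosing a pin should be told a full commit hash is the safe choice. Suggest `# @param vcstag git tag (or full commit sha, which upstream cannot move) checked out when install_method is vcsrepo`. The `@param vcsrepo` line should likewise state that only https URLs are accepted, since the type declared for it in the next hunk is Stdlib::HTTPSUrl and a user with an internal ssh mirror would otherwise only learn that from a type error.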
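Review bot: `String[1] $vcstag` accepts any git ref, including a branch name such as `master`, which turns the vcsrepo install into an unpinned build of upstream HEAD that `make install` then runs as root; a pattern type keeps it to release tags or commit hashes, e.g. `Pattern[/\A(v?\d+(\.\d+)*|[0-9a-f]{7,40})\z/] $vcstag = 'v2.5.1',`. Restricting `$vcsrepo` to Stdlib::HTTPSUrl is a sound supply-chain choice (it rules out the unauthenticated git:// transport), but it also rejects ssh:// and git@ mirrors, so the reason deserves a comment next to the parameter, e.g. `# https only: ferm sources are fetched and built as root, never over git://`. Neither the tag nor the fetched tree is integrity-checked anywhere in this change, so these two parameters are the only pin the build has.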
diff --git a/manifests/install.pp b/manifests/install.pp
index 4337a99..5755ead 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -8,8 +8,40 @@ class ferm::install {
 
   # this is a private class
   assert_private("You're not supposed to do that!")
-  package{'ferm':
-    ensure => 'latest',
+  case $ferm::install_method {
+    'package': {
+      package{'ferm':
+        ensure => 'latest',
+      }
+    }
+    'vcsrepo': {
+      $_source_path = '/opt/ferm'
+      ensure_packages (['git', 'iptables', 'perl', 'make'], { ensure => present })
+
+      package{'ferm':
+        ensure => absent,
+      }
+      -> vcsrepo { $_source_path :
+        ensure   => present,
+        provider => git,
+        source   => $ferm::vcsrepo,
+        revision => $ferm::vcstag,
+      }
+      -> exec { 'make install':
+        cwd     => $_source_path,
+        path    => '/usr/sbin:/usr/bin:/sbin:/bin',
+        creates => '/usr/sbin/ferm',
+      }
+      -> file { '/etc/ferm':
+        ensure => directory,
+        owner  => 0,
+        group  => 0,
+        mode   => '0700',
+      }
+    }
+    default: {
+      fail("unexpected install_method ${ferm::install_method}")
+    }
   }
 
   if $ferm::manage_initfile {
diff --git a/manifests/service.pp b/manifests/service.pp
index e9eb369..9fb1737 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -15,7 +15,7 @@ class ferm::service {
   }
 
   # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
-  if ($facts['os']['name'] in ['Ubuntu', 'Debian']) {
+  if ($facts['os']['name'] in ['Ubuntu', 'Debian']) and ($ferm::install_method == 'package') {
     file_line{'enable_ferm':
       path => '/etc/default/ferm',
       line => 'ENABLED="yes"',
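Review bot: `creates => '/usr/sbin/ferm'` on the `make install` exec means that a later change of `$ferm::vcstag` is checked out by the vcsrepo resource but never built or installed, so the host silently keeps running the old binary; replace it with `refreshonly => true,` and `subscribe => Vcsrepo[$_source_path],` so the build re-runs whenever the checkout changes. The checkout is a plain git fetch of a tag that upstream can move and that nothing here verifies, so the only pin on what gets built and run as root is the value of `$ferm::vcstag` (a commit hash is a stronger default than `v2.5.1`). The new `file { '/etc/ferm': ... }` will be a duplicate declaration of the `file{$ferm::configdirectory:` resource in config.pp if configdirectory resolves to /etc/ferm, which seems likely for the Debian default; managing `$ferm::configdirectory` here instead, or leaving it to config.pp, avoids that. Switching `install_method` back to `package` also leaves the source-built /usr/sbin/ferm and /opt/ferm in place with no cleanup, so whether the distro package wins depends on the package overwriting the binary.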
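Review bot: The comment above the changed condition still explains only the Ubuntu ENABLED= quirk and not why the new `and ($ferm::install_method == 'package')` clause excludes source builds; presumably /etc/default/ferm is shipped by the distro package and absent after a vcsrepo install, where file_line would otherwise create a stray file that nothing reads. A comment such as `# /etc/default/ferm comes from the distro package; a vcsrepo build is enabled through the systemd drop-in in ferm::config instead` records that, and makes it obvious that a vcsrepo install on a host without the systemd fact ends up with nothing enabling the service. The file_line resource continues past the end of the hunk.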