John F. Lewis has uploaded a new change for review. https://gerrit.wikimedia.org/r/188606
Change subject: base: move base::firewall to manifest ...................................................................... base: move base::firewall to manifest Change-Id: Ia96a60aea1d51fd264ae2042e5a9109037d900b2 --- A modules/base/manifests/firewall.pp M modules/base/manifests/init.pp 2 files changed, 34 insertions(+), 36 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/06/188606/1
diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp
new file mode 100644
index 0000000..561a061
--- /dev/null
+++ b/modules/base/manifests/firewall.pp
@@ -0,0 +1,34 @@
+# Don't include this sub class on all hosts yet
+# NOTE: Policy is DROP by default
+class base::firewall($ensure = 'present') {
+ include network::constants
+ include ferm
+
+ $defscontent = $::realm ? {
+ 'labs' => template('base/firewall/defs.erb', 'base/firewall/defs.labs.erb'),
+ default => template('base/firewall/defs.erb'),
+ }
+ ferm::conf { 'defs':
+ # defs can always be present.
+ # They don't actually do firewalling.
+ ensure => 'present',
+ prio => '00',
+ content => $defscontent,
+ }
+
+ ferm::conf { 'main':
+ ensure => $ensure,
+ prio => '00',
+ source => 'puppet:///modules/base/firewall/main-input-default-drop.conf',
+ }
+
+ ferm::rule { 'bastion-ssh':
+ ensure => $ensure,
+ rule => 'proto tcp dport ssh saddr $BASTION_HOSTS ACCEPT;',
+ }
+
+ ferm::rule { 'monitoring-all':
+ ensure => $ensure,
+ rule => 'saddr $MONITORING_HOSTS ACCEPT;',
+ }
+}
\ No newline at end of file
diff --git a/modules/base/manifests/init.pp b/modules/base/manifests/init.pp
index 1da77fc..f2c8ac4 100644
--- a/modules/base/manifests/init.pp
+++ b/modules/base/manifests/init.pp
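Review bot: In modules/base/manifests/firewall.pp the `monitoring-all` rule, `saddr $MONITORING_HOSTS ACCEPT;`, has no `proto` or `dport` match, so on a host whose policy is otherwise DROP every monitoring host can reach every listening service, unlike `bastion-ssh`, which is limited to tcp/ssh. If that breadth is intended, say so next to the rule, e.g. `# monitoring hosts are allowed on all protocols and ports`; otherwise narrow the rule to the checks that are actually run. The rule is carried over unchanged from init.pp, so this is a pre-existing exposure rather than one the move introduces. The new file also ends without a trailing newline (`\ No newline at end of file`).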
@@ -42,42 +42,6 @@ } } - -# Don't include this sub class on all hosts yet -# NOTE: Policy is DROP by default -class base::firewall($ensure = 'present') { - include network::constants - include ferm - - $defscontent = $::realm ? { - 'labs' => template('base/firewall/defs.erb', 'base/firewall/defs.labs.erb'), - default => template('base/firewall/defs.erb'), - } - ferm::conf { 'defs': - # defs can always be present. - # They don't actually do firewalling. - ensure => 'present', - prio => '00', - content => $defscontent, - } - - ferm::conf { 'main': - ensure => $ensure, - prio => '00', - source => 'puppet:///modules/base/firewall/main-input-default-drop.conf', - } - - ferm::rule { 'bastion-ssh': - ensure => $ensure, - rule => 'proto tcp dport ssh saddr $BASTION_HOSTS ACCEPT;', - } - - ferm::rule { 'monitoring-all': - ensure => $ensure, - rule => 'saddr $MONITORING_HOSTS ACCEPT;', - } -} - class base { include apt -- To view, visit https://gerrit.wikimedia.org/r/188606 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ia96a60aea1d51fd264ae2042e5a9109037d900b2 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: John F. Lewis <johnflewi...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits