Support overriding ssh port in default config

- Include param tags - fail2ban::port function to simplify syntax - Add Debian 12 template
voxpupuli · Sep 26, 2024 · cb07ac7 · cb07ac7
1 parent 7a33d2e
commit cb07ac7
Show file tree

Hide file tree

Showing 23 changed files with 2,747 additions and 1,971 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -72,6 +72,7 @@ The following parameters are available in the `fail2ban` class:
 * [`sender`](#-fail2ban--sender)
 * [`iptables_chain`](#-fail2ban--iptables_chain)
 * [`jails`](#-fail2ban--jails)
+* [`jails_config`](#-fail2ban--jails_config)
 * [`maxretry`](#-fail2ban--maxretry)
 * [`whitelist`](#-fail2ban--whitelist)
 * [`custom_jails`](#-fail2ban--custom_jails)
@@ -507,6 +508,7 @@ The following parameters are available in the `fail2ban::jail` defined type:
 * [`enabled`](#-fail2ban--jail--enabled)
 * [`action`](#-fail2ban--jail--action)
 * [`filter`](#-fail2ban--jail--filter)
+* [`logpath`](#-fail2ban--jail--logpath)
 * [`maxretry`](#-fail2ban--jail--maxretry)
 * [`findtime`](#-fail2ban--jail--findtime)
 * [`bantime`](#-fail2ban--jail--bantime)

diff --git a/functions/port.pp b/functions/port.pp
@@ -0,0 +1,19 @@
+# See https://puppet.com/docs/puppet/latest/lang_write_functions_in_puppet.html
+# for more information on native puppet functions.
+#
+# Looks up fail2ban::jails_config.{namespace} for port configuration
+#
+# @param config_key
+# @param default_port
+# @return actual config
+function fail2ban::port(String $config_key, Fail2ban::Port $default_port) >> String {
+  $needle = "fail2ban::jails_config.${config_key}.port"
+  $result = lookup($needle, undef, undef, $default_port)
+
+  case $result {
+    String : { $result }
+    Integer : { String($result) }
+    Array,Tuple : { join($result, ',') }
+    default : { raise(Puppet::ParseError, "Unsupported type in lookup result: ${result}.class") }
+  }
+}
diff --git a/manifests/define.pp b/manifests/define.pp
@@ -1,5 +1,16 @@
 # == Define: fail2ban::define
 #
+# @param config_file_path
+# @param config_file_owner
+# @param config_file_group
+# @param config_file_mode
+# @param config_file_source
+# @param config_file_string
+# @param config_file_template
+# @param config_file_notify
+# @param config_file_require
+# @param config_file_options_hash
+#
 define fail2ban::define (
   Stdlib::Absolutepath $config_file_path = "${fail2ban::config_dir_path}/${title}",
   String $config_file_owner = $fail2ban::config_file_owner,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -37,6 +37,45 @@
 # @param custom_jails Determines which custom jails should be included
 # @param banaction Determines which action to perform when performing a global ban (not overridden in a specific jail).
 #
+# @param config_file_before
+# @param package_name
+# @param package_list
+# @param package_ensure
+# @param config_dir_path
+# @param config_dir_filter_path
+# @param config_dir_purge
+# @param config_dir_recurse
+# @param config_dir_source
+# @param config_file_path
+# @param config_file_owner
+# @param config_file_group
+# @param config_file_mode
+# @param config_file_source
+# @param config_file_string
+# @param config_file_template
+# @param config_file_notify
+# @param config_file_require
+# @param config_file_hash
+# @param config_file_options_hash
+# @param manage_defaults
+# @param manage_firewalld
+# @param service_ensure
+# @param service_name
+# @param service_enable
+# @param action
+# @param bantime
+# @param email
+# @param sender
+# @param iptables_chain
+# @param jails
+# @param jails_config
+# @param maxretry
+# @param default_backend
+# @param whitelist
+# @param custom_jails
+# @param banaction
+# @param sendmail_config
+# @param sendmail_actions
 class fail2ban (
   String[1] $config_file_before,
 
@@ -77,6 +116,7 @@
   String[1] $sender = "fail2ban@${facts['networking']['fqdn']}",
   String[1] $iptables_chain = 'INPUT',
   Array[String[1]] $jails = ['ssh', 'ssh-ddos'],
+  Hash $jails_config = {},
   Integer[0] $maxretry = 3,
   Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto'] $default_backend = 'auto',
   Array $whitelist = ['127.0.0.1/8', '192.168.56.0/24'],

diff --git a/manifests/jail.pp b/manifests/jail.pp
@@ -2,6 +2,30 @@
 #
 # @param logpath Filename(s) of the log files to be monitored
 #
+# @param filter_includes
+# @param filter_failregex
+# @param filter_ignoreregex
+# @param filter_maxlines
+# @param filter_datepattern
+# @param filter_additional_config
+# @param enabled
+# @param action
+# @param filter
+# @param logpath
+# @param maxretry
+# @param findtime
+# @param bantime
+# @param port
+# @param backend
+# @param journalmatch
+# @param ignoreip
+# @param config_dir_filter_path
+# @param config_file_owner
+# @param config_file_group
+# @param config_file_mode
+# @param config_file_source
+# @param config_file_notify
+# @param config_file_require
 define fail2ban::jail (
   Optional[String] $filter_includes = undef,
   Optional[String] $filter_failregex = undef,