puppet: Factor out firewall config.

2021-05-25 01:39:36 +00:00 · 2021-05-25 01:39:36 +00:00 · 4f79b53825
parent 87a109e3e0
commit 4f79b53825
2 changed files with 28 additions and 27 deletions
--- a/puppet/zulip_ops/manifests/firewall.pp
+++ b/puppet/zulip_ops/manifests/firewall.pp
@ -0,0 +1,27 @@
+class zulip_ops::firewall {
+  package { 'iptables-persistent': }
+  file { '/etc/iptables/rules.v4':
+    ensure  => file,
+    mode    => '0600',
+    content => template('zulip_ops/iptables/rules.v4.erb'),
+    require => Package['iptables-persistent'],
+  }
+  service { 'netfilter-persistent':
+    ensure     => running,
+
+    # Because there is no running process for this service, the normal status
+    # checks fail.  Because Puppet then thinks the service has been manually
+    # stopped, it won't restart it.  This fake status command will trick Puppet
+    # into thinking the service is *always* running (which in a way it is, as
+    # iptables is part of the kernel.)
+    hasstatus  => true,
+    status     => '/bin/true',
+
+    # Under Debian, the "restart" parameter does not reload the rules, so tell
+    # Puppet to fall back to stop/start, which does work.
+    hasrestart => false,
+
+    require    => Package['iptables-persistent'],
+    subscribe  => File['/etc/iptables/rules.v4'],
+  }
+}
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@ -2,6 +2,7 @@ class zulip_ops::profile::base {
  include zulip::profile::base
  include zulip_ops::munin_node
  include zulip_ops::ksplice_uptrack
+  include zulip_ops::firewall

  $org_base_packages = [
    # Standard kernel, not AWS', so ksplice works
@ -13,8 +14,6 @@ class zulip_ops::profile::base {
    'aptitude',
    # SSL certificates
    'certbot',
-    # Security
-    'iptables-persistent',
    # For managing our current Debian packages
    'debian-goodies',
    # Needed for zulip-ec2-configure-network-interfaces
@ -187,29 +186,4 @@ class zulip_ops::profile::base {
    force   => true,
    recurse => true,
  }
-
-  file { '/etc/iptables/rules.v4':
-    ensure  => file,
-    mode    => '0600',
-    content => template('zulip_ops/iptables/rules.v4.erb'),
-    require => Package['iptables-persistent'],
-  }
-  service { 'netfilter-persistent':
-    ensure     => running,
-
-    # Because there is no running process for this service, the normal status
-    # checks fail.  Because Puppet then thinks the service has been manually
-    # stopped, it won't restart it.  This fake status command will trick Puppet
-    # into thinking the service is *always* running (which in a way it is, as
-    # iptables is part of the kernel.)
-    hasstatus  => true,
-    status     => '/bin/true',
-
-    # Under Debian, the "restart" parameter does not reload the rules, so tell
-    # Puppet to fall back to stop/start, which does work.
-    hasrestart => false,
-
-    require    => Package['iptables-persistent'],
-    subscribe  => File['/etc/iptables/rules.v4'],
-  }
 }