From 4f79b53825772e173d8aea4cf07c0d403d0ea0bc Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 25 May 2021 01:39:36 +0000
Subject: [PATCH] puppet: Factor out firewall config.
---
 puppet/zulip_ops/manifests/firewall.pp | 27 +++++++++++++++++++++
 puppet/zulip_ops/manifests/profile/base.pp | 28 +---------------------
 2 files changed, 28 insertions(+), 27 deletions(-)
 create mode 100644 puppet/zulip_ops/manifests/firewall.pp
diff --git a/puppet/zulip_ops/manifests/firewall.pp b/puppet/zulip_ops/manifests/firewall.pp
new file mode 100644
index 0000000000..79e78ce592
--- /dev/null
+++ b/puppet/zulip_ops/manifests/firewall.pp
@@ -0,0 +1,27 @@
+class zulip_ops::firewall {
+  package { 'iptables-persistent': }
+  file { '/etc/iptables/rules.v4':
+    ensure => file,
+    mode => '0600',
+    content => template('zulip_ops/iptables/rules.v4.erb'),
+    require => Package['iptables-persistent'],
+  }
+  service { 'netfilter-persistent':
+    ensure => running,
+
+    # Because there is no running process for this service, the normal status
+    # checks fail. Because Puppet then thinks the service has been manually
+    # stopped, it won't restart it. This fake status command will trick Puppet
+    # into thinking the service is *always* running (which in a way it is, as
+    # iptables is part of the kernel.)
+    hasstatus => true,
+    status => '/bin/true',
+
+    # Under Debian, the "restart" parameter does not reload the rules, so tell
+    # Puppet to fall back to stop/start, which does work.
+    hasrestart => false,
+
+    require => Package['iptables-persistent'],
+    subscribe => File['/etc/iptables/rules.v4'],
+  }
+}
diff --git a/puppet/zulip_ops/manifests/profile/base.pp b/puppet/zulip_ops/manifests/profile/base.pp
index bf6859164c..28660b2099 100644
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
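Review bot: The `status => '/bin/true'` on the netfilter-persistent service, combined with `hasstatus => true`, makes Puppet report the firewall as running even when no rules are loaded, so a live ruleset that was flushed by hand or never applied at boot is not corrected until rules.v4 itself changes and the `subscribe` fires. The existing comment explains why a real status check fails but not this consequence; I would extend it with `# NOTE: drift in the live ruleset (manual flush, failed boot-time load) is not detected; rules are only re-applied when rules.v4 changes.` so that operators know Puppet is not enforcing the loaded state. If enforcement is wanted, a status command that compares the loaded ruleset with the file would close that gap, but that is a follow-up rather than part of this move. The new class also has no header comment; a line such as `# Installs iptables-persistent and manages /etc/iptables/rules.v4 from the rules.v4.erb template, reloading it through netfilter-persistent.` above `class zulip_ops::firewall {` would match the rest of the module.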
@@ -2,6 +2,7 @@ class zulip_ops::profile::base {
   include zulip::profile::base
   include zulip_ops::munin_node
   include zulip_ops::ksplice_uptrack
+  include zulip_ops::firewall
 
   $org_base_packages = [
     # Standard kernel, not AWS', so ksplice works
@@ -13,8 +14,6 @@ class zulip_ops::profile::base {
     'aptitude',
     # SSL certificates
     'certbot',
-    # Security
-    'iptables-persistent',
     # For managing our current Debian packages
     'debian-goodies',
     # Needed for zulip-ec2-configure-network-interfaces
@@ -187,29 +186,4 @@ class zulip_ops::profile::base {
     force => true,
     recurse => true,
   }
-
-  file { '/etc/iptables/rules.v4':
-    ensure => file,
-    mode => '0600',
-    content => template('zulip_ops/iptables/rules.v4.erb'),
-    require => Package['iptables-persistent'],
-  }
-  service { 'netfilter-persistent':
-    ensure => running,
-
-    # Because there is no running process for this service, the normal status
-    # checks fail. Because Puppet then thinks the service has been manually
-    # stopped, it won't restart it. This fake status command will trick Puppet
-    # into thinking the service is *always* running (which in a way it is, as
-    # iptables is part of the kernel.)
-    hasstatus => true,
-    status => '/bin/true',
-
-    # Under Debian, the "restart" parameter does not reload the rules, so tell
-    # Puppet to fall back to stop/start, which does work.
-    hasrestart => false,
-
-    require => Package['iptables-persistent'],
-    subscribe => File['/etc/iptables/rules.v4'],
-  }
 }