mirror of https://github.com/zulip/zulip.git
57 lines
1.8 KiB
Puppet
57 lines
1.8 KiB
Puppet
class kandra::firewall {
|
|
package { 'iptables-persistent': }
|
|
concat { '/etc/iptables/rules.v4':
|
|
ensure => present,
|
|
mode => '0600',
|
|
require => Package['iptables-persistent'],
|
|
}
|
|
concat::fragment { 'iptables-header.v4':
|
|
target => '/etc/iptables/rules.v4',
|
|
source => 'puppet:///modules/kandra/iptables/header.v4',
|
|
order => '01',
|
|
}
|
|
concat::fragment { 'iptables-trailer.v4':
|
|
target => '/etc/iptables/rules.v4',
|
|
source => 'puppet:///modules/kandra/iptables/trailer.v4',
|
|
order => '99',
|
|
}
|
|
|
|
concat { '/etc/iptables/rules.v6':
|
|
ensure => present,
|
|
mode => '0600',
|
|
require => Package['iptables-persistent'],
|
|
}
|
|
concat::fragment { 'iptables-header.v6':
|
|
target => '/etc/iptables/rules.v6',
|
|
source => 'puppet:///modules/kandra/iptables/header.v6',
|
|
order => '01',
|
|
}
|
|
concat::fragment { 'iptables-trailer.v6':
|
|
target => '/etc/iptables/rules.v6',
|
|
source => 'puppet:///modules/kandra/iptables/trailer.v6',
|
|
order => '99',
|
|
}
|
|
|
|
service { 'netfilter-persistent':
|
|
ensure => running,
|
|
|
|
# Because there is no running process for this service, the normal status
|
|
# checks fail. Because Puppet then thinks the service has been manually
|
|
# stopped, it won't restart it. This fake status command will trick Puppet
|
|
# into thinking the service is *always* running (which in a way it is, as
|
|
# iptables is part of the kernel.)
|
|
hasstatus => true,
|
|
status => '/bin/true',
|
|
|
|
# Under Debian, the "restart" parameter does not reload the rules, so tell
|
|
# Puppet to fall back to stop/start, which does work.
|
|
hasrestart => false,
|
|
|
|
require => Package['iptables-persistent'],
|
|
subscribe => [
|
|
Concat['/etc/iptables/rules.v4'],
|
|
Concat['/etc/iptables/rules.v6'],
|
|
],
|
|
}
|
|
}
|