authorHugo Hörnquist <hugo@hornquist.se>2021-06-29 22:43:52 +0200
committerHugo Hörnquist <hugo@hornquist.se>2021-06-29 22:43:52 +0200
commit916b1f0f97288db063cc8cec23a54d4253940d0d (patch)
tree8c4fcfcc2841b982d4fb65d218642a30084b51f2
parentBlog working. (diff)
Firewall.
-rw-r--r--manifests/site.pp4
-rw-r--r--modules/profiles/files/firewall/rules.v415
-rw-r--r--modules/profiles/manifests/firewall.pp19
3 files changed, 38 insertions, 0 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 1613c64..4850d63 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,4 +1,7 @@
node 'hornquist.se' {
+
+ include ::profiles::firewall
+
ensure_packages([
'cowsay',
], { ensure => installed })
@@ -59,6 +62,7 @@ node 'hornquist.se' {
class { 'letsencrypt':
email => 'hugo.hornquist@gmail.com',
+ renew_cron_ensure => present,
}
letsencrypt::certonly { $certname:
diff --git a/modules/profiles/files/firewall/rules.v4 b/modules/profiles/files/firewall/rules.v4
new file mode 100644
index 0000000..bdc63cc
--- /dev/null
+++ b/modules/profiles/files/firewall/rules.v4
@@ -0,0 +1,15 @@
+# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021
+*filter
+:INPUT DROP [120:97784]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [526:114637]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+COMMIT
+# Completed on Thu Jun 3 20:27:52 2021
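Review bot: With the INPUT chain policy set to DROP, this rule set has no loopback accept, so new connections to 127.0.0.1 that are not on one of the listed ports are dropped; add `-A INPUT -i lo -j ACCEPT` as the first rule after the policy lines. The commit only ships rules.v4, so if the host has an IPv6 address ip6tables keeps whatever policy it had (ACCEPT by default) and the same services are reachable over v6 without these restrictions — a matching rules.v6 with the same INPUT DROP policy would close that gap. Opening udp 67:68 admits DHCP server traffic (67) as well as the client reply port (68); if this host only runs a DHCP client, `--dport 68` is enough. Exposing tcp/udp 53 to all sources is fine for an authoritative server but should be restricted if the resolver here answers recursive queries.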
diff --git a/modules/profiles/manifests/firewall.pp b/modules/profiles/manifests/firewall.pp
new file mode 100644
index 0000000..6c9d7e6
--- /dev/null
+++ b/modules/profiles/manifests/firewall.pp
@@ -0,0 +1,19 @@
+class profiles::firewall {
+ ensure_packages ([
+ 'iptables-persistent',
+ 'fail2ban',
+ ], { ensure => installed })
+
+ file { '/etc/iptables/rules.v4':
+ source => 'puppet:///modules/profiles/firewall/rules.v4',
+ } ~> exec { 'reload firewall':
+ command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
+ refreshonly => true,
+ }
+
+ service { 'fail2ban':
+ ensure => running,
+ enable => true,
+ }
+
+}
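Review bot: The `file { '/etc/iptables/rules.v4': ... }` resource has no relationship to the `iptables-persistent` package that creates `/etc/iptables`, and Puppet does not create parent directories, so on a fresh host the first run can fail before the rules are ever loaded; add `require => Package['iptables-persistent'],` to the file resource (the `~>` then carries the ordering on to the exec). The same applies to `service { 'fail2ban': ... }`, which can be evaluated before the package is installed; add `require => Package['fail2ban'],`. Because the exec reloads whatever file was written, a malformed rule set replaces the running rules before it is found to be broken; a `validate_cmd => '/usr/sbin/iptables-restore --test %',` on the file resource rejects such a file without touching the live rules. The space in `ensure_packages ([` is unusual for the module's style; `ensure_packages([` matches site.pp.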