Diffstat (limited to '')
-rw-r--r-- | manifests/site.pp | 4 | ||||
-rw-r--r-- | modules/profiles/files/firewall/rules.v4 | 15 | ||||
-rw-r--r-- | modules/profiles/manifests/firewall.pp | 19 |
3 files changed, 38 insertions, 0 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 1613c64..4850d63 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,4 +1,7 @@
 node 'hornquist.se' {
+
+ include ::profiles::firewall
+
 ensure_packages([
 'cowsay',
 ], { ensure => installed })
@@ -59,6 +62,7 @@ node 'hornquist.se' {
 class { 'letsencrypt':
 email => 'hugo.hornquist@gmail.com',
+ renew_cron_ensure => present,
 }
 letsencrypt::certonly { $certname:
diff --git a/modules/profiles/files/firewall/rules.v4 b/modules/profiles/files/firewall/rules.v4
new file mode 100644
index 0000000..bdc63cc
--- /dev/null
+++ b/modules/profiles/files/firewall/rules.v4
@@ -0,0 +1,15 @@
+# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021
+*filter
+:INPUT DROP [120:97784]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [526:114637]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+COMMIT
+# Completed on Thu Jun 3 20:27:52 2021
diff --git a/modules/profiles/manifests/firewall.pp b/modules/profiles/manifests/firewall.pp
new file mode 100644
index 0000000..6c9d7e6
--- /dev/null
+++ b/modules/profiles/manifests/firewall.pp
@@ -0,0 +1,19 @@
+class profiles::firewall {
+ ensure_packages ([
+ 'iptables-persistent',
+ 'fail2ban',
+ ], { ensure => installed })
+
+ file { '/etc/iptables/rules.v4':
+ source => 'puppet:///modules/profiles/firewall/rules.v4',
+ } ~> exec { 'reload firewall':
+ command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
+ refreshonly => true,
+ }
+
+ service { 'fail2ban':
+ ensure => running,
+ enable => true,
+ }
+
+} |
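Review bot: The INPUT chain's default policy is DROP but no rule accepts loopback traffic, so new connections from the host to its own 127.0.0.1 services are dropped (the RELATED,ESTABLISHED rule only admits replies to connections that were already allowed); add `-A INPUT -i lo -j ACCEPT` as the first INPUT rule. The DHCP-client rule on udp 67:68 and the unrestricted ICMP accept are broader than a server usually needs, and since the file's only comments are the iptables-save timestamps, a one-line `#` comment above each open port saying which service needs it would make later review of this ruleset much easier. Only an IPv4 file is added here; if the host also has IPv6 addresses, ip6tables presumably keeps its default ACCEPT policy, so a matching rules.v6 with the same INPUT DROP baseline is worth adding in the same commit.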
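Review bot: Neither the `file` resource nor the `exec` in profiles::firewall declares a dependency on Package['iptables-persistent'], and `service { 'fail2ban': }` has none on Package['fail2ban']; ensure_packages() creates no ordering on its own, so on a fresh host the catalog may write /etc/iptables/rules.v4 or run the 15-ip4tables plugin before the package that provides the directory and the plugin is installed. Depending on the plugin version, its `restart` action flushes the tables before loading the file, so a malformed rules.v4 could leave the host with an empty ruleset until the next successful run; a `validate_cmd` on the file resource rejects a bad file before the notify fires (the iptables-restore path varies by distro, adjust as needed). The rewritten resources below add the three `require`s and the validation.
```puppet
# … unchanged: ensure_packages([...]) …

  file { '/etc/iptables/rules.v4':
    source       => 'puppet:///modules/profiles/firewall/rules.v4',
    validate_cmd => '/usr/sbin/iptables-restore --test %',
    require      => Package['iptables-persistent'],
  } ~> exec { 'reload firewall':
    command     => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
    refreshonly => true,
    require     => Package['iptables-persistent'],
  }

  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
```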