Puppet Class: ipset

Defined in:
manifests/init.pp

Summary

Module to install the ipset tooling and to manage individual ipsets.

Overview

Parameters:

  • packages (Array[String[1]])

    The name of the package we want to install

  • service (String[1])

    The name of the service that we’re going to manage

  • service_ensure (Boolean)

    Desired state of the service. If true, the service will be running. If false, the service will be stopped

  • enable (Boolean)

    Boolean to decide if we want to have the service in autostart or not

  • firewall_service (Optional[Pattern[/\.service$/]]) (defaults to: undef)

    An optional service name. If provided, the ipsets will be configured before this service, so your firewall will depend on the chains. The name should end with '.service'. This is only supported on systemd-based operating systems.

  • package_ensure (Enum['present', 'absent', 'latest'])
  • config_path (Stdlib::Absolutepath)


# File 'manifests/init.pp', line 18

class ipset (
  Array[String[1]] $packages,
  String[1] $service,
  Boolean $service_ensure,
  Boolean $enable,
  Enum['present', 'absent', 'latest'] $package_ensure,
  Stdlib::Absolutepath $config_path,
  Optional[Pattern[/\.service$/]] $firewall_service = undef,
){
  package{$ipset::packages:
    ensure => $package_ensure,
  }

  # create the config directory
  file{$config_path:
    ensure => 'directory',
  }

  # setup the helper scripts
  file{'/usr/local/bin/ipset_sync':
    ensure => 'file',
    owner  => 'root',
    group  => 'root',
    mode   => '0754',
    source => "puppet:///modules/${module_name}/ipset_sync",
  }
  file{'/usr/local/bin/ipset_init':
    ensure => 'file',
    owner  => 'root',
    group  => 'root',
    mode   => '0754',
    source => "puppet:///modules/${module_name}/ipset_init",
  }

  # configure custom unit file
  case $facts['service_provider'] {
    'systemd': {
      systemd::unit_file{"${service}.service":
        enable    => $enable,
        active    => $service_ensure,
        content   => epp("${module_name}/ipset.service.epp",{
          'firewall_service' => $firewall_service,
          'config_path'      => $config_path,
          }),
        subscribe => [File['/usr/local/bin/ipset_init'], File['/usr/local/bin/ipset_sync']],
      }
    }
    'redhat': {
      file{'/etc/init.d/ipset':
        ensure  => 'file',
        mode    => '0755',
        content => epp("${module_name}/init.redhat.epp", {
          'config_path' => $config_path
          }
        ),
        require => Package[$ipset::packages],
      }
      -> service{'ipset':
        ensure => 'running',
        enable => true,
      }
    }
    default: {
      fail('The ipset module only supports systemd and RedHat 6 based distributions')
    }
  }
}
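
The following declaration is an added usage example, not part of the module's own code or documentation. It shows the class declared so that the ipset unit is ordered before a firewall unit. The package name, service name, config path and `firewalld.service` are assumed values; the class signature above gives these parameters no defaults, so they must be supplied, for example through Hiera.

```puppet
# Added example; values marked "assumed" are illustrative, not taken from the module.
class { 'ipset':
  packages         => ['ipset'],                # assumed package name
  package_ensure   => 'present',
  service          => 'ipset',                  # assumed; the unit file becomes "ipset.service"
  service_ensure   => true,
  enable           => true,
  config_path      => '/etc/sysconfig/ipset.d', # assumed; must be an absolute path
  # Must match /\.service$/, otherwise catalog compilation fails with a
  # type mismatch. Only the systemd branch passes this value to its unit template.
  firewall_service => 'firewalld.service',      # assumed firewall unit
}

# Rejected at compile time by Optional[Pattern[/\.service$/]]:
#   firewall_service => 'firewalld'
#
# On the 'redhat' service provider the class hard-codes
# ensure => 'running' and enable => true for Service['ipset'],
# so service_ensure and enable above have no effect there,
# and firewall_service is not used at all.
```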