Rework fail2ban cookbook to use jail.d
authorTom Hughes <tom@compton.nu>
Sun, 14 Jun 2015 18:36:12 +0000 (19:36 +0100)
committerTom Hughes <tom@compton.nu>
Sun, 14 Jun 2015 18:37:52 +0000 (19:37 +0100)
cookbooks/fail2ban/definitions/fail2ban_jail.rb
cookbooks/fail2ban/recipes/default.rb
cookbooks/fail2ban/templates/default/jail.default.erb [new file with mode: 0644]
cookbooks/fail2ban/templates/default/jail.erb
cookbooks/fail2ban/templates/default/jail.local.erb [new file with mode: 0644]

index b73889638bbb1075a249c3379d832ee0de7f19c2..3c33306522fa7b8b366c30510413c3535ed71eba 100644 (file)
 #
 
 define :fail2ban_jail, :action => :create do
-  config = resources(:template => "/etc/fail2ban/jail.local")
-
-  config.variables[:jails] << Hash[
-    :name => params[:name],
-    :filter => params[:filter],
-    :logpath => params[:logpath],
-    :protocol => params[:protocol],
-    :port => Array(params[:ports]).join(","),
-    :maxretry => params[:maxretry]
-  ]
+  template "/etc/fail2ban/jail.d/50-#{params[:name]}.conf" do
+    source "jail.erb"
+    owner "root"
+    group "root"
+    mode 0644
+    variables params
+    if node[:lsb][:release].to_f >= 14.04
+      notifies :create, "template[/etc/fail2ban/jail.local]"
+    else
+      notifies :reload, "service[fail2ban]"
+    end
+  end
 end
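Review bot: The two notification branches appear inverted relative to the recipe in this same commit: on releases >= 14.04 the recipe deletes /etc/fail2ban/jail.local with a `file` resource, so `notifies :create, "template[/etc/fail2ban/jail.local]"` names a resource that does not exist on those nodes and Chef will fail to resolve the notification at converge. On older releases, where jail.local is assembled from jail.d, the jail template only reloads the service and never regenerates jail.local, so a newly declared jail is not picked up until a later run. Swapping the two lines fixes both: `notifies :reload, "service[fail2ban]"` in the >= 14.04 branch and `notifies :create, "template[/etc/fail2ban/jail.local]"` in the else branch. The `if node[:lsb][:release]...` condition duplicated here and in the recipe is also worth hoisting into one place so the two cannot drift apart again.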
index b06ea2a452d2ba2f213a92e632c0d6bbe5370474..27e373db56f39d5a10c22130f8c67452acc72b25 100644 (file)
 
 package "fail2ban"
 
-template "/etc/fail2ban/jail.local" do
-  source "jail.erb"
+if node[:lsb][:release].to_f >= 14.04
+  file "/etc/fail2ban/jail.local" do
+    action :delete
+  end
+else
+  directory "/etc/fail2ban/jail.d" do
+    owner "root"
+    group "group"
+    mode 0755
+  end
+
+  template "/etc/fail2ban/jail.local" do
+    source "jail.local.erb"
+    owner "root"
+    group "root"
+    mode 0644
+    subscribes :create, "template[/etc/fail2ban/jail.d/00-default.conf]"
+    notifies :reload, "service[fail2ban]"
+  end
+end
+
+template "/etc/fail2ban/jail.d/00-default.conf" do
+  source "jail.default.erb"
   owner "root"
   group "root"
   mode 0644
-  variables :jails => []
+  notifies :reload, "service[fail2ban]"
 end
 
 service "fail2ban" do
   action [:enable, :start]
   supports :status => true, :reload => true, :restart => true
-  subscribes :reload, "template[/etc/fail2ban/jail.local]"
 end
 
 munin_plugin "fail2ban"
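Review bot: `group "group"` on the /etc/fail2ban/jail.d directory resource is a typo for `group "root"`; unless a group literally named `group` exists, the resource raises at converge on every pre-14.04 node, which is the branch that needs this directory before jail.local can be assembled from it. The jail.local template in that branch also only `subscribes` to 00-default.conf, so on a first run it renders before any 50-*.conf produced by fail2ban_jail exists; correct behaviour there depends on the definition notifying `template[/etc/fail2ban/jail.local]`, which should be checked alongside this hunk.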
diff --git a/cookbooks/fail2ban/templates/default/jail.default.erb b/cookbooks/fail2ban/templates/default/jail.default.erb
new file mode 100644 (file)
index 0000000..fc0f8bd
--- /dev/null
@@ -0,0 +1,6 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+[DEFAULT]
+destemail = admins@openstreetmap.org
+banaction = shorewall
+bantime = 14400
index 20010d1b217854e12304a2983fa729811f45edb1..08fb7ed16d618d7aae3e9139ce8664d61a0844eb 100644 (file)
@@ -1,20 +1,13 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
-[DEFAULT]
-destemail = admins@openstreetmap.org
-banaction = shorewall
-bantime = 14400
-<% @jails.each do |jail| -%>
-
-[<%= jail[:name] %>]
+[<%= @name %>]
 enabled = true
-<% if jail[:protocol] -%>
-protocol = <%= jail[:protocol] %>
-<% end -%>
-port = <%= jail[:port] %>
-filter = <%= jail[:filter] %>
-logpath = <%= jail[:logpath] %>
-<% if jail[:maxretry] -%>
-maxretry = <%= jail[:maxretry] %>
+<% if @protocol -%>
+protocol = <%= @protocol %>
 <% end -%>
+port = <%= @ports.join(",") %>
+filter = <%= @filter %>
+logpath = <%= @logpath %>
+<% if @maxretry -%>
+maxretry = <%= @maxretry %>
 <% end -%>
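Review bot: `port = <%= @ports.join(",") %>` drops the `Array()` coercion the previous definition applied to `params[:ports]`, so a jail declared with a single port (or with none) now reaches the template as an Integer or nil and the render fails with NoMethodError on `join`. `port = <%= Array(@ports).join(",") %>` restores the old tolerance without changing the output for callers that already pass an array. Since the definition now passes the raw `params` hash, the template is the only place left to normalise this.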
diff --git a/cookbooks/fail2ban/templates/default/jail.local.erb b/cookbooks/fail2ban/templates/default/jail.local.erb
new file mode 100644 (file)
index 0000000..701e8e1
--- /dev/null
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+<% Dir.glob("/etc/fail2ban/jail.d/*.conf").sort do |file| -%>
+
+<%= File.read(file) %>
+<% end -%>
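Review bot: `Dir.glob("/etc/fail2ban/jail.d/*.conf").sort do |file| -%>` hands the block to `sort`, not to an iterator: `sort` calls it with two elements and expects an Integer comparator result, so as soon as jail.d holds more than one file the render raises `ArgumentError: comparison of String with 0 failed`, and with zero or one file the block is never invoked and jail.local is written empty. It should read `<% Dir.glob("/etc/fail2ban/jail.d/*.conf").sort.each do |file| -%>`. Since fail2ban on these hosts then loads nothing but the comment header, the effect is a silently disabled set of jails rather than a visible failure, so this is worth fixing before the change is rolled out.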