From 4781c23a88bfec6798e705486fc21a8923a79096 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 14 Jun 2015 19:36:12 +0100
Subject: [PATCH] Rework fail2ban cookbook to use jail.d

---
 .../fail2ban/definitions/fail2ban_jail.rb | 22 ++++++++-------
 cookbooks/fail2ban/recipes/default.rb | 28 ++++++++++++++++---
 .../templates/default/jail.default.erb | 6 ++++
 cookbooks/fail2ban/templates/default/jail.erb | 23 ++++++---------
 .../fail2ban/templates/default/jail.local.erb | 5 ++++
 5 files changed, 55 insertions(+), 29 deletions(-)
 create mode 100644 cookbooks/fail2ban/templates/default/jail.default.erb
 create mode 100644 cookbooks/fail2ban/templates/default/jail.local.erb

diff --git a/cookbooks/fail2ban/definitions/fail2ban_jail.rb b/cookbooks/fail2ban/definitions/fail2ban_jail.rb
index b73889638..3c3330652 100644
--- a/cookbooks/fail2ban/definitions/fail2ban_jail.rb
+++ b/cookbooks/fail2ban/definitions/fail2ban_jail.rb
@@ -18,14 +18,16 @@
 #

 define :fail2ban_jail, :action => :create do
- config = resources(:template => "/etc/fail2ban/jail.local")
-
- config.variables[:jails] << Hash[
- :name => params[:name],
- :filter => params[:filter],
- :logpath => params[:logpath],
- :protocol => params[:protocol],
- :port => Array(params[:ports]).join(","),
- :maxretry => params[:maxretry]
- ]
+ template "/etc/fail2ban/jail.d/50-#{params[:name]}.conf" do
+ source "jail.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ variables params
+ if node[:lsb][:release].to_f >= 14.04
+ notifies :create, "template[/etc/fail2ban/jail.local]"
+ else
+ notifies :reload, "service[fail2ban]"
+ end
+ end
 end
diff --git a/cookbooks/fail2ban/recipes/default.rb b/cookbooks/fail2ban/recipes/default.rb
index b06ea2a45..27e373db5 100644
--- a/cookbooks/fail2ban/recipes/default.rb
+++ b/cookbooks/fail2ban/recipes/default.rb
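Review bot: The two `notifies` branches in the new `template "/etc/fail2ban/jail.d/50-#{params[:name]}.conf"` resource are inverted relative to the recipe hunk in recipes/default.rb: on releases >= 14.04 the recipe deletes jail.local with a `file` resource, so `template[/etc/fail2ban/jail.local]` does not exist and the notification cannot be resolved, while on older releases the aggregate jail.local is never rebuilt when a jail file changes, so a newly defined jail is written to jail.d but does not reach the running fail2ban until 00-default.conf happens to change. Swapping the two targets fixes both cases: `notifies :reload, "service[fail2ban]"` in the >= 14.04 branch and `notifies :create, "template[/etc/fail2ban/jail.local]"` in the `else` branch; the jail.local template already notifies the service reload itself. A one-line comment above the `if` would also help the next reader, e.g. `# before 14.04 the recipe assembles jail.local from jail.d, so that template must be rebuilt instead of reloading directly` (the reason is inferred from the recipe, so confirm it).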
@@ -19,18 +19,38 @@

 package "fail2ban"

-template "/etc/fail2ban/jail.local" do
- source "jail.erb"
+if node[:lsb][:release].to_f >= 14.04
+ file "/etc/fail2ban/jail.local" do
+ action :delete
+ end
+else
+ directory "/etc/fail2ban/jail.d" do
+ owner "root"
+ group "group"
+ mode 0755
+ end
+
+ template "/etc/fail2ban/jail.local" do
+ source "jail.local.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ subscribes :create, "template[/etc/fail2ban/jail.d/00-default.conf]"
+ notifies :reload, "service[fail2ban]"
+ end
+end
+
+template "/etc/fail2ban/jail.d/00-default.conf" do
+ source "jail.default.erb"
 owner "root"
 group "root"
 mode 0644
- variables :jails => []
+ notifies :reload, "service[fail2ban]"
 end

 service "fail2ban" do
 action [:enable, :start]
 supports :status => true, :reload => true, :restart => true
- subscribes :reload, "template[/etc/fail2ban/jail.local]"
 end

 munin_plugin "fail2ban"
diff --git a/cookbooks/fail2ban/templates/default/jail.default.erb b/cookbooks/fail2ban/templates/default/jail.default.erb
new file mode 100644
index 000000000..fc0f8bdc8
--- /dev/null
+++ b/cookbooks/fail2ban/templates/default/jail.default.erb
@@ -0,0 +1,6 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+[DEFAULT]
+destemail = admins@openstreetmap.org
+banaction = shorewall
+bantime = 14400
diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb
index 20010d1b2..08fb7ed16 100644
--- a/cookbooks/fail2ban/templates/default/jail.erb
+++ b/cookbooks/fail2ban/templates/default/jail.erb
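Review bot: `group "group"` on the new `directory "/etc/fail2ban/jail.d"` resource looks like a typo for `group "root"`, which every sibling resource in this hunk uses; unless a group literally named "group" exists on the node, the converge fails at that resource on pre-14.04 hosts, before the jail.local template is even reached. A smaller point: the `file "/etc/fail2ban/jail.local"` delete in the >= 14.04 branch carries no `notifies :reload, "service[fail2ban]"`, so the running daemon keeps whatever the old jail.local configured until something else triggers a reload; on the first run the new 00-default.conf template will almost certainly do that, but the delete should not depend on the coincidence.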
@@ -1,20 +1,13 @@
 # DO NOT EDIT - This file is being maintained by Chef

-[DEFAULT]
-destemail = admins@openstreetmap.org
-banaction = shorewall
-bantime = 14400
-<% @jails.each do |jail| -%>
-
-[<%= jail[:name] %>]
+[<%= @name %>]
 enabled = true
-<% if jail[:protocol] -%>
-protocol = <%= jail[:protocol] %>
-<% end -%>
-port = <%= jail[:port] %>
-filter = <%= jail[:filter] %>
-logpath = <%= jail[:logpath] %>
-<% if jail[:maxretry] -%>
-maxretry = <%= jail[:maxretry] %>
+<% if @protocol -%>
+protocol = <%= @protocol %>
 <% end -%>
+port = <%= @ports.join(",") %>
+filter = <%= @filter %>
+logpath = <%= @logpath %>
+<% if @maxretry -%>
+maxretry = <%= @maxretry %>
 <% end -%>
diff --git a/cookbooks/fail2ban/templates/default/jail.local.erb b/cookbooks/fail2ban/templates/default/jail.local.erb
new file mode 100644
index 000000000..701e8e183
--- /dev/null
+++ b/cookbooks/fail2ban/templates/default/jail.local.erb
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+<% Dir.glob("/etc/fail2ban/jail.d/*.conf").sort do |file| -%>
+
+<%= File.read(file) %>
+<% end -%>
-- 
2.43.2
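Review bot: `port = <%= @ports.join(",") %>` drops the `Array()` coercion the old definition applied (`Array(params[:ports]).join(",")`), because `variables params` now hands the raw parameter through; a jail declared with a single scalar `ports` value, or with none, raises NoMethodError while the template renders and its jail file is never written. `port = <%= Array(@ports).join(",") %>` restores the previous behaviour. Unlike protocol and maxretry, `filter` and `logpath` are not guarded with `<% if ... -%>`, so a missing value renders as an empty `filter =` or `logpath =` line rather than failing; if those are mandatory it may be better for the definition to reject a nil value than to let fail2ban see an empty setting.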
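Review bot: `Dir.glob("/etc/fail2ban/jail.d/*.conf").sort do |file| -%>` attaches the block to `sort`, which treats it as a comparator rather than an iterator: with zero or one jail file the block never runs and jail.local is written with only the header line, and with two or more files `sort` calls it with a pair of elements and expects an Integer back, so rendering raises. The intended line is `<% Dir.glob("/etc/fail2ban/jail.d/*.conf").sort.each do |file| -%>`. Since this template is what delivers the jail.d contents to fail2ban on the pre-14.04 hosts (per the recipe's `else` branch), the single-file case is the dangerous one: the converge reports success while no jail is actually enforced.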