Move default parameter values back to main class, hiera keeps exceptions
When I asked around about how folks were using hiera for default
parameters, I was pointed to this discussion which is still unresolved:

puppetlabs/puppet-strings#250

I also think that moving all default values to hiera makes it more
complicated to figure out what's happening in most cases since it makes
users of the module always need to open up at least two files to figure
out what parameters and their default values are. It's way easier if the
default values are right there in the code. Only the overrides should be
in hiera.

The downside of this approach is that knowing what gets overridden is
rather hidden. People need to remember to check within data/ if there's any
relevant overrides for the platforms and releases that are relevant to
them.

In our case, the only param that's currently getting overridden is the
jail.conf template path for RedHat. Otherwise all the rest in hiera is
about values for creating default jails.

The other argument that I think makes me think that having values in the
class definition is better is that for defined types we can't use hiera
at all, so all default values must be in the code. So in that sense
pushing all default values for classes only creates an inconsistency
and it makes reading and comprehending the code harder. Things are just
easier if all code follows the same pattern/style.
lelutin committed Jan 8, 2022
1 parent 7295321 commit 8c6b052
Showing 2 changed files with 46 additions and 94 deletions.
48 changes: 0 additions & 48 deletions data/common.yaml
@@ -1,52 +1,4 @@
---
fail2ban::rm_fail2ban_local: true
fail2ban::rm_jail_local: true
fail2ban::purge_fail2ban_dot_d: true
fail2ban::purge_jail_dot_d: true
fail2ban::config_file_mode: '0644'
fail2ban::fail2ban_conf_template: 'fail2ban/fail2ban.conf.epp'
fail2ban::loglvl: 'INFO'
fail2ban::logtarget: '/var/log/fail2ban.log'
fail2ban::syslogsocket: 'auto'
fail2ban::socket: '/var/run/fail2ban/fail2ban.sock'
fail2ban::pidfile: '/var/run/fail2ban/fail2ban.pid'
fail2ban::dbfile: '/var/lib/fail2ban/fail2ban.sqlite3'
fail2ban::dbpurgeage: 86400
fail2ban::dbmaxmatches: 10
fail2ban::stacksize: 0
fail2ban::jail_conf_template: "fail2ban/debian/jail.conf.epp"
fail2ban::enabled: false
fail2ban::mode: 'normal'
fail2ban::filter: '%(__name__)s[mode=%(mode)s]'
fail2ban::ignoreself: true
fail2ban::ignoreip: ['127.0.0.1']
fail2ban::bantime: 600
fail2ban::findtime: 600
fail2ban::maxretry: 3
fail2ban::maxmatches: '%(maxretry)s'
fail2ban::ignorecommand: ''
fail2ban::ignorecache: ~
fail2ban::backend: 'auto'
fail2ban::destemail: 'root@localhost'
fail2ban::sender: 'root@localhost'
fail2ban::fail2ban_agent: 'Fail2Ban/%(fail2ban_version)s'
fail2ban::banaction: 'iptables-multiport'
fail2ban::banaction_allports: 'iptables-allports'
fail2ban::chain: 'INPUT'
fail2ban::port: '0:65535'
fail2ban::mta: 'sendmail'
fail2ban::protocol: 'tcp'
fail2ban::action:
- '%(action_)s'
fail2ban::usedns: 'warn'
fail2ban::logpath: []
fail2ban::logencoding: 'auto'
fail2ban::logtimezone: ~
fail2ban::prefregex: ~
fail2ban::failregex: ~
fail2ban::ignoreregex: ~
fail2ban::manage_service: true

## Default jails that can be used with fail2ban::jail. See the README for an
# example of how to use those structures.
#
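Review bot: the `fail2ban::jail_conf_template: "fail2ban/debian/jail.conf.epp"` entry removed here was the one platform-dependent value in common.yaml, and the commit message says the RedHat override stays in hiera; that os-level data file is not among the two files in this diff, so confirm it still sets `fail2ban::jail_conf_template`, otherwise RedHat nodes fall through to the class default, which is the Debian template. The remaining `---` header and the jail-definition comment keep the file valid YAML after the removal.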
92 changes: 46 additions & 46 deletions manifests/init.pp
@@ -155,56 +155,56 @@
#
class fail2ban (
# Options that change how the module behaves
Boolean $rm_fail2ban_local,
Boolean $rm_jail_local,
Boolean $purge_fail2ban_dot_d,
Boolean $purge_jail_dot_d,
Stdlib::Filemode $config_file_mode,
Boolean $manage_service,
Boolean $rm_fail2ban_local = true,
Boolean $rm_jail_local = true,
Boolean $purge_fail2ban_dot_d = true,
Boolean $purge_jail_dot_d = true,
Stdlib::Filemode $config_file_mode = '0644',
Boolean $manage_service = true,
# Options for fail2ban.conf
String[1] $fail2ban_conf_template,
Fail2ban::Loglevel $loglvl,
Fail2ban::Logtarget $logtarget,
Fail2ban::Syslogsocket $syslogsocket,
Stdlib::Absolutepath $socket,
Stdlib::Absolutepath $pidfile,
Fail2ban::Dbfile $dbfile,
Integer $dbpurgeage,
Integer $dbmaxmatches,
Variant[Integer[0,0], Integer[32]] $stacksize,
String[1] $fail2ban_conf_template = 'fail2ban/fail2ban.conf.epp',
Fail2ban::Loglevel $loglvl = 'INFO',
Fail2ban::Logtarget $logtarget = '/var/log/fail2ban.log',
Fail2ban::Syslogsocket $syslogsocket = 'auto',
Stdlib::Absolutepath $socket = '/var/run/fail2ban/fail2ban.sock',
Stdlib::Absolutepath $pidfile = '/var/run/fail2ban/fail2ban.pid',
Fail2ban::Dbfile $dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
Integer $dbpurgeage = 86400,
Integer $dbmaxmatches = 10,
Variant[Integer[0,0], Integer[32]] $stacksize = 0,
# Options for jail.conf
String[1] $jail_conf_template,
Boolean $enabled,
String $mode,
Fail2ban::Backend $backend,
Fail2ban::Usedns $usedns,
String $filter,
Array[String] $logpath,
String $logencoding,
Optional[String] $logtimezone,
Optional[String] $prefregex,
Optional[String] $failregex,
Optional[String] $ignoreregex,
Boolean $ignoreself,
Array[String, 0] $ignoreip,
String $ignorecommand,
Optional[String] $ignorecache,
Integer[1] $maxretry,
Variant[Integer[1], String] $maxmatches,
Integer[1] $findtime,
Variant[String, Array[String, 1]] $action,
Integer[0] $bantime,
String $banaction,
String $banaction_allports,
String $chain,
Fail2ban::Port $port,
Fail2ban::Protocol $protocol,
String[1] $jail_conf_template = 'fail2ban/debian/jail.conf.epp',
Boolean $enabled = false,
String $mode = 'normal',
Fail2ban::Backend $backend = 'auto',
Fail2ban::Usedns $usedns = 'warn',
String $filter = '%(__name__)s[mode=%(mode)s]',
Array[String] $logpath = [],
String $logencoding = 'auto',
Optional[String] $logtimezone = undef,
Optional[String] $prefregex = undef,
Optional[String] $failregex = undef,
Optional[String] $ignoreregex = undef,
Boolean $ignoreself = true,
Array[String, 0] $ignoreip = ['127.0.0.1'],
String $ignorecommand = '',
Optional[String] $ignorecache = undef,
Integer[1] $maxretry = 3,
Variant[Integer[1], String] $maxmatches = '%(maxretry)s',
Integer[1] $findtime = 600,
Variant[String, Array[String, 1]] $action = ['%(action_)s'],
Integer[0] $bantime = 600,
String $banaction = 'iptables-multiport',
String $banaction_allports = 'iptables-allports',
String $chain = 'INPUT',
Fail2ban::Port $port = '0:65535',
Fail2ban::Protocol $protocol = 'tcp',
# options for email-based actions
String $mta,
String $destemail,
String $sender,
String $mta = 'sendmail',
String $destemail = 'root@localhost',
String $sender = 'root@localhost',
# option for http-based actions
String $fail2ban_agent,
String $fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
) {

if ! $facts['os']['family'] in ['Debian', 'RedHat'] {
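Review bot: `Array[String, 0] $ignoreip = ['127.0.0.1']` spells out a minimum size of 0, which is already what `Array[String]` means as used for `$logpath` a few lines above; dropping the `, 0` keeps the two types consistent. The defaults themselves match the values removed from data/common.yaml one for one (the YAML `~` entries become `undef`, the `action` list becomes `['%(action_)s']`), and since module-level hiera data takes precedence over class parameter defaults in automatic parameter lookup, any override left under data/ still wins over these values, which is what the commit message relies on.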