Skip to content

Commit

Permalink
feat: promote ng
Browse files Browse the repository at this point in the history
* Semi-automated using myii/ssf-formula#119
* Close #34
* Close #35

BREAKING CHANGE: all previous `fail2ban` based configurations must be
reviewed; `fail2ban.ng` usage must be promoted to `fail2ban` and any
uses of the original `fail2ban` will have to be converted.
  • Loading branch information
myii committed Jan 11, 2020
1 parent 7a35761 commit fb1ae56
Show file tree
Hide file tree
Showing 17 changed files with 221 additions and 496 deletions.
102 changes: 26 additions & 76 deletions docs/README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -21,25 +21,28 @@ fail2ban-formula
:header-rows: 1
:widths: 1

* - WARNING: BREAKING CHANGES IN UPCOMING ``v1.0.0``
* - This formula currently provides two methods for managing Fail2Ban; the old method
under ``fail2ban`` and the new method under ``fail2ban.ng``.
In upcoming `v1.0.0 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v1.0.0>`_,
the old method will be removed and ``fail2ban.ng`` will be promoted to ``fail2ban`` in its place.

If you are not in a position to migrate, you will need to pin your repo to
the final release tag before
* - WARNING: BREAKING CHANGES SINCE ``v1.0.0``
* - Prior to
`v1.0.0 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v1.0.0>`_,
which is expected to be
this formula provided two methods for managing Fail2Ban;
the old method under ``fail2ban`` and the new method under ``fail2ban.ng``.
The old method has now been removed and ``fail2ban.ng`` has been promoted to
be ``fail2ban`` in its place.

If you are not in a position to migrate, please pin your repo to the final
release tag before
`v1.0.0 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v1.0.0>`_,
i.e.
`v0.17.2 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v0.17.2>`_.

If you are currently using ``fail2ban.ng``, there is nothing to do until
`v1.0.0 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v1.0.0>`_
is released.
To migrate from ``fail2ban.ng``, simply modify your pillar to promote the
entire section under ``fail2ban:ng`` so that it is under ``fail2ban`` instead.
So with the editor of your choice, highlight the entire section and then
unindent one level. Finish by removing the ``ng:`` line.

To migrate from the old ``fail2ban``, the first step is to convert to ``fail2ban.ng``,
before `v1.0.0 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v1.0.0>`_
is released.
To migrate from the old ``fail2ban``, first convert to ``fail2ban.ng`` under
`v0.17.2 <https://github.com/saltstack-formulas/fail2ban-formula/releases/tag/v0.17.2>`_.
and then follow the steps laid out in the paragraph directly above.

.. contents:: **Table of Contents**

Expand Down Expand Up @@ -70,73 +73,21 @@ Available states
.. contents::
:local:


``fail2ban``
^^^^^^^^^^^^

Install the ``fail2ban`` package and enable the service.

``fail2ban.config``
^^^^^^^^^^^^^^^^^^^

Creates a ``jail.local`` config file based on pillar data to override configuration in the default ``jail.conf`` file and enables creation of all configuration files based on content blocks in pillar. See ``pillar.example`` for reference
and consult the fail2ban documentation.


The following states provide an alternate approach to managing fail2ban. Tested in Ubuntu 14/16 and CentOS 6/7.

.. contents::
:local:

``fail2ban.ng``
^^^^^^^^^^^^^^^

Meta state for inclusion of all ng states.
Meta state for inclusion of all states.

``fail2ban.ng.install``
^^^^^^^^^^^^^^^^^^^^^^^
``fail2ban.install``
^^^^^^^^^^^^^^^^^^^^

Install the ``fail2ban`` package.

``fail2ban.ng.config``
^^^^^^^^^^^^^^^^^^^^^^
``fail2ban.config``
^^^^^^^^^^^^^^^^^^^

Configure fail2ban creating a ``jail.local`` file based on pillar data that overrid ``jail.conf``. It also creates a ``file.local`` per action/filter. Either in jails, actions or filters is possible to setup a ``source_path`` options to upload your configuration directly (see ``pillar.example``). It is also possible to remove either actions or filters setting up ``enabled: False`` in it section (see ``pillar.example``).

Keep in mind that in ng states ``lookup``, ``config``, ``jails``, ``actions`` and ``filters`` are at the same level (in the old states, all the sections are under ``lookup``:

.. code-block:: yaml
fail2ban:
ng:
lookup:
config:
jails:
actions:
filters:
Keep in mind also that in ng states change the syntax for the actions and filters adding a new `config` section and `enabled` option (optional):

.. code-block:: yaml
fail2ban:
ng:
actions:
name-of-action:
enabled: True/False # OPTIONAL
config:
Definition:
actionban:
actionunban:
Init:
whatever:
filters:
name-of-filter:
enabled: True/False # OPTIONAL
config:
Definition:
failregex:
It is also possible to specify the source file for config, jails, actions and filters instead of using the template:

.. code-block:: yaml
Expand All @@ -156,16 +107,15 @@ It is also possible to specify the source file for config, jails, actions and fi
config:
source_path: salt://path-to-filter-file
``fail2ban.ng.service``
^^^^^^^^^^^^^^^^^^^^^^^
``fail2ban.service``
^^^^^^^^^^^^^^^^^^^^

Manage fail2ban service. It is also possible to disable the service using the following pillar configuration:

.. code-block:: yaml
fail2ban:
ng:
enabled: False
enabled: false
Testing
Expand Down
141 changes: 95 additions & 46 deletions fail2ban/config.sls
Original file line number Diff line number Diff line change
@@ -1,55 +1,104 @@
# -*- coding: utf-8 -*-
# vim: ft=sls

{% from "fail2ban/map.jinja" import fail2ban with context %}
include:
- fail2ban.deprecated
- fail2ban
{{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local:
{% if fail2ban.config %}
file.managed:
- source: salt://fail2ban/files/fail2ban_conf.template
- template: jinja
- context:
config:
Definition: {{ fail2ban.config|yaml }}
fail2ban.config.fail2ban:
{% if fail2ban.config is defined %}
{% set fail2ban_config = fail2ban.config.get('source_path',
'salt://fail2ban/files/config.jinja') %}
file.managed:
- name: {{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local
- source: {{ fail2ban_config }}
- user: {{ fail2ban.user|default('root') }}
- group: {{ fail2ban.group|default('root') }}
- mode: '{{ fail2ban.mode|default("644") }}'
- template: jinja
{% if fail2ban.config.source_path is not defined %}
- context:
config:
Definition: {{ fail2ban.config|yaml }}
{% endif %}
{% else %}
file.absent:
file.absent:
- name: {{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local
{% endif %}
- watch_in:
- service: {{ fail2ban.service }}
{{ fail2ban.prefix }}/etc/fail2ban/jail.local:
{% if fail2ban.jails %}
file.managed:
- source: salt://fail2ban/files/fail2ban_conf.template
- template: jinja
- context:
config: {{ fail2ban.jails|yaml }}
- watch_in:
- service: {{ fail2ban.service }}
fail2ban.config.jails:
{% if fail2ban.jails is defined %}
{% set fail2ban_jails = fail2ban.jails.get('source_path',
'salt://fail2ban/files/config.jinja') %}
file.managed:
- name: {{ fail2ban.prefix }}/etc/fail2ban/jail.local
- source: {{ fail2ban_jails }}
- user: {{ fail2ban.user|default('root') }}
- group: {{ fail2ban.group|default('root') }}
- mode: '{{ fail2ban.mode|default("644") }}'
- template: jinja
{% if fail2ban.jails.source_path is not defined %}
- context:
config: {{ fail2ban.jails|yaml }}
{% endif %}
{% else %}
file.absent:
file.absent:
{% endif %}
- watch_in:
- service: {{ fail2ban.service }}
{% for name, config in fail2ban.actions|dictsort %}
{{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local:
file.managed:
- source: salt://fail2ban/files/fail2ban_conf.template
- template: jinja
- watch_in:
- service: {{ fail2ban.service }}
- context:
config: {{ config|yaml }}
{% endfor %}
- watch_in:
- service: {{ fail2ban.service }}
{% for name, config in fail2ban.filters|dictsort %}
{{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local:
file.managed:
- source: salt://fail2ban/files/fail2ban_conf.template
- template: jinja
- watch_in:
- service: {{ fail2ban.service }}
- context:
config: {{ config|yaml }}
{% for name, options in fail2ban.get('actions', {})|dictsort %}
{% set fail2ban_actions = options.config.get('source_path',
'salt://fail2ban/files/config.jinja') %}
fail2ban.config.action.{{ name }}:
{% if ( 'enabled' in options and options.enabled ) or ('enabled' not in options ) %}
file.managed:
- name: {{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local
- source: {{ fail2ban_actions }}
- user: {{ fail2ban.user|default('root') }}
- group: {{ fail2ban.group|default('root') }}
- mode: '{{ fail2ban.mode|default("644") }}'
- template: jinja
- watch_in:
- service: {{ fail2ban.service }}
{% if options.config.source_path is not defined %}
- context:
config: {{ options.config|yaml }}
{% endif %}
{% elif 'enabled' in options and not options.enabled %}
file.absent:
- name: {{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local
{% endif %}
{% endfor %}
{% for name, options in fail2ban.get('filters', {})|dictsort %}
{% set fail2ban_filters = options.config.get('source_path',
'salt://fail2ban/files/config.jinja') %}
fail2ban.config.filter.{{ name }}:
{% if ( 'enabled' in options and options.enabled ) or ('enabled' not in options ) %}
file.managed:
- name: {{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local
- source: {{ fail2ban_filters }}
- user: {{ fail2ban.user|default('root') }}
- group: {{ fail2ban.group|default('root') }}
- mode: '{{ fail2ban.mode|default("644") }}'
- template: jinja
- watch_in:
- service: {{ fail2ban.service }}
{% if options.config.source_path is not defined %}
- context:
config: {{ options.config|yaml }}
{% endif %}
{% elif 'enabled' in options and not options.enabled %}
file.absent:
- name: {{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local
{% endif %}
{% endfor %}
41 changes: 0 additions & 41 deletions fail2ban/deprecated.sls

This file was deleted.

File renamed without changes.
27 changes: 0 additions & 27 deletions fail2ban/files/fail2ban_conf.template

This file was deleted.

17 changes: 5 additions & 12 deletions fail2ban/init.sls
Original file line number Diff line number Diff line change
@@ -1,14 +1,7 @@
{% from "fail2ban/map.jinja" import fail2ban with context %}
# -*- coding: utf-8 -*-
# vim: ft=sls

include:
- fail2ban.deprecated
fail2ban:
pkg.installed:
- name: {{ fail2ban.package }}
service.running:
- name: {{ fail2ban.service }}
- enable: True
- require:
- pkg: fail2ban
- fail2ban.install
- fail2ban.config
- fail2ban.service
8 changes: 8 additions & 0 deletions fail2ban/install.sls
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# -*- coding: utf-8 -*-
# vim: ft=sls

{% from "fail2ban/map.jinja" import fail2ban with context %}
fail2ban.install:
pkg.installed:
- name: {{ fail2ban.package }}
Loading

0 comments on commit fb1ae56

Please sign in to comment.