Puppet Class: nftables

Defined in:
modules/nftables/manifests/init.pp

Overview

Parameters:

  • ensure_package (String) (defaults to: 'present') — ensure value passed straight to the 'nftables' package resource (any String is accepted, e.g. 'latest')
  • ensure_service (Wmflib::Ensure) (defaults to: 'absent') — 'present' unmasks and manages nftables.service and deploys /etc/nftables/main.nft; 'absent' masks the unit and removes that file


# File 'modules/nftables/manifests/init.pp', line 1

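# @summary Install nftables and manage the nftables.service unit together with
#   the base ruleset skeleton in /etc/nftables/main.nft.
#
# With ensure_service => 'absent' the unit is masked, not merely stopped, so a
# stray `systemctl start nftables` (manual, or from packaging) cannot load a
# ruleset on hosts whose firewall is managed by something else (e.g. neutron).
# Ruleset fragments declared elsewhere with the 'nft' tag are realized at the
# end of this class so they land in the catalog together with the directory and
# the service.
#
# @param ensure_package
#   Ensure value passed to the 'nftables' package resource. Any String is
#   accepted (e.g. 'latest'); note that 'purged' would also remove the
#   package's configuration.
# @param ensure_service
#   'present' unmasks and manages nftables.service and deploys main.nft;
#   'absent' masks the unit and removes main.nft.
class nftables (
    String         $ensure_package = 'present',
    Wmflib::Ensure $ensure_service = 'absent',
) {
    debian::codename::require::min('buster')

    package { 'nftables':
        ensure => $ensure_package,
    }

    # Mask (rather than just stop) the unit when we do not want it running:
    # this prevents accidents on servers whose firewall is managed by others
    # (e.g. neutron), where an unintended start would load whatever ruleset
    # happens to be on disk.
    if $ensure_service == 'absent' {
        systemd::mask { 'nftables.service': }
    }
    if $ensure_service == 'present' {
        systemd::unmask { 'nftables.service': }
    }

    $nft_main_file = '/etc/nftables/main.nft' # used in the systemd template
    systemd::service { 'nftables':
        ensure         => $ensure_service,
        content        => systemd_template('nftables'),
        override       => true,
        service_params => {
            hasrestart => true,
            # Puppet "restarts" via reload so a ruleset change does not go
            # through a stop/start cycle; what reload does is defined by the
            # unit template (not visible here).
            restart    => '/usr/bin/systemctl reload nftables'
        }
    }

    # Directory holding the ruleset skeleton and the fragments collected below.
    # The ruleset encodes firewall policy (permitted sources, ports, ...), so
    # pin root ownership and keep it out of reach of unprivileged local users;
    # without an explicit mode Puppet would leave it world-readable. nft is
    # assumed to be run as root by the unit, so 0750/0440 is sufficient.
    file { '/etc/nftables':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # Deploy the basic nftables ruleset skeleton; removed when the service is
    # 'absent'. A content change triggers the (reload-based) service refresh.
    file { $nft_main_file:
        ensure  => $ensure_service,
        owner   => 'root',
        group   => 'root',
        mode    => '0440',
        source  => 'puppet:///modules/nftables/main.nft',
        require => File['/etc/nftables'],
        notify  => Systemd::Service['nftables'],
    }

    # Remove the ruleset shipped with the Debian package; we do not use it and
    # leaving it around invites confusion about which file is authoritative.
    file { '/etc/nftables.conf':
        ensure => 'absent',
    }

    # Realize ruleset fragments declared by other classes with tag 'nft'.
    # Their ownership and mode are set where they are declared, not here.
    File <| tag == 'nft' |>
}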