Puppet Class: profile::nftables::basefirewall

Defined in:
modules/profile/manifests/nftables/basefirewall.pp

Overview

Parameters:

  • cumin_masters (Array[Stdlib::IP::Address]) (defaults to: lookup('cumin_masters', {default_value => []}))
  • bastion_hosts (Array[Stdlib::IP::Address]) (defaults to: lookup('bastion_hosts', {default_value => []}))
  • monitoring_hosts (Array[Stdlib::IP::Address]) (defaults to: lookup('monitoring_hosts', {default_value => []}))
  • prometheus_nodes (Array[Stdlib::Fqdn]) (defaults to: lookup('prometheus_nodes', {default_value => []}))


# File 'modules/profile/manifests/nftables/basefirewall.pp', line 1

# @summary Base nftables firewall fragments for a host.
#
# Splits the configured management address lists by address family and
# resolves the Prometheus node names to addresses, then lays down the
# 'basefirewall' nftables fragment first (order 0) and a trailing
# packet-counter rule last (order 999). The per-family lists are
# presumably consumed by the ERB template; the template itself is not
# part of this manifest.
#
# @param cumin_masters IPv4/IPv6 addresses of the Cumin masters.
# @param bastion_hosts IPv4/IPv6 addresses of the bastion hosts.
# @param monitoring_hosts IPv4/IPv6 addresses of the monitoring hosts.
# @param prometheus_nodes FQDNs of the Prometheus nodes; resolved to
#   addresses with ipresolve() when the catalog is compiled.
class profile::nftables::basefirewall (
    Array[Stdlib::IP::Address] $cumin_masters    = lookup('cumin_masters', {default_value => []}),
    Array[Stdlib::IP::Address] $bastion_hosts    = lookup('bastion_hosts', {default_value => []}),
    Array[Stdlib::IP::Address] $monitoring_hosts = lookup('monitoring_hosts', {default_value => []}),
    Array[Stdlib::Fqdn]        $prometheus_nodes = lookup('prometheus_nodes', {default_value => []}),
) {
    # Address-family split of the literal address lists. Each input list
    # is partitioned into the entries matching the V4 and V6 Stdlib types.
    $bastion_hosts_ipv4    = $bastion_hosts.filter    |$addr| { $addr =~ Stdlib::IP::Address::V4 }
    $cumin_masters_ipv4    = $cumin_masters.filter    |$addr| { $addr =~ Stdlib::IP::Address::V4 }
    $monitoring_hosts_ipv4 = $monitoring_hosts.filter |$addr| { $addr =~ Stdlib::IP::Address::V4 }

    $bastion_hosts_ipv6    = $bastion_hosts.filter    |$addr| { $addr =~ Stdlib::IP::Address::V6 }
    $cumin_masters_ipv6    = $cumin_masters.filter    |$addr| { $addr =~ Stdlib::IP::Address::V6 }
    $monitoring_hosts_ipv6 = $monitoring_hosts.filter |$addr| { $addr =~ Stdlib::IP::Address::V6 }

    # Prometheus nodes are given as names, so they are resolved here, once
    # per address family. NOTE(review): what ipresolve() yields for a node
    # that has no record of the requested family is not visible here —
    # confirm before relying on these lists in the template.
    $prometheus_nodes_ipv4 = map($prometheus_nodes) |$fqdn| { ipresolve($fqdn, 4) }
    $prometheus_nodes_ipv6 = map($prometheus_nodes) |$fqdn| { ipresolve($fqdn, 6) }

    # Two fragments: the templated base ruleset at the very front of the
    # ordering, and a final catch-all counter appended after everything
    # else so that dropped packets are visible in the counters.
    nftables::file {
        default:
            ensure  => 'present';
        'basefirewall':
            content => template('profile/nftables/basefirewall.nft.erb'),
            order   => 0;
        'basefirewall_input_last':
            content => "add rule inet basefirewall input counter comment \"counter dropped packets\"\n",
            order   => 999;
    }
}