confdroid_fail2ban/manifests/params.pp

## confdroid_fail2ban::params.pp
# Module name: confdroid_fail2ban
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class holds all parameters for the confdroid_fail2ban module
# @param [String] fn_pkg_ensure
#   which [package type](https://confdroid.com/2017/05/puppet-type-package/)
#   to choose, i.e. `latest` or `present`.
# @param [array] fn_reqpackages the packages to install.
# @param [boolean] fn_manage_config Whether to manage the fail2ban
#   configuration files. If set to false, fail2ban will be installed, but the
#   configuration will not be managed.
# @param [String] fn_enable_service Whether to enable/start or disable/stop
#    the fail2ban service. Valid options are `running` or `stopped`.
# @param [String] fn_loglevel Set the log level output. Valid options are
# `CRITICAL`,`ERROR`,`WARNING`,`NOTICE`,`INFO` and `DEBUG`.
# @param [String] fn_logtarget Set the log target. This could be a file,
#   SYSLOG, STDERR or STDOUT. Only one log target can be specified.
# @param [String] fn_syslogsocket Set the syslog socket file. Only used when
#   logtarget is SYSLOG.  auto uses platform.system() to determine predefined
#   paths Valid options: [ auto | FILE ].
# @param [String] fn_socket Set the socket file to communicate with the daemon.
# @param [String] fn_pidfile Set the PID file to store the process ID of the
#   fail2ban server.
# @param [String] fn_dbfile file for the fail2ban persistent data to be stored.
#   A value of ":memory:" means database is only stored in memory
#   and data is lost when fail2ban is stopped.
#   A value of "None" disables the database.
# @param [String] fn_dbpurgeage age in seconds at which bans should be purged
#   from the database.
# @param [String] fn_ignoreip can be an IP address, a CIDR mask or a DNS host.
#   Fail2ban will not ban a host which matches an address in this list. Several
#   addresses can be defined using space (and/or comma) separator.
# @param [String] fn_ignorecommand External command that will take an
#   tagged arguments to ignore, e.g. <ip>,and return true if the IP is to be
#   ignored. False otherwise.
# @param [String] fn_bantime number of seconds that a host is banned.
# @param [String] fn_findtime A host is banned if it has generated "maxretry"
#   during the last "findtime" seconds.
# @param [String] fn_maxretry number of failures before a host get banned.
# @param [String] fn_backend specifies the backend used to get files
#   modification. options are "pyinotify", "gamin", "polling", "systemd" and
#   "auto".
#   pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
#   gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
#   polling:   uses a polling algorithm which does not require external libraries.
#   systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
#   auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
# @param [String] fn_usedns specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#   yes:   if a hostname is encountered, a DNS lookup will be performed.
#   warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
#   no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
#   raw:   use raw value (no hostname), allow use it for no-host filters/actions
#   (example user)
# @param [String] fn_logencoding specifies the encoding of the log files
#   handled by the jail This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#   auto:   will use the system locale setting
# @param [boolean] fn_enabled enables the jails.
#   By default all jails are disabled, and it should stay this way.
#   Enable only relevant to your setup jails in your .local or jail.d/*.conf
#   true:  jail will be enabled and log files will get monitored for changes
#   false: jail is not enabled
# @param [String] fn_filter defines the filter to use by the jail.
#   By default jails have names matching their filter name
# @param [String] fn_destemail Destination email address used solely for the
#   interpolations in jail.{conf.local.d/*} configuration files.
# @param [String] fn_mta E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA
#   for the mailing. Change mta configuration parameter to mail if you want to
#   revert to conventional 'mail'.
# @param [String] fn_protocol Default protocol.
# @param [String] fn_chain Specify chain where jumps would need to be added in
#   iptables-* actions.
# @param [String] fn_port # Ports to be banned Usually should be overridden
#   in a particular jail
# @param [String] fn_fail2ban_agent Format of user-agent
#   https://tools.ietf.org/html/rfc7231#section-5.5.3
# @param [String] fn_banaction Default banning action
# @param [String] fn_banaction_allports Default banning action
# @param [String] fn_action_ ban only
# @param [String] fn_action_mw ban & send an e-mail with whois report to the
#   destemail.
# @param [String] fn_action_mwl ban & send an e-mail with whois report and
#   relevant log lines
# @param [String] fn_action_xarf ban & send a xarf e-mail to abuse contact of
#   IP address and include relevant log lines.
# @param [String] fn_action_cf_mwl ban IP on CloudFlare & send an e-mail with
#   whois report and relevant log lines.
# @param [String] fn_action_blocklist_de Report block via blocklist.de fail2ban
#   reporting service API
# @param [String] fn_action_badips String to be be used in config files
# @param [String] fn_action_badips_report # Report ban via badips.com
#   (uses action.d/badips.conf for reporting only).
# @param [String] fn_default_action Choose default action.
# @param [String] fn_jail_paths the fail path. defaults to fedora.
# @param [Boolean] fn_incl_target Whether to include monitoring targets for
#   nagios. If set to true, monitoring targets will be included for the service.
# @param [String] fn_target_service The path to the nagios service configuration
#   file to be created if fn_incl_target is set to true.
# @param [String] fn_target_contacts The nagios contacts to be notified for
#   the service if fn_incl_target is set to true.
# @param [String] fn_procs_allowed The allowed number of fail2ban processes 
#   for the nagios check. Default is '1:1', which means exactly one process 
#   should be running.
###############################################################################
class confdroid_fail2ban::params (

# installation
  String $fn_pkg_ensure               = 'present',
  Array $fn_reqpackages               = ['fail2ban','fail2ban-firewalld',
  'fail2ban-sendmail','fail2ban-server.noarch','whois'],

  Boolean $fn_manage_config           = true,
  String $fn_enable_service           = 'running',

# fail2ban.conf/local

  String $fn_loglevel                 = 'INFO',
  String $fn_logtarget                = 'SYSLOG',
  String $fn_syslogsocket             = 'auto',
  String $fn_socket                   = '/var/run/fail2ban/fail2ban.sock',
  String $fn_pidfile                  = '/var/run/fail2ban/fail2ban.pid',
  String $fn_dbfile                   = '/var/lib/fail2ban/fail2ban.sqlite3',
  String $fn_dbpurgeage               = '86400',

# jail.conf/local
  String $fn_ignoreip                 = '127.0.0.1/8',
  Optional[String] $fn_ignorecommand  = undef,
  String $fn_bantime                  = '600',
  String $fn_findtime                 = '600',
  String $fn_maxretry                 = '5',
  String $fn_backend                  = 'auto',
  String $fn_usedns                   = 'warn',
  String $fn_logencoding              = 'auto',
  Boolean $fn_enabled                 = false,
  String $fn_filter                   = '%(__name__)s',
  String $fn_destemail                = 'root@localhost',
  String $fn_mta                      = 'sendmail',
  String $fn_protocol                 = 'tcp',
  String $fn_chain                    = 'INPUT',
  String $fn_port                     = '0:65535',
  String $fn_fail2ban_agent           = 'Fail2Ban/%(fail2ban_version)s',
  String $fn_banaction                = 'iptables-multiport',
  String $fn_banaction_allports       = 'iptables-allports',
  String $fn_action_                  = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
  String $fn_action_mw                = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                        %(mta)s-whois[name=%(__name__)s,  sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
  String $fn_action_mwl               = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                        %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
  String $fn_action_xarf              = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                        xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]',
  String $fn_action_cf_mwl            = 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                        %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
  String $fn_action_blocklist_de      = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]',
  String $fn_action_badips            = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]',
  String $fn_action_badips_report     = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]',
  String $fn_default_action           = 'action_',
  String $fn_jail_paths               = 'fedora',

# nagios
  Boolean $fn_incl_target             = false,
  String $fn_target_service           = '/etc/nagios/conf.d/fail2ban_service.cfg',
  String $fn_target_contacts          = 'nagiosadmin',
  String $fn_procs_allowed            = '1:1',

) {
# shortcuts
  $fqdn                           = $facts['networking']['fqdn']
  $fn_os                          = $facts['os']
  $fn_sender                      = "fail2ban@${fqdn}"

# service
  $fn_service                     = 'fail2ban'

# directories
  $fn_main_dir                    = '/etc/fail2ban'
  $fn_action_d_dir                = "${fn_main_dir}/action.d"
  $fn_fail2ban_d_dir              = "${fn_main_dir}/fail2ban.d"
  $fn_filter_d_dir                = "${fn_main_dir}/filter.d"
  $fn_jail_d_dir                  = "${fn_main_dir}/jail.d"
  $fn_var_lib_dir                 = '/var/lib/fail2ban'
  $fn_var_run_dir                 = '/var/run/fail2ban'

# files
  $fn_fail2ban_conf_file          = "${fn_main_dir}/fail2ban.conf"
  $fn_fail2ban_conf_erb           = 'confdroid_fail2ban/fail2ban_conf.erb'
  $fn_fail2ban_local_file         = "${fn_main_dir}/fail2ban.local"
  $fn_fail2ban_local_erb          = 'confdroid_fail2ban/fail2ban_local.erb'
  $fn_jail_conf_file              = "${fn_main_dir}/jail.conf"
  $fn_jail_conf_erb               = 'confdroid_fail2ban/jail_conf.erb'
  $fn_jail_local_file             = "${fn_main_dir}/jail.local"
  $fn_jail_local_erb              = 'confdroid_fail2ban/jail_local.erb'
  $fn_paths_common_file           = "${fn_main_dir}/paths-common.conf"
  $fn_paths_common_erb            = 'confdroid_fail2ban/paths_common_conf.erb'

# includes must be last

  include confdroid_fail2ban::main::config
}