## cd_fail2ban::params.pp
# Module name: cd_fail2ban
# Author: Arne Teuke (arne_teuke@confdroid.com)
# License:
# This file is part of cd_fail2ban.
#
# cd_fail2ban is used for providing automatic configuration of Fail2Ban
# Copyright (C) 2017 confdroid (copyright@confdroid.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see https://www.gnu.org/licenses/.
# @summary Class holds all parameters for the cd_fail2ban module and is
# inherited by all classes except defines.
# @param [string] pkg_ensure
# which [package type](https://confdroid.com/2017/05/puppet-type-package/)
# to choose, e.g. `latest` or `present`. Note that `latest` upgrades the
# fail2ban packages on every Puppet run; use `present` where unattended
# upgrades are not wanted.
# @param [boolean] fn_manage_config Whether to manage the fail2ban
# configuration files. If set to false, fail2ban will be installed, but the
# configuration will not be managed.
# @param [string] fn_enable_service Whether to enable/start or disable/stop
# the fail2ban service. Valid options are `running` or `stopped`.
# @param [string] fn_loglevel Set the log level output. Valid options are
# `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO` and `DEBUG`.
# @param [string] fn_logtarget Set the log target. This can be a file,
# SYSLOG, STDERR or STDOUT. Only one log target can be specified.
# @param [string] fn_syslogsocket Set the syslog socket file. Only used when
# logtarget is SYSLOG. `auto` uses platform.system() to determine predefined
# paths. Valid options: [ auto | FILE ].
# @param [string] fn_socket Set the socket file to communicate with the daemon.
# @param [string] fn_pidfile Set the PID file to store the process ID of the
# fail2ban server.
# @param [string] fn_dbfile file for the fail2ban persistent data to be stored.
# A value of ":memory:" means the database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# @param [string] fn_dbpurgeage age in seconds at which bans should be purged
# from the database.
# @param [string] fn_ignoreip can be an IP address, a CIDR mask or a DNS host.
# Fail2ban will not ban a host which matches an address in this list. Several
# addresses can be defined using space (and/or comma) separator. Entries here
# are exempt from every jail, so keep the list as short as possible.
# @param [string] fn_ignorecommand External command that takes tagged
# arguments to ignore, e.g. the `ip` tag, and returns true if the IP is to be
# ignored, false otherwise. The command is executed by the fail2ban daemon,
# so it must be a trusted binary; leave it empty when not needed.
# @param [string] fn_bantime number of seconds that a host is banned.
# @param [string] fn_findtime A host is banned if it has generated "maxretry"
# failures during the last "findtime" seconds.
# @param [string] fn_maxretry number of failures before a host gets banned.
# @param [string] fn_backend specifies the backend used to get file
# modifications. Options are "pyinotify", "gamin", "polling", "systemd" and
# "auto".
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses the systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jail's associated filter config.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
# @param [string] fn_usedns specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs.
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, it will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allows using it for no-host filters/actions
# (example: user)
# Note that with `yes` and `warn` the daemon resolves hostnames taken from log
# lines, i.e. from data the remote party may be able to influence; prefer
# `no` or `raw` where the monitored logs record plain IP addresses.
# @param [string] fn_logencoding specifies the encoding of the log files
# handled by the jail. This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
# auto: will use the system locale setting
# @param [string] fn_enabled enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only the jails relevant to your setup in your .local or jail.d/*.conf
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
# @param [string] fn_filter defines the filter to use by the jail.
# By default jails have names matching their filter name.
# @param [string] fn_destemail Destination email address used solely for the
# interpolations in jail.{conf,local,d/*} configuration files.
# @param [string] fn_sender Sender email address used solely for some actions.
# @param [string] fn_mta E-mail action. Since 0.8.1 Fail2Ban uses the sendmail
# MTA for mailing. Change the mta configuration parameter to mail if you want
# to revert to the conventional 'mail'.
# @param [string] fn_protocol Default protocol.
# @param [string] fn_chain Specify the chain where jumps would need to be
# added in iptables-* actions.
# @param [string] fn_port Ports to be banned. Usually should be overridden
# in a particular jail.
# @param [string] fn_fail2ban_agent Format of user-agent
# https://tools.ietf.org/html/rfc7231#section-5.5.3
# @param [string] fn_banaction Default banning action
# @param [string] fn_banaction_allports Default banning action for all ports
# @param [string] fn_action_ ban only
# @param [string] fn_action_mw ban & send an e-mail with whois report to the
# destemail.
# @param [string] fn_action_mwl ban & send an e-mail with whois report and
# relevant log lines
# @param [string] fn_action_xarf ban & send a xarf e-mail to abuse contact of
# IP address and include relevant log lines.
# @param [string] fn_action_cf_mwl ban IP on CloudFlare & send an e-mail with
# whois report and relevant log lines. Expects `cfemail` and `cfapikey` to be
# defined in the jail configuration; keep the API key out of this file.
# @param [string] fn_action_blocklist_de Report block via blocklist.de fail2ban
# reporting service API (expects `blocklist_de_apikey` in the jail
# configuration).
# @param [string] fn_action_badips Report ban via badips.com, and use as
# blacklist
# @param [string] fn_action_badips_report Report ban via badips.com
# (uses action.d/badips.conf for reporting only).
# @param [string] fn_default_action Choose default action.
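###############################################################################
# Parameter defaults for the cd_fail2ban module.
#
# Every parameter is a plain default that the calling class may override.
# The body only derives names from them (package list, directories, config
# file and template paths) and then includes cd_fail2ban::main::config, which
# is why the include has to stay last.
#
# Defaults worth reviewing before rollout:
#   * pkg_ensure => 'latest' upgrades the packages on every Puppet run.
#   * fn_ignoreip hosts are exempt from every jail.
#   * fn_ignorecommand is an external program run by the fail2ban daemon.
#   * fn_usedns => 'warn' still resolves hostnames found in log lines.
#   * NOTE(review): $reqpackages pulls in fail2ban-firewalld while
#     fn_banaction defaults to iptables-multiport; on firewalld-managed hosts
#     confirm which firewall backend is intended.
class cd_fail2ban::params (
  $pkg_ensure              = 'latest',
  $fn_manage_config        = true,
  $fn_enable_service       = 'running',
  # fail2ban.conf/local
  $fn_loglevel             = 'INFO',
  $fn_logtarget            = 'SYSLOG',
  $fn_syslogsocket         = 'auto',
  $fn_socket               = '/var/run/fail2ban/fail2ban.sock',
  $fn_pidfile              = '/var/run/fail2ban/fail2ban.pid',
  $fn_dbfile               = '/var/lib/fail2ban/fail2ban.sqlite3',
  $fn_dbpurgeage           = '86400',
  # jail.conf/local
  $fn_ignoreip             = '127.0.0.1/8',
  $fn_ignorecommand        = '',
  $fn_bantime              = '600',
  $fn_findtime             = '600',
  $fn_maxretry             = '5',
  $fn_backend              = 'auto',
  $fn_usedns               = 'warn',
  $fn_logencoding          = 'auto',
  $fn_enabled              = 'false',
  $fn_filter               = '%(__name__)s',
  $fn_destemail            = 'root@localhost',
  $fn_sender               = 'root@localhost',
  $fn_mta                  = 'sendmail',
  $fn_protocol             = 'tcp',
  $fn_chain                = 'INPUT',
  $fn_port                 = '0:65535',
  $fn_fail2ban_agent       = 'Fail2Ban/%(fail2ban_version)s',
  $fn_banaction            = 'iptables-multiport',
  $fn_banaction_allports   = 'iptables-allports',
  # Action recipes are fail2ban interpolation strings. A recipe with several
  # actions lists one action per line; continuation lines are indented so the
  # INI parser keeps them as part of the same value.
  # NOTE(review): confirm the ERB templates emit these values verbatim.
  $fn_action_              = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
  # Written as a plain string like the recipes below. The previous heredoc
  # wrapped the value in literal single quotes and carried a stray double
  # quote in front of the whois action, both of which were rendered into the
  # jail configuration.
  $fn_action_mw            = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
  $fn_action_mwl           = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
  $fn_action_xarf          = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]',
  # cfemail / cfapikey are resolved by fail2ban from the jail configuration;
  # the secret itself never belongs in this manifest.
  $fn_action_cf_mwl        = 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
            %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
  $fn_action_blocklist_de  = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]',
  $fn_action_badips        = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]',
  $fn_action_badips_report = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]',
  $fn_default_action       = 'action_',
) {
  # installation section
  # Only the RHEL family is supported. An explicit default turns the bare
  # "no matching value for selector" error into a message naming the OS.
  $reqpackages = $::operatingsystem ? {
    /(?i-mx:centos|fedora|redhat)/ => [
      'fail2ban',
      'fail2ban-firewalld',
      'fail2ban-sendmail',
      'fail2ban-server.noarch',
      'jwhois',
    ],
    default                        => fail("cd_fail2ban: unsupported operating system '${::operatingsystem}'"),
  }

  # Name of the per-distribution jail path set used by the templates.
  $fn_jail_paths = $::operatingsystem ? {
    /(?i-mx:centos|fedora|redhat)/ => 'fedora',
    default                        => fail("cd_fail2ban: unsupported operating system '${::operatingsystem}'"),
  }

  # shortcuts
  $fn_os = $::operatingsystem

  # service
  $fn_service = 'fail2ban'

  # directories
  $fn_main_dir       = '/etc/fail2ban'
  $fn_action_d_dir   = "${fn_main_dir}/action.d"
  $fn_fail2ban_d_dir = "${fn_main_dir}/fail2ban.d"
  $fn_filter_d_dir   = "${fn_main_dir}/filter.d"
  $fn_jail_d_dir     = "${fn_main_dir}/jail.d"
  $fn_var_lib_dir    = '/var/lib/fail2ban'
  $fn_var_run_dir    = '/var/run/fail2ban'

  # files: each managed config file paired with the ERB template that renders it
  $fn_fail2ban_conf_file  = "${fn_main_dir}/fail2ban.conf"
  $fn_fail2ban_conf_erb   = 'cd_fail2ban/fail2ban_conf.erb'
  $fn_fail2ban_local_file = "${fn_main_dir}/fail2ban.local"
  $fn_fail2ban_local_erb  = 'cd_fail2ban/fail2ban_local.erb'
  $fn_jail_conf_file      = "${fn_main_dir}/jail.conf"
  $fn_jail_conf_erb       = 'cd_fail2ban/jail_conf.erb'
  $fn_jail_local_file     = "${fn_main_dir}/jail.local"
  $fn_jail_local_erb      = 'cd_fail2ban/jail_local.erb'

  # includes must be last: the included class reads the variables above
  include cd_fail2ban::main::config
}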