Update the firewall cookbook to the latest version

This gives us comments from the named resources
2023-06-29 15:08:44 +02:00
parent 916ae8094c
commit 68ce3c4834
72 changed files with 4774 additions and 448 deletions
--- a/cookbooks/firewall/resources/nftables.rb
+++ b/cookbooks/firewall/resources/nftables.rb
@@ -0,0 +1,71 @@
+unified_mode true
+
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Nftables
+
+provides :nftables,
+         os: 'linux'
+
+property :rules,
+         Hash,
+         default: {}
+property :input_policy,
+         String,
+         equal_to: %w(drop accept),
+         default: 'accept'
+property :output_policy,
+         String,
+         equal_to: %w(drop accept),
+         default: 'accept'
+property :forward_policy,
+         String,
+         equal_to: %w(drop accept),
+         default: 'accept'
+property :table_ip_nat,
+         [true, false],
+         default: false
+property :table_ip6_nat,
+         [true, false],
+         default: false
+property :nftables_conf_path, String,
+         description: 'nftables.conf filepath',
+         default: lazy { default_nftables_conf_path }
+
+action :install do
+  package 'nftables' do
+    action :install
+    notifies :rebuild, "nftables[#{new_resource.name}]"
+  end
+end
+
+action :rebuild do
+  ensure_default_rules_exist(new_resource)
+
+  file new_resource.nftables_conf_path do
+    content  <<~NFT
+      #!/usr/sbin/nft -f
+      flush ruleset
+      #{build_rule_file(new_resource.rules)}
+    NFT
+    mode '0750'
+    owner 'root'
+    group 'root'
+    notifies :restart, 'service[nftables]'
+  end
+
+  service 'nftables' do
+    action [:enable, :start]
+  end
+end
+
+action :restart do
+  service 'nftables' do
+    action :restart
+  end
+end
+
+action :disable do
+  service 'nftables' do
+    action [:disable, :stop]
+  end
+end