Update cookbooks and add wordpress cookbook

2016-02-19 18:09:49 +01:00
parent 9ba973e3ac
commit 820b0ab3f8
606 changed files with 22421 additions and 14084 deletions
--- a/cookbooks/firewall/recipes/default.rb
+++ b/cookbooks/firewall/recipes/default.rb
@@ -17,13 +17,40 @@
 # limitations under the License.
 #

+include_recipe 'chef-sugar'
+
 firewall 'default' do
-  action :enable
+  ipv6_enabled node['firewall']['ipv6_enabled']
+  action :install
 end

+# create a variable to use as a condition on some rules that follow
+iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
+
 firewall_rule 'allow world to ssh' do
  port 22
  source '0.0.0.0/0'
-  action [:allow]
-  only_if { node['firewall']['allow_ssh'] }
+  only_if { linux? && node['firewall']['allow_ssh'] }
+end
+
+firewall_rule 'allow world to winrm' do
+  port 5989
+  source '0.0.0.0/0'
+  only_if { windows? && node['firewall']['allow_winrm'] }
+end
+
+# allow established connections, ufw defaults to this but iptables does not
+firewall_rule 'established' do
+  stateful [:related, :established]
+  protocol :none # explicitly don't specify protocol
+  command :allow
+  only_if { node['firewall']['allow_established'] && iptables_firewall }
+end
+
+# ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6
+# allow established connections, ufw defaults to this but iptables does not
+firewall_rule 'ipv6_icmp' do
+  protocol :'ipv6-icmp'
+  command :allow
+  only_if { node['firewall']['ipv6_enabled'] && node['firewall']['allow_established'] && iptables_firewall }
 end