[cdist #6] create __my_firewall type

2020-05-15 23:58:20 +09:00 · 2020-05-15 23:58:20 +09:00 · 292b617463
parent 93b1d1baa1
commit 292b617463
9 changed files with 95 additions and 0 deletions
--- a/kjg/dot-cdist/manifest/firewall
+++ b/kjg/dot-cdist/manifest/firewall
@ -0,0 +1,10 @@
+case "$__target_host" in
+    # Everybody has this
+    localhost)
+       __package nftables
+       require="__package/nftables" __my_firewall --file basic
+    ;;
+    *)
+      __my_nginx
+      __my_nginx_site $__target_host #test
+esac
--- a/kjg/dot-cdist/manifest/init
+++ b/kjg/dot-cdist/manifest/init
@ -1,3 +1,7 @@
+#!/bin/sh
+
+sh -e "$__manifest/firewall"
+
 case "$__target_host" in
    # Everybody has this
    localhost)
@ -10,3 +14,4 @@ case "$__target_host" in
      __my_nginx
      __my_nginx_site $__target_host #test
 esac
+
--- a/kjg/dot-cdist/type/__my_firewall/explorer/exists
+++ b/kjg/dot-cdist/type/__my_firewall/explorer/exists
@ -0,0 +1,3 @@
+#!/bin/sh
+
+nft -V | grpe v*  || true
--- a/kjg/dot-cdist/type/__my_firewall/explorer/nfrule
+++ b/kjg/dot-cdist/type/__my_firewall/explorer/nfrule
@ -0,0 +1,3 @@
+
+
+nft list ruleset
--- a/kjg/dot-cdist/type/__my_firewall/gencode-remote
+++ b/kjg/dot-cdist/type/__my_firewall/gencode-remote
@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+if [! -f echo "diff /etc/my-nftables /etc/readrule"]; then
+    echo "nft -f /etc/my-nftables"
+fi
--- a/kjg/dot-cdist/type/__my_firewall/gencode-remote~
+++ b/kjg/dot-cdist/type/__my_firewall/gencode-remote~
@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+if [! -f echo "diff /etc/my-nftables /etc/readnfrule"]; then
+    echo "nft -f /etc/my-nftables"
+fi
--- a/kjg/dot-cdist/type/__my_firewall/manifest
+++ b/kjg/dot-cdist/type/__my_firewall/manifest
@ -0,0 +1,24 @@
+#!/bin/sh
+
+os=$(cat "$__global/explorer/os")
+
+nft_path="/etc/my-nftables"
+
+if [ ! -f "$__global/explorer/exists" ];then
+    echo "crrently no nft" >&2
+    exit 1
+fi
+
+if ["-" -eq "$__object/parameter/file" ]; then
+    filename="$__object/stdin"
+    
+else
+    filename=($__object/parameter/file)
+fi
+
+__file ${nft_path} --mode 644 --source "$__type/files/${filename}"
+
+
+if [ -f "$__global/explorer/nfrule" ]; then
+   echo "$__global/explorer//nfrule" > /etc/readrule
+fi
--- a/kjg/dot-cdist/type/__my_firewall/manifest~
+++ b/kjg/dot-cdist/type/__my_firewall/manifest~
@ -0,0 +1,40 @@
+#!/bin/sh
+
+os=$(cat "$__global/explorer/os")
+
+nft_path="/etc/my-nftables"
+
+case "$os" in
+    alpine)
+        os_pkgs="netcat-openbsd and tshark"
+    ;;
+    debian|devuan)
+        os_pkgs="netcat tshark"
+    ;;
+    fedora)
+        os_pkgs="nmap-ncat wireshark-cli"
+    ;;
+    *)
+        echo "OS $os currently not supported" >&2
+        exit 1
+    ;;
+esac
+
+if [ ! -f "$__global/explorer/exists" ];then
+    echo "crrently no nft" >&2
+    exit 1
+fi
+
+if ["-" -eq "$__object/parameter/file" ]; then
+    filename="$__object/stdin"
+    
+else
+    filename=($__object/parameter/file)
+fi
+ 
+__file ${nft_path} --mode 644 --source "$__type/files/${filename}"
+
+
+if [ -f "$__global/explorer/nfrule" ]; then
+   echo "$__global/explorer//nfrule" > /etc/readrule
+fi
--- a/kjg/dot-cdist/type/__my_firewall/singleton
+++ b/kjg/dot-cdist/type/__my_firewall/singleton