cdist #6: Gluing it together
Lecture content
Objective
- Apply learnings from the previous cdist sessions
Step 1: __all_in_one (1.25h)
- Create a new type named __all_in_one
- Decide yourself whether it is a singleton or not
- Reason why in your cdist.org file
- It should work on alpine, debian and fedora
- It accepts the following parameters:
  - --with-x (boolean)
  - --extra-packages (optional multiple)
- On Alpine, it should install netcat-openbsd and tshark
- On Debian, it should install netcat and tshark
- On Fedora, it should install nmap-ncat and wireshark-cli
- On all operating systems, install socat, sipcalc and sudo
- If the detected operating system is neither Alpine/Debian/Fedora, output an error message and abort the manifest with exit code 1
- Additionally, install all packages specified by the --extra-packages parameter
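One way to write the manifest for this type, as an added example rather than the course's reference solution. It chooses to make the type a singleton (a host either has this toolset or it does not, so a second object of the type would only be a conflict) and assumes the usual cdist type layout: an empty `singleton` file, `parameter/boolean` containing `with-x`, `parameter/optional_multiple` containing `extra-packages`, the global `os` explorer reporting `alpine`, `debian` or `fedora`, and the `__package` type. The package selection is kept in a function so it can be checked without a target host; the exercise does not say what `--with-x` should do, so the manifest only shows how a boolean parameter is detected.

```shell
#!/bin/sh -e
# cdist/conf/type/__all_in_one/manifest  (added example, not the course solution)
#
# Assumed type layout:
#   singleton                    empty file: one "all in one" setup per host
#   parameter/boolean            contains: with-x
#   parameter/optional_multiple  contains: extra-packages
#
# cdist exports $__global (global explorer output) and $__object (this
# object's directory). When $__object is unset, e.g. when this file is
# sourced in a test, only the helper functions below are defined.

# Print the packages for one OS, one per line. Returns 1 for an unsupported OS.
all_in_one_packages() {
    case "$1" in
        alpine) printf '%s\n' netcat-openbsd tshark ;;
        debian) printf '%s\n' netcat tshark ;;
        fedora) printf '%s\n' nmap-ncat wireshark-cli ;;
        *)
            echo "__all_in_one: unsupported OS '$1' (expected alpine, debian or fedora)" >&2
            return 1
            ;;
    esac
    # common to all three operating systems
    printf '%s\n' socat sipcalc sudo
}

# Read package names from stdin and create one __package object per name.
# Outside cdist (no $__object) the object calls are echoed instead, so the
# function can be exercised on a workstation.
install_packages() {
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        if [ -n "${__object:-}" ]; then
            __package "$pkg" --state present
        else
            echo "__package $pkg --state present"
        fi
    done
}

if [ -n "${__object:-}" ]; then
    os="$(cat "$__global/explorer/os")"

    # Capture first: in a pipeline the producer's non-zero status would be
    # lost and an unsupported OS would silently install nothing.
    pkgs="$(all_in_one_packages "$os")" || exit 1
    printf '%s\n' "$pkgs" | install_packages

    # --extra-packages is optional_multiple: one value per line, and the
    # file is absent when the parameter was not given.
    if [ -f "$__object/parameter/extra-packages" ]; then
        install_packages < "$__object/parameter/extra-packages"
    fi

    # --with-x is boolean: $__object/parameter/with-x exists only when the
    # flag was given. The exercise leaves its effect open, so test it with
    #   [ -f "$__object/parameter/with-x" ]
    # and add the X-related objects in that branch.
fi
```

Write the reason for the singleton decision into cdist.org next to the type; the manifest itself only needs the `singleton` marker file.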
Step 2: __firewall (1.25h)
- Create a new type named __firewall
- Add a type explorer to find out whether nft is present on the target system
- Add a required parameter named file
- If the type explorer does not detect nft on the target system, abort with an error message
- Deploy the specified file to /etc/my-nftables
- Add a type explorer that reads the current nft rules
- If the rules on the target host differ from the deployed file, apply the new ruleset by generating code in gencode-remote
- If the filename specified by the file parameter is - (the minus sign), the type should read the ruleset from stdin
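The scaffold below writes one possible __firewall type into a cdist type directory; it is an added example, not the course's reference solution. It assumes cdist's standard type layout (explorers under `explorer/`, the required parameter declared in `parameter/required`, type explorer output in `$__object/explorer/<name>`, stdin saved by cdist as `$__object/stdin`), the `__file` type, and the `$__object` and `$__target_host` variables cdist exports; the explorer names `nft` and `rules` and the path `/etc/my-nftables` come from the exercise. The second function runs a generated script against a fake object directory so the abort and the diff logic can be checked without a target host.

```shell
#!/bin/sh -e
# Added example (not the course solution): scaffold for the __firewall type.
# usage: sh scaffold_firewall.sh /path/to/cdist/conf/type

write_firewall_type() {
    t="$1/__firewall"
    mkdir -p "$t/explorer" "$t/parameter"
    echo file > "$t/parameter/required"

    # explorer/nft: path of nft if installed, empty output otherwise
    cat > "$t/explorer/nft" <<'EOF'
#!/bin/sh
command -v nft 2>/dev/null || true
EOF

    # explorer/rules: the ruleset currently loaded in the kernel
    cat > "$t/explorer/rules" <<'EOF'
#!/bin/sh
if command -v nft >/dev/null 2>&1; then
    nft list ruleset 2>/dev/null || true
fi
EOF

    # manifest: refuse to continue without nft, then deploy the ruleset file
    cat > "$t/manifest" <<'EOF'
#!/bin/sh -e
if [ ! -s "$__object/explorer/nft" ]; then
    echo "__firewall: nft not found on $__target_host, cannot manage rules" >&2
    exit 1
fi
file="$(cat "$__object/parameter/file")"
if [ "$file" = "-" ]; then
    # cdist saves what was piped into this object as $__object/stdin
    __file /etc/my-nftables --mode 0600 --source - < "$__object/stdin"
else
    __file /etc/my-nftables --mode 0600 --source "$file"
fi
EOF

    # gencode-remote: emit the reload only when the live ruleset differs
    cat > "$t/gencode-remote" <<'EOF'
#!/bin/sh -e
file="$(cat "$__object/parameter/file")"
if [ "$file" = "-" ]; then
    file="$__object/stdin"
fi
if ! cmp -s "$file" "$__object/explorer/rules"; then
    echo 'nft -f /etc/my-nftables'
fi
EOF
    chmod 0755 "$t/explorer/nft" "$t/explorer/rules" "$t/manifest" "$t/gencode-remote"
}

# Run one generated script against a fake object directory (test helper).
# $1 script, $2 object dir, $3 nft explorer output, $4 rules explorer output,
# $5 value of the file parameter
run_in_fake_object() {
    mkdir -p "$2/explorer" "$2/parameter"
    printf '%s' "$3" > "$2/explorer/nft"
    printf '%s' "$4" > "$2/explorer/rules"
    printf '%s' "$5" > "$2/parameter/file"
    __object="$2" __target_host=localhost sh "$1"
}

if [ -n "${1:-}" ]; then
    write_firewall_type "$1"
fi
```

Two caveats a practitioner will hit: `nft list ruleset` prints the kernel's normalized form of the rules, so the byte comparison in gencode-remote only stays quiet when the deployed file is written in that same form (for example taken from `nft list ruleset` on a reference host); and the file should start with `flush ruleset`, otherwise `nft -f` adds to the existing tables instead of replacing them.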
Step 3: manifest (0.5h)
- Create a new manifest in the folder that contains the initial manifest
- Name the new manifest firewall
- Source the firewall manifest in the initial manifest
- In the firewall manifest, match on localhost
- Install nftables
- Use the __firewall type
- Set the require variable so that nftables is installed before the __firewall type is run
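The script below writes the firewall manifest and hooks it into the initial manifest, as an added example and not the course's reference solution. It assumes cdist's initial manifest is `$__manifest/init`, that cdist exports `$__manifest` (the manifest directory), `$__files` (`conf/files`) and `$__target_host`, and that the ruleset is kept as `nftables.conf` under `$__files` (the file name is an assumption). The dry-run helper executes the initial manifest with stub `__package` and `__firewall` commands on PATH, printing each object call with the `require` it received, which is how the ordering requirement can be checked before touching a host.

```shell
#!/bin/sh -e
# Added example (not the course solution): Step 3 manifests.
# usage: sh write_manifests.sh /path/to/cdist/conf/manifest

write_firewall_manifest() {
    m="$1"
    mkdir -p "$m"
    cat > "$m/firewall" <<'EOF'
#!/bin/sh -e
# Sourced from the initial manifest; only localhost gets the firewall.
case "$__target_host" in
    localhost)
        __package nftables --state present
        # require= makes cdist run __firewall only after __package/nftables
        # (nftables.conf under $__files is an assumed location)
        require="__package/nftables" __firewall --file "$__files/nftables.conf"
        ;;
esac
EOF

    # Source the new manifest from the initial one, adding the line only once.
    if ! grep -q '__manifest/firewall' "$m/init" 2>/dev/null; then
        printf '\n. "$__manifest/firewall"\n' >> "$m/init"
    fi
}

# Dry run (test helper): execute the initial manifest with stub types in
# $2, each printing its arguments and the require= value it was given.
dry_run_manifest() {
    m="$1"; stubs="$2"; host="$3"
    mkdir -p "$stubs"
    for t in __package __firewall; do
        printf '#!/bin/sh\necho "%s $* require=${require:-}"\n' "$t" > "$stubs/$t"
        chmod 0755 "$stubs/$t"
    done
    PATH="$stubs:$PATH" __manifest="$m" __files=/srv/files __target_host="$host" sh "$m/init"
}

if [ -n "${1:-}" ]; then
    write_firewall_manifest "$1"
fi
```

Note that `require` is an environment variable set for the single object call, not a parameter of the type: the prefix form `require="__package/nftables" __firewall ...` scopes it to that call, so the `__package` object above is not affected by it.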