From 292b617463004a8d844150cd9b627f38f9370710 Mon Sep 17 00:00:00 2001
From: kjg
Date: Fri, 15 May 2020 23:58:20 +0900
Subject: [PATCH] [cdist #6] create __my_firewall type
---
kjg/dot-cdist/manifest/firewall | 10 +++++
kjg/dot-cdist/manifest/init | 5 +++
.../type/__my_firewall/explorer/exists | 3 ++
.../type/__my_firewall/explorer/nfrule | 3 ++
.../type/__my_firewall/gencode-remote | 5 +++
.../type/__my_firewall/gencode-remote~ | 5 +++
kjg/dot-cdist/type/__my_firewall/manifest | 24 +++++++++++
kjg/dot-cdist/type/__my_firewall/manifest~ | 40 +++++++++++++++++++
kjg/dot-cdist/type/__my_firewall/singleton | 0
9 files changed, 95 insertions(+)
create mode 100644 kjg/dot-cdist/manifest/firewall
create mode 100644 kjg/dot-cdist/type/__my_firewall/explorer/exists
create mode 100644 kjg/dot-cdist/type/__my_firewall/explorer/nfrule
create mode 100644 kjg/dot-cdist/type/__my_firewall/gencode-remote
create mode 100644 kjg/dot-cdist/type/__my_firewall/gencode-remote~
create mode 100644 kjg/dot-cdist/type/__my_firewall/manifest
create mode 100644 kjg/dot-cdist/type/__my_firewall/manifest~
create mode 100644 kjg/dot-cdist/type/__my_firewall/singleton
diff --git a/kjg/dot-cdist/manifest/firewall b/kjg/dot-cdist/manifest/firewall
new file mode 100644
index 0000000..da93aa2
--- /dev/null
+++ b/kjg/dot-cdist/manifest/firewall
@@ -0,0 +1,10 @@
+case "$__target_host" in
+ # Everybody has this
+ localhost)
+ __package nftables
+ require="__package/nftables" __my_firewall --file basic
+ ;;
+ *)
+ __my_nginx
+ __my_nginx_site $__target_host #test
+esac
\ No newline at end of file
diff --git a/kjg/dot-cdist/manifest/init b/kjg/dot-cdist/manifest/init
index 3b61b1b..6fd3e2c 100644
--- a/kjg/dot-cdist/manifest/init
+++ b/kjg/dot-cdist/manifest/init
@@ -1,3 +1,7 @@
+#!/bin/sh
+
+sh -e "$__manifest/firewall"
+
 case "$__target_host" in
 # Everybody has this
 localhost)
@@ -10,3 +14,4 @@ case "$__target_host" in
 __my_nginx
 __my_nginx_site $__target_host #test
 esac
+
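Review bot: `require="__package/nftables" __my_firewall --file basic` passes a parameter the new type never declares — the diffstat adds `explorer/`, `gencode-remote`, `manifest` and `singleton` under `type/__my_firewall/` but no `parameter/required` or `parameter/optional` file, so cdist will reject `--file` as an unknown option before the type's manifest ever runs; add `parameter/optional` (or `required`) containing `file`. `$__target_host` on the `__my_nginx_site` line is unquoted and should be `"$__target_host"`, matching the quoted use in the `case` selector. The file also ends without a trailing newline, which some `sh` implementations tolerate but is worth fixing while the file is new.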
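Review bot: After `sh -e "$__manifest/firewall"` returns, init's own `case` block still runs, and for every non-localhost host both files take the `*)` branch and declare `__my_nginx` and `__my_nginx_site` for the same host (init's copy is visible as context in this file's second hunk), so each object is declared twice; declare the nginx objects in one manifest only — the firewall manifest should contain just the nftables package and `__my_firewall`. Running the second manifest through `sh -e` does mean a failure there aborts init, which is the right behaviour; I'd add a one-line comment saying so, e.g. `# firewall rules first; a failure here must stop the whole run`.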
diff --git a/kjg/dot-cdist/type/__my_firewall/explorer/exists b/kjg/dot-cdist/type/__my_firewall/explorer/exists
new file mode 100644
index 0000000..1839cf9
--- /dev/null
+++ b/kjg/dot-cdist/type/__my_firewall/explorer/exists
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+nft -V | grpe v* || true
diff --git a/kjg/dot-cdist/type/__my_firewall/explorer/nfrule b/kjg/dot-cdist/type/__my_firewall/explorer/nfrule
new file mode 100644
index 0000000..ffaadf5
--- /dev/null
+++ b/kjg/dot-cdist/type/__my_firewall/explorer/nfrule
@@ -0,0 +1,3 @@
+
+
+nft list ruleset
diff --git a/kjg/dot-cdist/type/__my_firewall/gencode-remote b/kjg/dot-cdist/type/__my_firewall/gencode-remote
new file mode 100644
index 0000000..28c684f
--- /dev/null
+++ b/kjg/dot-cdist/type/__my_firewall/gencode-remote
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+if [! -f echo "diff /etc/my-nftables /etc/readrule"]; then
+ echo "nft -f /etc/my-nftables"
+fi
diff --git a/kjg/dot-cdist/type/__my_firewall/gencode-remote~ b/kjg/dot-cdist/type/__my_firewall/gencode-remote~
new file mode 100644
index 0000000..d263ed7
--- /dev/null
+++ b/kjg/dot-cdist/type/__my_firewall/gencode-remote~
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+if [! -f echo "diff /etc/my-nftables /etc/readnfrule"]; then
+ echo "nft -f /etc/my-nftables"
+fi
diff --git a/kjg/dot-cdist/type/__my_firewall/manifest b/kjg/dot-cdist/type/__my_firewall/manifest
new file mode 100644
index 0000000..154d40b
--- /dev/null
+++ b/kjg/dot-cdist/type/__my_firewall/manifest
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+os=$(cat "$__global/explorer/os")
+
+nft_path="/etc/my-nftables"
+
+if [ ! -f "$__global/explorer/exists" ];then
+ echo "crrently no nft" >&2
+ exit 1
+fi
+
+if ["-" -eq "$__object/parameter/file" ]; then
+ filename="$__object/stdin"
+
+else
+ filename=($__object/parameter/file)
+fi
+
+__file ${nft_path} --mode 644 --source "$__type/files/$(unknown)"
+
+
+if [ -f "$__global/explorer/nfrule" ]; then
+ echo "$__global/explorer//nfrule" > /etc/readrule
+fi
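Review bot: `nft -V | grpe v* || true` misspells `grep`, leaves `v*` as an unquoted glob that is expanded against whatever files sit in the explorer's working directory, and the trailing `|| true` hides every failure, so the explorer prints an empty string whether nft is missing or the pipeline is simply broken — the manifest can never tell the two apart. A version string is not needed to learn whether the binary is there; `command -v nft || true` (empty output means absent) answers the question with one builtin and still exits 0 as cdist expects. Whatever the manifest checks must then look at the explorer's content rather than at the presence of the output file.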
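Review bot: `if [! -f echo "diff /etc/my-nftables /etc/readrule"]; then` is not valid `test` syntax — `[!` is parsed as a command name and the closing `]` is glued to the string — so under `#!/bin/sh -e` gencode-remote aborts before it emits anything, and the `diff` it seems to intend never runs because it sits inside a string literal. gencode-remote executes on the cdist host and only prints the commands for the target, so the decision has to be made from data cdist already pulled back: the `nfrule` explorer output and the desired ruleset. Separately, `nft -f` adds to the live ruleset; unless the file starts with `flush ruleset` (which nft applies atomically with the rest of the file, so an SSH accept rule in the same file keeps the host reachable), re-applying it on every run appends duplicate rules — worth a comment in the ruleset file and in this script. A minimal working version:

```sh
#!/bin/sh -e
# Runs on the cdist host; stdout is executed on the target.
# The explorer gives the live ruleset; apply the file when it differs.
# NOTE(review): `nft list ruleset` normalises formatting, so this textual
# comparison may be pessimistic — confirm the file is written in the
# same canonical form, or have the ruleset file begin with `flush ruleset`
# and apply it unconditionally.
if [ "$(cat "$__object/parameter/file")" = "-" ]; then
    wanted="$__object/stdin"
else
    wanted="$__type/files/$(cat "$__object/parameter/file")"
fi

if ! cmp -s -- "$wanted" "$__object/explorer/nfrule"; then
    echo "nft -f /etc/my-nftables"
fi
```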
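Review bot: `gencode-remote~` is an editor backup of the `gencode-remote` above (the only difference is `readnfrule` vs `readrule`) and should not be committed; it will silently drift from the real file and mislead the next reader into wondering which path is current. Remove it with `git rm` and add `*~` to the repository's `.gitignore` so it cannot come back.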
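Review bot: The guard `if [ ! -f "$__global/explorer/exists" ]` can never fire — `exists` is a type explorer, so its output lands in `$__object/explorer/exists`, not `$__global/explorer/`, and cdist writes that file even when the explorer prints nothing, so presence says nothing about whether nft is installed; test the content instead. The parameter handling is also broken three ways: `["-" -eq "$__object/parameter/file" ]` lacks the space after `[` and uses the integer operator `-eq` on a path string, `filename=($__object/parameter/file)` is a bash array under `#!/bin/sh` that stores the path rather than the value, and `filename` is then never used — `--source "$__type/files/$(unknown)"` runs a command literally named `unknown`. The final block writes the explorer's *path string* into `/etc/readrule` on the machine running cdist (manifests run locally), which is both wrong and a write into the control host's `/etc`; drop it. Since the ruleset documents which peers are allowed in, I'd also prefer `--mode 0600` over world-readable 644, and `os` is read but unused. Proposed body (the `$__type/files/<name>` lookup follows the original `--source` prefix; confirm that is how `--file basic` is meant to resolve):

```sh
#!/bin/sh -e
# … unchanged: nft_path …

# Type explorers are delivered in $__object/explorer; cdist creates the file
# even when the explorer printed nothing, so test the content, not -f.
if [ -z "$(cat "$__object/explorer/exists")" ]; then
    echo "nft is not installed on $__target_host" >&2
    exit 1
fi

file="$(cat "$__object/parameter/file")"
if [ "$file" = "-" ]; then
    source="$__object/stdin"
else
    source="$__type/files/$file"
fi

# Root-only: the ruleset reveals which addresses are allowed through.
__file "$nft_path" --mode 0600 --source "$source"
```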
diff --git a/kjg/dot-cdist/type/__my_firewall/manifest~ b/kjg/dot-cdist/type/__my_firewall/manifest~
new file mode 100644
index 0000000..8f1f178
--- /dev/null
+++ b/kjg/dot-cdist/type/__my_firewall/manifest~
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+os=$(cat "$__global/explorer/os")
+
+nft_path="/etc/my-nftables"
+
+case "$os" in
+ alpine)
+ os_pkgs="netcat-openbsd and tshark"
+ ;;
+ debian|devuan)
+ os_pkgs="netcat tshark"
+ ;;
+ fedora)
+ os_pkgs="nmap-ncat wireshark-cli"
+ ;;
+ *)
+ echo "OS $os currently not supported" >&2
+ exit 1
+ ;;
+esac
+
+if [ ! -f "$__global/explorer/exists" ];then
+ echo "crrently no nft" >&2
+ exit 1
+fi
+
+if ["-" -eq "$__object/parameter/file" ]; then
+ filename="$__object/stdin"
+
+else
+ filename=($__object/parameter/file)
+fi
+
+__file ${nft_path} --mode 644 --source "$__type/files/$(unknown)"
+
+
+if [ -f "$__global/explorer/nfrule" ]; then
+ echo "$__global/explorer//nfrule" > /etc/readrule
+fi
diff --git a/kjg/dot-cdist/type/__my_firewall/singleton b/kjg/dot-cdist/type/__my_firewall/singleton
new file mode 100644
index 0000000..e69de29
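Review bot: `manifest~` is an editor backup that should not be in the commit; the `case "$os"` block assigning `os_pkgs` (netcat/tshark packages that nothing in this type installs or reads) shows it is a stale copy from another type rather than the current manifest, and it repeats every defect of the real `manifest` (`$__global/explorer/exists` for a type explorer, `["-" -eq`, the `$(unknown)` command substitution, the write to `/etc/readrule`). `git rm` it and add `*~` to `.gitignore` so backups stop being staged; the empty `singleton` marker below is fine as is.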