*** cdist #6: Glueing it together
**** Lecture content
***** Objective
- Apply learnings from the previous cdist sessions
***** Step 1: *__all_in_one* (1.25h)
- Create a new type named *__all_in_one*
- Decide yourself whether it is a singleton or not
- Explain your reasoning in your cdist.org file
- It should work on Alpine, Debian and Fedora
- It accepts the following parameters:
  - *--with-x* (boolean)
  - *--extra-packages* (optional multiple)
- On Alpine, it should install netcat-openbsd and tshark
- On Debian, it should install netcat and tshark
- On Fedora, it should install nmap-ncat and wireshark-cli
- On all operating systems, install socat, sipcalc and sudo
- If the detected operating system is neither Alpine, Debian nor Fedora, output an error message and abort the manifest with exit code 1
- Additionally, install all packages specified by the *--extra-packages* parameter
***** Step 2: *__firewall* (1.25h)
- Create a new type *__my_firewall*
- Add a *type explorer* to find out whether nft is present on the target system
- Add a required parameter named *file*
- If the type explorer does not detect nft on the target system, abort with an error message
- Deploy the specified file to */etc/my-nftables*
- Add a *type explorer* that reads the current nft rules
- If the rules on the target host differ from the specified file, apply the new ruleset by generating code in *gencode-remote*
- If the filename specified by the *file* parameter is *-* (the minus sign), the type should read the ruleset from *stdin*
***** Step 3: manifest (0.5h)
- Create a new manifest in the folder that contains the initial manifest
- Name the new manifest *firewall*
- Source the *firewall* manifest from the *initial* manifest
- In the *firewall* manifest, match on *localhost*
- Install nftables
- Use the *__firewall* type
- Use the correct *require* parameter to ensure that nftables is installed before the *__firewall* type is run
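A worked example for Step 1, added here and not part of the lecture material: the package selection of the *__all_in_one* manifest, factored into plain shell functions so it can be run and tested outside cdist. The function names and the error message are my own; the cdist variables mentioned in the comments (*$__global/explorer/os*, *$__object/parameter/extra-packages*, the *__package* type) are cdist's standard type environment.

```shell
#!/bin/sh
# Added example, not part of the lecture: the package selection of an
# __all_in_one manifest, written as functions that run outside cdist.
# Inside the real type manifest, $os comes from "$(cat "$__global/explorer/os")",
# the extra packages from "$__object/parameter/extra-packages" (one per line,
# present only when the parameter was given) and each package is installed
# with cdist's __package type.

# Distribution-specific packages from the exercise text; unknown OS -> error.
os_specific_packages() {
    case "$1" in
        alpine) echo "netcat-openbsd tshark" ;;
        debian) echo "netcat tshark" ;;
        fedora) echo "nmap-ncat wireshark-cli" ;;
        *)
            echo "__all_in_one: unsupported operating system '$1'" >&2
            return 1
            ;;
    esac
}

# Complete package list: the OS-specific set, the common set, then any extra
# packages passed as further arguments. Returns 1 on an unsupported OS so the
# manifest can abort with exit code 1.
all_in_one_packages() {
    os="$1"
    shift
    extras="$*"
    specific=$(os_specific_packages "$os") || return 1
    echo "$specific socat sipcalc sudo${extras:+ $extras}"
}

# How the type manifest would use it (cdist variables, so not run here):
#   os=$(cat "$__global/explorer/os")
#   extras=""
#   [ -f "$__object/parameter/extra-packages" ] && extras=$(cat "$__object/parameter/extra-packages")
#   pkgs=$(all_in_one_packages "$os" $extras) || exit 1
#   for pkg in $pkgs; do __package "$pkg"; done
#   # the boolean --with-x parameter exists as a file only when it was given:
#   [ -f "$__object/parameter/with-x" ] && __package xorg-server
```

Keeping the mapping in a function that returns a status (rather than calling `exit` deep inside a `case`) is what makes the unsupported-OS path testable; the manifest itself still exits 1 at the call site, as the exercise requires.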
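A worked example for Steps 2 and 3, added here and not part of the lecture material: the decision logic of the *__my_firewall* type (nft presence check, stdin handling, and the change detection that drives *gencode-remote*) as plain shell functions that run outside cdist. The explorer names *nft* and *rules*, the function names and the error message are my own assumptions; *$__object/explorer/...*, *$__object/parameter/file*, *$__object/stdin*, *__file --source* and *require=* are cdist's standard conventions.

```shell
#!/bin/sh
# Added example, not part of the lecture: decision logic of a __my_firewall
# type as functions that run outside cdist. Assumed type layout (names are
# mine): explorer/nft prints the output of "command -v nft" (empty when nft
# is absent) and explorer/rules prints "nft list ruleset". cdist stores their
# output in $__object/explorer/nft and $__object/explorer/rules, the parameter
# in $__object/parameter/file and piped-in data in $__object/stdin.

# manifest: abort when the explorer found no nft binary on the target.
firewall_require_nft() {
    if [ -z "$1" ]; then
        echo "__my_firewall: nft not found on target host" >&2
        return 1
    fi
}

# manifest: resolve which local file holds the ruleset. "-" means stdin,
# which cdist has already saved to $__object/stdin (passed as $2 here).
firewall_source() {
    if [ "$1" = "-" ]; then
        echo "$2"
    else
        echo "$1"
    fi
}

# gencode-remote: print the command to run on the target only when the
# desired ruleset ($1) differs from what the explorer captured ($2).
# Comparing text assumes the file is written the way "nft list ruleset"
# prints it; if it is not, the rules are re-applied on every run (still
# correct, just not idempotent).
firewall_gencode_remote() {
    if cmp -s "$1" "$2"; then
        return 0    # no output: cdist runs nothing on the target
    fi
    echo "nft -f /etc/my-nftables"
}

# In the type the pieces combine as (cdist variables, so not run here):
#   manifest:
#     firewall_require_nft "$(cat "$__object/explorer/nft")" || exit 1
#     src=$(firewall_source "$(cat "$__object/parameter/file")" "$__object/stdin")
#     __file /etc/my-nftables --source "$src" --mode 0600
#   gencode-remote:
#     firewall_gencode_remote "$src" "$__object/explorer/rules"
# and in the firewall manifest of Step 3 (matching on localhost):
#     __package nftables
#     require="__package/nftables" __my_firewall --file /path/to/rules.nft
```

Two points worth noting for the exercise: the explorer runs on the target before any code is generated, so *gencode-remote* only ever emits the `nft -f` command when there is an actual difference, and the `require="__package/nftables"` string in Step 3 names the object (type plus object id), not the package, so cdist orders the installation before the firewall type's code runs.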