fix: Add missing nftables.conf file

2025-03-26 21:57:45 -04:00 · 2025-03-26 21:57:45 -04:00 · 755957e3b1
commit 755957e3b1
parent 8030eedb32
5 changed files with 48 additions and 0 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -1,5 +1,6 @@
 node default {
 	include base
+	include security
 	include puppet_module
 	include genesis
 }
--- a/modules/security/files/firewall/nftables/nftables.conf
+++ b/modules/security/files/firewall/nftables/nftables.conf
@ -0,0 +1,21 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+		iif lo accept
+		ct state established,related accept
+		tcp dport { 22, 22, 80, 443, 8140 } ct state new accept
+		icmp type { 0, 3, 8, 11, 12 } accept
+		icmpv6 type { 1, 3, 4, 128, 129 } accept
+		counter drop
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}
--- a/modules/security/manifests/firewall.pp
+++ b/modules/security/manifests/firewall.pp
@ -0,0 +1,16 @@
+class security::firewall {
+  include firewall::nftables
+}
+
+class firewall::nftables {
+  package { 'nftables':
+    ensure => installed,
+    name   => 'nftables',
+  }
+  ~> file { default: *=> $firewall::params::file_defaults;
+    "/etc/nftables.conf":
+      ensure => present,
+      source => 'puppet:///modules/security/firewall/nftables/nftables.conf',
+    ;
+  }
+}
--- a/modules/security/manifests/init.pp
+++ b/modules/security/manifests/init.pp
@ -0,0 +1,3 @@
+class security inherits security::params {
+  include security::firewall
+}
--- a/modules/security/manifests/params.pp
+++ b/modules/security/manifests/params.pp
@ -0,0 +1,7 @@
+class security::params {
+  $file_defaults = {
+    mode  => "0640",
+    owner => "root",
+    group => "root",
+  }
+}