cloud-mu 3.5.0 → 3.6.3

data/cookbooks/firewall/resources/nftables_rule.rb

@@ -0,0 +1,113 @@
+unified_mode true
+
+require 'ipaddr'
+
+action_class do
+  include FirewallCookbook::Helpers
+  include FirewallCookbook::Helpers::Nftables
+
+  def return_early?(new_resource)
+    !new_resource.notify_firewall ||
+      !(new_resource.action.include?(:create) &&
+        !new_resource.should_skip?(:create))
+  end
+end
+
+provides :nftables_rule
+default_action :create
+
+property :firewall_name,
+         String,
+         default: 'default'
+property :command,
+         [Array, Symbol],
+         default: :accept
+property :protocol,
+         [Integer, Symbol],
+         default: :tcp,
+         callbacks: {
+           'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
+             %i(udp tcp icmp icmpv6 ipv6-icmp esp ah ipv6 none).include?(p) || (0..142).include?(p)
+           end,
+         }
+property :direction,
+         Symbol,
+         equal_to: [:in, :out, :pre, :post, :forward],
+         default: :in
+# nftables handles ip6 and ip simultaneously.  Except for directions
+# :pre and :post, where where either :ip6 or :ip must be specified.
+# callback should prevent from mixing that up.
+property :family,
+         Symbol,
+         equal_to: [:ip6, :ip],
+         default: :ip
+property :source,
+         [String, Array],
+         callbacks: {
+           'must be a valid ip address' => lambda do |ips|
+             Array(ips).inject(false) do |a, ip|
+               a || !!IPAddr.new(ip)
+             end
+           end,
+         }
+property :sport,
+         [Integer, String, Array, Range]
+property :interface,
+         String
+
+property :dport,
+         [Integer, String, Array, Range]
+property :destination,
+         [String, Array],
+         callbacks: {
+           'must be a valid ip address' => lambda do |ips|
+             Array(ips).inject(false) do |a, ip|
+               a || !!IPAddr.new(ip)
+             end
+           end,
+         }
+property :outerface,
+         String
+
+property :position,
+         Integer,
+         default: 50
+property :stateful,
+         [Symbol, Array]
+property :redirect_port,
+         Integer
+property :description,
+         String,
+         name_property: true
+property :include_comment,
+         [true, false],
+         default: true
+property :log_prefix,
+         String
+property :log_group,
+         Integer
+# for when you just want to pass a raw rule
+property :raw,
+         String
+
+# do you want this rule to notify the firewall to recalculate
+# (and potentially reapply) the firewall_rule(s) it finds?
+property :notify_firewall,
+         [true, false],
+         default: true
+
+action :create do
+  return if return_early?(new_resource)
+  fwr = build_firewall_rule(new_resource)
+
+  with_run_context :root do
+    edit_resource!('nftables', new_resource.firewall_name) do |fw_rule|
+      r = rules.dup || {}
+      r.merge!({
+                 fwr => fw_rule.position,
+               })
+      rules(r)
+      delayed_action :rebuild
+    end
+  end
+end

data/cookbooks/mu-activedirectory/Berksfile

@@ -8,4 +8,4 @@ metadata
 # Supermarket Cookbooks
 cookbook "windows", '~> 5.1.1'
 cookbook "chef-vault", '~> 3.1.1'
-cookbook "yum-epel", '~> 3.2.0'
+cookbook "yum-epel", '~> 5.0.8'

data/cookbooks/mu-activedirectory/metadata.rb

@@ -10,7 +10,7 @@ chef_version '>= 14.0' if respond_to?(:chef_version)
 version '0.2.0'
 depends "windows", '~> 5.1.1'
 depends "chef-vault", '~> 3.1.1'
-depends "yum-epel", '~> 3.2.0'
+depends "yum-epel", '~> 5.0.8'
 
 %w( amazon centos redhat windows ).each do |os|
 	supports os

data/cookbooks/mu-firewall/metadata.rb

@@ -7,10 +7,10 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
 chef_version '>= 12.1' if respond_to?(:chef_version)
-version          '0.1.2'
+version          '0.1.3'
 
 %w( amazon centos redhat windows ).each do |os|
 	supports os
 end
 
-depends	'firewall', '~> 2.7.1'
+depends	'firewall', '~> 6.3.7'

data/cookbooks/mu-master/Berksfile

@@ -4,7 +4,6 @@ source chef_repo: ".."
 metadata
 
 # Mu Cookbooks
-cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
 cookbook 'mu-utility'
 cookbook 'mu-tools'
 cookbook 'mu-firewall'
@@ -12,12 +11,14 @@ cookbook 'mu-activedirectory'
 cookbook 's3fs'
 
 # Supermarket Cookbooks
+cookbook 'nagios'
 cookbook 'nrpe', '~> 2.0.3'
 cookbook 'postfix', '~> 5.3.1'
 cookbook 'bind', '~> 2.2.0'
 cookbook 'bind9-ng', '~> 0.1.0'
-cookbook 'vault-cluster', '~> 2.1.0'
-cookbook 'consul-cluster', '~> 2.0.0'
+#cookbook 'vault-cluster', '~> 2.1.0'
+#cookbook 'consul-cluster', '~> 2.0.0'
 cookbook 'hostsfile', '~> 3.0.1'
 cookbook 'chef-vault', '~> 3.1.1'
 cookbook 'chef-sugar'
+depends 'apache2', '~> 9.0.3'

data/cookbooks/mu-master/attributes/default.rb

@@ -47,11 +47,14 @@ else
 end
 #default['nagios']['server']['server_alias'] = node[:fqdn]+", "+node[:hostname]+", "+node['local_hostname']+", "+node['local_ipv4']+", "+node['public_hostname']+", "+node['public_ipv4']
 default["nagios"]["log_dir"] = "/var/log/httpd"
-default['nagios']['cgi-bin'] = "/usr/lib/cgi-bin/"
+default['nagios']['cgi-bin'] = "/usr/lib/cgi-bin/nagios/"
 default['nagios']['cgi-path'] = "/nagios/cgi-bin/"
 default['nagios']['server_role'] = "mu-master"
+default['nrpe']['server_role'] = "mu-master"
 default['nagios']['group'] = "nagios"
+default['nagios']['server_auth_method'] = "htauth"
 default['nagios']['server']['install_method'] = 'source'
+default['nagios']['monitored_environments'] = ["dev", "prod"]
 default['nagios']['multi_environment_monitoring'] = true
 default['nagios']['users_databag'] = "nagios_users"
 default['nagios']['conf']['enable_notifications'] = 1
@@ -60,7 +63,7 @@ default['nagios']['conf']['interval_length'] = 1
 default['nagios']['default_host']['notification_interval'] = 7200
 default['nagios']['default_host']['check_interval'] = 180
 default['nagios']['default_host']['retry_interval'] = 60
-default['nagios']['conf']['service_check_timeout'] = 10
+default['nagios']['conf']['service_check_timeout'] = 30
 default['nagios']['default_host']['max_check_attempts'] = 4
 default['nagios']['default_host']['check_command'] = "check_node_ssh"
 default['nagios']['default_service']['check_interval'] = 180