From fb1ae56f460f2cabdf0f7b9b0bccdde309d698ca Mon Sep 17 00:00:00 2001 From: Imran Iqbal Date: Sat, 11 Jan 2020 21:42:43 +0000 Subject: [PATCH] feat: promote `ng` * Semi-automated using https://github.com/myii/ssf-formula/pull/119 * Close #34 * Close #35 BREAKING CHANGE: all previous `fail2ban` based configurations must be reviewed; `fail2ban.ng` usage must be promoted to `fail2ban` and any uses of the original `fail2ban` will have to be converted. --- docs/README.rst | 102 ++++----------- fail2ban/config.sls | 141 +++++++++++++------- fail2ban/deprecated.sls | 41 ------ fail2ban/{ng => }/files/config.jinja | 0 fail2ban/files/fail2ban_conf.template | 27 ---- fail2ban/init.sls | 17 +-- fail2ban/install.sls | 8 ++ fail2ban/map.jinja | 23 ++-- fail2ban/ng/config.sls | 107 --------------- fail2ban/ng/init.sls | 8 -- fail2ban/ng/install.sls | 11 -- fail2ban/ng/map.jinja | 30 ----- fail2ban/{ng => }/service.sls | 7 +- kitchen.yml | 2 +- pillar.example | 179 ++++++++++---------------- pre-commit_semantic-release.sh | 12 -- release.config.js | 2 +- 17 files changed, 221 insertions(+), 496 deletions(-) delete mode 100644 fail2ban/deprecated.sls rename fail2ban/{ng => }/files/config.jinja (100%) delete mode 100644 fail2ban/files/fail2ban_conf.template create mode 100644 fail2ban/install.sls delete mode 100644 fail2ban/ng/config.sls delete mode 100644 fail2ban/ng/init.sls delete mode 100644 fail2ban/ng/install.sls delete mode 100644 fail2ban/ng/map.jinja rename fail2ban/{ng => }/service.sls (78%) diff --git a/docs/README.rst b/docs/README.rst index d6c5850..d5933c3 100644 --- a/docs/README.rst +++ b/docs/README.rst @@ -21,25 +21,28 @@ fail2ban-formula :header-rows: 1 :widths: 1 - * - WARNING: BREAKING CHANGES IN UPCOMING ``v1.0.0`` - * - This formula currently provides two methods for managing Fail2Ban; the old method - under ``fail2ban`` and the new method under ``fail2ban.ng``. - In upcoming `v1.0.0 `_, - the old method will be removed and ``fail2ban.ng`` will be promoted to ``fail2ban`` in its place. - - If you are not in a position to migrate, you will need to pin your repo to - the final release tag before + * - WARNING: BREAKING CHANGES SINCE ``v1.0.0`` + * - Prior to `v1.0.0 `_, - which is expected to be + this formula provided two methods for managing Fail2Ban; + the old method under ``fail2ban`` and the new method under ``fail2ban.ng``. + The old method has now been removed and ``fail2ban.ng`` has been promoted to + be ``fail2ban`` in its place. + + If you are not in a position to migrate, please pin your repo to the final + release tag before + `v1.0.0 `_, + i.e. `v0.17.2 `_. - If you are currently using ``fail2ban.ng``, there is nothing to do until - `v1.0.0 `_ - is released. + To migrate from ``fail2ban.ng``, simply modify your pillar to promote the + entire section under ``fail2ban:ng`` so that it is under ``fail2ban`` instead. + So with the editor of your choice, highlight the entire section and then + unindent one level. Finish by removing the ``ng:`` line. - To migrate from the old ``fail2ban``, the first step is to convert to ``fail2ban.ng``, - before `v1.0.0 `_ - is released. + To migrate from the old ``fail2ban``, first convert to ``fail2ban.ng`` under + `v0.17.2 `_. + and then follow the steps laid out in the paragraph directly above. .. contents:: **Table of Contents** @@ -70,73 +73,21 @@ Available states .. contents:: :local: - ``fail2ban`` ^^^^^^^^^^^^ -Install the ``fail2ban`` package and enable the service. - -``fail2ban.config`` -^^^^^^^^^^^^^^^^^^^ - -Creates a ``jail.local`` config file based on pillar data to override configuration in the default ``jail.conf`` file and enables creation of all configuration files based on content blocks in pillar. See ``pillar.example`` for reference -and consult the fail2ban documentation. - - -The following states provide an alternate approach to managing fail2ban. Tested in Ubuntu 14/16 and CentOS 6/7. - -.. contents:: - :local: - -``fail2ban.ng`` -^^^^^^^^^^^^^^^ - -Meta state for inclusion of all ng states. +Meta state for inclusion of all states. -``fail2ban.ng.install`` -^^^^^^^^^^^^^^^^^^^^^^^ +``fail2ban.install`` +^^^^^^^^^^^^^^^^^^^^ Install the ``fail2ban`` package. -``fail2ban.ng.config`` -^^^^^^^^^^^^^^^^^^^^^^ +``fail2ban.config`` +^^^^^^^^^^^^^^^^^^^ Configure fail2ban creating a ``jail.local`` file based on pillar data that overrid ``jail.conf``. It also creates a ``file.local`` per action/filter. Either in jails, actions or filters is possible to setup a ``source_path`` options to upload your configuration directly (see ``pillar.example``). It is also possible to remove either actions or filters setting up ``enabled: False`` in it section (see ``pillar.example``). -Keep in mind that in ng states ``lookup``, ``config``, ``jails``, ``actions`` and ``filters`` are at the same level (in the old states, all the sections are under ``lookup``: - -.. code-block:: yaml - - fail2ban: - ng: - lookup: - config: - jails: - actions: - filters: - -Keep in mind also that in ng states change the syntax for the actions and filters adding a new `config` section and `enabled` option (optional): - -.. code-block:: yaml - - fail2ban: - ng: - actions: - name-of-action: - enabled: True/False # OPTIONAL - config: - Definition: - actionban: - actionunban: - Init: - whatever: - filters: - name-of-filter: - enabled: True/False # OPTIONAL - config: - Definition: - failregex: - It is also possible to specify the source file for config, jails, actions and filters instead of using the template: .. code-block:: yaml @@ -156,16 +107,15 @@ It is also possible to specify the source file for config, jails, actions and fi config: source_path: salt://path-to-filter-file -``fail2ban.ng.service`` -^^^^^^^^^^^^^^^^^^^^^^^ +``fail2ban.service`` +^^^^^^^^^^^^^^^^^^^^ Manage fail2ban service. It is also possible to disable the service using the following pillar configuration: .. code-block:: yaml fail2ban: - ng: - enabled: False + enabled: false Testing diff --git a/fail2ban/config.sls b/fail2ban/config.sls index a9574da..5305fd4 100644 --- a/fail2ban/config.sls +++ b/fail2ban/config.sls @@ -1,55 +1,104 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + {% from "fail2ban/map.jinja" import fail2ban with context %} -include: - - fail2ban.deprecated - - fail2ban - -{{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local: -{% if fail2ban.config %} - file.managed: - - source: salt://fail2ban/files/fail2ban_conf.template - - template: jinja - - context: - config: - Definition: {{ fail2ban.config|yaml }} +fail2ban.config.fail2ban: +{% if fail2ban.config is defined %} + +{% set fail2ban_config = fail2ban.config.get('source_path', + 'salt://fail2ban/files/config.jinja') %} + + file.managed: + - name: {{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local + - source: {{ fail2ban_config }} + - user: {{ fail2ban.user|default('root') }} + - group: {{ fail2ban.group|default('root') }} + - mode: '{{ fail2ban.mode|default("644") }}' + - template: jinja + {% if fail2ban.config.source_path is not defined %} + - context: + config: + Definition: {{ fail2ban.config|yaml }} + {% endif %} {% else %} - file.absent: + file.absent: + - name: {{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local {% endif %} - - watch_in: - - service: {{ fail2ban.service }} - -{{ fail2ban.prefix }}/etc/fail2ban/jail.local: -{% if fail2ban.jails %} - file.managed: - - source: salt://fail2ban/files/fail2ban_conf.template - - template: jinja - - context: - config: {{ fail2ban.jails|yaml }} + - watch_in: + - service: {{ fail2ban.service }} + +fail2ban.config.jails: +{% if fail2ban.jails is defined %} + +{% set fail2ban_jails = fail2ban.jails.get('source_path', + 'salt://fail2ban/files/config.jinja') %} + + file.managed: + - name: {{ fail2ban.prefix }}/etc/fail2ban/jail.local + - source: {{ fail2ban_jails }} + - user: {{ fail2ban.user|default('root') }} + - group: {{ fail2ban.group|default('root') }} + - mode: '{{ fail2ban.mode|default("644") }}' + - template: jinja + {% if fail2ban.jails.source_path is not defined %} + - context: + config: {{ fail2ban.jails|yaml }} + {% endif %} {% else %} - file.absent: + file.absent: {% endif %} - - watch_in: - - service: {{ fail2ban.service }} - -{% for name, config in fail2ban.actions|dictsort %} -{{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local: - file.managed: - - source: salt://fail2ban/files/fail2ban_conf.template - - template: jinja - - watch_in: - - service: {{ fail2ban.service }} - - context: - config: {{ config|yaml }} -{% endfor %} + - watch_in: + - service: {{ fail2ban.service }} -{% for name, config in fail2ban.filters|dictsort %} -{{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local: - file.managed: - - source: salt://fail2ban/files/fail2ban_conf.template - - template: jinja - - watch_in: - - service: {{ fail2ban.service }} - - context: - config: {{ config|yaml }} +{% for name, options in fail2ban.get('actions', {})|dictsort %} + +{% set fail2ban_actions = options.config.get('source_path', + 'salt://fail2ban/files/config.jinja') %} + +fail2ban.config.action.{{ name }}: +{% if ( 'enabled' in options and options.enabled ) or ('enabled' not in options ) %} + file.managed: + - name: {{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local + - source: {{ fail2ban_actions }} + - user: {{ fail2ban.user|default('root') }} + - group: {{ fail2ban.group|default('root') }} + - mode: '{{ fail2ban.mode|default("644") }}' + - template: jinja + - watch_in: + - service: {{ fail2ban.service }} + {% if options.config.source_path is not defined %} + - context: + config: {{ options.config|yaml }} + {% endif %} +{% elif 'enabled' in options and not options.enabled %} + file.absent: + - name: {{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local +{% endif %} {% endfor %} +{% for name, options in fail2ban.get('filters', {})|dictsort %} + +{% set fail2ban_filters = options.config.get('source_path', + 'salt://fail2ban/files/config.jinja') %} + +fail2ban.config.filter.{{ name }}: +{% if ( 'enabled' in options and options.enabled ) or ('enabled' not in options ) %} + file.managed: + - name: {{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local + - source: {{ fail2ban_filters }} + - user: {{ fail2ban.user|default('root') }} + - group: {{ fail2ban.group|default('root') }} + - mode: '{{ fail2ban.mode|default("644") }}' + - template: jinja + - watch_in: + - service: {{ fail2ban.service }} + {% if options.config.source_path is not defined %} + - context: + config: {{ options.config|yaml }} + {% endif %} +{% elif 'enabled' in options and not options.enabled %} + file.absent: + - name: {{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local +{% endif %} +{% endfor %} diff --git a/fail2ban/deprecated.sls b/fail2ban/deprecated.sls deleted file mode 100644 index 00fab74..0000000 --- a/fail2ban/deprecated.sls +++ /dev/null @@ -1,41 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=sls - -{#- Evaluating as `False` by default, using this method since `defaults.yaml` not available in this repo #} -{%- if not salt['config.get']('fail2ban', {}).get('warning_messages', {}).get('v1.0.0', {}).get('mute_critical', False) %} -fail2ban-deprecated-in-v1.0.0-test-succeed: - test.succeed_without_changes: - - name: | - - ################################################################################ - # # - # WARNING: BREAKING CHANGES IN UPCOMING VERSION `v1.0.0` # - # # - ################################################################################ - # # - # This formula currently provides two methods for managing Fail2Ban; the old # - # method under `fail2ban` and the new method under `fail2ban.ng`. In upcoming # - # `v1.0.0`, the old method will be removed and `fail2ban.ng` will be promoted # - # to `fail2ban` in its place. # - # # - # If you are not in a position to migrate, you will need to pin your repo to # - # the final release tag before `v1.0.0`, which is expected to be `v0.17.2`. # - # # - # If you are currently using `fail2ban.ng`, there is nothing to do until # - # `v1.0.0` is released. # - # # - # To migrate from the old `fail2ban`, the first step is to convert to # - # `fail2ban.ng`, before `v1.0.0` is released. # - # # - # To prevent this message being displayed again, set the pillar/config value: # - # # - # ``` # - # fail2ban: # - # warning_messages: # - # v1.0.0: # - # mute_critical: true # - # ``` # - # # - ################################################################################ - # - failhard: True -{%- endif %} diff --git a/fail2ban/ng/files/config.jinja b/fail2ban/files/config.jinja similarity index 100% rename from fail2ban/ng/files/config.jinja rename to fail2ban/files/config.jinja diff --git a/fail2ban/files/fail2ban_conf.template b/fail2ban/files/fail2ban_conf.template deleted file mode 100644 index 803d9df..0000000 --- a/fail2ban/files/fail2ban_conf.template +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is managed by salt. -# - -{%- macro print_config(name, value) %} - {%- set name_length = name|length %} - {%- if value is string %} -{{ name }} = {{ value }} - {%- elif value is number %} -{{ name }} = {{ value }} - {%- else %} - {#- Since strings are also sequences, there's no way to explicitly test for lists #} -{{ name }} = {{ value|first }} - {%- if value|length > 1 %} - {%- for item in value[1:] %} -{{ item|indent(width=name_length + 3, indentfirst=True) }} - {%- endfor %} - {%- endif %} - {%- endif %} -{%- endmacro %} - -{% for section, section_data in config|dictsort %} -[{{section}}] -{%- for name, value in section_data|dictsort %} -{{- print_config(name, value) }} -{%- endfor %} -{% endfor %} diff --git a/fail2ban/init.sls b/fail2ban/init.sls index 3c8f3c8..773c125 100644 --- a/fail2ban/init.sls +++ b/fail2ban/init.sls @@ -1,14 +1,7 @@ -{% from "fail2ban/map.jinja" import fail2ban with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls include: - - fail2ban.deprecated - -fail2ban: - pkg.installed: - - name: {{ fail2ban.package }} - service.running: - - name: {{ fail2ban.service }} - - enable: True - - require: - - pkg: fail2ban - + - fail2ban.install + - fail2ban.config + - fail2ban.service diff --git a/fail2ban/install.sls b/fail2ban/install.sls new file mode 100644 index 0000000..0d4f565 --- /dev/null +++ b/fail2ban/install.sls @@ -0,0 +1,8 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{% from "fail2ban/map.jinja" import fail2ban with context %} + +fail2ban.install: + pkg.installed: + - name: {{ fail2ban.package }} diff --git a/fail2ban/map.jinja b/fail2ban/map.jinja index c231706..f976e4d 100644 --- a/fail2ban/map.jinja +++ b/fail2ban/map.jinja @@ -1,10 +1,7 @@ -{% set fail2ban = salt['grains.filter_by']({ - 'common': { - 'config': {}, - 'jails': {}, - 'actions': {}, - 'filters': {}, - }, +# -*- coding: utf-8 -*- +# vim: ft=jinja + +{% set os_family_map = salt['grains.filter_by']({ 'FreeBSD': { 'package': 'py27-fail2ban', 'service': 'fail2ban', @@ -19,5 +16,15 @@ 'package': 'fail2ban', 'service': 'fail2ban', 'prefix': '', + 'user': 'root', + 'group': 'root', + 'mode': '644', }, -}, merge=salt['pillar.get']('fail2ban:lookup'), base='common') %} +}, merge=salt['pillar.get']('fail2ban:lookup')) %} + +{% set fail2ban = salt['pillar.get']( + 'fail2ban', + default=os_family_map, + merge=True + ) +%} diff --git a/fail2ban/ng/config.sls b/fail2ban/ng/config.sls deleted file mode 100644 index 4f4ae1d..0000000 --- a/fail2ban/ng/config.sls +++ /dev/null @@ -1,107 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=sls - -include: - - fail2ban.deprecated - -{% from "fail2ban/ng/map.jinja" import fail2ban with context %} - -fail2ban.ng.config.fail2ban: -{% if fail2ban.config is defined %} - -{% set fail2ban_config = fail2ban.config.get('source_path', - 'salt://fail2ban/ng/files/config.jinja') %} - - file.managed: - - name: {{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local - - source: {{ fail2ban_config }} - - user: {{ fail2ban.user|default('root') }} - - group: {{ fail2ban.group|default('root') }} - - mode: '{{ fail2ban.mode|default("644") }}' - - template: jinja - {% if fail2ban.config.source_path is not defined %} - - context: - config: - Definition: {{ fail2ban.config|yaml }} - {% endif %} -{% else %} - file.absent: - - name: {{ fail2ban.prefix }}/etc/fail2ban/fail2ban.local -{% endif %} - - watch_in: - - service: {{ fail2ban.service }} - -fail2ban.ng.config.jails: -{% if fail2ban.jails is defined %} - -{% set fail2ban_jails = fail2ban.jails.get('source_path', - 'salt://fail2ban/ng/files/config.jinja') %} - - file.managed: - - name: {{ fail2ban.prefix }}/etc/fail2ban/jail.local - - source: {{ fail2ban_jails }} - - user: {{ fail2ban.user|default('root') }} - - group: {{ fail2ban.group|default('root') }} - - mode: '{{ fail2ban.mode|default("644") }}' - - template: jinja - {% if fail2ban.jails.source_path is not defined %} - - context: - config: {{ fail2ban.jails|yaml }} - {% endif %} -{% else %} - file.absent: -{% endif %} - - watch_in: - - service: {{ fail2ban.service }} - -{% for name, options in fail2ban.get('actions', {})|dictsort %} - -{% set fail2ban_actions = options.config.get('source_path', - 'salt://fail2ban/ng/files/config.jinja') %} - -fail2ban.ng.config.action.{{ name }}: -{% if ( 'enabled' in options and options.enabled ) or ('enabled' not in options ) %} - file.managed: - - name: {{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local - - source: {{ fail2ban_actions }} - - user: {{ fail2ban.user|default('root') }} - - group: {{ fail2ban.group|default('root') }} - - mode: '{{ fail2ban.mode|default("644") }}' - - template: jinja - - watch_in: - - service: {{ fail2ban.service }} - {% if options.config.source_path is not defined %} - - context: - config: {{ options.config|yaml }} - {% endif %} -{% elif 'enabled' in options and not options.enabled %} - file.absent: - - name: {{ fail2ban.prefix }}/etc/fail2ban/action.d/{{ name }}.local -{% endif %} -{% endfor %} - -{% for name, options in fail2ban.get('filters', {})|dictsort %} - -{% set fail2ban_filters = options.config.get('source_path', - 'salt://fail2ban/ng/files/config.jinja') %} - -fail2ban.ng.config.filter.{{ name }}: -{% if ( 'enabled' in options and options.enabled ) or ('enabled' not in options ) %} - file.managed: - - name: {{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local - - source: {{ fail2ban_filters }} - - user: {{ fail2ban.user|default('root') }} - - group: {{ fail2ban.group|default('root') }} - - mode: '{{ fail2ban.mode|default("644") }}' - - template: jinja - - watch_in: - - service: {{ fail2ban.service }} - {% if options.config.source_path is not defined %} - - context: - config: {{ options.config|yaml }} - {% endif %} -{% elif 'enabled' in options and not options.enabled %} - file.absent: - - name: {{ fail2ban.prefix }}/etc/fail2ban/filter.d/{{ name }}.local -{% endif %} -{% endfor %} diff --git a/fail2ban/ng/init.sls b/fail2ban/ng/init.sls deleted file mode 100644 index 1da16a6..0000000 --- a/fail2ban/ng/init.sls +++ /dev/null @@ -1,8 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=sls - -include: - - fail2ban.deprecated - - fail2ban.ng.install - - fail2ban.ng.config - - fail2ban.ng.service diff --git a/fail2ban/ng/install.sls b/fail2ban/ng/install.sls deleted file mode 100644 index 48ecc5a..0000000 --- a/fail2ban/ng/install.sls +++ /dev/null @@ -1,11 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=sls - -{% from "fail2ban/ng/map.jinja" import fail2ban with context %} - -include: - - fail2ban.deprecated - -fail2ban.ng.install: - pkg.installed: - - name: {{ fail2ban.package }} diff --git a/fail2ban/ng/map.jinja b/fail2ban/ng/map.jinja deleted file mode 100644 index 75ae312..0000000 --- a/fail2ban/ng/map.jinja +++ /dev/null @@ -1,30 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=jinja - -{% set os_family_map = salt['grains.filter_by']({ - 'FreeBSD': { - 'package': 'py27-fail2ban', - 'service': 'fail2ban', - 'prefix': '/usr/local', - }, - 'Gentoo': { - 'package': 'net-analyzer/fail2ban', - 'service': 'fail2ban', - 'prefix': '', - }, - 'default': { - 'package': 'fail2ban', - 'service': 'fail2ban', - 'prefix': '', - 'user': 'root', - 'group': 'root', - 'mode': '644', - }, -}, merge=salt['pillar.get']('fail2ban:ng:lookup')) %} - -{% set fail2ban = salt['pillar.get']( - 'fail2ban:ng', - default=os_family_map, - merge=True - ) -%} diff --git a/fail2ban/ng/service.sls b/fail2ban/service.sls similarity index 78% rename from fail2ban/ng/service.sls rename to fail2ban/service.sls index 26d24d3..04330c4 100644 --- a/fail2ban/ng/service.sls +++ b/fail2ban/service.sls @@ -1,12 +1,9 @@ # -*- coding: utf-8 -*- # vim: ft=sls -{% from "fail2ban/ng/map.jinja" import fail2ban with context %} +{% from "fail2ban/map.jinja" import fail2ban with context %} -include: - - fail2ban.deprecated - -fail2ban.ng.service: +fail2ban.service: {% if ( 'enabled' in fail2ban and fail2ban.enabled ) or ('enabled' not in fail2ban ) %} service.running: - name: {{ fail2ban.service }} diff --git a/kitchen.yml b/kitchen.yml index 01836d1..5dfa5c2 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -182,7 +182,7 @@ suites: base: '*': - misc.fake_log_files - - fail2ban.ng + - fail2ban pillars: top.sls: base: diff --git a/pillar.example b/pillar.example index d2348cb..862c90f 100644 --- a/pillar.example +++ b/pillar.example @@ -2,127 +2,84 @@ # vim: ft=yaml --- fail2ban: - warning_messages: - v1.0.0: - mute_critical: false lookup: - config: - loglevel: ERROR - bantime: 600 - maxretry: 3 - backend: auto - jails: - ssh: - actions: iptables[name=SSH, port=ssh, protocol=tcp] - enabled: 'true' - filter: sshd - logpath: /var/log/auth.log - maxretry: 6 - port: ssh - ignoreip: 127.0.0.1/8 - ssh_ddos: - action: iptables[name=SSH, port=ssh, protocol=tcp] - enabled: 'true' - filter: sshd-ddos - logpath: /var/log/auth.log - maxretry: 6 - port: ssh - ignoreip: 127.0.0.1/8 - nginx-noscript: - action: iptables-multiport[name=NoScript, port="http,https"] - enabled: 'true' - filter: nginx-noscript - logpath: /var/log/nginx*/*access*.log - maxretry: 6 - port: http,https - ignoreip: 127.0.0.1/8 - filters: - nginx-noscript: - Definition: - failregex: .*(GET|POST).*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi).* - - # - # New NG states - # - ng: - lookup: - loglevel: ERROR - bantime: 600 - maxretry: 3 - backend: auto + loglevel: ERROR + bantime: 600 + maxretry: 3 + backend: auto - # fail2ban.local - config: + # fail2ban.local + config: - # # FTP-style - # source_path: salt://path-to-fail2ban-file + # # FTP-style + # source_path: salt://path-to-fail2ban-file - # Template-style - loglevel: ERROR - logtarget: /var/log/fail2ban.log + # Template-style + loglevel: ERROR + logtarget: /var/log/fail2ban.log - # jail.local - jails: + # jail.local + jails: - # # FTP-style - # source_path: salt://path-to-jail-file + # # FTP-style + # source_path: salt://path-to-jail-file - # Template-style - DEFAULT: - ignoreip: 127.0.0.1 - bantime: 600 - ssh: - action: iptables[name=SSH, port=ssh, protocol=tcp] - enabled: 'true' - filter: sshd - logpath: /var/log/auth.log - maxretry: 6 - port: ssh - ignoreip: 127.0.0.1/8 - ssh_ddos: - action: iptables[name=SSH, port=ssh, protocol=tcp] - enabled: 'true' - filter: sshd-ddos - logpath: /var/log/auth.log - maxretry: 6 - port: ssh - ignoreip: 127.0.0.1/8 + # Template-style + DEFAULT: + ignoreip: 127.0.0.1 + bantime: 600 + ssh: + action: iptables[name=SSH, port=ssh, protocol=tcp] + enabled: 'true' + filter: sshd + logpath: /var/log/auth.log + maxretry: 6 + port: ssh + ignoreip: 127.0.0.1/8 + ssh_ddos: + action: iptables[name=SSH, port=ssh, protocol=tcp] + enabled: 'true' + filter: sshd-ddos + logpath: /var/log/auth.log + maxretry: 6 + port: ssh + ignoreip: 127.0.0.1/8 - # action.d - actions: + # action.d + actions: - # Template-style - csf-ip-deny: - # OPTIONAL, default true; - # if false, the action.d/csf-ip-deny.local action will be deleted - enabled: true - config: - Definition: - actionban: csf -d Added by Fail2Ban for - actionunban: csf -dr + # Template-style + csf-ip-deny: + # OPTIONAL, default true; + # if false, the action.d/csf-ip-deny.local action will be deleted + enabled: true + config: + Definition: + actionban: csf -d Added by Fail2Ban for + actionunban: csf -dr - # yamllint disable rule:comments-indentation - # # FTP-style - # test-action: - # config: - # source_path: salt://path-to-action-file - # yamllint enable rule:comments-indentation + # yamllint disable rule:comments-indentation + # # FTP-style + # test-action: + # config: + # source_path: salt://path-to-action-file + # yamllint enable rule:comments-indentation - # filter.d - filters: + # filter.d + filters: - # Template-style - nginx-noscript: - # OPTIONAL, default true; - # if false, the filter.d/nginx-noscript.local will be deleted - enabled: true - config: - Definition: - failregex: .*(GET|POST).*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi).* + # Template-style + nginx-noscript: + # OPTIONAL, default true; + # if false, the filter.d/nginx-noscript.local will be deleted + enabled: true + config: + Definition: + failregex: .*(GET|POST).*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi).* - # yamllint disable rule:comments-indentation - # # FTP-style - # test-filter: - # config: - # source_path: salt://path-to-filter-file - # yamllint enable rule:comments-indentation + # yamllint disable rule:comments-indentation + # # FTP-style + # test-filter: + # config: + # source_path: salt://path-to-filter-file + # yamllint enable rule:comments-indentation diff --git a/pre-commit_semantic-release.sh b/pre-commit_semantic-release.sh index 4f4b24a..ba80535 100755 --- a/pre-commit_semantic-release.sh +++ b/pre-commit_semantic-release.sh @@ -28,15 +28,3 @@ sed -i -e '1,4s/-/=/g' CHANGELOG.rst # Return back to the main directory cd .. - - -############################################################################### -# (C) Update last version before `v1.0.0` with `${nextRelease.version}` -############################################################################### -# Only apply this while the version number is below `v1.0.0`! -V_REPR=v${1} -MAJOR=$(echo "${V_REPR}" | cut -c-2) -if [ "${MAJOR}" = "v0" ]; then - sed -i -e "s@^\(\s\+\`\).*\(\s\`_\.\)@\1${V_REPR}\2${V_REPR}\3@" docs/README.rst - sed -i -e "s@^\(\s\+# the final release tag before \`v1.0.0\`, which is expected to be \`\).*\(\`.\s\+#\)@\1${V_REPR}\2@" fail2ban/deprecated.sls -fi diff --git a/release.config.js b/release.config.js index cb42175..6af7aa8 100644 --- a/release.config.js +++ b/release.config.js @@ -14,7 +14,7 @@ module.exports = { prepareCmd: 'sh ./pre-commit_semantic-release.sh ${nextRelease.version}', }], ['@semantic-release/git', { - assets: ['*.md', 'docs/*.rst', 'FORMULA', 'fail2ban/deprecated.sls'], + assets: ['*.md', 'docs/*.rst', 'FORMULA'], }], '@semantic-release/github', ],