Merge pull request #296 from bastelfreak/choria

Add rule for outgoing choria connections

Author: bastelfreak

REFERENCE.md

@@ -42,6 +42,7 @@ Enable this option to support Ceph's Monitor Daemon.
 Enable this to be a client of Ceph's Monitor (MON),
 Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
 and Manager Daemons (MGR).
+* [`nftables::rules::out::choria`](#nftables--rules--out--choria): manage outgoing connections to choria brokers
 * [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
 * [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
 * [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
@@ -1028,6 +1029,54 @@ Specify ports to open
 
 Default value: `[3300, 6789]`
 
+### <a name="nftables--rules--out--choria"></a>`nftables::rules::out::choria`
+
+manage outgoing connections to choria brokers
+
+* **See also**
+  * https://choria.io/docs/deployment/broker/
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::out::choria` class:
+
+* [`brokers`](#-nftables--rules--out--choria--brokers)
+* [`choria_port`](#-nftables--rules--out--choria--choria_port)
+* [`websocket_port`](#-nftables--rules--out--choria--websocket_port)
+* [`enable_websockets`](#-nftables--rules--out--choria--enable_websockets)
+
+##### <a name="-nftables--rules--out--choria--brokers"></a>`brokers`
+
+Data type: `Array[Stdlib::IP::Address]`
+
+list of brokers where you want to connect to
+
+Default value: `[]`
+
+##### <a name="-nftables--rules--out--choria--choria_port"></a>`choria_port`
+
+Data type: `Stdlib::Port`
+
+where the broker listens for incoming server connections
+
+Default value: `4222`
+
+##### <a name="-nftables--rules--out--choria--websocket_port"></a>`websocket_port`
+
+Data type: `Stdlib::Port`
+
+where the broker listens for incoming websocket connections from servers
+
+Default value: `4333`
+
+##### <a name="-nftables--rules--out--choria--enable_websockets"></a>`enable_websockets`
+
+Data type: `Boolean`
+
+websockets are optional and use a different port
+
+Default value: `true`
+
 ### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`
 
 manage out chrony

manifests/rules/out/choria.pp

@@ -0,0 +1,53 @@
+#
+# @summary manage outgoing connections to choria brokers
+#
+# @param brokers list of brokers where you want to connect to
+# @param choria_port where the broker listens for incoming server connections
+# @param websocket_port where the broker listens for incoming websocket connections from servers
+# @param enable_websockets websockets are optional and use a different port
+#
+# @see https://choria.io/docs/deployment/broker/
+#
+# @author Tim Meusel <tim@bastelfreak.de>
+#
+class nftables::rules::out::choria (
+  Array[Stdlib::IP::Address] $brokers = [],
+  Stdlib::Port $choria_port = 4222,
+  Stdlib::Port $websocket_port = 4333,
+  Boolean $enable_websockets = true,
+) {
+  if empty($brokers) {
+    nftables::rule { 'default_out-choria-0':
+      content => "tcp dport ${choria_port} accept",
+    }
+    if $enable_websockets {
+      nftables::rule { 'default_out-choriawebsocket-0':
+        content => "tcp dport ${choria_port} accept",
+      }
+    }
+  }
+  else {
+    $brokers.each |$index,$ip| {
+      if $ip =~ Stdlib::IP::Address::V6 {
+        nftables::rule { "default_out-choria-${index}":
+          content => "ip6 daddr ${ip} tcp dport ${choria_port} accept",
+        }
+      } else {
+        nftables::rule { "default_out-choria-${index}":
+          content => "ip daddr ${ip} tcp dport ${choria_port} accept",
+        }
+      }
+      if $enable_websockets {
+        if $ip =~ Stdlib::IP::Address::V6 {
+          nftables::rule { "default_out-choriawebsocket-${index}":
+            content => "ip6 daddr ${ip} tcp dport ${websocket_port} accept",
+          }
+        } else {
+          nftables::rule { "default_out-choriawebsocket-${index}":
+            content => "ip daddr ${ip} tcp dport ${websocket_port} accept",
+          }
+        }
+      }
+    }
+  }
+}

spec/acceptance/all_rules_spec.rb

@@ -114,6 +114,7 @@ class { 'nftables':
       include nftables::rules::out::mdns
       include nftables::rules::out::ssdp
       include nftables::rules::out::icinga2
+      include nftables::rules::out::choria
       include nftables::services::dhcpv6_client
       include nftables::services::openafs_client
       $config_path = $facts['os']['family'] ? {

spec/classes/rules/out/choria_spec.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::out::choria' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+      let(:params) do
+        { brokers: ['1.2.3.4'] }
+      end
+
+      context 'default options' do
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('ip daddr 1.2.3.4 tcp dport 4222 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choriawebsocket-0').with_content('ip daddr 1.2.3.4 tcp dport 4333 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(2) }
+      end
+
+      context 'with different port' do
+        let(:params) do
+          super().merge({ choria_port: 8141 })
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('ip daddr 1.2.3.4 tcp dport 8141 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choriawebsocket-0').with_content('ip daddr 1.2.3.4 tcp dport 4333 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(2) }
+      end
+
+      context 'with ipv6 address' do
+        let(:params) do
+          { brokers: ['fe80::1'] }
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('ip6 daddr fe80::1 tcp dport 4222 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choriawebsocket-0').with_content('ip6 daddr fe80::1 tcp dport 4333 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(2) }
+      end
+
+      context 'with ipv6 & ipv4 address' do
+        let(:params) do
+          { brokers: ['fe80::1', '1.2.3.4'] }
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('ip6 daddr fe80::1 tcp dport 4222 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choria-1').with_content('ip daddr 1.2.3.4 tcp dport 4222 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choriawebsocket-0').with_content('ip6 daddr fe80::1 tcp dport 4333 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choriawebsocket-1').with_content('ip daddr 1.2.3.4 tcp dport 4333 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(4) }
+      end
+
+      context 'with ipv6 & ipv4 address & without websockets' do
+        let(:params) do
+          { brokers: ['fe80::1', '1.2.3.4'], enable_websockets: false }
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('ip6 daddr fe80::1 tcp dport 4222 accept') }
+        it { is_expected.to contain_nftables__rule('default_out-choria-1').with_content('ip daddr 1.2.3.4 tcp dport 4222 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(2) }
+      end
+
+      context 'without IPs' do
+        let :params do
+          {}
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('tcp dport 4222 accept') }
+        it { is_expected.not_to contain_nftables__rule('default_out-choriawebsocket-0').with_content('tcp dport 4333 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(2) }
+      end
+
+      context 'without IPs & websockets' do
+        let :params do
+          { enable_websockets: false }
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-choria-0').with_content('tcp dport 4222 accept') }
+        it { is_expected.to have_nftables__rule_resource_count(1) }
+      end
+    end
+  end
+end