* (#4) Add an access control list for PveProxy (like Apache2).

CHANGELOG.md

@@ -1,6 +1,7 @@
 
 ##### Changes
 * Add a variable to choose to keep PVE enterprise repo for the subscribers.
+* (#4) Add an access control list for PveProxy.
 
 ---------------------------------------
 

README.md

@@ -36,7 +36,7 @@ class { 'proxmox::hypervisor':
 }
 ```
 
-**Note**: The module will automatically reboot the system on the PVE Kernel. You will need to start again the puppet agent. 
+**Note**: The module will automatically reboot the system on the PVE Kernel. You will need to start again the puppet agent.
 
 ### VM
 
@@ -63,6 +63,11 @@ class { 'proxmox::hypervisor':
 * `old_pkg_ensure`: What to set useless packages (non recommended, previous kernel, ...). Can be 'present' or 'absent'. Defaults to 'absent'.
 * `old_pkg_name`: The list of useless packages. Can be an array [ 'acpid',  'linux-image-amd64', 'linux-base', 'linux-image-3.2.0-4-amd64' ].
 * `pve_enterprise_repo_ensure`: Choose to keep the PVE enterprise repository. Can be 'present' or 'absent'. Defaults to 'absent'.
+* `pveproxy_default_path`: Path of the configuration file read by the PveProxy service. Defaults to '/etc/default/pveproxy'.
+* `pveproxy_default_content`: Template file use to generate the previous configuration file. Default to 'proxmox/hypervisor/pveproxy_default.erb'.
+* `pveproxy_allow`:   Can be ip addresses, range or network; separated by a comma (example: '192.168.0.0/24,10.10.0.1-10.10.0.5'). Defaults to '127.0.0.1'.
+* `pveproxy_deny`: Unauthorized IP addresses. Can be 'all' or ip addresses, range or network; separated by a comma. Defaults to 'all'.
+* `pveproxy_policy`: The policy access. Can be 'allow' or 'deny'. Defaults to 'deny'.
 
 Limitations
 -----------

manifests/hypervisor.pp

@@ -45,6 +45,11 @@ class proxmox::hypervisor (
   $old_pkg_ensure             = $proxmox::params::old_pkg_ensure,
   $old_pkg_name               = $proxmox::params::old_pkg_name,
   $pve_enterprise_repo_ensure = $proxmox::params::pve_enterprise_repo_ensure,
+  $pveproxy_default_path      = $proxmox::params::pveproxy_default_path,
+  $pveproxy_default_content   = $proxmox::params::pveproxy_default_content,
+  $pveproxy_allow             = $proxmox::params::pveproxy_allow,
+  $pveproxy_deny              = $proxmox::params::pveproxy_deny,
+  $pveproxy_policy            = $proxmox::params::pveproxy_policy,
 ) inherits proxmox::params {
 
   include '::proxmox::hypervisor::preconfig'

manifests/hypervisor/config.pp

@@ -4,6 +4,12 @@
 #
 class proxmox::hypervisor::config {
 
+  File {
+    owner => root,
+    group => root,
+    mode  => 644,
+  }
+
   Exec {
     path      => [ '/bin', '/sbin', '/usr/bin', '/usr/sbin' ],
     logoutput => 'on_failure',
@@ -12,6 +18,13 @@ class proxmox::hypervisor::config {
 
   if $::is_proxmox == 'true' {
 
+    # Pveproxy access control list
+    file { "${proxmox::hypervisor::pveproxy_default_path}":
+      ensure  => present,
+      content => template("${proxmox::hypervisor::pveproxy_default_content}"),
+    }
+    ->
+
     # Remove the Subscription message
     exec { 'remove_subscription_message':
       command  => 'rm -f /usr/share/pve-manager/ext4/pvemanagerlib.js.bak; sed -i".bak" -r -e "s/if \(data.status !== \'Active\'\) \{/if (false) {/" /usr/share/pve-manager/ext4/pvemanagerlib.js',

manifests/params.pp

@@ -22,6 +22,13 @@ class proxmox::params {
 
         # 
         $pve_enterprise_repo_ensure = 'absent'
+
+        # Pveproxy access restriction
+        $pveproxy_default_path      = '/etc/default/pveproxy'
+        $pveproxy_default_content   = 'proxmox/hypervisor/pveproxy_default.erb'
+        $pveproxy_allow             = '127.0.0.1'
+        $pveproxy_deny              = 'all'
+        $pveproxy_policy            = 'deny'
       }
     }
     default: {

templates/hypervisor/pveproxy_default.erb

@@ -0,0 +1,8 @@
+#file generated by puppet
+#Don't edit, please see https://forge.puppetlabs.com/gardouille/proxmox
+
+# Access control list (Apache2 like)
+ALLOW_FROM="<%= scope.lookupvar('proxmox::hypervisor::pveproxy_allow') %>"
+DENY_FROM="<%= scope.lookupvar('proxmox::hypervisor::pveproxy_deny') %>"
+POLICY="<%= scope.lookupvar('proxmox::hypervisor::pveproxy_policy') %>"
+