summaryrefslogtreecommitdiff
path: root/puppet/modules/site_sshd/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_sshd/manifests')
-rw-r--r--puppet/modules/site_sshd/manifests/authorized_keys.pp16
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp21
2 files changed, 30 insertions, 7 deletions
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index f36fe20f..90a33d8d 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,7 +1,17 @@
define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
- # We use a custom define here to deploy the authorized_keys file
- # cause puppet doesn't allow purgin before populating this file
- # (see https://tickets.puppetlabs.com/browse/PUP-1174)
+ # We want to purge unmanaged keys from the authorized_keys file so that only
+ # keys added in the provider are valid. Any manually added keys will be
+ # overridden.
+ #
+ # In order to do this, we have to use a custom define to deploy the
+ # authorized_keys file because puppet's internal resource doesn't allow
+ # purging before populating this file.
+ #
+ # See the following for more information:
+ # https://tickets.puppetlabs.com/browse/PUP-1174
+ # https://leap.se/code/issues/2990
+ # https://leap.se/code/issues/3010
+ #
# This line allows default homedir based on $title variable.
# If $home is empty, the default is used.
$homedir = $home ? {'' => "/home/${title}", default => $home}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index d9bc1d51..400c21ea 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,5 +1,5 @@
class site_sshd {
- $ssh = hiera_hash('ssh')
+ $ssh = hiera_hash('ssh')
$hosts = hiera('hosts', '')
##
@@ -22,10 +22,11 @@ class site_sshd {
group => root,
mode => '0644',
content => template('site_sshd/ssh_known_hosts.erb');
+
'/etc/ssh/ssh_config':
- owner => root,
- group => root,
- mode => '0644',
+ owner => root,
+ group => root,
+ mode => '0644',
content => template('site_sshd/ssh_config.erb');
}
@@ -46,4 +47,16 @@ class site_sshd {
ensure => absent
}
}
+
+ ##
+ ## SSHD SERVER CONFIGURATION
+ ##
+ class { '::sshd':
+ manage_nagios => 'no',
+ ports => $ssh['port'],
+ use_pam => 'yes',
+ hardened_ssl => 'yes',
+ print_motd => 'no',
+ manage_client => false
+ }
}