diff options
Diffstat (limited to 'puppet/modules/site_sshd/manifests')
-rw-r--r-- | puppet/modules/site_sshd/manifests/authorized_keys.pp | 16 | ||||
-rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 21 |
2 files changed, 30 insertions, 7 deletions
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index f36fe20f..90a33d8d 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,7 +1,17 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { - # We use a custom define here to deploy the authorized_keys file - # cause puppet doesn't allow purgin before populating this file - # (see https://tickets.puppetlabs.com/browse/PUP-1174) + # We want to purge unmanaged keys from the authorized_keys file so that only + # keys added in the provider are valid. Any manually added keys will be + # overridden. + # + # In order to do this, we have to use a custom define to deploy the + # authorized_keys file because puppet's internal resource doesn't allow + # purging before populating this file. + # + # See the following for more information: + # https://tickets.puppetlabs.com/browse/PUP-1174 + # https://leap.se/code/issues/2990 + # https://leap.se/code/issues/3010 + # # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d9bc1d51..400c21ea 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,5 @@ class site_sshd { - $ssh = hiera_hash('ssh') + $ssh = hiera_hash('ssh') $hosts = hiera('hosts', '') ## @@ -22,10 +22,11 @@ class site_sshd { group => root, mode => '0644', content => template('site_sshd/ssh_known_hosts.erb'); + '/etc/ssh/ssh_config': - owner => root, - group => root, - mode => '0644', + owner => root, + group => root, + mode => '0644', content => template('site_sshd/ssh_config.erb'); } @@ -46,4 +47,16 @@ class site_sshd { ensure => absent } } + + ## + ## SSHD SERVER CONFIGURATION + ## + class { '::sshd': + manage_nagios => 'no', + ports => $ssh['port'], + use_pam => 'yes', + hardened_ssl => 'yes', + print_motd => 'no', + manage_client => false + } } |