From c92d3ac0780e813a5440c5e475bfdba5de5a0447 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 30 May 2013 17:06:14 -0700 Subject: site_sshd -- added xterm title, optional support for mosh --- puppet/modules/site_sshd/files/xterm-title.sh | 8 +++++ puppet/modules/site_sshd/manifests/init.pp | 42 ++++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_sshd/files/xterm-title.sh (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/files/xterm-title.sh b/puppet/modules/site_sshd/files/xterm-title.sh new file mode 100644 index 00000000..3cff0e3a --- /dev/null +++ b/puppet/modules/site_sshd/files/xterm-title.sh @@ -0,0 +1,8 @@ +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' + ;; +*) + ;; +esac diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 630e9bdf..c1c4d3b3 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1 +1,41 @@ -class site_sshd {} +class site_sshd { + $ssh = hiera_hash('ssh') + + ## + ## XTERM TITLE + ## + + file {'/etc/profile.d/xterm-title.sh': + source => "puppet://$server/modules/site_sshd/xterm-title.sh", + owner => root, group => 0, mode => 0644; + } + + ## + ## OPTIONAL MOSH SUPPORT + ## + + $mosh = $ssh['mosh'] + $mosh_ports = $mosh['ports'] + if $ssh['mosh']['enabled'] { + $mosh_ensure = present + } else { + $mosh_ensure = absent + } + + package { 'mosh': + ensure => $mosh_ensure; + } + file { '/etc/shorewall/macro.mosh': + ensure => $mosh_ensure, + content => "PARAM - - udp $mosh_ports", + notify => Service['shorewall'], + require => Package['shorewall']; + } + shorewall::rule { 'net2fw-mosh': + ensure => $mosh_ensure, + source => 'net', + destination => '$FW', + action => 'mosh(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From e6bd481933bd4104fb7839703c88de971559d3db Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Jun 2013 10:52:54 +0200 Subject: added site_sshd::authorized_keys --- puppet/modules/site_sshd/manifests/authorized_keys.pp | 6 ++++++ puppet/modules/site_sshd/manifests/authorized_keys/key.pp | 8 ++++++++ puppet/modules/site_sshd/manifests/init.pp | 3 +++ puppet/modules/site_sshd/manifests/ssh_key.pp | 3 --- 4 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_sshd/manifests/authorized_keys.pp create mode 100644 puppet/modules/site_sshd/manifests/authorized_keys/key.pp delete mode 100644 puppet/modules/site_sshd/manifests/ssh_key.pp (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp new file mode 100644 index 00000000..edd6e3c4 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -0,0 +1,6 @@ +class site_sshd::authorized_keys { + tag 'leap_authorized_keys' + + create_resources(site_sshd::authorized_keys::key, $site_sshd::ssh_authorized_keys) + +} diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp new file mode 100644 index 00000000..56271cdc --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp @@ -0,0 +1,8 @@ +define site_sshd::authorized_keys::key ($key, $type) { + ssh_authorized_key { + $name: + type => $type, + user => 'root', + key => $key + } +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index c1c4d3b3..714c0c5a 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,8 @@ class site_sshd { $ssh = hiera_hash('ssh') + $ssh_authorized_keys = $ssh['authorized_keys'] + + include site_sshd::authorized_keys ## ## XTERM TITLE diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp deleted file mode 100644 index b47b2ebd..00000000 --- a/puppet/modules/site_sshd/manifests/ssh_key.pp +++ /dev/null @@ -1,3 +0,0 @@ -define site_sshd::ssh_key($key) { - # ... todo: deploy ssh_key -} -- cgit v1.2.3 From 3b6f11a60778d5cb3ae265980e4e4870bf065de2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 28 Jun 2013 12:11:32 -0400 Subject: modularize and standardize site_sshd: . move the setting of the xterm title to site_config::shell . change the xterm file resource to use standard source lines, switch to single quotes, quote mode, and line up parameters . move the mosh pieces into a site_ssh::mosh class and only include it if the right mosh variable is enabled, passing into the class the necessary hiera parameters . lint the site_ssh::mosh resources . change the authorized_keys class to accept the key parameter which is passed in from the main ssh class (but allow for out of scope variable lookup when the tag is passed) Change-Id: Ieec5a3932de9bad1b98633032b28f88e91e46604 --- puppet/modules/site_sshd/files/xterm-title.sh | 8 ----- .../modules/site_sshd/manifests/authorized_keys.pp | 4 +-- puppet/modules/site_sshd/manifests/init.pp | 41 ++++++++-------------- puppet/modules/site_sshd/manifests/mosh.pp | 21 +++++++++++ 4 files changed, 37 insertions(+), 37 deletions(-) delete mode 100644 puppet/modules/site_sshd/files/xterm-title.sh create mode 100644 puppet/modules/site_sshd/manifests/mosh.pp (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/files/xterm-title.sh b/puppet/modules/site_sshd/files/xterm-title.sh deleted file mode 100644 index 3cff0e3a..00000000 --- a/puppet/modules/site_sshd/files/xterm-title.sh +++ /dev/null @@ -1,8 +0,0 @@ -# If this is an xterm set the title to user@host:dir -case "$TERM" in -xterm*|rxvt*) - PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' - ;; -*) - ;; -esac diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index edd6e3c4..8e0c15ac 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,6 +1,6 @@ -class site_sshd::authorized_keys { +class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) { tag 'leap_authorized_keys' - create_resources(site_sshd::authorized_keys::key, $site_sshd::ssh_authorized_keys) + create_resources(site_sshd::authorized_keys::key, $keys) } diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 714c0c5a..905d5c9b 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,16 +1,14 @@ class site_sshd { $ssh = hiera_hash('ssh') - $ssh_authorized_keys = $ssh['authorized_keys'] - - include site_sshd::authorized_keys ## - ## XTERM TITLE + ## SETUP AUTHORIZED KEYS ## - file {'/etc/profile.d/xterm-title.sh': - source => "puppet://$server/modules/site_sshd/xterm-title.sh", - owner => root, group => 0, mode => 0644; + $authorized_keys = $ssh['authorized_keys'] + + class { 'site_sshd::authorized_keys': + keys => $authorized_keys } ## @@ -18,27 +16,16 @@ class site_sshd { ## $mosh = $ssh['mosh'] - $mosh_ports = $mosh['ports'] - if $ssh['mosh']['enabled'] { - $mosh_ensure = present - } else { - $mosh_ensure = absent - } - package { 'mosh': - ensure => $mosh_ensure; - } - file { '/etc/shorewall/macro.mosh': - ensure => $mosh_ensure, - content => "PARAM - - udp $mosh_ports", - notify => Service['shorewall'], - require => Package['shorewall']; + if $mosh['enabled'] { + class { 'site_sshd::mosh': + ensure => present, + ports => $mosh['ports'] + } } - shorewall::rule { 'net2fw-mosh': - ensure => $mosh_ensure, - source => 'net', - destination => '$FW', - action => 'mosh(ACCEPT)', - order => 200; + else { + class { 'site_sshd::mosh': + ensure => absent + } } } diff --git a/puppet/modules/site_sshd/manifests/mosh.pp b/puppet/modules/site_sshd/manifests/mosh.pp new file mode 100644 index 00000000..49f56ca0 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/mosh.pp @@ -0,0 +1,21 @@ +class site_sshd::mosh ( $ensure = present, $ports = '60000-61000' ) { + + package { 'mosh': + ensure => $ensure + } + + file { '/etc/shorewall/macro.mosh': + ensure => $ensure, + content => "PARAM - - udp ${ports}", + notify => Service['shorewall'], + require => Package['shorewall']; + } + + shorewall::rule { 'net2fw-mosh': + ensure => $ensure, + source => 'net', + destination => '$FW', + action => 'mosh(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 6c34c73f7e4c5203321547b699c6eaba9de8e2fe Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Jun 2013 10:52:54 +0200 Subject: switch to own define for managing ssh keys The problem with puppet's built-in ssh_authorized_key is that you can purge unmanaged keys in a authorized_keys file. see https://leap.se/code/issues/3010 for details. Conflicts: puppet/modules/site_sshd/manifests/authorized_keys.pp Change-Id: I640bf7ebc0f0f7fb19cc46feb4cb2702d6561a9b --- .../modules/site_sshd/manifests/authorized_keys.pp | 23 +++++++++++++++++----- .../site_sshd/manifests/authorized_keys/key.pp | 8 -------- .../site_sshd/manifests/deploy_authorized_keys.pp | 9 +++++++++ puppet/modules/site_sshd/manifests/init.pp | 2 +- .../site_sshd/templates/authorized_keys.erb | 6 ++++++ 5 files changed, 34 insertions(+), 14 deletions(-) delete mode 100644 puppet/modules/site_sshd/manifests/authorized_keys/key.pp create mode 100644 puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp create mode 100644 puppet/modules/site_sshd/templates/authorized_keys.erb (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index 8e0c15ac..c18f691c 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,6 +1,19 @@ -class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) { - tag 'leap_authorized_keys' - - create_resources(site_sshd::authorized_keys::key, $keys) - +define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { + # This line allows default homedir based on $title variable. + # If $home is empty, the default is used. + $homedir = $home ? {'' => "/home/${title}", default => $home} + file { + "${homedir}/.ssh": + ensure => 'directory', + owner => $title, + group => $title, + mode => '0700'; + "${homedir}/.ssh/authorized_keys": + ensure => $ensure, + owner => $ensure ? {'present' => $title, default => undef }, + group => $ensure ? {'present' => $title, default => undef }, + mode => '0600', + require => File["${homedir}/.ssh"], + content => template('site_sshd/authorized_keys.erb'); + } } diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp deleted file mode 100644 index 56271cdc..00000000 --- a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp +++ /dev/null @@ -1,8 +0,0 @@ -define site_sshd::authorized_keys::key ($key, $type) { - ssh_authorized_key { - $name: - type => $type, - user => 'root', - key => $key - } -} diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp new file mode 100644 index 00000000..97ca058f --- /dev/null +++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp @@ -0,0 +1,9 @@ +class site_sshd::deploy_authorized_keys ( $keys ) { + tag 'leap_authorized_keys' + + site_sshd::authorized_keys {'root': + keys => $keys, + home => '/root' + } + +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 905d5c9b..90dd2d0e 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -7,7 +7,7 @@ class site_sshd { $authorized_keys = $ssh['authorized_keys'] - class { 'site_sshd::authorized_keys': + class { 'site_sshd::deploy_authorized_keys': keys => $authorized_keys } diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb new file mode 100644 index 00000000..3c65e8ab --- /dev/null +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -0,0 +1,6 @@ +# NOTICE: This file is autogenerated by Puppet +# all manually added keys will be overridden + +<% keys.sort.each do |user, hash| -%> +<%=hash['type']-%> <%=hash['key']%> <%=user%> +<% end -%> -- cgit v1.2.3