authormh <mh@immerda.ch>2012-06-05 18:23:03 -0300
committermh <mh@immerda.ch>2012-06-05 18:23:03 -0300
commit2204eb01f6cf10992ccdd7e092d1fc522e5ec3e1 (patch)
tree3f778bf16c6da3585e087454527a45afd3ea3871 /manifests
parentd5404bbdbaeaea4178eb854f5890be471000785f (diff)
new style for 2.7
Diffstat (limited to 'manifests')
-rw-r--r--manifests/base.pp22
-rw-r--r--manifests/client.pp16
-rw-r--r--manifests/client/base.pp5
-rw-r--r--manifests/client/linux.pp3
-rw-r--r--manifests/debian.pp2
-rw-r--r--manifests/init.pp167
-rw-r--r--manifests/libssh2.pp6
-rw-r--r--manifests/libssh2/devel.pp6
-rw-r--r--manifests/linux.pp2
-rw-r--r--manifests/nagios.pp2
10 files changed, 76 insertions, 155 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 848e547..4001985 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,31 +1,31 @@
-class sshd::base {
+class sshd::base {
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
- content => $lsbdistcodename ? {
- '' => template("sshd/sshd_config/${operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ content => $::lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${::operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
},
notify => Service[sshd],
owner => root, group => 0, mode => 600;
}
# Now add the key, if we've got one
- case $sshrsakey {
- '': { info("no sshrsakey on $fqdn") }
+ case $::sshrsakey {
+ '': { info("no sshrsakey on ${::fqdn}") }
default: {
- @@sshkey{"$fqdn":
+ @@sshkey{$::fqdn:
tag => "fqdn",
type => ssh-rsa,
- key => $sshrsakey,
+ key => $::sshrsakey,
ensure => present,
}
# In case the node has uses a shared network address,
# we don't define a sshkey resource using an IP address
- if $sshd_shared_ip == "no" {
- @@sshkey{"$ipaddress":
+ if $sshd::shared_ip == "no" {
+ @@sshkey{$::ipaddress:
tag => "ipaddress",
type => ssh-rsa,
- key => $sshrsakey,
+ key => $::sshrsakey,
ensure => present,
}
}
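Review bot: The new guard `if $sshd::shared_ip == "no"` around the ipaddress export is a bare string comparison on a value that now comes straight from hiera, so anything other than the literal `no` (a YAML boolean `false`, `No`, a typo) silently skips the ipaddress host key while the `$::fqdn` key is still exported, with no diagnostic. I would make the skip visible by adding, after the `if` block, `} else { notice("sshd: shared_ip is '${sshd::shared_ip}', not exporting ipaddress host key for ${::fqdn}") }`. The `@@sshkey` also deserves a comment such as `# $::fqdn, $::ipaddress and $::sshrsakey are agent-reported facts: a node can export a key under any name, and clients collect these into ssh_known_hosts`, since that trust boundary is easy to miss. The hunk header counts 31 lines but only 30 are visible, so the class body appears to continue past L70.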
diff --git a/manifests/client.pp b/manifests/client.pp
index 5eed5fc..c99cf27 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,23 +1,21 @@
# manifests/client.pp
-class sshd::client {
+class sshd::client(
+ $shared_ip = hiera('sshd_shared_ip','no'),
+ $ensure_version = hiera('sshd_ensure_version','installed')
+) {
- case $sshd_shared_ip {
- '': { $sshd_shared_ip = "no" }
- }
-
- case $operatingsystem {
+ case $::operatingsystem {
debian,ubuntu: { include sshd::client::debian }
default: {
- case $kernel {
+ case $::kernel {
linux: { include sshd::client::linux }
default: { include sshd::client::base }
}
}
}
- if $use_shorewall{
+ if hiera('use_shorewall',false) {
include shorewall::rules::out::ssh
}
-
}
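Review bot: The new `$shared_ip` parameter is taken from hiera and passed down unvalidated, yet the only consumers compare it against the literal strings `yes`/`no` (the client collector below has no default branch), so a bad value fails silently rather than at compile time. I would reject it at the top of the class body: `if $shared_ip != 'yes' and $shared_ip != 'no' { fail("sshd::client: shared_ip must be 'yes' or 'no', got '${shared_ip}'") }`. A short header comment would also help: `# shared_ip: 'yes' if this host's IP is shared with other nodes, in which case only fqdn-tagged host keys are collected`.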
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 1fe2b14..c2580c1 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,10 +1,11 @@
class sshd::client::base {
# this is needed because the gid might have changed
- config_file { '/etc/ssh/ssh_known_hosts':
+ file { '/etc/ssh/ssh_known_hosts':
+ mode => 0644, owner => root, group => 0;
}
# Now collect all server keys
- case $sshd_shared_ip {
+ case $sshd::client::shared_ip {
no: { Sshkey <<||>> }
yes: { Sshkey <<| tag == "fqdn" |>> }
}
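Review bot: The `case $sshd::client::shared_ip` on the new side has no `default:` branch, so any value other than the literal `no`/`yes` collects no host keys at all and `/etc/ssh/ssh_known_hosts` is silently left empty or stale; add `default: { fail("sshd::client: unknown shared_ip value '${sshd::client::shared_ip}'") }`. Separately, `Sshkey <<||>>` is an unfiltered collector: every exported sshkey from every node (and, if any other module exports Sshkey resources, those too) lands in every client's known_hosts, which is the trust model that makes a single compromised agent able to plant a host key for any name. Narrowing it to `Sshkey <<| tag == 'fqdn' or tag == 'ipaddress' |>>` at least limits collection to what this module exports; the broader caveat is worth a comment above the collector.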
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
index 8c58ca8..0c420be 100644
--- a/manifests/client/linux.pp
+++ b/manifests/client/linux.pp
@@ -1,6 +1,5 @@
class sshd::client::linux inherits sshd::client::base {
- if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
package {'openssh-clients':
- ensure => $ssh_ensure_version,
+ ensure => $sshd::client::ensure_version,
}
}
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 43dc26c..45eb901 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -7,7 +7,7 @@ class sshd::debian inherits sshd::linux {
name => 'openssh-server',
}
- $sshd_restartandstatus = $lsbdistcodename ? {
+ $sshd_restartandstatus = $::lsbdistcodename ? {
etch => false,
default => true
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 8b3361c..f183acd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,138 +1,61 @@
-class sshd {
- # prepare variables to use in templates
- case $sshd_listen_address {
- '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
- }
- case $sshd_allowed_users {
- '': { $sshd_allowed_users = '' }
- }
- case $sshd_allowed_groups {
- '': { $sshd_allowed_groups = '' }
- }
- case $sshd_use_pam {
- '': { $sshd_use_pam = 'no' }
- }
- case $sshd_permit_root_login {
- '': { $sshd_permit_root_login = 'without-password' }
- }
- case $sshd_password_authentication {
- '': { $sshd_password_authentication = 'no' }
- }
- case $sshd_kerberos_authentication {
- '': { $sshd_kerberos_authentication = 'no' }
- }
- case $sshd_kerberos_orlocalpasswd {
- '': { $sshd_kerberos_orlocalpasswd = 'yes' }
- }
- case $sshd_kerberos_ticketcleanup {
- '': { $sshd_kerberos_ticketcleanup = 'yes' }
- }
- case $sshd_gssapi_authentication {
- '': { $sshd_gssapi_authentication = 'no' }
- }
- case $sshd_gssapi_cleanupcredentials {
- '': { $sshd_gssapi_cleanupcredentials = 'yes' }
- }
- case $sshd_tcp_forwarding {
- '': { $sshd_tcp_forwarding = 'no' }
- }
- case $sshd_x11_forwarding {
- '': { $sshd_x11_forwarding = 'no' }
- }
- case $sshd_agent_forwarding {
- '': { $sshd_agent_forwarding = 'no' }
- }
- case $sshd_challenge_response_authentication {
- '': { $sshd_challenge_response_authentication = 'no' }
- }
- case $sshd_pubkey_authentication {
- '': { $sshd_pubkey_authentication = 'yes' }
- }
- case $sshd_rsa_authentication {
- '': { $sshd_rsa_authentication = 'no' }
- }
- case $sshd_strict_modes {
- '': { $sshd_strict_modes = 'yes' }
- }
- case $sshd_ignore_rhosts {
- '': { $sshd_ignore_rhosts = 'yes' }
- }
- case $sshd_rhosts_rsa_authentication {
- '': { $sshd_rhosts_rsa_authentication = 'no' }
- }
- case $sshd_hostbased_authentication {
- '': { $sshd_hostbased_authentication = 'no' }
- }
- case $sshd_permit_empty_passwords {
- '': { $sshd_permit_empty_passwords = 'no' }
- }
- if ( $sshd_port != '' ) and ( $sshd_ports != []) {
- err("Cannot use sshd_port and sshd_ports at the same time.")
- }
- if $sshd_port != '' {
- $sshd_ports = [ $sshd_port ]
- } elsif ! $sshd_ports {
- $sshd_ports = [ 22 ]
- }
- case $sshd_authorized_keys_file {
- '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
- }
- case $sshd_hardened_ssl {
- '': { $sshd_hardened_ssl = 'no' }
- }
- case $sshd_sftp_subsystem {
- '': { $sshd_sftp_subsystem = '' }
- }
- case $sshd_head_additional_options {
- '': { $sshd_head_additional_options = '' }
- }
- case $sshd_tail_additional_options {
- '': { $sshd_tail_additional_options = '' }
- }
- case $sshd_ensure_version {
- '': { $sshd_ensure_version = "present" }
- }
- case $sshd_print_motd {
- '': {
- case $operatingsystem {
- debian,ubuntu: { $sshd_print_motd = "no" }
- default: { $sshd_print_motd = "yes" }
- }
- }
- }
- case $sshd_shared_ip {
- '': { $sshd_shared_ip = "no" }
- }
+class sshd(
+ $nagios_check_ssh = hiera('nagios_check_ssh',true),
+ $nagios_check_ssh_hostname = hiera('nagios_check_ssh_hostname','absent'),
+ $ports = hiera('sshd_ports',[ 22 ]),
+ $shared_ip = hiera('sshd_shared_ip','no'),
+ $ensure_version = hiera('sshd_ensure_version','installed'),
+ $listen_address = hiera('sshd_listen_address',[ '0.0.0.0', '::' ]),
+ $allowed_users = hiera('sshd_allowed_users',''),
+ $allowed_groups = hiera('sshd_allowed_groups',''),
+ $use_pam = hiera('sshd_use_pam','no'),
+ $permit_root_login = hiera('sshd_permit_root_login','without-password'),
+ $password_authentication = hiera('sshd_password_authentication','no'),
+ $kerberos_authentication = hiera('sshd_kerberos_authentication','no'),
+ $kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'),
+ $kerberos_ticketcleanup = hiera('sshd_kerberos_ticketcleanup','yes'),
+ $gssapi_authentication = hiera('sshd_gssapi_authentication','no'),
+ $gssapi_cleanupcredentials = hiera('sshd_gssapi_cleanupcredentials','yes'),
+ $tcp_forwarding = hiera('sshd_tcp_forwarding','no'),
+ $x11_forwarding = hiera('sshd_x11_forwarding','no'),
+ $agent_forwarding = hiera('sshd_agent_forwarding','no'),
+ $challenge_response_authentication = hiera('sshd_challenge_response_authentication','no'),
+ $pubkey_authentication = hiera('sshd_pubkey_authentication','yes'),
+ $rsa_authentication = hiera('rsa_authentication','no'),
+ $strict_modes = hiera('sshd_strict_modes','yes'),
+ $ignore_rhosts = hiera('sshd_ignore_rhosts','yes'),
+ $rhosts_rsa_authentication = hiera('sshd_rhosts_rsa_authentication','no'),
+ $hostbased_authentication = hiera('sshd_hostbased_authentication','no'),
+ $permit_empty_passwords = hiera('sshd_permit_empty_passwords','no'),
+ $authorized_keys_file = hiera('sshd_authorized_keys_file','%h/.ssh/authorized_keys'),
+ $hardened_ssl = hiera('sshd_hardened_ssl','no'),
+ $sftp_subsystem = hiera('sshd_sftp_subsystem',''),
+ $head_additional_options = hiera('sshd_head_additional_options',''),
+ $tail_additional_options = hiera('sshd_tail_additional_options',''),
+ $print_motd = hiera('sshd_print_motd','yes')
+) {
- include sshd::client
+ class{'sshd::client':
+ shared_ip => $sshd::shared_ip,
+ ensure_version => $sshd::ensure_version
+ }
- case $operatingsystem {
+ case $::operatingsystem {
gentoo: { include sshd::gentoo }
redhat,centos: { include sshd::redhat }
- centos: { include sshd::centos }
openbsd: { include sshd::openbsd }
debian,ubuntu: { include sshd::debian }
default: { include sshd::base }
}
- if $use_nagios {
- case $nagios_check_ssh {
- false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
- default: {
- sshd::nagios{$sshd_ports:
- check_hostname => $nagios_check_ssh_hostname ? {
- '' => 'absent',
- undef => 'absent',
- default => $nagios_check_ssh_hostname
- }
- }
- }
+ if hiera('use_nagios',false) and $sshd::nagios_check_ssh {
+ sshd::nagios{$sshd::ports:
+ check_hostname => $sshd::nagios_check_ssh_hostname
}
}
- if $use_shorewall{
+ if hiera('use_shorewall', false) {
class{'shorewall::rules::ssh':
- ports => $sshd_ports,
+ ports => $sshd::ports,
}
}
}
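Review bot: Two of the new hiera keys are misspelt, so settings that worked as globals are now silently ignored: `hiera('sshd_sshd_kerberos_orlocalpasswd','yes')` has a doubled prefix and `hiera('rsa_authentication','no')` lacks the `sshd_` prefix every other key uses. The first one matters for hardening, since an admin who sets `sshd_kerberos_orlocalpasswd: 'no'` will keep the permissive default `yes` without any warning. The fixes are `$kerberos_orlocalpasswd = hiera('sshd_kerberos_orlocalpasswd','yes'),` and `$rsa_authentication = hiera('sshd_rsa_authentication','no'),`. Note also that the old single-port `sshd_port` variable and its conflict check are gone, so a hiera `sshd_port` is now ignored in favour of the `[ 22 ]` default, and `print_motd` no longer defaults to `no` on debian/ubuntu; both deserve a mention in the commit message or a comment on the parameter list.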
diff --git a/manifests/libssh2.pp b/manifests/libssh2.pp
index 5b4e363..403ac7b 100644
--- a/manifests/libssh2.pp
+++ b/manifests/libssh2.pp
@@ -1,7 +1,7 @@
# manifests/libssh2.pp
class sshd::libssh2 {
- package{'libssh2':
- ensure => present,
- }
+ package{'libssh2':
+ ensure => present,
+ }
}
diff --git a/manifests/libssh2/devel.pp b/manifests/libssh2/devel.pp
index 87a8697..261e34c 100644
--- a/manifests/libssh2/devel.pp
+++ b/manifests/libssh2/devel.pp
@@ -1,7 +1,7 @@
# manifests/libssh2/devel.pp
class sshd::libssh2::devel inherits sshd::libssh2 {
- package{"libssh2-devel.${architecture}":
- ensure => installed,
- }
+ package{"libssh2-devel.${::architecture}":
+ ensure => installed,
+ }
}
diff --git a/manifests/linux.pp b/manifests/linux.pp
index a1f4e2a..f071ada 100644
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -1,6 +1,6 @@
class sshd::linux inherits sshd::base {
package{openssh:
- ensure => $sshd_ensure_version,
+ ensure => $sshd::ensure_version,
}
File[sshd_config]{
require +> Package[openssh],
diff --git a/manifests/nagios.pp b/manifests/nagios.pp
index 7742cdb..ef5fe10 100644
--- a/manifests/nagios.pp
+++ b/manifests/nagios.pp
@@ -11,7 +11,7 @@ define sshd::nagios(
'absent': {
nagios::service{"ssh_port_${name}":
ensure => $ensure,
- check_command => "check_ssh_port!$real_port"
+ check_command => "check_ssh_port!${real_port}"
}
}
default: {