diff options
Diffstat (limited to 'manifests/defines')
-rw-r--r-- | manifests/defines/monkeysphere_host.pp | 20 | ||||
-rw-r--r-- | manifests/defines/munin_client.pp | 21 | ||||
-rw-r--r-- | manifests/defines/ssh_config.pp | 26 | ||||
-rw-r--r-- | manifests/defines/ssh_create_key.pp | 11 | ||||
-rw-r--r-- | manifests/defines/ssh_known_hosts.pp | 50 |
5 files changed, 128 insertions, 0 deletions
diff --git a/manifests/defines/monkeysphere_host.pp b/manifests/defines/monkeysphere_host.pp new file mode 100644 index 0000000..b4b21e0 --- /dev/null +++ b/manifests/defines/monkeysphere_host.pp @@ -0,0 +1,20 @@ +define monkeysphere_host( + $port = hiera('nodo::monkeysphere_host::ssh_port', ''), + $mail_recipient = hiera('mail::root_mail_recipient', 'nobody') +) { + include monkeysphere + + # Ensure the server's ssh key is imported into your monkeysphere key ring + monkeysphere::import_key { "ssh": + port => $port, + } + + # TODO + # Currently we don't have a defined policy regarding whether + # to publish all our node keys to public keyservers, so leave + # automatic publishing disabled for now. + #monkeysphere::publish_server_keys { } + + # Email the server key + monkeysphere::email_server_keys { "$mail_recipient": } +} diff --git a/manifests/defines/munin_client.pp b/manifests/defines/munin_client.pp new file mode 100644 index 0000000..770d551 --- /dev/null +++ b/manifests/defines/munin_client.pp @@ -0,0 +1,21 @@ +# Define a munin node +define munin_node( + $port = hiera('nodo::munin_node::port', '4949'), + $allow = hiera('nodo::munin_node::allow', ''), + $host = hiera('nodo::munin_node::host', $::fqdn), + $listen = hiera('nodo::munin_node::listen', '*') +) { + + case $allow { + '': { fail("Please set nodo::munin_node::allow in your config") } + } + + class { 'munin::client': + port => $port, + allow => $allow, + host => $host, + listen => $listen, + } + + munin::plugin { apt_all: ensure => present; } +} diff --git a/manifests/defines/ssh_config.pp b/manifests/defines/ssh_config.pp new file mode 100644 index 0000000..62e1d66 --- /dev/null +++ b/manifests/defines/ssh_config.pp @@ -0,0 +1,26 @@ +# Manage ssh config for a particular user +define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) { + include nodo::subsystem::ssh_folder + + file { "${home}/.ssh/config": + ensure => present, + owner => $owner, + group => $group, + mode => 0600, + require => File["${home}/.ssh"], + } + + # The NoHostAuthenticationForLocalhost ssh option might be useful + # for automated deployment environments so your ikiwiki user doesn't + # get stuck with the fingerprint confirmation prompt when pushing + # content via ssh in the first time it runs. + line { 'NoHostAuthenticationForLocalhost-${owner}': + file => "${home}/.ssh/config", + line => "NoHostAuthenticationForLocalhost yes", + ensure => $ssh_localhost_auth ? { + 'auto' => present, + 'fingerprint' => absent, + default => absent, + }, + } +} diff --git a/manifests/defines/ssh_create_key.pp b/manifests/defines/ssh_create_key.pp new file mode 100644 index 0000000..e380b18 --- /dev/null +++ b/manifests/defines/ssh_create_key.pp @@ -0,0 +1,11 @@ +define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') { + include nodo::subsystem::ssh_folder + + exec { "ssh-keygen-${owner}": + command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}", + creates => "${home}/.ssh/${keyfile}", + user => $owner, + group => $group, + require => File["${home}/.ssh"], + } +} diff --git a/manifests/defines/ssh_known_hosts.pp b/manifests/defines/ssh_known_hosts.pp new file mode 100644 index 0000000..50ae87e --- /dev/null +++ b/manifests/defines/ssh_known_hosts.pp @@ -0,0 +1,50 @@ +# Manage known_hosts for a particular user +define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) { + include nodo::subsystem::ssh_folder + + file { "${home}/.ssh/known_hosts": + ensure => present, + owner => $owner, + group => $group, + mode => 0600, + require => File["${home}/.ssh"], + } + + # You can choose to include the host's fingeprints + # directly into the known_hosts file. + if $::sshrsakey != '' { + line { 'known_hosts-localhost-rsa-${owner}': + file => "${home}/.ssh/known_hosts", + line => "localhost ssh-rsa ${::sshrsakey}", + ensure => $ssh_localhost_auth ? { + 'fingerprint' => present, + 'auto' => undef, + default => undef, + }, + } + } + + if $::sshdsakey != '' { + line { 'known_hosts-localhost-dsa-${owner}': + file => "${home}/.ssh/known_hosts", + line => "localhost ssh-dss ${::sshdsakey}", + ensure => $ssh_localhost_auth ? { + 'fingerprint' => present, + 'auto' => undef, + default => undef, + }, + } + } + + if $::sshecdsakey != '' { + line { 'known_hosts-localhost-ecdsa-${owner}': + file => "${home}/.ssh/known_hosts", + line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}", + ensure => $ssh_localhost_auth ? { + 'fingerprint' => present, + 'auto' => undef, + default => undef, + }, + } + } +} |