Diffstat (limited to 'manifests/defines')
-rw-r--r--manifests/defines/monkeysphere_host.pp20
-rw-r--r--manifests/defines/munin_client.pp21
-rw-r--r--manifests/defines/ssh_config.pp26
-rw-r--r--manifests/defines/ssh_create_key.pp11
-rw-r--r--manifests/defines/ssh_known_hosts.pp50
5 files changed, 128 insertions, 0 deletions
diff --git a/manifests/defines/monkeysphere_host.pp b/manifests/defines/monkeysphere_host.pp
new file mode 100644
index 0000000..b4b21e0
--- /dev/null
+++ b/manifests/defines/monkeysphere_host.pp
@@ -0,0 +1,20 @@
+define monkeysphere_host(
+ $port = hiera('nodo::monkeysphere_host::ssh_port', ''),
+ $mail_recipient = hiera('mail::root_mail_recipient', 'nobody')
+) {
+ include monkeysphere
+
+ # Ensure the server's ssh key is imported into your monkeysphere key ring
+ monkeysphere::import_key { "ssh":
+ port => $port,
+ }
+
+ # TODO
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #monkeysphere::publish_server_keys { }
+
+ # Email the server key
+ monkeysphere::email_server_keys { "$mail_recipient": }
+}
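Review bot: `$port` defaults to `''` on L21 and is handed straight to `monkeysphere::import_key` on L28 with no guard, whereas the sibling `munin_node` define fails loudly when its required hiera key is empty. Unless `import_key` is known to treat an empty port as "use 22" (not visible in this hunk), an unset `nodo::monkeysphere_host::ssh_port` produces an import attempt with an empty port; either mirror the munin guard or give a real default, `$port = hiera('nodo::monkeysphere_host::ssh_port', '22'),`. The `email_server_keys` fallback recipient `nobody` on L22 likewise means that with `mail::root_mail_recipient` unset the host-key mail is discarded rather than reaching an operator, so nobody ever sees the fingerprint they are supposed to verify. A `fail()` on that fallback, or at least `# 'nobody' discards the key mail; set mail::root_mail_recipient to receive it`, would make the behaviour explicit.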
diff --git a/manifests/defines/munin_client.pp b/manifests/defines/munin_client.pp
new file mode 100644
index 0000000..770d551
--- /dev/null
+++ b/manifests/defines/munin_client.pp
@@ -0,0 +1,21 @@
+# Define a munin node
+define munin_node(
+ $port = hiera('nodo::munin_node::port', '4949'),
+ $allow = hiera('nodo::munin_node::allow', ''),
+ $host = hiera('nodo::munin_node::host', $::fqdn),
+ $listen = hiera('nodo::munin_node::listen', '*')
+) {
+
+ case $allow {
+ '': { fail("Please set nodo::munin_node::allow in your config") }
+ }
+
+ class { 'munin::client':
+ port => $port,
+ allow => $allow,
+ host => $host,
+ listen => $listen,
+ }
+
+ munin::plugin { apt_all: ensure => present; }
+}
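Review bot: The define is named `munin_node` (L47) but the file is `munin_client.pp`; Puppet's autoloader looks for `munin_node` in `munin_node.pp`, so this resolves only if `manifests/defines` is pulled in with `import`, and it is worth renaming the file or recording that dependency in a comment. On exposure, `listen` defaults to `'*'` (L51), so munin-node binds every interface and the `allow` regex from L49 is the sole access control; a comment such as `# binds all interfaces by default; set nodo::munin_node::listen on multi-homed hosts` would surface that trade-off to operators. The empty-string check on L54-L56 would also read more directly as `if $allow == '' { fail('Please set nodo::munin_node::allow in your config') }` than a one-arm `case`.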
diff --git a/manifests/defines/ssh_config.pp b/manifests/defines/ssh_config.pp
new file mode 100644
index 0000000..62e1d66
--- /dev/null
+++ b/manifests/defines/ssh_config.pp
@@ -0,0 +1,26 @@
+# Manage ssh config for a particular user
+define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ include nodo::subsystem::ssh_folder
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+}
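Review bot: The default `$home = '/home/$owner'` on L74 is single-quoted, and Puppet does not interpolate inside single quotes, so a caller that omits `home` gets the literal path `/home/$owner` for the `file` and `line` resources below. The resource title on L89, `'NoHostAuthenticationForLocalhost-${owner}'`, has the same problem: it is the identical string for every instance, so declaring `ssh_config` for two users is a duplicate-declaration error. L80 also uses `$group`, which is not a parameter of this define (contrast `ssh_create_key`, which takes one), so it resolves to whatever an outer scope happens to hold, or nothing. Suggested lines: `define ssh_config($owner, $group = $owner, $home = "/home/${owner}", $ssh_localhost_auth = false) {` and `line { "NoHostAuthenticationForLocalhost-${owner}":` — with the caveat that whether a default may reference another parameter depends on the Puppet version in use, so `$home` may have to become mandatory instead.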
diff --git a/manifests/defines/ssh_create_key.pp b/manifests/defines/ssh_create_key.pp
new file mode 100644
index 0000000..e380b18
--- /dev/null
+++ b/manifests/defines/ssh_create_key.pp
@@ -0,0 +1,11 @@
+define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') {
+ include nodo::subsystem::ssh_folder
+
+ exec { "ssh-keygen-${owner}":
+ command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+ creates => "${home}/.ssh/${keyfile}",
+ user => $owner,
+ group => $group,
+ require => File["${home}/.ssh"],
+ }
+}
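Review bot: The `exec` on L108-L114 runs a bare `ssh-keygen` with no `path` attribute; Puppet rejects an unqualified command unless an `Exec` resource default supplies `path`, which is not visible here, so add `path => ['/usr/bin', '/bin'],` or write `/usr/bin/ssh-keygen`. The key is generated with `-P ''` and no `-b`, so the private key is passphrase-less (its protection rests entirely on the `.ssh` permissions set by `nodo::subsystem::ssh_folder`, which this hunk does not show) and its size is whatever the installed OpenSSH defaults to; pinning `-b 4096` (or `-t ed25519` if the fleet's OpenSSH supports it) and adding `# no passphrase: key is used unattended by ${owner}; relies on ~/.ssh being 0700` records the decision. The `$home = '/home/$owner'` default on L105 is also single-quoted and therefore the literal string `/home/$owner`; it needs `$home = "/home/${owner}"`, subject to the Puppet version allowing a default to reference another parameter.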
diff --git a/manifests/defines/ssh_known_hosts.pp b/manifests/defines/ssh_known_hosts.pp
new file mode 100644
index 0000000..50ae87e
--- /dev/null
+++ b/manifests/defines/ssh_known_hosts.pp
@@ -0,0 +1,50 @@
+# Manage known_hosts for a particular user
+define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ include nodo::subsystem::ssh_folder
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # You can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
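Review bot: L163 interpolates `${::sshedsakey}`, a typo for `${::sshecdsakey}` (the fact actually tested on L160), so the ecdsa branch writes `localhost ecdsa-sha2-nistp256 ` with an empty key into known_hosts, an entry ssh cannot use as a trusted key; fix: `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The type is also hard-coded to `nistp256` while the `sshecdsakey` fact carries whatever curve the host key was generated with, so a 384- or 521-bit host key would get a wrong prefix — hedged, since the fleet may standardise on 256. As in `ssh_config`, the single-quoted `$home = '/home/$owner'` default (L123) and the single-quoted titles (L137, L149, L161) are never interpolated, so `home` is the literal `/home/$owner`, a second `ssh_known_host` instance collides on title, and L129 references an undeclared `$group`. Finally, `'auto' => undef` leaves a previously written localhost line in place, unlike the `absent` used for the same mode in `ssh_config`; if that asymmetry is intended, a one-line comment saying so would help.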