From fe1c86b8f938283e9dd8196a8b11a9648f4b49e6 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Fri, 12 Apr 2013 17:09:03 -0300
Subject: Major refactor

---
 manifests/defines/monkeysphere_host.pp | 20 ++++++++++++++
 manifests/defines/munin_client.pp      | 21 ++++++++++++++
 manifests/defines/ssh_config.pp        | 26 ++++++++++++++++++
 manifests/defines/ssh_create_key.pp    | 11 ++++++++
 manifests/defines/ssh_known_hosts.pp   | 50 ++++++++++++++++++++++++++++++++++
 5 files changed, 128 insertions(+)
 create mode 100644 manifests/defines/monkeysphere_host.pp
 create mode 100644 manifests/defines/munin_client.pp
 create mode 100644 manifests/defines/ssh_config.pp
 create mode 100644 manifests/defines/ssh_create_key.pp
 create mode 100644 manifests/defines/ssh_known_hosts.pp

(limited to 'manifests/defines')

diff --git a/manifests/defines/monkeysphere_host.pp b/manifests/defines/monkeysphere_host.pp
new file mode 100644
index 0000000..b4b21e0
--- /dev/null
+++ b/manifests/defines/monkeysphere_host.pp
@@ -0,0 +1,20 @@
+define monkeysphere_host(
+  $port           = hiera('nodo::monkeysphere_host::ssh_port', ''),
+  $mail_recipient = hiera('mail::root_mail_recipient', 'nobody')
+) {
+  include monkeysphere
+
+  # Ensure the server's ssh key is imported into your monkeysphere key ring
+  monkeysphere::import_key { "ssh":
+    port => $port,
+  }
+
+  # TODO
+  # Currently we don't have a defined policy regarding whether
+  # to publish all our node keys to public keyservers, so leave
+  # automatic publishing disabled for now.
+  #monkeysphere::publish_server_keys { } 
+  
+  # Email the server key
+  monkeysphere::email_server_keys { "$mail_recipient": }
+}
diff --git a/manifests/defines/munin_client.pp b/manifests/defines/munin_client.pp
new file mode 100644
index 0000000..770d551
--- /dev/null
+++ b/manifests/defines/munin_client.pp
@@ -0,0 +1,21 @@
+# Define a munin node
+define munin_node(
+  $port   = hiera('nodo::munin_node::port',   '4949'),
+  $allow  = hiera('nodo::munin_node::allow',  ''),
+  $host   = hiera('nodo::munin_node::host',    $::fqdn),
+  $listen = hiera('nodo::munin_node::listen', '*')
+) {
+
+  case $allow {
+    '': { fail("Please set nodo::munin_node::allow in your config") }
+  }
+
+  class { 'munin::client':
+    port   => $port,
+    allow  => $allow,
+    host   => $host,
+    listen => $listen,
+  }
+
+  munin::plugin { apt_all: ensure => present; }
+}
diff --git a/manifests/defines/ssh_config.pp b/manifests/defines/ssh_config.pp
new file mode 100644
index 0000000..62e1d66
--- /dev/null
+++ b/manifests/defines/ssh_config.pp
@@ -0,0 +1,26 @@
+# Manage ssh config for a particular user
+define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+  include nodo::subsystem::ssh_folder
+
+  file { "${home}/.ssh/config":
+    ensure  => present,
+    owner   => $owner,
+    group   => $group,
+    mode    => 0600,
+    require => File["${home}/.ssh"],
+  }
+
+  # The NoHostAuthenticationForLocalhost ssh option might be useful
+  # for automated deployment environments so your ikiwiki user doesn't
+  # get stuck with the fingerprint confirmation prompt when pushing
+  # content via ssh in the first time it runs.
+  line { 'NoHostAuthenticationForLocalhost-${owner}':
+    file   => "${home}/.ssh/config",
+    line   => "NoHostAuthenticationForLocalhost yes",
+    ensure => $ssh_localhost_auth ? {
+      'auto'        => present,
+      'fingerprint' => absent,
+      default       => absent,
+    },
+  }
+}
diff --git a/manifests/defines/ssh_create_key.pp b/manifests/defines/ssh_create_key.pp
new file mode 100644
index 0000000..e380b18
--- /dev/null
+++ b/manifests/defines/ssh_create_key.pp
@@ -0,0 +1,11 @@
+define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') {
+  include nodo::subsystem::ssh_folder
+
+  exec { "ssh-keygen-${owner}":
+    command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+    creates => "${home}/.ssh/${keyfile}",
+    user    => $owner,
+    group   => $group,
+    require => File["${home}/.ssh"],
+  }
+}
diff --git a/manifests/defines/ssh_known_hosts.pp b/manifests/defines/ssh_known_hosts.pp
new file mode 100644
index 0000000..50ae87e
--- /dev/null
+++ b/manifests/defines/ssh_known_hosts.pp
@@ -0,0 +1,50 @@
+# Manage known_hosts for a particular user
+define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+  include nodo::subsystem::ssh_folder
+
+  file { "${home}/.ssh/known_hosts":
+    ensure  => present,
+    owner   => $owner,
+    group   => $group,
+    mode    => 0600,
+    require => File["${home}/.ssh"],
+  }
+
+  # You can choose to include the host's fingeprints
+  # directly into the known_hosts file.
+  if $::sshrsakey != '' {
+    line { 'known_hosts-localhost-rsa-${owner}':
+      file   => "${home}/.ssh/known_hosts",
+      line   => "localhost ssh-rsa ${::sshrsakey}",
+      ensure => $ssh_localhost_auth ? {
+        'fingerprint' => present,
+        'auto'        => undef,
+        default       => undef,
+      },
+    }
+  }
+
+  if $::sshdsakey != '' {
+    line { 'known_hosts-localhost-dsa-${owner}':
+      file   => "${home}/.ssh/known_hosts",
+      line   => "localhost ssh-dss ${::sshdsakey}",
+      ensure => $ssh_localhost_auth ? {
+        'fingerprint' => present,
+        'auto'        => undef,
+        default       => undef,
+      },
+    }
+  }
+
+  if $::sshecdsakey != '' {
+    line { 'known_hosts-localhost-ecdsa-${owner}':
+      file   => "${home}/.ssh/known_hosts",
+      line   => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+      ensure => $ssh_localhost_auth ? {
+        'fingerprint' => present,
+        'auto'        => undef,
+        default       => undef,
+      },
+    }
+  }
+}
-- 
cgit v1.2.3