merged with riseup module, various cleaning up

9 files changed, 195 insertions, 158 deletions

diff --git a/manifests/base.pp b/manifests/base.pp
index b249974..2ac2385 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,31 +1,35 @@
 class sshd::base {     
-    file { 'sshd_config':
-        path => '/etc/ssh/sshd_config',
-        owner => root,
-        group => 0,
-        mode => 600,
-        content => $lsbdistcodename ? {
-          '' => template("sshd/sshd_config/${operatingsystem}.erb"),
-          default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
-        },
-        notify => Service[sshd],
-    }
-    # Now add the key, if we've got one
-    case $sshrsakey_key {
-        '': { info("no sshrsakey on $fqdn") }
-        default: {
-            @@sshkey{"$hostname.$domain":
-                type => ssh-rsa,
-                key => $sshrsakey_key,
-                ensure => present,
-            }
-        }
-    }
-    service{'sshd':
-        name => 'sshd',
-        enable => true,
-        ensure => running,
-        hasstatus => true,
-		    require => File[sshd_config],
+  file { 'sshd_config':
+    path => '/etc/ssh/sshd_config',
+    content => $lsbdistcodename ? {
+      '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+      default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+    },
+    notify => Service[sshd],
+    owner => root, group => 0, mode => 600;
+  }
+
+  # Now add the key, if we've got one
+  case $sshrsakey_key {
+    '': { info("no sshrsakey on $fqdn") }
+    default: {
+      @@sshkey{"$hostname.$domain":
+        type => ssh-rsa,
+        key => $sshrsakey_key,
+        ensure => present,
+      }
+      @@sshkey{"$ipaddress":
+        type => ssh-rsa,
+        key => $sshrsakey,
+        ensure => present,
+      }
     }
+  }
+  service{'sshd':
+    name => 'sshd',
+    enable => true,
+    ensure => running,
+    hasstatus => true,
+    require => File[sshd_config],
+  }
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 2c3e31f..33d9f9e 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,9 +1,9 @@
 class sshd::client::base {
-    # this is needed because the gid might have changed
-    file { '/etc/ssh/ssh_known_hosts':
-            mode => 0644, owner => root, group => 0;
-    }
+  # this is needed because the gid might have changed
+  file { '/etc/ssh/ssh_known_hosts':
+    owner => root, group => 0, mode => 0644;
+  }
 
-    # Now collect all server keys
-    Sshkey <<||>>
+  # Now collect all server keys
+  Sshkey <<||>>
 }
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
index 9ca6da9..2aaf3fb 100644
--- a/manifests/client/debian.pp
+++ b/manifests/client/debian.pp
@@ -1,5 +1,5 @@
 class sshd::client::debian inherits sshd::client::linux {
-    Package['openssh-clients']{
-        name => 'openssh-client',
-    }
+  Package['openssh-clients']{
+    name => 'openssh-client',
+  }
 }
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
index 522fa50..8c58ca8 100644
--- a/manifests/client/linux.pp
+++ b/manifests/client/linux.pp
@@ -1,5 +1,6 @@
 class sshd::client::linux inherits sshd::client::base {
-    package {'openssh-clients':
-        ensure => installed,
-    }
+  if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
+  package {'openssh-clients':
+    ensure => $ssh_ensure_version,
+  }
 }
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 528779c..849d9f4 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -3,14 +3,23 @@ class sshd::debian inherits sshd::linux {
   # the templates for Debian need lsbdistcodename
   include lsb
   File['sshd_config']{
-    require => Package['lsb']
+    require +> Package['lsb']
   }
 
   Package[openssh]{
     name => 'openssh-server',
   }
+
+  $sshd_restartandstatus = $lsbdistcodename ? {
+    etch => false,
+    lenny => true,
+    default => false
+  }
+
   Service[sshd]{
     name => 'ssh',
-    hasstatus => false,
+    pattern => 'sshd',
+    hasstatus => $sshd_restartandstatus,
+    hasrestart => $sshd_restartandstatus,
   }
 }
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
index f56a96d..631f3d1 100644
--- a/manifests/gentoo.pp
+++ b/manifests/gentoo.pp
@@ -1,5 +1,5 @@
 class sshd::gentoo inherits sshd::linux {
-    Package[openssh]{
-        category => 'net-misc',
-    }
+  Package[openssh]{
+    category => 'net-misc',
+  }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 8489a6a..83b26c1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,13 @@
 # $sshd_use_pam = yes
 # include sshd::debian
 #
+# If you need to install a version of the ssh daemon or client package other than
+# the default one that would be installed by 'ensure => installed', then you can
+# set the following variables:
+#
+# $sshd_ensure_version = "1:5.2p2-6"
+# $ssh_ensure_version = "1:5.2p2-6"
+#
 # The following is a list of the currently available variables:
 #
 # sshd_listen_address:          specify the addresses sshd should listen on
@@ -113,95 +120,105 @@
 #                       Might be interesting for sftponly usage
 #                       Default: empty -> no change of the default
 #
-# sshd_additional_options:  Set this to any additional sshd_options which aren't listed above.
-#                           As well this option might be usefull to define complexer Match Blocks
-#                           This string is going to be included, like it is defined. So take care!
-#                           Default: empty -> not added.
+# sshd_head_additional_options:  Set this to any additional sshd_options which aren't listed above.
+#                                Anything set here will be added to the beginning of the sshd_config file.
+#                                This option might be useful to define complicated Match Blocks
+#                                This string is going to be included, like it is defined. So take care!
+#                                Default: empty -> not added.
+#
+# sshd_tail_additional_options:  Set this to any additional sshd_options which aren't listed above.
+#                                Anything set here will be added to the end of the sshd_config file.
+#                                This option might be useful to define complicated Match Blocks
+#                                This string is going to be included, like it is defined. So take care!
+#                                Default: empty -> not added.
 
 class sshd {
-    # prepare variables to use in templates
-    case $sshd_listen_address {
-      '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
-    }
-    case $sshd_allowed_users {
-        '': { $sshd_allowed_users = '' }
-    }
-    case $sshd_allowed_groups {
-      '': { $sshd_allowed_groups = '' }
-    }
-    case $sshd_use_pam {
-        '': { $sshd_use_pam = 'no' }
-    }
-    case $sshd_permit_root_login {
-        '': { $sshd_permit_root_login = 'without-password' }
-    }
-    case $sshd_password_authentication {
-        '': { $sshd_password_authentication = 'no' }
-    }
-    case $sshd_tcp_forwarding {
-    	'': { $sshd_tcp_forwarding = 'no' }
-    }
-    case $sshd_x11_forwarding {
-        '': { $sshd_x11_forwarding = 'no' }
-    }
-    case $sshd_agent_forwarding {
-    	'': { $sshd_agent_forwarding = 'no' }
-    }
-    case $sshd_challenge_response_authentication {
-        '': { $sshd_challenge_response_authentication = 'no' }
-    }
-    case $sshd_pubkey_authentication {
-    	'': { $sshd_pubkey_authentication = 'yes' }
-    }
-    case $sshd_rsa_authentication {
-    	'': { $sshd_rsa_authentication = 'no' }
-    }
-    case $sshd_strict_modes {
-    	'': { $sshd_strict_modes = 'yes' }
-    }
-    case $sshd_ignore_rhosts {
-        '': { $sshd_ignore_rhosts = 'yes' }
-    }
-    case $sshd_rhosts_rsa_authentication {
-    	'': { $sshd_rhosts_rsa_authentication = 'no' }
-    }
-    case $sshd_hostbased_authentication {
-    	'': { $sshd_hostbased_authentication = 'no' }
-    }
-    case $sshd_permit_empty_passwords {
-    	'': { $sshd_permit_empty_passwords = 'no' }
-    }
-    case $sshd_port {
-      '': { $sshd_port = 22 }
-    }
-    case $sshd_authorized_keys_file {
-      '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
-    }
-    case $sshd_sftp_subsystem {
-        '': { $sshd_sftp_subsystem = '' }
-    }
-    case $sshd_additional_options {
-        '': { $sshd_additional_options = '' }
-    }
- 
-    include sshd::client 
+   # prepare variables to use in templates
+  case $sshd_listen_address {
+    '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+  }
+  case $sshd_allowed_users {
+    '': { $sshd_allowed_users = '' }
+  }
+  case $sshd_allowed_groups {
+    '': { $sshd_allowed_groups = '' }
+  }
+  case $sshd_use_pam {
+    '': { $sshd_use_pam = 'no' }
+  }
+  case $sshd_permit_root_login {
+    '': { $sshd_permit_root_login = 'without-password' }
+  }
+  case $sshd_password_authentication {
+    '': { $sshd_password_authentication = 'no' }
+  }
+  case $sshd_tcp_forwarding {
+    '': { $sshd_tcp_forwarding = 'no' }
+  }
+  case $sshd_x11_forwarding {
+    '': { $sshd_x11_forwarding = 'no' }
+  }
+  case $sshd_agent_forwarding {
+    '': { $sshd_agent_forwarding = 'no' }
+  }
+  case $sshd_challenge_response_authentication {
+    '': { $sshd_challenge_response_authentication = 'no' }
+  }
+  case $sshd_pubkey_authentication {
+    '': { $sshd_pubkey_authentication = 'yes' }
+  }
+  case $sshd_rsa_authentication {
+    '': { $sshd_rsa_authentication = 'no' }
+  }
+  case $sshd_strict_modes {
+    '': { $sshd_strict_modes = 'yes' }
+  }
+  case $sshd_ignore_rhosts {
+    '': { $sshd_ignore_rhosts = 'yes' }
+  }
+  case $sshd_rhosts_rsa_authentication {
+    '': { $sshd_rhosts_rsa_authentication = 'no' }
+  }
+  case $sshd_hostbased_authentication {
+    '': { $sshd_hostbased_authentication = 'no' }
+  }
+  case $sshd_permit_empty_passwords {
+    '': { $sshd_permit_empty_passwords = 'no' }
+  }
+  case $sshd_port {
+    '': { $sshd_port = 22 }
+  }
+  case $sshd_authorized_keys_file {
+    '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+  }
+  case $sshd_sftp_subsystem {
+    '': { $sshd_sftp_subsystem = '' }
+  }
+  case $sshd_head_additional_options {
+    '': { $sshd_head_additional_options = '' }
+  }
+  case $sshd_tail_additional_options {
+    '': { $sshd_tail_additional_options = '' }
+  }
+  case $sshd_ensure_version {
+    '': { $sshd_ensure_version = "present" }
+  }
 
-    case $operatingsystem {
-        gentoo: { include sshd::gentoo }
-        redhat,centos: { include sshd::redhat }
-        centos: { include sshd::centos }
-        openbsd: { include sshd::openbsd }
-        debian,ubuntu: { include sshd::debian }
-        default: { include sshd::default }
-    }
+  include sshd::client 
 
-    if $use_nagios {
-        if $nagios_check_ssh {
-            nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }
-        }
-    }
+  case $operatingsystem {
+    gentoo: { include sshd::gentoo }
+    redhat,centos: { include sshd::redhat }
+    centos: { include sshd::centos }
+    openbsd: { include sshd::openbsd }
+    debian,ubuntu: { include sshd::debian }
+    default: { include sshd::default }
+  }
 
-    if $use_shorewall{
-      include shorewall::rules::ssh
+  if $use_nagios {
+    case $nagios_check_ssh {
+      'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
+      default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } }
     }
+  }
 }
diff --git a/manifests/linux.pp b/manifests/linux.pp
index f659808..a1f4e2a 100644
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -1,8 +1,8 @@
 class sshd::linux inherits sshd::base {
-    package{openssh:
-      ensure => present,
+  package{openssh:
+    ensure => $sshd_ensure_version,
+  }
+  File[sshd_config]{
+    require +> Package[openssh],
   }
-    File[sshd_config]{
-        require +> Package[openssh],
-    }
 }
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 2d528da..9374e15 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -3,34 +3,40 @@ define sshd::ssh_authorized_key(
     $type = 'ssh-dss',
     $key,
     $user = 'root',
-    $target = 'absent',
+    $target = undef,
     $options = 'absent'
 ){
 
-    case $target {
-        'absent': {
-            case $user {
-                'root': { $real_target = '/root/.ssh/authorized_keys' }
-                default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
-            }
-        }
-        default: {
-            $real_target = $target
-        }
+  $real_user = $user ? {
+    false => $name,
+    "" => $name,
+    default => $user,
+  }
+
+  case $target {
+    undef: {
+      case $user {
+        'root': { $real_target = '/root/.ssh/authorized_keys' }
+        default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
+      }
     }
-    ssh_authorized_key{$name:
-        type => $type,
-        key => $key,
-        user => $user,
-        target => $real_target,
+    default: {
+      $real_target = $target
     }
+  }
+  ssh_authorized_key{$name:
+    type => $type,
+    key => $key,
+    user => $real_user,
+    target => $real_target,
+  }
 
-    case $options {
-        'absent': { info("not setting any option for ssh_authorized_key: $name") }
-        default: {
-            Ssh_authorized_key[$name]{
-                options => $options,
-            }
-        }
+  case $options {
+    'absent': { info("not setting any option for ssh_authorized_key: $name") }
+    default: {
+      Ssh_authorized_key[$name]{
+        options => $options,
+      }
     }
+  }
 }