aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README2
-rw-r--r--manifests/client.pp7
-rw-r--r--manifests/init.pp82
3 files changed, 48 insertions, 43 deletions
diff --git a/README b/README
index 7e1b1f5..15742d3 100644
--- a/README
+++ b/README
@@ -24,7 +24,7 @@ Nagios
------
To have nagios checks setup automatically for sshd services, simply set
-use_nagios to true in hiera. If you want to disable ssh
+manage_nagios to true for that class. If you want to disable ssh
nagios checking for a particular node (such as when ssh is firewalled), then you
can set the class parameter nagios_check_ssh to false and that node will not bei
monitored.
diff --git a/manifests/client.pp b/manifests/client.pp
index c99cf27..84dd7ab 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,8 +1,9 @@
# manifests/client.pp
class sshd::client(
- $shared_ip = hiera('sshd_shared_ip','no'),
- $ensure_version = hiera('sshd_ensure_version','installed')
+ $shared_ip = 'no',
+ $ensure_version = 'installed',
+ $manage_shorewall = false
) {
case $::operatingsystem {
@@ -15,7 +16,7 @@ class sshd::client(
}
}
- if hiera('use_shorewall',false) {
+ if $manage_shorewall{
include shorewall::rules::out::ssh
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index f183acd..4d66b81 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,42 +1,45 @@
class sshd(
- $nagios_check_ssh = hiera('nagios_check_ssh',true),
- $nagios_check_ssh_hostname = hiera('nagios_check_ssh_hostname','absent'),
- $ports = hiera('sshd_ports',[ 22 ]),
- $shared_ip = hiera('sshd_shared_ip','no'),
- $ensure_version = hiera('sshd_ensure_version','installed'),
- $listen_address = hiera('sshd_listen_address',[ '0.0.0.0', '::' ]),
- $allowed_users = hiera('sshd_allowed_users',''),
- $allowed_groups = hiera('sshd_allowed_groups',''),
- $use_pam = hiera('sshd_use_pam','no'),
- $permit_root_login = hiera('sshd_permit_root_login','without-password'),
- $password_authentication = hiera('sshd_password_authentication','no'),
- $kerberos_authentication = hiera('sshd_kerberos_authentication','no'),
- $kerberos_orlocalpasswd = hiera('sshd_sshd_kerberos_orlocalpasswd','yes'),
- $kerberos_ticketcleanup = hiera('sshd_kerberos_ticketcleanup','yes'),
- $gssapi_authentication = hiera('sshd_gssapi_authentication','no'),
- $gssapi_cleanupcredentials = hiera('sshd_gssapi_cleanupcredentials','yes'),
- $tcp_forwarding = hiera('sshd_tcp_forwarding','no'),
- $x11_forwarding = hiera('sshd_x11_forwarding','no'),
- $agent_forwarding = hiera('sshd_agent_forwarding','no'),
- $challenge_response_authentication = hiera('sshd_challenge_response_authentication','no'),
- $pubkey_authentication = hiera('sshd_pubkey_authentication','yes'),
- $rsa_authentication = hiera('rsa_authentication','no'),
- $strict_modes = hiera('sshd_strict_modes','yes'),
- $ignore_rhosts = hiera('sshd_ignore_rhosts','yes'),
- $rhosts_rsa_authentication = hiera('sshd_rhosts_rsa_authentication','no'),
- $hostbased_authentication = hiera('sshd_hostbased_authentication','no'),
- $permit_empty_passwords = hiera('sshd_permit_empty_passwords','no'),
- $authorized_keys_file = hiera('sshd_authorized_keys_file','%h/.ssh/authorized_keys'),
- $hardened_ssl = hiera('sshd_hardened_ssl','no'),
- $sftp_subsystem = hiera('sshd_sftp_subsystem',''),
- $head_additional_options = hiera('sshd_head_additional_options',''),
- $tail_additional_options = hiera('sshd_tail_additional_options',''),
- $print_motd = hiera('sshd_print_motd','yes')
+ $manage_nagios = true,
+ $nagios_check_ssh_hostname = 'absent',
+ $ports = [ 22 ],
+ $shared_ip = 'no',
+ $ensure_version = 'installed',
+ $listen_address = [ '0.0.0.0', '::' ],
+ $allowed_users = '',
+ $allowed_groups = '',
+ $use_pam = 'no',
+ $permit_root_login = 'without-password',
+ $password_authentication = 'no',
+ $kerberos_authentication = 'no',
+ $kerberos_orlocalpasswd = 'yes',
+ $kerberos_ticketcleanup = 'yes',
+ $gssapi_authentication = 'no',
+ $gssapi_cleanupcredentials = 'yes',
+ $tcp_forwarding = 'no',
+ $x11_forwarding = 'no',
+ $agent_forwarding = 'no',
+ $challenge_response_authentication = 'no',
+ $pubkey_authentication = 'yes',
+ $rsa_authentication = 'no',
+ $strict_modes = 'yes',
+ $ignore_rhosts = 'yes',
+ $rhosts_rsa_authentication = 'no',
+ $hostbased_authentication = 'no',
+ $permit_empty_passwords = 'no',
+ $authorized_keys_file = '%h/.ssh/authorized_keys',
+ $hardened_ssl = 'no',
+ $sftp_subsystem = '',
+ $head_additional_options = '',
+ $tail_additional_options = '',
+ $print_motd = 'yes',
+ $manage_shorewall = false,
+ $shorewall_source = 'net'
) {
class{'sshd::client':
shared_ip => $sshd::shared_ip,
- ensure_version => $sshd::ensure_version
+ ensure_version => $sshd::ensure_version,
+ manage_shorewall => $manage_shorewall,
}
case $::operatingsystem {
@@ -47,15 +50,16 @@ class sshd(
default: { include sshd::base }
}
- if hiera('use_nagios',false) and $sshd::nagios_check_ssh {
- sshd::nagios{$sshd::ports:
- check_hostname => $sshd::nagios_check_ssh_hostname
+ if $manage_nagios {
+ sshd::nagios{$ports:
+ check_hostname => $nagios_check_ssh_hostname
}
}
- if hiera('use_shorewall', false) {
+ if $manage_shorewall {
class{'shorewall::rules::ssh':
- ports => $sshd::ports,
+ ports => $ports,
+ source => $shorewall_source
}
}
}