Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/base.pp | 22 | ||||
-rw-r--r-- | manifests/client.pp | 17 | ||||
-rw-r--r-- | manifests/client/base.pp | 5 | ||||
-rw-r--r-- | manifests/client/linux.pp | 3 | ||||
-rw-r--r-- | manifests/debian.pp | 2 | ||||
-rw-r--r-- | manifests/init.pp | 171 | ||||
-rw-r--r-- | manifests/libssh2.pp | 6 | ||||
-rw-r--r-- | manifests/libssh2/devel.pp | 6 | ||||
-rw-r--r-- | manifests/linux.pp | 2 | ||||
-rw-r--r-- | manifests/nagios.pp | 2 |
10 files changed, 81 insertions, 155 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 848e547..4001985 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,31 +1,31 @@
-class sshd::base {
+class sshd::base {
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
- content => $lsbdistcodename ? {
- '' => template("sshd/sshd_config/${operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ content => $::lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${::operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
 },
 notify => Service[sshd],
 owner => root,
 group => 0,
 mode => 600;
 }
 # Now add the key, if we've got one
- case $sshrsakey {
- '': { info("no sshrsakey on $fqdn") }
+ case $::sshrsakey {
+ '': { info("no sshrsakey on ${::fqdn}") }
 default: {
- @@sshkey{"$fqdn":
+ @@sshkey{$::fqdn:
 tag => "fqdn",
 type => ssh-rsa,
- key => $sshrsakey,
+ key => $::sshrsakey,
 ensure => present,
 }
 # In case the node has uses a shared network address,
 # we don't define a sshkey resource using an IP address
- if $sshd_shared_ip == "no" {
- @@sshkey{"$ipaddress":
+ if $sshd::shared_ip == "no" {
+ @@sshkey{$::ipaddress:
 tag => "ipaddress",
 type => ssh-rsa,
- key => $sshrsakey,
+ key => $::sshrsakey,
 ensure => present,
 }
 }
diff --git a/manifests/client.pp b/manifests/client.pp
index 5eed5fc..84dd7ab 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
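Review bot: `if $sshd::shared_ip == "no" {` makes sshd::base depend on class sshd having been evaluated first; when a node reaches sshd::base (or an OS subclass inheriting it) without going through `class{'sshd': ...}`, the variable is undef, the comparison is false and the IP-keyed host key is silently never exported. The same order dependency is introduced by `$sshd::client::shared_ip` in client/base.pp, `$sshd::client::ensure_version` in client/linux.pp and `$sshd::ensure_version` in linux.pp, where an undef value is handed straight to the package `ensure`. A guard at the top of sshd::base such as `if $sshd::shared_ip == undef { fail('sshd::base must be declared through class sshd') }` would turn the silent miss into a compile error; the same one-liner fits the other three classes.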
@@ -1,23 +1,22 @@
 # manifests/client.pp
-class sshd::client {
+class sshd::client(
+ $shared_ip = 'no',
+ $ensure_version = 'installed',
+ $manage_shorewall = false
+) {
- case $sshd_shared_ip {
- '': { $sshd_shared_ip = "no" }
- }
-
- case $operatingsystem {
+ case $::operatingsystem {
 debian,ubuntu: { include sshd::client::debian }
 default: {
- case $kernel {
+ case $::kernel {
 linux: { include sshd::client::linux }
 default: { include sshd::client::base }
 }
 }
 }
- if $use_shorewall{
+ if $manage_shorewall{
 include shorewall::rules::out::ssh
 }
-
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 1fe2b14..c2580c1 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,10 +1,11 @@
 class sshd::client::base {
 # this is needed because the gid might have changed
- config_file { '/etc/ssh/ssh_known_hosts':
+ file { '/etc/ssh/ssh_known_hosts':
+ mode => 0644,
 owner => root,
 group => 0;
 }
 # Now collect all server keys
- case $sshd_shared_ip {
+ case $sshd::client::shared_ip {
 no: { Sshkey <<||>> }
 yes: { Sshkey <<| tag == "fqdn" |>> }
 }
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
index 8c58ca8..0c420be 100644
--- a/manifests/client/linux.pp
+++ b/manifests/client/linux.pp
@@ -1,6 +1,5 @@
 class sshd::client::linux inherits sshd::client::base {
- if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
 package {'openssh-clients':
- ensure => $ssh_ensure_version,
+ ensure => $sshd::client::ensure_version,
 }
 }
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 43dc26c..45eb901 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -7,7 +7,7 @@ class sshd::debian inherits sshd::linux {
 name => 'openssh-server',
 }
- $sshd_restartandstatus = $lsbdistcodename ? {
+ $sshd_restartandstatus = $::lsbdistcodename ? {
 etch => false,
 default => true
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 8b3361c..4d66b81 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
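Review bot: `if $manage_shorewall{` tests the raw parameter for truthiness, so a node that passes the string `'false'` (as an ENC or data lookup typically does) still includes shorewall::rules::out::ssh; only the boolean `false`, undef and, on older parsers, the empty string are falsy here. The same applies to `$manage_nagios` and `$manage_shorewall` in init.pp. Rejecting anything that is not a boolean at the top of the class would close that gap, for example with `validate_bool($manage_shorewall)` if puppetlabs-stdlib is already a dependency of this module. A space before the brace, `if $manage_shorewall {`, would also match the form used in init.pp.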
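Review bot: The `case $sshd::client::shared_ip {` block has no default branch, so a value other than `no`/`yes` (a typo, or undef when class sshd::client was never declared) collects no host keys at all and ssh_known_hosts silently stays empty. Adding `default: { fail("sshd::client::shared_ip must be 'yes' or 'no', got '${sshd::client::shared_ip}'") }` turns that into a compile error. The new `mode => 0644,` should be quoted, `mode => '0644',`, so the octal literal keeps its leading zero on newer parsers and puppet-lint stays quiet.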
@@ -1,138 +1,65 @@
-class sshd {
- # prepare variables to use in templates
- case $sshd_listen_address {
- '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
- }
- case $sshd_allowed_users {
- '': { $sshd_allowed_users = '' }
- }
- case $sshd_allowed_groups {
- '': { $sshd_allowed_groups = '' }
- }
- case $sshd_use_pam {
- '': { $sshd_use_pam = 'no' }
- }
- case $sshd_permit_root_login {
- '': { $sshd_permit_root_login = 'without-password' }
- }
- case $sshd_password_authentication {
- '': { $sshd_password_authentication = 'no' }
- }
- case $sshd_kerberos_authentication {
- '': { $sshd_kerberos_authentication = 'no' }
- }
- case $sshd_kerberos_orlocalpasswd {
- '': { $sshd_kerberos_orlocalpasswd = 'yes' }
- }
- case $sshd_kerberos_ticketcleanup {
- '': { $sshd_kerberos_ticketcleanup = 'yes' }
- }
- case $sshd_gssapi_authentication {
- '': { $sshd_gssapi_authentication = 'no' }
- }
- case $sshd_gssapi_cleanupcredentials {
- '': { $sshd_gssapi_cleanupcredentials = 'yes' }
- }
- case $sshd_tcp_forwarding {
- '': { $sshd_tcp_forwarding = 'no' }
- }
- case $sshd_x11_forwarding {
- '': { $sshd_x11_forwarding = 'no' }
- }
- case $sshd_agent_forwarding {
- '': { $sshd_agent_forwarding = 'no' }
- }
- case $sshd_challenge_response_authentication {
- '': { $sshd_challenge_response_authentication = 'no' }
- }
- case $sshd_pubkey_authentication {
- '': { $sshd_pubkey_authentication = 'yes' }
- }
- case $sshd_rsa_authentication {
- '': { $sshd_rsa_authentication = 'no' }
- }
- case $sshd_strict_modes {
- '': { $sshd_strict_modes = 'yes' }
- }
- case $sshd_ignore_rhosts {
- '': { $sshd_ignore_rhosts = 'yes' }
- }
- case $sshd_rhosts_rsa_authentication {
- '': { $sshd_rhosts_rsa_authentication = 'no' }
- }
- case $sshd_hostbased_authentication {
- '': { $sshd_hostbased_authentication = 'no' }
- }
- case $sshd_permit_empty_passwords {
- '': { $sshd_permit_empty_passwords = 'no' }
- }
- if ( $sshd_port != '' ) and ( $sshd_ports != []) {
- err("Cannot use sshd_port and sshd_ports at
the same time.")
- }
- if $sshd_port != '' {
- $sshd_ports = [ $sshd_port ]
- } elsif ! $sshd_ports {
- $sshd_ports = [ 22 ]
- }
- case $sshd_authorized_keys_file {
- '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
- }
- case $sshd_hardened_ssl {
- '': { $sshd_hardened_ssl = 'no' }
- }
- case $sshd_sftp_subsystem {
- '': { $sshd_sftp_subsystem = '' }
- }
- case $sshd_head_additional_options {
- '': { $sshd_head_additional_options = '' }
- }
- case $sshd_tail_additional_options {
- '': { $sshd_tail_additional_options = '' }
- }
- case $sshd_ensure_version {
- '': { $sshd_ensure_version = "present" }
- }
- case $sshd_print_motd {
- '': {
- case $operatingsystem {
- debian,ubuntu: { $sshd_print_motd = "no" }
- default: { $sshd_print_motd = "yes" }
- }
- }
- }
- case $sshd_shared_ip {
- '': { $sshd_shared_ip = "no" }
- }
+class sshd(
+ $manage_nagios = true,
+ $nagios_check_ssh_hostname = 'absent',
+ $ports = [ 22 ],
+ $shared_ip = 'no',
+ $ensure_version = 'installed',
+ $listen_address = [ '0.0.0.0', '::' ],
+ $allowed_users = '',
+ $allowed_groups = '',
+ $use_pam = 'no',
+ $permit_root_login = 'without-password',
+ $password_authentication = 'no',
+ $kerberos_authentication = 'no',
+ $kerberos_orlocalpasswd = 'yes',
+ $kerberos_ticketcleanup = 'yes',
+ $gssapi_authentication = 'no',
+ $gssapi_cleanupcredentials = 'yes',
+ $tcp_forwarding = 'no',
+ $x11_forwarding = 'no',
+ $agent_forwarding = 'no',
+ $challenge_response_authentication = 'no',
+ $pubkey_authentication = 'yes',
+ $rsa_authentication = 'no',
+ $strict_modes = 'yes',
+ $ignore_rhosts = 'yes',
+ $rhosts_rsa_authentication = 'no',
+ $hostbased_authentication = 'no',
+ $permit_empty_passwords = 'no',
+ $authorized_keys_file = '%h/.ssh/authorized_keys',
+ $hardened_ssl = 'no',
+ $sftp_subsystem = '',
+ $head_additional_options = '',
+ $tail_additional_options = '',
+ $print_motd = 'yes',
+ $manage_shorewall = false,
+ $shorewall_source = 'net'
+) {
- include sshd::client
+
class{'sshd::client':
+ shared_ip => $sshd::shared_ip,
+ ensure_version => $sshd::ensure_version,
+ manage_shorewall => $manage_shorewall,
+ }
- case $operatingsystem {
+ case $::operatingsystem {
 gentoo: { include sshd::gentoo }
 redhat,centos: { include sshd::redhat }
- centos: { include sshd::centos }
 openbsd: { include sshd::openbsd }
 debian,ubuntu: { include sshd::debian }
 default: { include sshd::base }
 }
- if $use_nagios {
- case $nagios_check_ssh {
- false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
- default: {
- sshd::nagios{$sshd_ports:
- check_hostname => $nagios_check_ssh_hostname ? {
- '' => 'absent',
- undef => 'absent',
- default => $nagios_check_ssh_hostname
- }
- }
- }
+ if $manage_nagios {
+ sshd::nagios{$ports:
+ check_hostname => $nagios_check_ssh_hostname
 }
 }
- if $use_shorewall{
+ if $manage_shorewall {
 class{'shorewall::rules::ssh':
- ports => $sshd_ports,
+ ports => $ports,
+ source => $shorewall_source
 }
 }
 }
diff --git a/manifests/libssh2.pp b/manifests/libssh2.pp
index 5b4e363..403ac7b 100644
--- a/manifests/libssh2.pp
+++ b/manifests/libssh2.pp
@@ -1,7 +1,7 @@
 # manifests/libssh2.pp
 class sshd::libssh2 {
- package{'libssh2':
- ensure => present,
- }
+ package{'libssh2':
+ ensure => present,
+ }
 }
diff --git a/manifests/libssh2/devel.pp b/manifests/libssh2/devel.pp
index e33f6c7..261e34c 100644
--- a/manifests/libssh2/devel.pp
+++ b/manifests/libssh2/devel.pp
@@ -1,7 +1,7 @@
 # manifests/libssh2/devel.pp
 class sshd::libssh2::devel inherits sshd::libssh2 {
- package{'libssh2-devel':
- ensure => installed,
- }
+ package{"libssh2-devel.${::architecture}":
+ ensure => installed,
+ }
 }
diff --git a/manifests/linux.pp b/manifests/linux.pp
index a1f4e2a..f071ada 100644
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -1,6 +1,6 @@
 class sshd::linux inherits sshd::base {
 package{openssh:
- ensure => $sshd_ensure_version,
+ ensure => $sshd::ensure_version,
 }
 File[sshd_config]{
 require +> Package[openssh],
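Review bot: `$print_motd = 'yes'` drops the OS-specific default that the removed `case $sshd_print_motd` block computed (`"no"` on debian/ubuntu, `"yes"` elsewhere), so Debian and Ubuntu nodes that never set the parameter now get PrintMotd switched on. Keeping the old behaviour in the parameter default is a one-liner: `$print_motd = $::operatingsystem ? { 'debian' => 'no', 'ubuntu' => 'no', default => 'yes' },`. Separately, `$manage_nagios = true` inverts the old opt-in `$use_nagios` gate into opt-out, so every node declaring this class now declares `sshd::nagios` resources and needs the nagios module on the master; `false` is the safer default for a module that other sites include. Inside class sshd, `shared_ip => $sshd::shared_ip,` and `ensure_version => $sshd::ensure_version,` can simply read `$shared_ip` and `$ensure_version`, as `manage_shorewall => $manage_shorewall,` on the next line already does.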
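Review bot: `package{"libssh2-devel.${::architecture}":` bakes an architecture suffix into the package name, which is a yum/rpm convention; on a dpkg-based node the same class would now request a package such as `libssh2-devel.amd64` that no apt repository provides. Nothing in this hunk restricts sshd::libssh2::devel to RPM platforms, so either gate the suffix on `$::osfamily` or state the constraint in a header comment like `# RedHat-family only: the arch-suffixed package name is a yum/rpm convention`.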
diff --git a/manifests/nagios.pp b/manifests/nagios.pp
index 7742cdb..ef5fe10 100644
--- a/manifests/nagios.pp
+++ b/manifests/nagios.pp
@@ -11,7 +11,7 @@ define sshd::nagios(
 'absent': {
 nagios::service{"ssh_port_${name}":
 ensure => $ensure,
- check_command => "check_ssh_port!$real_port"
+ check_command => "check_ssh_port!${real_port}"
 }
 }
 default: { |