itamae-plugin-recipe-openssh 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6477bb08a13b2409a83f5d0a10b09d2947f55f74
+  data.tar.gz: fa01895ea95dddd8f56dfd9d0f0e0f22e3011b7e
+SHA512:
+  metadata.gz: ddc2e34cb755ef108eef87b75c0f0c822b15c6e489ccd24dd5a0728002292789d4db8caaf0f804d49dd36b921c5d4d12fe1380117f0f9be72bd07670cd315be8
+  data.tar.gz: 2bddbc68f4edab97b735d3e4ca9da5deb23bbf27c4dbbf3d5fd0f42e39db48b98db470dce441982a991f843871b559b5607833193cfa27f6110031fb471dcc43

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.2.2

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in itamae-plugin-recipe-sshd.gemspec
+gemspec

data/README.md

@@ -0,0 +1,37 @@
+# Itamae::Plugin::Recipe::Openssh
+
+Itamae recipe plugin for openssh
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'itamae-plugin-recipe-sshd'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install itamae-plugin-recipe-sshd
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/itamae-plugin-recipe-sshd/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,27 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+task :spec    => 'spec:all'
+task :default => :spec
+
+namespace :spec do
+  targets = []
+  Dir.glob('./spec/*').each do |dir|
+    next unless File.directory?(dir)
+    target = File.basename(dir)
+    target = "_#{target}" if target == "default"
+    targets << target
+  end
+
+  task :all     => targets
+  task :default => :all
+
+  targets.each do |target|
+    original_target = target == "_default" ? target[1..-1] : target
+    desc "Run serverspec tests to #{original_target}"
+    RSpec::Core::RakeTask.new(target.to_sym) do |t|
+      ENV['TARGET_HOST'] = original_target
+      t.pattern = "spec/#{original_target}/*_spec.rb"
+    end
+  end
+end

data/Vagrantfile

@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+
+  config.vm.define :centos66 do |c|
+    c.vm.box = "centos6.6"
+    c.vm.box_url = 'https://github.com/tommy-muehle/puppet-vagrant-boxes/releases/download/1.0.0/centos-6.6-x86_64.box'
+    c.vm.network :private_network, ip: '192.168.33.11'
+  end
+
+  config.vm.define :ubuntu1404 do |c|
+    c.vm.box = "ubuntu1404"
+    c.vm.box_url = 'https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box'
+    c.vm.network :private_network, ip: '192.168.33.12'
+  end
+end

data/itamae-plugin-recipe-openssh.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'itamae/plugin/recipe/openssh/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "itamae-plugin-recipe-openssh"
+  spec.version       = Itamae::Plugin::Recipe::Openssh::VERSION
+  spec.authors       = ["namusyaka"]
+  spec.email         = ["namusyaka@gmail.com"]
+
+  spec.summary       = %q{itamae recipe plugin for openssh.}
+  spec.description   = spec.summary
+  spec.homepage      = "https://github.com/namusyaka/itamae-plugin-recipe-openssh"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "itamae-plugin-resource-iptables"
+  spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "serverspec"
+end

data/lib/itamae/plugin/recipe/openssh/attributes.rb

@@ -0,0 +1,129 @@
+node["openssh"]["server"] ||= {}
+node["openssh"]["client"] ||= {}
+node["openssh"]["server"]["port"] ||= 22
+
+node['openssh']['package_name'] ||=
+  case node['platform_family']
+  when 'rhel', 'fedora'
+    %w(openssh-clients openssh-server)
+  when 'arch', 'suse', 'gentoo'
+    %w(openssh)
+  when 'freebsd', 'smartos'
+    %w()
+  else
+    %w(openssh-client openssh-server)
+  end
+
+node['openssh']['service_name'] ||=
+  case node['platform_family']
+  when 'rhel', 'fedora', 'suse', 'freebsd', 'gentoo', 'arch'
+    'sshd'
+  else
+    'ssh'
+  end
+
+node['openssh']['config_mode'] ||=
+  case node['platform_family']
+  when 'rhel', 'fedora'
+    '0600'
+  else
+    '0644'
+  end
+
+node['openssh']['rootgroup'] ||=
+  case node['platform_family']
+  when 'freebsd'
+    'wheel'
+  else
+    'root'
+  end
+
+node['openssh']['client']['host'] ||= '*'
+# node['openssh']['client']['forward_agent'] ||= 'no'
+# node['openssh']['client']['forward_x11'] ||= 'no'
+# node['openssh']['client']['rhosts_rsa_authentication'] ||= 'no'
+# node['openssh']['client']['rsa_authentication'] ||= 'yes'
+# node['openssh']['client']['password_authentication'] ||= 'yes'
+# node['openssh']['client']['host_based_authentication'] ||= 'no'
+# node['openssh']['client']['gssapi_authentication'] ||= 'no'
+# node['openssh']['client']['gssapi_delegate_credentials'] ||= 'no'
+# node['openssh']['client']['batch_mode'] ||= 'no'
+# node['openssh']['client']['check_host_ip'] ||= 'yes'
+# node['openssh']['client']['address_family'] ||= 'any'
+# node['openssh']['client']['connect_timeout'] ||= '0'
+# node['openssh']['client']['strict_host_key_checking'] ||= 'ask'
+# node['openssh']['client']['identity_file'] ||= '~/.ssh/identity'
+# node['openssh']['client']['identity_file_rsa'] ||= '~/.ssh/id_rsa'
+# node['openssh']['client']['identity_file_dsa'] ||= '~/.ssh/id_dsa'
+# node['openssh']['client']['port'] ||= '22'
+# node['openssh']['client']['protocol'] ||= [ '2 1' ]
+# node['openssh']['client']['cipher'] ||= '3des'
+# node['openssh']['client']['ciphers'] ||= [ 'aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 aes128-cbc 3des-cbc' ]
+# node['openssh']['client']['macs'] ||= [ 'hmac-md5 hmac-sha1 umac-64@openssh.com hmac-ripemd160' ]
+# node['openssh']['client']['escape_char'] ||= '~'
+# node['openssh']['client']['tunnel'] ||= 'no'
+# node['openssh']['client']['tunnel_device'] ||= 'any:any'
+# node['openssh']['client']['permit_local_command'] ||= 'no'
+# node['openssh']['client']['visual_host_key'] ||= 'no'
+# node['openssh']['client']['proxy_command'] ||= 'ssh -q -W %h:%p gateway.example.com'
+# sshd config group
+# node['openssh']['server']['port'] ||= '22'
+# node['openssh']['server']['address_family'] ||= 'any'
+# node['openssh']['server']['listen_address'] ||= [ '0.0.0.0 ::' ]
+# node['openssh']['server']['protocol'] ||= '2'
+# node['openssh']['server']['host_key_v1'] ||= '/etc/ssh/ssh_host_key'
+# node['openssh']['server']['host_key_rsa'] ||= '/etc/ssh/ssh_host_rsa_key'
+# node['openssh']['server']['host_key_dsa'] ||= '/etc/ssh/ssh_host_dsa_key'
+if node['platform_family'] == 'smartos'
+  node['openssh']['server']['host_key'] ||= ['/var/ssh/ssh_host_rsa_key', '/var/ssh/ssh_host_dsa_key']
+end
+# node['openssh']['server']['host_key_ecdsa'] ||= '/etc/ssh/ssh_host_ecdsa_key'
+# node['openssh']['server']['key_regeneration_interval'] ||= '1h'
+# node['openssh']['server']['server_key_bits'] ||= '1024'
+# node['openssh']['server']['syslog_facility'] ||= 'AUTH'
+# node['openssh']['server']['log_level'] ||= 'INFO'
+# node['openssh']['server']['login_grace_time'] ||= '2m'
+# node['openssh']['server']['permit_root_login'] ||= 'yes'
+# node['openssh']['server']['strict_modes'] ||= 'yes'
+# node['openssh']['server']['max_auth_tries'] ||= '6'
+# node['openssh']['server']['max_sessions'] ||= '10'
+# node['openssh']['server']['r_s_a_authentication'] ||= 'yes'
+# node['openssh']['server']['pubkey_authentication'] ||= 'yes'
+# node['openssh']['server']['authorized_keys_file'] ||= '%h/.ssh/authorized_keys'
+# node['openssh']['server']['rhosts_r_s_a_authentication'] ||= 'no'
+# node['openssh']['server']['host_based_authentication'] ||= 'no'
+# node['openssh']['server']['ignore_user_known_hosts'] ||= 'no'
+# node['openssh']['server']['ignore_rhosts'] ||= 'yes'
+# node['openssh']['server']['password_authentication'] ||= 'yes'
+# node['openssh']['server']['permit_empty_passwords'] ||= 'no'
+node['openssh']['server']['challenge_response_authentication'] ||= 'no'
+# node['openssh']['server']['kerberos_authentication'] ||= 'no'
+# node['openssh']['server']['kerberos_or_localpasswd'] ||= 'yes'
+# node['openssh']['server']['kerberos_ticket_cleanup'] ||= 'yes'
+# node['openssh']['server']['kerberos_get_afs_token'] ||= 'no'
+# node['openssh']['server']['gssapi_authentication'] ||= 'no'
+# node['openssh']['server']['gssapi_clean_up_credentials'] ||= 'yes'
+node['openssh']['server']['use_p_a_m'] ||= 'yes' unless node['platform_family'] == 'smartos'
+# node['openssh']['server']['allow_agent_forwarding'] ||= 'yes'
+# node['openssh']['server']['allow_tcp_forwarding'] ||= 'yes'
+# node['openssh']['server']['gateway_ports'] ||= 'no'
+# node['openssh']['server']['x11_forwarding'] ||= 'no'
+# node['openssh']['server']['x11_display_offset'] ||= '10'
+# node['openssh']['server']['x11_use_localhost'] ||= 'yes'
+# node['openssh']['server']['print_motd'] ||= 'yes'
+# node['openssh']['server']['print_last_log'] ||= 'yes'
+# node['openssh']['server']['t_c_p_keep_alive'] ||= 'yes'
+# node['openssh']['server']['use_login'] ||= 'no'
+# node['openssh']['server']['use_privilege_separation'] ||= 'yes'
+# node['openssh']['server']['permit_user_environment'] ||= 'no'
+# node['openssh']['server']['compression'] ||= 'delayed'
+# node['openssh']['server']['client_alive_interval'] ||= '0'
+# node['openssh']['server']['client_alive_count_max'] ||= '3'
+# node['openssh']['server']['use_dns'] ||= 'yes'
+# node['openssh']['server']['pid_file'] ||= '/var/run/sshd.pid'
+# node['openssh']['server']['max_startups'] ||= '10'
+# node['openssh']['server']['permit_tunnel'] ||= 'no'
+# node['openssh']['server']['chroot_directory'] ||= 'none'
+# node['openssh']['server']['banner'] ||= 'none'
+# node['openssh']['server']['subsystem'] ||= 'sftp /usr/libexec/sftp-server'
+node['openssh']['server']['match'] ||= {}

data/lib/itamae/plugin/recipe/openssh/default.rb

@@ -0,0 +1,40 @@
+include_recipe "openssh::attributes"
+
+def listen_addr_for(interface, type)
+  interface_node = node['network']['interfaces'][interface]['addresses']
+  interface_node.select { |_address, data| data['family'] == type }.keys[0]
+end
+
+node['openssh']['package_name'].each do |name|
+  package name
+end
+
+template '/etc/ssh/ssh_config' do
+  source 'templates/ssh_config.erb'
+  mode '0644'
+  owner 'root'
+  group node['openssh']['rootgroup']
+end
+
+if node['openssh']['listen_interfaces']
+  listen_addresses = [].tap do |a|
+    node['openssh']['listen_interfaces'].each_pair do |interface, type|
+      a << listen_addr_for(interface, type)
+    end
+  end
+
+  node.set['openssh']['server']['listen_address'] = listen_addresses
+end
+
+template '/etc/ssh/sshd_config' do
+  source 'templates/sshd_config.erb'
+  mode node['openssh']['config_mode']
+  owner 'root'
+  group node['openssh']['rootgroup']
+  notifies :restart, 'service[sshd]'
+end
+
+service 'ssh' do
+  name node['openssh']['service_name']
+  action [:enable, :start]
+end

data/lib/itamae/plugin/recipe/openssh/iptables.rb

@@ -0,0 +1,13 @@
+require 'itamae/plugin/resource/iptables_rule'
+require 'itamae/plugin/resource/iptables_save'
+
+include_recipe "openssh::default"
+
+iptables_rule('accept ssh') do
+  action :accept
+  chain "FORWARD"
+  protocol "tcp"
+  dport node['openssh']['server']['port']
+end
+
+iptables_save '/etc/iptables.rules'

data/lib/itamae/plugin/recipe/openssh/openssh.rb

@@ -0,0 +1,11 @@
+require "itamae/plugin/recipe/openssh/version"
+
+module Itamae
+  module Plugin
+    module Recipe
+      module Openssh
+        # Your code goes here...
+      end
+    end
+  end
+end

data/lib/itamae/plugin/recipe/openssh/templates/ssh_config.erb

@@ -0,0 +1,17 @@
+# This file was generated by Chef for <%= node['fqdn'] %>
+# Do NOT modify this file by hand!
+
+<% node['openssh']['client'].each do |key, value| -%>
+<%  if value.kind_of? Array -%>
+<%    value.each do |item| -%>
+<%=     "#{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<%    end -%>
+<%  elsif value.kind_of? Hash -%>
+<%=   "Host #{key}"%>
+<%    value.each do |host_key, host_value| -%>
+<%=     "#{host_key.split("_").map { |w| w.capitalize}.join} #{host_value}" %>
+<%    end -%>
+<%  else -%>
+<%=   "#{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<%  end -%>
+<% end -%>

data/lib/itamae/plugin/recipe/openssh/templates/sshd_config.erb

@@ -0,0 +1,26 @@
+# This file was generated by Itamae for <%= node['fqdn'] %>
+
+<% node['openssh']['server'].dup.reject{|k,v| k=='match'}.map do |key, value| -%>
+<%  if value.kind_of? Array -%>
+<%    value.each do |item| -%>
+<%=     "#{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<%    end -%>
+<%  else -%>
+<%=   "#{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<%  end -%>
+<% end -%>
+
+<%  unless node['openssh']['server']['match'].empty? || !defined?(node['openssh']['server']['match']) -%>
+<%    node['openssh']['server']['match'].sort.map do |match_key, match_items| -%>
+Match <%= match_key %>
+<%      match_items.sort.map do |key, value| -%>
+<%        if value.kind_of? Array -%>
+<%          value.each do |item| -%>
+<%=           "  #{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<%          end -%>
+<%        else -%>
+<%=         "  #{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<%        end -%>
+<%      end -%>
+<%    end -%>
+<%  end -%>

data/lib/itamae/plugin/recipe/openssh/version.rb

@@ -0,0 +1,9 @@
+module Itamae
+  module Plugin
+    module Recipe
+      module Openssh
+        VERSION = "0.1.0"
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,115 @@
+--- !ruby/object:Gem::Specification
+name: itamae-plugin-recipe-openssh
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- namusyaka
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-06-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: itamae-plugin-resource-iptables
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: serverspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: itamae recipe plugin for openssh.
+email:
+- namusyaka@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- Vagrantfile
+- itamae-plugin-recipe-openssh.gemspec
+- lib/itamae/plugin/recipe/openssh/attributes.rb
+- lib/itamae/plugin/recipe/openssh/default.rb
+- lib/itamae/plugin/recipe/openssh/iptables.rb
+- lib/itamae/plugin/recipe/openssh/openssh.rb
+- lib/itamae/plugin/recipe/openssh/templates/ssh_config.erb
+- lib/itamae/plugin/recipe/openssh/templates/sshd_config.erb
+- lib/itamae/plugin/recipe/openssh/version.rb
+homepage: https://github.com/namusyaka/itamae-plugin-recipe-openssh
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: itamae recipe plugin for openssh.
+test_files: []
+has_rdoc: