provizioning 0.9.17 → 0.9.18

data/bootstrap/bootstrap.sh

@@ -77,6 +77,7 @@ apt-get -y autoremove
 ##############################################################################
 
 gem install puppet --no-ri --no-rdoc
-puppet resource group puppet ensure=present
+groupadd puppet
+#puppet resource group puppet ensure=present
 puppet resource user puppet ensure=present gid=puppet shell='/sbin/nologin'
 reboot

data/lib/provizioning/puppet.rb

@@ -12,7 +12,7 @@ Capistrano::Configuration.instance(:must_exist).load do
     desc "Deploy our puppet recipes to the server"
     task :deploy_recipes do
       with_puppet_user do
-        run "rm -rf #{puppet_path}"
+        run "#{try_sudo} rm -rf #{puppet_path}"
         upload File.expand_path("../../../puppet", __FILE__), puppet_path
       end
     end
@@ -35,7 +35,7 @@ Capistrano::Configuration.instance(:must_exist).load do
     desc 'Bootstrap puppet'
     task :bootstrap do
       with_puppet_user do
-        run "wget -q -O - https://raw.github.com/seasonlabs/provizioning/master/bootstrap/bootstrap.sh | sh"
+        run "wget -q -O - https://raw.github.com/seasonlabs/provizioning/master/bootstrap/bootstrap.sh | #{try_sudo} sh"
       end
     end
 
@@ -70,7 +70,7 @@ Capistrano::Configuration.instance(:must_exist).load do
     dryrun_option = fetch('puppet_dryrun') ? "--noop " : ""
     debug_option = fetch('puppet_debug') ? "-d " : ""
     with_puppet_user do
-      run "puppet apply --modulepath '#{puppet_app_modules_path}:#{puppet_path}/modules' --templatedir #{puppet_path}/classes #{dryrun_option}-v #{debug_option}#{manifest}", options
+      run "#{try_sudo} puppet apply --modulepath '#{puppet_app_modules_path}:#{puppet_path}/modules' --templatedir #{puppet_path}/classes #{dryrun_option}-v #{debug_option}#{manifest}", options
     end
   end
   

data/lib/provizioning/version.rb

@@ -1,3 +1,3 @@
 module Provizioning
-  VERSION = "0.9.17"
+  VERSION = "0.9.18"
 end

data/puppet/classes/apache.pp

@@ -18,8 +18,7 @@ class apache {
   }
 
   user { $apache_user:
-    groups => application,
-    require => [Package[httpd], Class["base::application"]],
+    require => [Package[httpd]],
     notify => Service[httpd]
   }
 

data/puppet/modules/ssh/manifests/init.pp

@@ -1,74 +1,19 @@
-import "*.pp"
-
+# Manage a bit of ssh properties
 class ssh {
-
-    package { ssh:
-        name   => $operatingsystem ? {
-            default    => "openssh",
-            },
-        ensure => present,
+	define append_ssh_key_to_root($key) {
+    append_ssh_key_to_user {$name:
+      user => "root", 
+      key => $key,
     }
-
-    package { ssh-client:
-        name   => $operatingsystem ? {
-            default    => "openssh-clients",
-            },
-        ensure => present,
+  }
+
+  define append_ssh_key_to_user($user, $key, $key_type="ssh-rsa") {
+    ssh_authorized_key {$name:
+      ensure => present,
+      user => $user,
+      key => $key,
+      name => $name,
+      type => $key_type,
     }
-
-}
-
-class ssh::server {
-
-    include ssh
-
-    package { sshd:
-        name   => $operatingsystem ? {
-            default    => "openssh-server",
-            },
-        ensure => present,
-    }
-
-    service { sshd:
-        name => $operatingsystem ? {
-            default => "sshd",
-            },
-        ensure => running,
-        enable => true,
-        hasrestart => true,
-        hasstatus => true,
-        require => Package["sshd"],
-        subscribe => File["sshd.conf"],
-    }
-
-    file {    
-             "sshd_config":
-            mode => 600, owner => root, group => root,
-            require => Package[ssh-server],
-            ensure => present,
-            path => $operatingsystem ?{
-                default => "/etc/ssh/sshd_config",
-            },
-    }
-
-}
-
-define ssh::config ($value) {
-
-    # Augeas version. 
-    augeas {
-        "sshd_config_$name":
-        context =>  "/files/etc/ssh/sshd_config",
-        changes =>  "set $name $value",
-        onlyif  =>  "get $name != $value",
-        # onlyif  =>  "match $name/*[.='$value'] size == 0",
-    }
-
-    # Davids' replaceline version (to fix) 
-    # replaceline {
-    #    "sshd_config_$name":
-    #    file => "/etc/ssh/sshd_config",
-    #    pattern => "$name",
-    #    replacement => "^$name $value",
-    # }
-}
+  }
+}

data/puppet/modules/ufw/Gemfile

@@ -0,0 +1,8 @@
+source :rubygems
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 2.7']
+
+gem 'rake'
+gem 'puppet-lint'
+gem 'rspec-puppet'
+gem 'puppet', puppetversion

data/puppet/modules/ufw/LICENSE

@@ -0,0 +1,19 @@
+Copyright (C) 2011 by Eivind Uggedal <eivind@uggedal.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/puppet/modules/ufw/Modulefile

@@ -0,0 +1,13 @@
+name 'uggedal-puppet-module-ufw'
+version '1.0.0'
+
+author 'Eivind Uggedal <eivind@uggedal.com>'
+license 'MIT License'
+project_page 'https://github.com/uggedal/puppet-module-ufw'
+source 'git://github.com/uggedal/puppet-module-ufw.git'
+summary 'Puppet UFW Module'
+description 'Module for configuring UFW (Uncomplicated Firewall).
+
+Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with
+Puppet 2.6. Patches for other operating systems are welcome.'
+dependency 'puppetlabs/stdlib', '>=2.2.1'

data/puppet/modules/ufw/README.md

@@ -0,0 +1,63 @@
+Puppet UFW Module
+=================
+
+Module for configuring UFW (Uncomplicated Firewall).
+
+Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with
+Puppet 2.6. Patches for other operating systems are welcome.
+
+
+Installation
+------------
+
+Clone this repo to a ufw directory under your Puppet modules directory:
+
+    git clone git://github.com/uggedal/puppet-module-ufw.git ufw
+
+If you don't have a Puppet Master you can create a manifest file
+based on the notes below and run Puppet in stand-alone mode
+providing the module directory you cloned this repo to:
+
+    puppet apply --modulepath=modules test_ufw.pp
+
+
+Usage
+-----
+
+If you include the ufw class the package will be installed, the service
+will be enabled, and all incomming connections will be denied:
+
+    include ufw
+
+Note that you'll need to define a global search path for the `exec`
+resource to make this module function properly. This should ideally be
+placed in `manifests/site.pp`:
+
+    Exec {
+      path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+    }
+
+You can then allow certain connections:
+
+    ufw::allow { "allow-ssh-from-all":
+      port => 22,
+    }
+
+    ufw::allow { "allow-all-from-trusted":
+      from => "10.0.0.145",
+    }
+
+    ufw::allow { "allow-http-on-specific-interface":
+      port => 80,
+      ip => "10.0.0.20",
+    }
+
+    ufw::allow { "allow-dns-over-udp":
+      port => 53,
+      proto => "udp",
+    }
+
+You can also rate limit certain ports (the IP is blocked if it initiates
+6 or more connections within 30 seconds):
+
+    ufw::limit { 22: }

data/puppet/modules/ufw/Rakefile

@@ -0,0 +1,17 @@
+require 'rake'
+
+begin
+  require 'rspec/core/rake_task'
+  require 'puppet-lint/tasks/puppet-lint'
+rescue LoadError
+  require 'rubygems'
+  retry
+end
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.pattern = 'spec/*/*_spec.rb'
+end
+
+task :test => [:spec, :lint]
+
+task :default => :test

data/puppet/modules/ufw/manifests/allow.pp

@@ -0,0 +1,31 @@
+define ufw::allow($proto='tcp', $port='all', $ip='', $from='any') {
+
+  if $::ipaddress_eth0 != undef {
+    $ipadr = $ip ? {
+      ''      => $::ipaddress_eth0,
+      default => $ip,
+    }
+  } else {
+    $ipadr = 'any'
+  }
+
+  $from_match = $from ? {
+    'any'   => 'Anywhere',
+    default => $from,
+  }
+
+  exec { "ufw-allow-${proto}-from-${from}-to-${ipadr}-port-${port}":
+    command => $port ? {
+      'all'   => "ufw allow proto $proto from $from to $ipadr",
+      default => "ufw allow proto $proto from $from to $ipadr port $port",
+    },
+    unless  => "$ipadr:$port" ? {
+      'any:all'    => "ufw status | grep -E \" +ALLOW +$from_match\"",
+      /[0-9]:all$/ => "ufw status | grep -E \"$ipadr/$proto +ALLOW +$from_match\"",
+      /^any:[0-9]/ => "ufw status | grep -E \"$port/$proto +ALLOW +$from_match\"",
+      default      => "ufw status | grep -E \"$ipadr $port/$proto +ALLOW +$from_match\"",
+    },
+    require => Exec['ufw-default-deny'],
+    before  => Exec['ufw-enable'],
+  }
+}

data/puppet/modules/ufw/manifests/deny.pp

@@ -0,0 +1,29 @@
+define ufw::deny($proto='tcp', $port='all', $ip='', $from='any') {
+
+  if $::ipaddress_eth0 != undef {
+    $ipadr = $ip ? {
+      ''      => $::ipaddress_eth0,
+      default => $ip,
+    }
+  } else {
+    $ipadr = 'any'
+  }
+
+  $from_match = $from ? {
+    'any'   => 'Anywhere',
+    default => "$from/$proto",
+  }
+
+  exec { "ufw-deny-${proto}-from-${from}-to-${ipadr}-port-${port}":
+    command => $port ? {
+      'all'   => "ufw deny proto $proto from $from to $ipadr",
+      default => "ufw deny proto $proto from $from to $ipadr port $port",
+    },
+    unless  => $port ? {
+      'all'   => "ufw status | grep -E \"$ipadr/$proto +DENY +$from_match\"",
+      default => "ufw status | grep -E \"$ipadr $port/$proto +DENY +$from_match\"",
+    },
+    require => Exec['ufw-default-deny'],
+    before  => Exec['ufw-enable'],
+  }
+}

data/puppet/modules/ufw/manifests/init.pp

@@ -1,12 +1,24 @@
 class ufw {
-  package{ "ufw":
-    ensure => installed,
+  package { 'ufw':
+    ensure => present,
   }
-  
-  exec { "Set default rules":
-    user => "root",
-    path => "/usr/bin:/usr/sbin:/bin",
-    command => "ufw allow to 0.0.0.0/0 port 80 && ufw allow to 0.0.0.0/0 port 443 && ufw allow to 0.0.0.0/0 port 3000 && ufw allow 10000:10020/tcp && ufw allow to 0.0.0.0/0 port 22",
-    require => Package["ufw"],
+
+  Package['ufw'] -> Exec['ufw-default-deny'] -> Exec['ufw-enable']
+
+  exec { 'ufw-default-deny':
+    command => 'ufw default deny',
+    unless  => 'ufw status verbose | grep "Default: deny (incoming), allow (outgoing)"',
   }
-}
+
+  exec { 'ufw-enable':
+    command => 'yes | ufw enable',
+    unless  => 'ufw status | grep "Status: active"',
+  }
+
+  service { 'ufw':
+    ensure    => running,
+    enable    => true,
+    hasstatus => true,
+    subscribe => Package['ufw'],
+  }
+}

data/puppet/modules/ufw/manifests/limit.pp

@@ -0,0 +1,7 @@
+define ufw::limit($proto='tcp') {
+  exec { "ufw limit $name/$proto":
+    unless  => "ufw status | grep -E \"^$name/$proto +LIMIT +Anywhere\"",
+    require => Exec['ufw-default-deny'],
+    before  => Exec['ufw-enable'],
+  }
+}

data/puppet/modules/ufw/metadata.json

@@ -0,0 +1,33 @@
+{
+  "name": "uggedal-puppet-module-ufw",
+  "author": "Eivind Uggedal \u003ceivind@uggedal.com\u003e",
+  "description": "Module for configuring UFW (Uncomplicated Firewall).\n\nTested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with\nPuppet 2.6. Patches for other operating systems are welcome.",
+  "license": "MIT License",
+  "project_page": "https://github.com/uggedal/puppet-module-ufw",
+  "source": "git://github.com/uggedal/puppet-module-ufw.git",
+  "summary": "Puppet UFW Module",
+  "version": "1.0.0",
+  "checksums": {
+    "Gemfile": "7a90ba90918a5972eb038190feaf7fb4",
+    "LICENSE": "2d9c14720c9adef6ab3197a70adb690c",
+    "Modulefile": "996b93de77287312124328bf7aa9f6dd",
+    "README.md": "361ee8c51c9ab4c2983f100dbc500ace",
+    "Rakefile": "30135290361360248d8139853a15c8a2",
+    "manifests/allow.pp": "2d6bcf6fbd6565d5c523feecfa5a0a2f",
+    "manifests/deny.pp": "99d3a9e0415b1b3c37114acd51caedb8",
+    "manifests/init.pp": "fa6506b5c8d4926453c2a9539ef0c65a",
+    "manifests/limit.pp": "096c50250cbdbe4401ceae423714ea67",
+    "spec/spec.opts": "a600ded995d948e393fbe2320ba8e51c",
+    "spec/spec_helper.rb": "ca19ec4f451ebc7fdb035b52eae6e909",
+    "tests/allow.pp": "6c792330a86393231d9a5c5a2e0e9949",
+    "tests/deny.pp": "96377cee0084b96c14ff1a828961946f",
+    "tests/init.pp": "0571b366ccfc29695d3df3651845a9b3",
+    "tests/limit.pp": "6e4fe2cae76ef2488dc9e6263736e162"
+  },
+  "dependencies": [
+    {
+      "name": "puppetlabs/stdlib",
+      "version_requirement": "\u003e\u003d2.2.1"
+    }
+  ]
+}

data/puppet/modules/ufw/spec/spec.opts

@@ -0,0 +1,6 @@
+--format
+s
+--colour
+--loadby
+mtime
+--backtrace

data/puppet/modules/ufw/spec/spec_helper.rb

@@ -0,0 +1,18 @@
+require 'pathname'
+dir = Pathname.new(__FILE__).parent
+$LOAD_PATH.unshift(dir, dir + 'lib', dir + '../lib')
+
+require 'mocha'
+require 'puppet'
+gem 'rspec', '=1.2.9'
+require 'spec/autorun'
+
+Spec::Runner.configure do |config|
+    config.mock_with :mocha
+end
+
+# We need this because the RAL uses 'should' as a method.  This
+# allows us the same behaviour but with a different method name.
+class Object
+    alias :must :should
+end

data/puppet/modules/ufw/tests/allow.pp

@@ -0,0 +1,10 @@
+Exec {
+  path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+}
+
+ufw::allow{ 'allow-all-from-trusted':
+  proto => 'udp',
+  port  => 80,
+  ip    => '10.0.0.1',
+  from  => '10.0.0.2',
+}

data/puppet/modules/ufw/tests/deny.pp

@@ -0,0 +1,10 @@
+Exec {
+  path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+}
+
+ufw::deny{ 'allow-all-from-trusted':
+  proto => 'udp',
+  port  => 80,
+  ip    => '10.0.0.1',
+  from  => '10.0.0.2',
+}

data/puppet/modules/ufw/tests/init.pp

@@ -0,0 +1,5 @@
+Exec {
+  path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+}
+
+class { 'ufw': }

data/puppet/modules/ufw/tests/limit.pp

@@ -0,0 +1,5 @@
+Exec {
+  path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+}
+
+ufw::limit { 22: }

data/puppet/modules/ufw.old/manifests/init.pp

@@ -0,0 +1,12 @@
+class ufw {
+  package{ "ufw":
+    ensure => installed,
+  }
+  
+  exec { "Set default rules":
+    user => "root",
+    path => "/usr/bin:/usr/sbin:/bin",
+    command => "ufw allow to 0.0.0.0/0 port 80 && ufw allow to 0.0.0.0/0 port 443 && ufw allow to 0.0.0.0/0 port 3000 && ufw allow 10000:10020/tcp && ufw allow to 0.0.0.0/0 port 22",
+    require => Package["ufw"],
+  }
+}

data/puppet/site.pp

@@ -11,6 +11,6 @@ Exec {
 }
 
 import "classes/*"
-include base, gemrc, logrotate, ufw
+include base, gemrc, logrotate
 
 import "roles/*"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: provizioning
 version: !ruby/object:Gem::Version
-  version: 0.9.17
+  version: 0.9.18
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-10-23 00:00:00.000000000 Z
+date: 2012-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: capistrano
@@ -217,17 +217,29 @@ files:
 - puppet/modules/rvm/manifests/definitions/system_user.pp
 - puppet/modules/rvm/manifests/init.pp
 - puppet/modules/rvm/templates/passenger-apache.conf.erb
-- puppet/modules/ssh/README
-- puppet/modules/ssh/manifests/auth.pp
-- puppet/modules/ssh/manifests/auth.pp.good
-- puppet/modules/ssh/manifests/eal4.pp
 - puppet/modules/ssh/manifests/init.pp
 - puppet/modules/stow/manifests/init.pp
 - puppet/modules/sudo/files/sudoers
 - puppet/modules/sudo/manifests/init.pp
 - puppet/modules/sudo/manifests/install.pp
 - puppet/modules/sudo/manifests/sudoers.pp
+- puppet/modules/ufw.old/manifests/init.pp
+- puppet/modules/ufw/Gemfile
+- puppet/modules/ufw/LICENSE
+- puppet/modules/ufw/Modulefile
+- puppet/modules/ufw/README.md
+- puppet/modules/ufw/Rakefile
+- puppet/modules/ufw/manifests/allow.pp
+- puppet/modules/ufw/manifests/deny.pp
 - puppet/modules/ufw/manifests/init.pp
+- puppet/modules/ufw/manifests/limit.pp
+- puppet/modules/ufw/metadata.json
+- puppet/modules/ufw/spec/spec.opts
+- puppet/modules/ufw/spec/spec_helper.rb
+- puppet/modules/ufw/tests/allow.pp
+- puppet/modules/ufw/tests/deny.pp
+- puppet/modules/ufw/tests/init.pp
+- puppet/modules/ufw/tests/limit.pp
 - puppet/modules/webmin/manifests/init.pp
 - puppet/roles/blank.pp
 - puppet/site.pp

data/puppet/modules/ssh/README

@@ -1,4 +0,0 @@
-# Lab42 Puppet Infrastructure #
-# PROVIDED 'AS IS'
-
-

data/puppet/modules/ssh/manifests/auth.pp

@@ -1,39 +0,0 @@
-# Fake null class 
-
-class ssh::auth {
-
-define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
-
-} 
-
-
-class keymaster {
-} # class keymaster
-
-
-define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
-} # define client
-
-
-define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
-} # define server
-
-} # class ssh::auth
-
-
-define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
-
-} # define ssh_auth_key_master
-
-define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
-
-} # define ssh_auth_key_client
-
-define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
-
-} # define ssh_auth_key_server
-
-
-define ssh_auth_key_namecheck ($parm, $value) {
-} # define namecheck
-

data/puppet/modules/ssh/manifests/auth.pp.good

@@ -1,340 +0,0 @@
-# This class has been written by Andrew E. Schulman 
-# It has been imported in Example42 under the terms of GPL3  
-#
-# =========
-# ssh::auth
-# =========
-#
-# The latest official release and documentation for ssh::auth can always
-# be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
-#
-# Version:          0.3.2
-# Release date:     2009-12-29
-
-class ssh::auth {
-
-$keymaster_storage = "/var/lib/keys" 
-
-Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
-Notify { withpath => false }
-
-
-##########################################################################
-
-
-# ssh::auth::key 
-
-# Declare keys.  The approach here is just to define a bunch of
-# virtual resources, representing key files on the keymaster, client,
-# and server.  The virtual keys are then realized by
-# ssh::auth::{keymaster,client,server}, respectively.  The reason for
-# doing things that way is that it makes ssh::auth::key into a "one
-# stop shop" where users can declare their keys with all of their
-# parameters, whether those parameters apply to the keymaster, server,
-# or client.  The real work of creating, installing, and removing keys
-# is done in the private definitions called by the virtual resources:
-# ssh_auth_key_{master,server,client}.
-
-define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
-
-  ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
-
-  # apply defaults
-  $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
-  $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }
-  $_user = $user ? {
-    ""      => regsubst($title, '^([^@]*)@?.*$', '\1'),
-    default => $user,
-  }
-  $_home = $home ? { "" => "/home/$_user",  default => $home }
-
-  ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
-
-  @ssh_auth_key_master { $title:
-    ensure  => $ensure,
-    force   => $force,
-    keytype => $keytype,
-    length  => $_length,
-    maxdays => $maxdays,
-    mindate => $mindate,
-  }
-  @ssh_auth_key_client { $title:
-    ensure   => $ensure,
-    filename => $_filename,
-    group    => $group,
-    home     => $_home,
-    user     => $_user,
-  }
-  @ssh_auth_key_server { $title:
-    ensure  => $ensure,
-    group   => $group,
-    home    => $_home,
-    options => $options,
-    user    => $_user,
-  }
-}
-
-
-##########################################################################
-
-
-# ssh::auth::keymaster
-#
-# Keymaster host:
-# Create key storage; create, regenerate, and remove key pairs
-
-class keymaster {
-
-  # Set up key storage
-
-  file { $ssh::auth::keymaster_storage:
-    ensure => directory,
-    owner  => puppet,
-    group  => puppet,
-    mode   => 644,
-  }
-  
-  # Realize all virtual master keys
-  Ssh_auth_key_master <| |>
-
-} # class keymaster
-
-
-##########################################################################
-
-
-# ssh::auth::client
-#
-# Install generated key pairs onto clients
-
-define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
-
-  # Realize the virtual client keys.
-  # Override the defaults set in ssh::auth::key, as needed.
-  if $ensure   { Ssh_auth_key_client <| title == $title |> { ensure   => $ensure   } }
-  if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
-  if $group    { Ssh_auth_key_client <| title == $title |> { group    => $group    } }
-
-  if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
-  if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }
-
-  realize Ssh_auth_key_client[$title]
-
-} # define client
-
-
-##########################################################################
-
-
-# ssh::auth::server
-#
-# Install public keys onto clients
-
-define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
-
-  # Realize the virtual server keys.
-  # Override the defaults set in ssh::auth::key, as needed.
-  if $ensure  { Ssh_auth_key_server <| title == $title |> { ensure  => $ensure  } }
-  if $group   { Ssh_auth_key_server <| title == $title |> { group   => $group   } }
-  if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
-
-  if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
-  if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }
-
-  realize Ssh_auth_key_server[$title]
-
-} # define server
-
-} # class ssh::auth
-
-
-##########################################################################
-
-
-# ssh_auth_key_master
-#
-# Create/regenerate/remove a key pair on the keymaster.
-# This definition is private, i.e. it is not intended to be called directly by users.
-# ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
-
-define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
-
-  Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
-  File {
-    owner => puppet,
-    group => puppet,
-    mode  => 600,
-  }
-
-  $keydir = "${ssh::auth::keymaster_storage}/${title}"
-  $keyfile = "${keydir}/key"
-
-  file { 
-    "$keydir":
-      ensure => directory,
-      mode   => 644;
-    "$keyfile":
-      ensure => $ensure;
-    "${keyfile}.pub":
-      ensure => $ensure,
-      mode   => 644;
-  }
-
-  if $ensure == "present" {
-
-    # Remove the existing key pair, if
-    # * $force is true, or
-    # * $maxdays or $mindate criteria aren't met, or
-    # * $keytype or $length have changed
-
-    $keycontent = file("${keyfile}.pub", "/dev/null")
-    if $keycontent {
-
-      if $force {
-        $reason = "force=true"
-      }
-      if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
-        $reason = "created before ${mindate}"
-      }
-      if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {
-        $reason = "older than ${maxdays} days"
-      }
-      if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {
-        if       $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }
-        else { if $length != $2 { $reason = "length changed: $2 -> $length" } }
-      }
-      if $reason {
-        exec { "Revoke previous key ${title}: ${reason}":
-          command => "rm $keyfile ${keyfile}.pub",
-          before  => Exec["Create key $title: $keytype, $length bits"],
-        }
-      }
-    }
-
-    # Create the key pair.
-    # We "repurpose" the comment field in public keys on the keymaster to
-    # store data about the key, i.e. $keytype and $length.  This avoids
-    # having to rerun ssh-keygen -l on every key at every run to determine
-    # the key length.
-    exec { "Create key $title: $keytype, $length bits":
-      command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
-      user    => "puppet",
-      group   => "puppet",
-      creates => $keyfile,
-      require => File[$keydir],
-      before  => File[$keyfile, "${keyfile}.pub"],
-    }
-
-  } # if $ensure  == "present"
-
-} # define ssh_auth_key_master
-
-
-##########################################################################
-
-
-# ssh_auth_key_client
-#
-# Install a key pair into a user's account.
-# This definition is private, i.e. it is not intended to be called directly by users.
-
-define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
-
-  File {
-    owner   => $user,
-    group   => $group,
-    mode    => 600,
-    require => User[$user],
-  }
-
-  $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
-  $key_tgt_file = "${home}/.ssh/${filename}" # on the client
-
-  $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
-  if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
-    $keytype = $1
-    $modulus = $2
-    file {
-      $key_tgt_file:
-        ensure  => $ensure,
-        content => file($key_src_file, "/dev/null");
-      "${key_tgt_file}.pub":
-        ensure  => $ensure,
-        content => "$keytype $modulus $title\n",
-        mode    => 644;
-    }
-  } else {
-    notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
-  }
-
-} # define ssh_auth_key_client
-
-
-##########################################################################
-
-
-# ssh_auth_key_server
-#
-# Install a public key into a server user's authorized_keys(5) file.
-# This definition is private, i.e. it is not intended to be called directly by users.
-
-define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
-
-  # on the keymaster:
-  $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
-  $key_src_file = "${key_src_dir}/key.pub"
-  # on the server:
-  $key_tgt_file = "${home}/.ssh/authorized_keys"
-  
-  File {
-    owner   => $user,
-    group   => $group,
-    require => User[$user],
-    mode    => 600,
-  }
-  Ssh_authorized_key {
-    user   => $user,
-    target => $key_tgt_file,
-  }
-
-  if $ensure == "absent" {
-    ssh_authorized_key { $title: ensure => "absent" }
-  }
-  else {
-    $key_src_content = file($key_src_file, "/dev/null")
-    if ! $key_src_content {
-      notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
-    } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
-      err("Can't parse public key file $key_src_file")
-      notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
-    } else {
-      $keytype = $1
-      $modulus = $2
-      ssh_authorized_key { $title:
-        ensure  => "present",
-        type    => $keytype,
-        key     => $modulus,
-        options => $options ? { "" => undef, default => $options },
-      }
-    }} # if ... else ... else
-  } # if ... else
-
-} # define ssh_auth_key_server
-
-
-##########################################################################
-
-
-# ssh_auth_key_namecheck
-#
-# Check a name (e.g. key title or filename) for the allowed form
-
-define ssh_auth_key_namecheck ($parm, $value) {
-  if $value !~ /^[A-Za-z0-9]/ {
-    fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
-  }
-  if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
-    fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
-  }
-} # define namecheck
-

data/puppet/modules/ssh/manifests/eal4.pp

@@ -1,69 +0,0 @@
-class ssh::eal4 {
-
-    # Cripto settings
-    ssh::config { Protocol:
-        value => "2",
-    }
-
-    ssh::config { Ciphers:
-        value => "3des-cbc",
-    }
-
-    # X11 forwarding (You MAY allow)
-    ssh::config { X11Forwarding:
-        value => "no",
-    }
-
-
-    # Login settings
-    ssh::config { UsePAM:
-        value => "yes",
-    }
-
-    ssh::config { PermitRootLogin:
-        value => "no",
-    }
-
-    ssh::config { PermitEmptyPasswords:
-        value => "no",
-    }
-
-    ssh::config { PasswordAuthentication:
-        value => "no",
-    }
-
-    ssh::config { ChallengeResponseAuthentication:
-        value => "yes",
-    }
-
-    # Disables other authentication methods (you MAY want to change some of these settings)
-
-    ssh::config { IgnoreRhosts:
-        value => "yes",
-    }
-
-    ssh::config { HostbasedAuthentication:
-        value => "no",
-    }
-
-    ssh::config { PubkeyAuthentication:
-        value => "no",
-    }
-
-    ssh::config { RhostsRSAAuthentication:
-        value => "no",
-    }
-
-    ssh::config { RSAAuthentication:
-        value => "no",
-    }
-
-    ssh::config { KerberosAuthentication:
-        value => "no",
-    }
-
-    ssh::config { GSSAPIAuthentication:
-        value => "no",
-    }
-
-}