provizioning 0.9.17 → 0.9.18

@@ -77,6 +77,7 @@ apt-get -y autoremove
77
77
  ##############################################################################
78
78
 
79
79
  gem install puppet --no-ri --no-rdoc
80
- puppet resource group puppet ensure=present
80
+ groupadd puppet
81
+ #puppet resource group puppet ensure=present
81
82
  puppet resource user puppet ensure=present gid=puppet shell='/sbin/nologin'
82
83
  reboot
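Review bot: The new `groupadd puppet` line is not idempotent: shadow-utils' groupadd exits non-zero when the group already exists, so re-running bootstrap.sh on a host that already has the group fails at this point (and aborts the whole script if it runs under `set -e`, which is outside the hunk), whereas the `puppet resource group` call it replaces was safe to repeat. Guard it, e.g. `getent group puppet >/dev/null 2>&1 || groupadd puppet` or `groupadd -f puppet`. The commented-out old form on the next line gives no reason for the swap; a one-line comment stating why the `puppet resource` form was dropped would stop someone restoring it, and the `puppet resource user` line that follows still depends on the gem being installed at that point. The surrounding script starts and ends outside the hunk.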
@@ -12,7 +12,7 @@ Capistrano::Configuration.instance(:must_exist).load do
12
12
  desc "Deploy our puppet recipes to the server"
13
13
  task :deploy_recipes do
14
14
  with_puppet_user do
15
- run "rm -rf #{puppet_path}"
15
+ run "#{try_sudo} rm -rf #{puppet_path}"
16
16
  upload File.expand_path("../../../puppet", __FILE__), puppet_path
17
17
  end
18
18
  end
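Review bot: `run "#{try_sudo} rm -rf #{puppet_path}"` now deletes as root whatever `puppet_path` interpolates to, unquoted and unchecked: a value with whitespace or shell metacharacters expands into extra arguments, and while an unset variable makes Capistrano raise, an empty string or `/` passes straight through to `sudo rm -rf`. Refuse degenerate values and shell-escape the path (`String#shellescape`, from `shellwords`): `raise ArgumentError, "puppet_path must be an absolute, non-root path" unless puppet_path.to_s.start_with?('/') && puppet_path != '/'` followed by `run "#{try_sudo} rm -rf -- #{puppet_path.shellescape}"`. The same unquoted interpolation appears in the `puppet apply` line of the hunk at `-70,7 +70,7`, where `--templatedir #{puppet_path}/classes` and `#{manifest}` are passed to a sudo'd shell without escaping. The enclosing `Capistrano::Configuration.instance(:must_exist).load do` block starts outside the hunk.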
@@ -35,7 +35,7 @@ Capistrano::Configuration.instance(:must_exist).load do
35
35
  desc 'Bootstrap puppet'
36
36
  task :bootstrap do
37
37
  with_puppet_user do
38
- run "wget -q -O - https://raw.github.com/seasonlabs/provizioning/master/bootstrap/bootstrap.sh | sh"
38
+ run "wget -q -O - https://raw.github.com/seasonlabs/provizioning/master/bootstrap/bootstrap.sh | #{try_sudo} sh"
39
39
  end
40
40
  end
41
41
 
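Review bot: The bootstrap line still fetches an unpinned script from the `master` branch and now pipes it straight into `#{try_sudo} sh`, so whatever that URL serves at deploy time runs as root with no integrity check; because `wget -q` is silent and the pipeline's exit status is `sh`'s, a failed or truncated download is executed silently instead of failing the task. Download to a file and gate the execution on the transfer succeeding, e.g. `run "f=$(mktemp) && wget -q -O \"$f\" https://raw.github.com/seasonlabs/provizioning/master/bootstrap/bootstrap.sh && #{try_sudo} sh \"$f\""`, and pin the URL to a release tag or commit rather than `master`. Since the repository carries its own `bootstrap.sh` (edited in the first hunk), uploading that copy the way `deploy_recipes` uploads the puppet tree would remove the network dependency altogether. The enclosing task block starts outside the hunk.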
@@ -70,7 +70,7 @@ Capistrano::Configuration.instance(:must_exist).load do
70
70
  dryrun_option = fetch('puppet_dryrun') ? "--noop " : ""
71
71
  debug_option = fetch('puppet_debug') ? "-d " : ""
72
72
  with_puppet_user do
73
- run "puppet apply --modulepath '#{puppet_app_modules_path}:#{puppet_path}/modules' --templatedir #{puppet_path}/classes #{dryrun_option}-v #{debug_option}#{manifest}", options
73
+ run "#{try_sudo} puppet apply --modulepath '#{puppet_app_modules_path}:#{puppet_path}/modules' --templatedir #{puppet_path}/classes #{dryrun_option}-v #{debug_option}#{manifest}", options
74
74
  end
75
75
  end
76
76
 
@@ -1,3 +1,3 @@
1
1
  module Provizioning
2
- VERSION = "0.9.17"
2
+ VERSION = "0.9.18"
3
3
  end
@@ -18,8 +18,7 @@ class apache {
18
18
  }
19
19
 
20
20
  user { $apache_user:
21
- groups => application,
22
- require => [Package[httpd], Class["base::application"]],
21
+ require => [Package[httpd]],
23
22
  notify => Service[httpd]
24
23
  }
25
24
 
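Review bot: Dropping `groups => application` from `user { $apache_user: ... }` does not remove the apache user from that group on hosts already provisioned — Puppet's `user` type only enforces the groups listed (its `membership` defaults to `minimum`) — so existing hosts keep the membership while freshly built ones will not, and anything under `base::application` that relied on it will behave differently between the two populations. The removed `require => Class["base::application"]` also drops the ordering that guaranteed the application group existed before this user was created; whether anything still provides that order is not visible here. If the membership is meant to go, state it with a comment such as `# apache is no longer a member of 'application'; TODO confirm no shared-file access depends on it` and consider an explicit removal on upgraded hosts. The enclosing `class apache` starts outside the hunk.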
@@ -1,74 +1,19 @@
1
- import "*.pp"
2
-
1
+ # Manage a bit of ssh properties
3
2
  class ssh {
4
-
5
- package { ssh:
6
- name => $operatingsystem ? {
7
- default => "openssh",
8
- },
9
- ensure => present,
3
+ define append_ssh_key_to_root($key) {
4
+ append_ssh_key_to_user {$name:
5
+ user => "root",
6
+ key => $key,
10
7
  }
11
-
12
- package { ssh-client:
13
- name => $operatingsystem ? {
14
- default => "openssh-clients",
15
- },
16
- ensure => present,
8
+ }
9
+
10
+ define append_ssh_key_to_user($user, $key, $key_type="ssh-rsa") {
11
+ ssh_authorized_key {$name:
12
+ ensure => present,
13
+ user => $user,
14
+ key => $key,
15
+ name => $name,
16
+ type => $key_type,
17
17
  }
18
-
19
- }
20
-
21
- class ssh::server {
22
-
23
- include ssh
24
-
25
- package { sshd:
26
- name => $operatingsystem ? {
27
- default => "openssh-server",
28
- },
29
- ensure => present,
30
- }
31
-
32
- service { sshd:
33
- name => $operatingsystem ? {
34
- default => "sshd",
35
- },
36
- ensure => running,
37
- enable => true,
38
- hasrestart => true,
39
- hasstatus => true,
40
- require => Package["sshd"],
41
- subscribe => File["sshd.conf"],
42
- }
43
-
44
- file {
45
- "sshd_config":
46
- mode => 600, owner => root, group => root,
47
- require => Package[ssh-server],
48
- ensure => present,
49
- path => $operatingsystem ?{
50
- default => "/etc/ssh/sshd_config",
51
- },
52
- }
53
-
54
- }
55
-
56
- define ssh::config ($value) {
57
-
58
- # Augeas version.
59
- augeas {
60
- "sshd_config_$name":
61
- context => "/files/etc/ssh/sshd_config",
62
- changes => "set $name $value",
63
- onlyif => "get $name != $value",
64
- # onlyif => "match $name/*[.='$value'] size == 0",
65
- }
66
-
67
- # Davids' replaceline version (to fix)
68
- # replaceline {
69
- # "sshd_config_$name":
70
- # file => "/etc/ssh/sshd_config",
71
- # pattern => "$name",
72
- # replacement => "^$name $value",
73
- # }
74
- }
18
+ }
19
+ }
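Review bot: `append_ssh_key_to_user` hard-codes `ensure => present` on the `ssh_authorized_key`, so a key installed through it — including root keys via `append_ssh_key_to_root` — cannot be revoked from the manifests; it would have to be deleted by hand on every host. Thread an `$ensure` parameter through both defines so removal is declarative. This hunk also deletes the `ssh::config` define and the `ssh::server` resources that managed `sshd_config` ownership and mode, and the `ssh::eal4` class removed later in this diff was the only place setting `PermitRootLogin no` and `PasswordAuthentication no`; with the module now installing keys for root directly, the sshd login policy is left to the distribution default and is no longer managed anywhere visible in this diff.
```puppet
  define append_ssh_key_to_root($key, $ensure = "present") {
    append_ssh_key_to_user {$name:
      user   => "root",
      key    => $key,
      ensure => $ensure,
    }
  }

  define append_ssh_key_to_user($user, $key, $key_type = "ssh-rsa", $ensure = "present") {
    ssh_authorized_key {$name:
      ensure => $ensure,
      # … unchanged: user, key, name, type …
    }
  }
```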
@@ -0,0 +1,8 @@
1
+ source :rubygems
2
+
3
+ puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 2.7']
4
+
5
+ gem 'rake'
6
+ gem 'puppet-lint'
7
+ gem 'rspec-puppet'
8
+ gem 'puppet', puppetversion
@@ -0,0 +1,19 @@
1
+ Copyright (C) 2011 by Eivind Uggedal <eivind@uggedal.com>
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining a copy
4
+ of this software and associated documentation files (the "Software"), to deal
5
+ in the Software without restriction, including without limitation the rights
6
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
7
+ copies of the Software, and to permit persons to whom the Software is
8
+ furnished to do so, subject to the following conditions:
9
+
10
+ The above copyright notice and this permission notice shall be included in
11
+ all copies or substantial portions of the Software.
12
+
13
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
19
+ THE SOFTWARE.
@@ -0,0 +1,13 @@
1
+ name 'uggedal-puppet-module-ufw'
2
+ version '1.0.0'
3
+
4
+ author 'Eivind Uggedal <eivind@uggedal.com>'
5
+ license 'MIT License'
6
+ project_page 'https://github.com/uggedal/puppet-module-ufw'
7
+ source 'git://github.com/uggedal/puppet-module-ufw.git'
8
+ summary 'Puppet UFW Module'
9
+ description 'Module for configuring UFW (Uncomplicated Firewall).
10
+
11
+ Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with
12
+ Puppet 2.6. Patches for other operating systems are welcome.'
13
+ dependency 'puppetlabs/stdlib', '>=2.2.1'
@@ -0,0 +1,63 @@
1
+ Puppet UFW Module
2
+ =================
3
+
4
+ Module for configuring UFW (Uncomplicated Firewall).
5
+
6
+ Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with
7
+ Puppet 2.6. Patches for other operating systems are welcome.
8
+
9
+
10
+ Installation
11
+ ------------
12
+
13
+ Clone this repo to a ufw directory under your Puppet modules directory:
14
+
15
+ git clone git://github.com/uggedal/puppet-module-ufw.git ufw
16
+
17
+ If you don't have a Puppet Master you can create a manifest file
18
+ based on the notes below and run Puppet in stand-alone mode
19
+ providing the module directory you cloned this repo to:
20
+
21
+ puppet apply --modulepath=modules test_ufw.pp
22
+
23
+
24
+ Usage
25
+ -----
26
+
27
+ If you include the ufw class the package will be installed, the service
28
+ will be enabled, and all incomming connections will be denied:
29
+
30
+ include ufw
31
+
32
+ Note that you'll need to define a global search path for the `exec`
33
+ resource to make this module function properly. This should ideally be
34
+ placed in `manifests/site.pp`:
35
+
36
+ Exec {
37
+ path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
38
+ }
39
+
40
+ You can then allow certain connections:
41
+
42
+ ufw::allow { "allow-ssh-from-all":
43
+ port => 22,
44
+ }
45
+
46
+ ufw::allow { "allow-all-from-trusted":
47
+ from => "10.0.0.145",
48
+ }
49
+
50
+ ufw::allow { "allow-http-on-specific-interface":
51
+ port => 80,
52
+ ip => "10.0.0.20",
53
+ }
54
+
55
+ ufw::allow { "allow-dns-over-udp":
56
+ port => 53,
57
+ proto => "udp",
58
+ }
59
+
60
+ You can also rate limit certain ports (the IP is blocked if it initiates
61
+ 6 or more connections within 30 seconds):
62
+
63
+ ufw::limit { 22: }
@@ -0,0 +1,17 @@
1
+ require 'rake'
2
+
3
+ begin
4
+ require 'rspec/core/rake_task'
5
+ require 'puppet-lint/tasks/puppet-lint'
6
+ rescue LoadError
7
+ require 'rubygems'
8
+ retry
9
+ end
10
+
11
+ RSpec::Core::RakeTask.new(:spec) do |t|
12
+ t.pattern = 'spec/*/*_spec.rb'
13
+ end
14
+
15
+ task :test => [:spec, :lint]
16
+
17
+ task :default => :test
@@ -0,0 +1,31 @@
1
+ define ufw::allow($proto='tcp', $port='all', $ip='', $from='any') {
2
+
3
+ if $::ipaddress_eth0 != undef {
4
+ $ipadr = $ip ? {
5
+ '' => $::ipaddress_eth0,
6
+ default => $ip,
7
+ }
8
+ } else {
9
+ $ipadr = 'any'
10
+ }
11
+
12
+ $from_match = $from ? {
13
+ 'any' => 'Anywhere',
14
+ default => $from,
15
+ }
16
+
17
+ exec { "ufw-allow-${proto}-from-${from}-to-${ipadr}-port-${port}":
18
+ command => $port ? {
19
+ 'all' => "ufw allow proto $proto from $from to $ipadr",
20
+ default => "ufw allow proto $proto from $from to $ipadr port $port",
21
+ },
22
+ unless => "$ipadr:$port" ? {
23
+ 'any:all' => "ufw status | grep -E \" +ALLOW +$from_match\"",
24
+ /[0-9]:all$/ => "ufw status | grep -E \"$ipadr/$proto +ALLOW +$from_match\"",
25
+ /^any:[0-9]/ => "ufw status | grep -E \"$port/$proto +ALLOW +$from_match\"",
26
+ default => "ufw status | grep -E \"$ipadr $port/$proto +ALLOW +$from_match\"",
27
+ },
28
+ require => Exec['ufw-default-deny'],
29
+ before => Exec['ufw-enable'],
30
+ }
31
+ }
@@ -0,0 +1,29 @@
1
+ define ufw::deny($proto='tcp', $port='all', $ip='', $from='any') {
2
+
3
+ if $::ipaddress_eth0 != undef {
4
+ $ipadr = $ip ? {
5
+ '' => $::ipaddress_eth0,
6
+ default => $ip,
7
+ }
8
+ } else {
9
+ $ipadr = 'any'
10
+ }
11
+
12
+ $from_match = $from ? {
13
+ 'any' => 'Anywhere',
14
+ default => "$from/$proto",
15
+ }
16
+
17
+ exec { "ufw-deny-${proto}-from-${from}-to-${ipadr}-port-${port}":
18
+ command => $port ? {
19
+ 'all' => "ufw deny proto $proto from $from to $ipadr",
20
+ default => "ufw deny proto $proto from $from to $ipadr port $port",
21
+ },
22
+ unless => $port ? {
23
+ 'all' => "ufw status | grep -E \"$ipadr/$proto +DENY +$from_match\"",
24
+ default => "ufw status | grep -E \"$ipadr $port/$proto +DENY +$from_match\"",
25
+ },
26
+ require => Exec['ufw-default-deny'],
27
+ before => Exec['ufw-enable'],
28
+ }
29
+ }
@@ -1,12 +1,24 @@
1
1
  class ufw {
2
- package{ "ufw":
3
- ensure => installed,
2
+ package { 'ufw':
3
+ ensure => present,
4
4
  }
5
-
6
- exec { "Set default rules":
7
- user => "root",
8
- path => "/usr/bin:/usr/sbin:/bin",
9
- command => "ufw allow to 0.0.0.0/0 port 80 && ufw allow to 0.0.0.0/0 port 443 && ufw allow to 0.0.0.0/0 port 3000 && ufw allow 10000:10020/tcp && ufw allow to 0.0.0.0/0 port 22",
10
- require => Package["ufw"],
5
+
6
+ Package['ufw'] -> Exec['ufw-default-deny'] -> Exec['ufw-enable']
7
+
8
+ exec { 'ufw-default-deny':
9
+ command => 'ufw default deny',
10
+ unless => 'ufw status verbose | grep "Default: deny (incoming), allow (outgoing)"',
11
11
  }
12
- }
12
+
13
+ exec { 'ufw-enable':
14
+ command => 'yes | ufw enable',
15
+ unless => 'ufw status | grep "Status: active"',
16
+ }
17
+
18
+ service { 'ufw':
19
+ ensure => running,
20
+ enable => true,
21
+ hasstatus => true,
22
+ subscribe => Package['ufw'],
23
+ }
24
+ }
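Review bot: The replacement class runs `yes | ufw enable` right after `ufw default deny` with no allow rule for the SSH port, whereas the class it replaces explicitly allowed port 22 (and 80, 443, 3000 and 10000:10020) before anything was active. Any node that includes `ufw` therefore also needs a `ufw::allow` for its management port in the same catalog — the module's allow defines are ordered `before => Exec['ufw-enable']`, so that is enough — or subsequent SSH connections to the host will be refused once the first run completes. A comment above the enable exec would make this visible: `# enabling activates default-deny: declare ufw::allow for the SSH port in the same catalog`. The `service { 'ufw': }` resource is not ordered relative to `Exec['ufw-enable']`; whether that matters depends on the init script, which is not shown here.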
@@ -0,0 +1,7 @@
1
+ define ufw::limit($proto='tcp') {
2
+ exec { "ufw limit $name/$proto":
3
+ unless => "ufw status | grep -E \"^$name/$proto +LIMIT +Anywhere\"",
4
+ require => Exec['ufw-default-deny'],
5
+ before => Exec['ufw-enable'],
6
+ }
7
+ }
@@ -0,0 +1,33 @@
1
+ {
2
+ "name": "uggedal-puppet-module-ufw",
3
+ "author": "Eivind Uggedal \u003ceivind@uggedal.com\u003e",
4
+ "description": "Module for configuring UFW (Uncomplicated Firewall).\n\nTested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with\nPuppet 2.6. Patches for other operating systems are welcome.",
5
+ "license": "MIT License",
6
+ "project_page": "https://github.com/uggedal/puppet-module-ufw",
7
+ "source": "git://github.com/uggedal/puppet-module-ufw.git",
8
+ "summary": "Puppet UFW Module",
9
+ "version": "1.0.0",
10
+ "checksums": {
11
+ "Gemfile": "7a90ba90918a5972eb038190feaf7fb4",
12
+ "LICENSE": "2d9c14720c9adef6ab3197a70adb690c",
13
+ "Modulefile": "996b93de77287312124328bf7aa9f6dd",
14
+ "README.md": "361ee8c51c9ab4c2983f100dbc500ace",
15
+ "Rakefile": "30135290361360248d8139853a15c8a2",
16
+ "manifests/allow.pp": "2d6bcf6fbd6565d5c523feecfa5a0a2f",
17
+ "manifests/deny.pp": "99d3a9e0415b1b3c37114acd51caedb8",
18
+ "manifests/init.pp": "fa6506b5c8d4926453c2a9539ef0c65a",
19
+ "manifests/limit.pp": "096c50250cbdbe4401ceae423714ea67",
20
+ "spec/spec.opts": "a600ded995d948e393fbe2320ba8e51c",
21
+ "spec/spec_helper.rb": "ca19ec4f451ebc7fdb035b52eae6e909",
22
+ "tests/allow.pp": "6c792330a86393231d9a5c5a2e0e9949",
23
+ "tests/deny.pp": "96377cee0084b96c14ff1a828961946f",
24
+ "tests/init.pp": "0571b366ccfc29695d3df3651845a9b3",
25
+ "tests/limit.pp": "6e4fe2cae76ef2488dc9e6263736e162"
26
+ },
27
+ "dependencies": [
28
+ {
29
+ "name": "puppetlabs/stdlib",
30
+ "version_requirement": "\u003e\u003d2.2.1"
31
+ }
32
+ ]
33
+ }
@@ -0,0 +1,6 @@
1
+ --format
2
+ s
3
+ --colour
4
+ --loadby
5
+ mtime
6
+ --backtrace
@@ -0,0 +1,18 @@
1
+ require 'pathname'
2
+ dir = Pathname.new(__FILE__).parent
3
+ $LOAD_PATH.unshift(dir, dir + 'lib', dir + '../lib')
4
+
5
+ require 'mocha'
6
+ require 'puppet'
7
+ gem 'rspec', '=1.2.9'
8
+ require 'spec/autorun'
9
+
10
+ Spec::Runner.configure do |config|
11
+ config.mock_with :mocha
12
+ end
13
+
14
+ # We need this because the RAL uses 'should' as a method. This
15
+ # allows us the same behaviour but with a different method name.
16
+ class Object
17
+ alias :must :should
18
+ end
@@ -0,0 +1,10 @@
1
+ Exec {
2
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
3
+ }
4
+
5
+ ufw::allow{ 'allow-all-from-trusted':
6
+ proto => 'udp',
7
+ port => 80,
8
+ ip => '10.0.0.1',
9
+ from => '10.0.0.2',
10
+ }
@@ -0,0 +1,10 @@
1
+ Exec {
2
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
3
+ }
4
+
5
+ ufw::deny{ 'allow-all-from-trusted':
6
+ proto => 'udp',
7
+ port => 80,
8
+ ip => '10.0.0.1',
9
+ from => '10.0.0.2',
10
+ }
@@ -0,0 +1,5 @@
1
+ Exec {
2
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
3
+ }
4
+
5
+ class { 'ufw': }
@@ -0,0 +1,5 @@
1
+ Exec {
2
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
3
+ }
4
+
5
+ ufw::limit { 22: }
@@ -0,0 +1,12 @@
1
+ class ufw {
2
+ package{ "ufw":
3
+ ensure => installed,
4
+ }
5
+
6
+ exec { "Set default rules":
7
+ user => "root",
8
+ path => "/usr/bin:/usr/sbin:/bin",
9
+ command => "ufw allow to 0.0.0.0/0 port 80 && ufw allow to 0.0.0.0/0 port 443 && ufw allow to 0.0.0.0/0 port 3000 && ufw allow 10000:10020/tcp && ufw allow to 0.0.0.0/0 port 22",
10
+ require => Package["ufw"],
11
+ }
12
+ }
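Review bot: This file is a verbatim copy of the replaced in-house `class ufw` parked under a module directory named `ufw.old`; Puppet's autoloader maps class `ufw` to `ufw/manifests/init.pp`, so this copy is never loaded unless something imports it, and if it ever is it declares a second `class ufw` alongside the new module's. It also preserves the wide-open rules (`ufw allow to 0.0.0.0/0 port 3000`, `ufw allow 10000:10020/tcp`) that the new default-deny module drops, so keeping it on the modulepath invites their reintroduction. Delete the directory — the content remains in git history — or at minimum add a header comment marking it retired and not to be imported.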
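--- a/data/puppet/site.pp
+++ b/data/puppet/site.pp
@@ -11,6 +11,6 @@ Exec {
 }
 
 import "classes/*"
-include base, gemrc, logrotate, ufw
+include base, gemrc, logrotate
 
 import "roles/*"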
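Review bot: Removing `ufw` from the `include` line means that, unless one of the `roles/*` manifests imported on the next line includes it, no node applies any firewall class after this release: the allow rules the old class managed are no longer enforced (rules already present on provisioned hosts are simply left as they are), and the new module's default-deny is never applied either. If the plan is to re-enable once the roles declare their `ufw::allow` rules, say so here, e.g. `# ufw: re-add once roles declare ufw::allow for SSH and the web ports`; if the firewall is intentionally dropped, the `ufw.old` copy added in this release should go too. Either way a release that silently stops managing the firewall deserves a line in the gem's changelog.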
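--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: provizioning
 version: !ruby/object:Gem::Version
-version: 0.9.17
+version: 0.9.18
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-10-23 00:00:00.000000000 Z
+date: 2012-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: capistrano
@@ -217,17 +217,29 @@ files:
 - puppet/modules/rvm/manifests/definitions/system_user.pp
 - puppet/modules/rvm/manifests/init.pp
 - puppet/modules/rvm/templates/passenger-apache.conf.erb
-- puppet/modules/ssh/README
-- puppet/modules/ssh/manifests/auth.pp
-- puppet/modules/ssh/manifests/auth.pp.good
-- puppet/modules/ssh/manifests/eal4.pp
 - puppet/modules/ssh/manifests/init.pp
 - puppet/modules/stow/manifests/init.pp
 - puppet/modules/sudo/files/sudoers
 - puppet/modules/sudo/manifests/init.pp
 - puppet/modules/sudo/manifests/install.pp
 - puppet/modules/sudo/manifests/sudoers.pp
+- puppet/modules/ufw.old/manifests/init.pp
+- puppet/modules/ufw/Gemfile
+- puppet/modules/ufw/LICENSE
+- puppet/modules/ufw/Modulefile
+- puppet/modules/ufw/README.md
+- puppet/modules/ufw/Rakefile
+- puppet/modules/ufw/manifests/allow.pp
+- puppet/modules/ufw/manifests/deny.pp
 - puppet/modules/ufw/manifests/init.pp
+- puppet/modules/ufw/manifests/limit.pp
+- puppet/modules/ufw/metadata.json
+- puppet/modules/ufw/spec/spec.opts
+- puppet/modules/ufw/spec/spec_helper.rb
+- puppet/modules/ufw/tests/allow.pp
+- puppet/modules/ufw/tests/deny.pp
+- puppet/modules/ufw/tests/init.pp
+- puppet/modules/ufw/tests/limit.pp
 - puppet/modules/webmin/manifests/init.pp
 - puppet/roles/blank.pp
 - puppet/site.pp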
@@ -1,4 +0,0 @@
1
- # Lab42 Puppet Infrastructure #
2
- # PROVIDED 'AS IS'
3
-
4
-
@@ -1,39 +0,0 @@
1
- # Fake null class
2
-
3
- class ssh::auth {
4
-
5
- define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
6
-
7
- }
8
-
9
-
10
- class keymaster {
11
- } # class keymaster
12
-
13
-
14
- define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
15
- } # define client
16
-
17
-
18
- define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
19
- } # define server
20
-
21
- } # class ssh::auth
22
-
23
-
24
- define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
25
-
26
- } # define ssh_auth_key_master
27
-
28
- define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
29
-
30
- } # define ssh_auth_key_client
31
-
32
- define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
33
-
34
- } # define ssh_auth_key_server
35
-
36
-
37
- define ssh_auth_key_namecheck ($parm, $value) {
38
- } # define namecheck
39
-
@@ -1,340 +0,0 @@
1
- # This class has been written by Andrew E. Schulman
2
- # It has been imported in Example42 under the terms of GPL3
3
- #
4
- # =========
5
- # ssh::auth
6
- # =========
7
- #
8
- # The latest official release and documentation for ssh::auth can always
9
- # be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
10
- #
11
- # Version: 0.3.2
12
- # Release date: 2009-12-29
13
-
14
- class ssh::auth {
15
-
16
- $keymaster_storage = "/var/lib/keys"
17
-
18
- Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
19
- Notify { withpath => false }
20
-
21
-
22
- ##########################################################################
23
-
24
-
25
- # ssh::auth::key
26
-
27
- # Declare keys. The approach here is just to define a bunch of
28
- # virtual resources, representing key files on the keymaster, client,
29
- # and server. The virtual keys are then realized by
30
- # ssh::auth::{keymaster,client,server}, respectively. The reason for
31
- # doing things that way is that it makes ssh::auth::key into a "one
32
- # stop shop" where users can declare their keys with all of their
33
- # parameters, whether those parameters apply to the keymaster, server,
34
- # or client. The real work of creating, installing, and removing keys
35
- # is done in the private definitions called by the virtual resources:
36
- # ssh_auth_key_{master,server,client}.
37
-
38
- define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
39
-
40
- ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
41
-
42
- # apply defaults
43
- $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
44
- $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }
45
- $_user = $user ? {
46
- "" => regsubst($title, '^([^@]*)@?.*$', '\1'),
47
- default => $user,
48
- }
49
- $_home = $home ? { "" => "/home/$_user", default => $home }
50
-
51
- ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
52
-
53
- @ssh_auth_key_master { $title:
54
- ensure => $ensure,
55
- force => $force,
56
- keytype => $keytype,
57
- length => $_length,
58
- maxdays => $maxdays,
59
- mindate => $mindate,
60
- }
61
- @ssh_auth_key_client { $title:
62
- ensure => $ensure,
63
- filename => $_filename,
64
- group => $group,
65
- home => $_home,
66
- user => $_user,
67
- }
68
- @ssh_auth_key_server { $title:
69
- ensure => $ensure,
70
- group => $group,
71
- home => $_home,
72
- options => $options,
73
- user => $_user,
74
- }
75
- }
76
-
77
-
78
- ##########################################################################
79
-
80
-
81
- # ssh::auth::keymaster
82
- #
83
- # Keymaster host:
84
- # Create key storage; create, regenerate, and remove key pairs
85
-
86
- class keymaster {
87
-
88
- # Set up key storage
89
-
90
- file { $ssh::auth::keymaster_storage:
91
- ensure => directory,
92
- owner => puppet,
93
- group => puppet,
94
- mode => 644,
95
- }
96
-
97
- # Realize all virtual master keys
98
- Ssh_auth_key_master <| |>
99
-
100
- } # class keymaster
101
-
102
-
103
- ##########################################################################
104
-
105
-
106
- # ssh::auth::client
107
- #
108
- # Install generated key pairs onto clients
109
-
110
- define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
111
-
112
- # Realize the virtual client keys.
113
- # Override the defaults set in ssh::auth::key, as needed.
114
- if $ensure { Ssh_auth_key_client <| title == $title |> { ensure => $ensure } }
115
- if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
116
- if $group { Ssh_auth_key_client <| title == $title |> { group => $group } }
117
-
118
- if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
119
- if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }
120
-
121
- realize Ssh_auth_key_client[$title]
122
-
123
- } # define client
124
-
125
-
126
- ##########################################################################
127
-
128
-
129
- # ssh::auth::server
130
- #
131
- # Install public keys onto clients
132
-
133
- define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
134
-
135
- # Realize the virtual server keys.
136
- # Override the defaults set in ssh::auth::key, as needed.
137
- if $ensure { Ssh_auth_key_server <| title == $title |> { ensure => $ensure } }
138
- if $group { Ssh_auth_key_server <| title == $title |> { group => $group } }
139
- if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
140
-
141
- if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
142
- if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }
143
-
144
- realize Ssh_auth_key_server[$title]
145
-
146
- } # define server
147
-
148
- } # class ssh::auth
149
-
150
-
151
- ##########################################################################
152
-
153
-
154
- # ssh_auth_key_master
155
- #
156
- # Create/regenerate/remove a key pair on the keymaster.
157
- # This definition is private, i.e. it is not intended to be called directly by users.
158
- # ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
159
-
160
- define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
161
-
162
- Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
163
- File {
164
- owner => puppet,
165
- group => puppet,
166
- mode => 600,
167
- }
168
-
169
- $keydir = "${ssh::auth::keymaster_storage}/${title}"
170
- $keyfile = "${keydir}/key"
171
-
172
- file {
173
- "$keydir":
174
- ensure => directory,
175
- mode => 644;
176
- "$keyfile":
177
- ensure => $ensure;
178
- "${keyfile}.pub":
179
- ensure => $ensure,
180
- mode => 644;
181
- }
182
-
183
- if $ensure == "present" {
184
-
185
- # Remove the existing key pair, if
186
- # * $force is true, or
187
- # * $maxdays or $mindate criteria aren't met, or
188
- # * $keytype or $length have changed
189
-
190
- $keycontent = file("${keyfile}.pub", "/dev/null")
191
- if $keycontent {
192
-
193
- if $force {
194
- $reason = "force=true"
195
- }
196
- if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
197
- $reason = "created before ${mindate}"
198
- }
199
- if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {
200
- $reason = "older than ${maxdays} days"
201
- }
202
- if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {
203
- if $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }
204
- else { if $length != $2 { $reason = "length changed: $2 -> $length" } }
205
- }
206
- if $reason {
207
- exec { "Revoke previous key ${title}: ${reason}":
208
- command => "rm $keyfile ${keyfile}.pub",
209
- before => Exec["Create key $title: $keytype, $length bits"],
210
- }
211
- }
212
- }
213
-
214
- # Create the key pair.
215
- # We "repurpose" the comment field in public keys on the keymaster to
216
- # store data about the key, i.e. $keytype and $length. This avoids
217
- # having to rerun ssh-keygen -l on every key at every run to determine
218
- # the key length.
219
- exec { "Create key $title: $keytype, $length bits":
220
- command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
221
- user => "puppet",
222
- group => "puppet",
223
- creates => $keyfile,
224
- require => File[$keydir],
225
- before => File[$keyfile, "${keyfile}.pub"],
226
- }
227
-
228
- } # if $ensure == "present"
229
-
230
- } # define ssh_auth_key_master
231
-
232
-
233
- ##########################################################################
234
-
235
-
236
- # ssh_auth_key_client
237
- #
238
- # Install a key pair into a user's account.
239
- # This definition is private, i.e. it is not intended to be called directly by users.
240
-
241
- define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
242
-
243
- File {
244
- owner => $user,
245
- group => $group,
246
- mode => 600,
247
- require => User[$user],
248
- }
249
-
250
- $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
251
- $key_tgt_file = "${home}/.ssh/$(unknown)" # on the client
252
-
253
- $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
254
- if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
255
- $keytype = $1
256
- $modulus = $2
257
- file {
258
- $key_tgt_file:
259
- ensure => $ensure,
260
- content => file($key_src_file, "/dev/null");
261
- "${key_tgt_file}.pub":
262
- ensure => $ensure,
263
- content => "$keytype $modulus $title\n",
264
- mode => 644;
265
- }
266
- } else {
267
- notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
268
- }
269
-
270
- } # define ssh_auth_key_client
271
-
272
-
273
- ##########################################################################
274
-
275
-
276
- # ssh_auth_key_server
277
- #
278
- # Install a public key into a server user's authorized_keys(5) file.
279
- # This definition is private, i.e. it is not intended to be called directly by users.
280
-
281
- define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
282
-
283
- # on the keymaster:
284
- $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
285
- $key_src_file = "${key_src_dir}/key.pub"
286
- # on the server:
287
- $key_tgt_file = "${home}/.ssh/authorized_keys"
288
-
289
- File {
290
- owner => $user,
291
- group => $group,
292
- require => User[$user],
293
- mode => 600,
294
- }
295
- Ssh_authorized_key {
296
- user => $user,
297
- target => $key_tgt_file,
298
- }
299
-
300
- if $ensure == "absent" {
301
- ssh_authorized_key { $title: ensure => "absent" }
302
- }
303
- else {
304
- $key_src_content = file($key_src_file, "/dev/null")
305
- if ! $key_src_content {
306
- notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
307
- } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
308
- err("Can't parse public key file $key_src_file")
309
- notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
310
- } else {
311
- $keytype = $1
312
- $modulus = $2
313
- ssh_authorized_key { $title:
314
- ensure => "present",
315
- type => $keytype,
316
- key => $modulus,
317
- options => $options ? { "" => undef, default => $options },
318
- }
319
- }} # if ... else ... else
320
- } # if ... else
321
-
322
- } # define ssh_auth_key_server
323
-
324
-
325
- ##########################################################################
326
-
327
-
328
- # ssh_auth_key_namecheck
329
- #
330
- # Check a name (e.g. key title or filename) for the allowed form
331
-
332
- define ssh_auth_key_namecheck ($parm, $value) {
333
- if $value !~ /^[A-Za-z0-9]/ {
334
- fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
335
- }
336
- if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
337
- fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
338
- }
339
- } # define namecheck
340
-
@@ -1,69 +0,0 @@
1
- class ssh::eal4 {
2
-
3
- # Cripto settings
4
- ssh::config { Protocol:
5
- value => "2",
6
- }
7
-
8
- ssh::config { Ciphers:
9
- value => "3des-cbc",
10
- }
11
-
12
- # X11 forwarding (You MAY allow)
13
- ssh::config { X11Forwarding:
14
- value => "no",
15
- }
16
-
17
-
18
- # Login settings
19
- ssh::config { UsePAM:
20
- value => "yes",
21
- }
22
-
23
- ssh::config { PermitRootLogin:
24
- value => "no",
25
- }
26
-
27
- ssh::config { PermitEmptyPasswords:
28
- value => "no",
29
- }
30
-
31
- ssh::config { PasswordAuthentication:
32
- value => "no",
33
- }
34
-
35
- ssh::config { ChallengeResponseAuthentication:
36
- value => "yes",
37
- }
38
-
39
- # Disables other authentication methods (you MAY want to change some of these settings)
40
-
41
- ssh::config { IgnoreRhosts:
42
- value => "yes",
43
- }
44
-
45
- ssh::config { HostbasedAuthentication:
46
- value => "no",
47
- }
48
-
49
- ssh::config { PubkeyAuthentication:
50
- value => "no",
51
- }
52
-
53
- ssh::config { RhostsRSAAuthentication:
54
- value => "no",
55
- }
56
-
57
- ssh::config { RSAAuthentication:
58
- value => "no",
59
- }
60
-
61
- ssh::config { KerberosAuthentication:
62
- value => "no",
63
- }
64
-
65
- ssh::config { GSSAPIAuthentication:
66
- value => "no",
67
- }
68
-
69
- }