factor everything into its own file

This commit is contained in:
mh 2009-09-29 19:53:04 +02:00 committed by Micah Anderson
parent 57eae8bc84
commit 5e20e07d1f
12 changed files with 196 additions and 203 deletions

96
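--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -0,0 +1,96 @@
+class sshd::base {
+# prepare variables to use in templates
+case $sshd_listen_address {
+'': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+}
+case $sshd_allowed_users {
+'': { $sshd_allowed_users = '' }
+}
+case $sshd_allowed_groups {
+'': { $sshd_allowed_groups = '' }
+}
+case $sshd_use_pam {
+'': { $sshd_use_pam = 'no' }
+}
+case $sshd_permit_root_login {
+'': { $sshd_permit_root_login = 'without-password' }
+}
+case $sshd_password_authentication {
+'': { $sshd_password_authentication = 'no' }
+}
+case $sshd_tcp_forwarding {
+'': { $sshd_tcp_forwarding = 'no' }
+}
+case $sshd_x11_forwarding {
+'': { $sshd_x11_forwarding = 'no' }
+}
+case $sshd_agent_forwarding {
+'': { $sshd_agent_forwarding = 'no' }
+}
+case $sshd_challenge_response_authentication {
+'': { $sshd_challenge_response_authentication = 'no' }
+}
+case $sshd_pubkey_authentication {
+'': { $sshd_pubkey_authentication = 'yes' }
+}
+case $sshd_rsa_authentication {
+'': { $sshd_rsa_authentication = 'no' }
+}
+case $sshd_strict_modes {
+'': { $sshd_strict_modes = 'yes' }
+}
+case $sshd_ignore_rhosts {
+'': { $sshd_ignore_rhosts = 'yes' }
+}
+case $sshd_rhosts_rsa_authentication {
+'': { $sshd_rhosts_rsa_authentication = 'no' }
+}
+case $sshd_hostbased_authentication {
+'': { $sshd_hostbased_authentication = 'no' }
+}
+case $sshd_permit_empty_passwords {
+'': { $sshd_permit_empty_passwords = 'no' }
+}
+case $sshd_port {
+'': { $sshd_port = 22 }
+}
+case $sshd_authorized_keys_file {
+'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+}
+case $sshd_sftp_subsystem {
+'': { $sshd_sftp_subsystem = '' }
+}
+case $sshd_additional_options {
+'': { $sshd_additional_options = '' }
+}
+file { 'sshd_config':
+path => '/etc/ssh/sshd_config',
+owner => root,
+group => 0,
+mode => 600,
+content => $lsbdistcodename ? {
+'' => template("sshd/sshd_config/${operatingsystem}.erb"),
+default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+},
+notify => Service[sshd],
+}
+# Now add the key, if we've got one
+case $sshrsakey_key {
+'': { info("no sshrsakey on $fqdn") }
+default: {
+@@sshkey{"$hostname.$domain":
+type => ssh-rsa,
+key => $sshrsakey_key,
+ensure => present,
+}
+}
+}
+service{'sshd':
+name => 'sshd',
+enable => true,
+ensure => running,
+hasstatus => true,
+require => File[sshd_config],
+}
+}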
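Review bot: The `if $use_nagios` block that the old `sshd::base` carried (it survives as context in the init.pp hunk, around the `nagios::service` declaration) is not part of the new base.pp, so unless it was kept elsewhere the ssh port check silently disappears for every node; please confirm where it landed. The template path under `content => $lsbdistcodename ? { ... }` is assembled from the node-reported `$operatingsystem` and `$lsbdistcodename` facts, which nothing in this class checks against the set of templates that exist, so an unexpected fact value surfaces only as a template-not-found failure at catalog compile time; an explicit `case` over the expected values, mirroring the `case $operatingsystem` in init.pp, would make that failure mode a clear error. Finally, `mode => 600` should be a zero-padded string, `mode => '0600'`, matching the `0644` used for ssh_known_hosts in client/base.pp and avoiding the bare-number mode ambiguity.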


@ -10,26 +10,7 @@ class sshd::client {
}
}
}
}
class sshd::client::base {
# this is needed because the gid might have changed
file { '/etc/ssh/ssh_known_hosts':
mode => 0644, owner => root, group => 0;
}
# Now collect all server keys
Sshkey <<||>>
}
class sshd::client::linux inherits sshd::client::base {
package {'openssh-clients':
ensure => installed,
}
}
class sshd::client::debian inherits sshd::client::linux {
Package['openssh-clients']{
name => 'openssh-client',
if $use_shorewall{
include shorewall::rules::out::ssh
}
}

9
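--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -0,0 +1,9 @@
+class sshd::client::base {
+# this is needed because the gid might have changed
+file { '/etc/ssh/ssh_known_hosts':
+mode => 0644, owner => root, group => 0;
+}
+# Now collect all server keys
+Sshkey <<||>>
+}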
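Review bot: `Sshkey <<||>>` collects every exported sshkey held in storeconfigs with no filter, so each client's ssh_known_hosts reflects whatever any node exported under any hostname, and the `@@sshkey` in base.pp does not tag its export either. Tagging the export (`tag => 'sshd'` on the `@@sshkey` in base.pp) and narrowing the collector here to `Sshkey <<| tag == 'sshd' |>>` limits collection to keys this module produced and makes stray entries easy to spot. The comment `# this is needed because the gid might have changed` would read better as `# reassert owner/group/mode on the file the collected Sshkey entries are written to`.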


@ -0,0 +1,5 @@
class sshd::client::debian inherits sshd::client::linux {
Package['openssh-clients']{
name => 'openssh-client',
}
}


@ -0,0 +1,5 @@
class sshd::client::linux inherits sshd::client::base {
package {'openssh-clients':
ensure => installed,
}
}

13
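--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -0,0 +1,13 @@
+class sshd::debian inherits sshd::linux {
+# the templates for Debian need lsbdistcodename
+include assert_lsbdistcodename
+Package[openssh]{
+name => 'openssh-server',
+}
+Service[sshd]{
+name => 'ssh',
+hasstatus => false,
+}
+}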
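Review bot: `hasstatus => false` on `Service[sshd]` makes Puppet decide whether the daemon is running by scanning the process table for the service name, here `ssh`, which also matches ssh client and ssh-agent processes on the host, so a running client session can mask a stopped sshd. Pinning the match with `pattern => '/usr/sbin/sshd'` in the same override keeps the status decision on the daemon itself. Whether the Debian init script of the targeted releases supports `status` is not visible here; if it does, dropping `hasstatus => false` is the simpler fix.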

5
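--- a/manifests/gentoo.pp
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class sshd::gentoo inherits sshd::linux {
+Package[openssh]{
+category => 'net-misc',
+}
+}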


@ -123,198 +123,20 @@ class sshd {
case $operatingsystem {
gentoo: { include sshd::gentoo }
redhat: { include sshd::redhat }
redhat,centos: { include sshd::redhat }
centos: { include sshd::centos }
openbsd: { include sshd::openbsd }
debian: { include sshd::debian }
ubuntu: { include sshd::ubuntu }
debian,ubuntu: { include sshd::debian }
default: { include sshd::default }
}
}
class sshd::base {
# prepare variables to use in templates
case $sshd_listen_address {
'': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
}
case $sshd_allowed_users {
'': { $sshd_allowed_users = '' }
}
case $sshd_allowed_groups {
'': { $sshd_allowed_groups = '' }
}
case $sshd_use_pam {
'': { $sshd_use_pam = 'no' }
}
case $sshd_permit_root_login {
'': { $sshd_permit_root_login = 'without-password' }
}
case $sshd_password_authentication {
'': { $sshd_password_authentication = 'no' }
}
case $sshd_tcp_forwarding {
'': { $sshd_tcp_forwarding = 'no' }
}
case $sshd_x11_forwarding {
'': { $sshd_x11_forwarding = 'no' }
}
case $sshd_agent_forwarding {
'': { $sshd_agent_forwarding = 'no' }
}
case $sshd_challenge_response_authentication {
'': { $sshd_challenge_response_authentication = 'no' }
}
case $sshd_pubkey_authentication {
'': { $sshd_pubkey_authentication = 'yes' }
}
case $sshd_rsa_authentication {
'': { $sshd_rsa_authentication = 'no' }
}
case $sshd_strict_modes {
'': { $sshd_strict_modes = 'yes' }
}
case $sshd_ignore_rhosts {
'': { $sshd_ignore_rhosts = 'yes' }
}
case $sshd_rhosts_rsa_authentication {
'': { $sshd_rhosts_rsa_authentication = 'no' }
}
case $sshd_hostbased_authentication {
'': { $sshd_hostbased_authentication = 'no' }
}
case $sshd_permit_empty_passwords {
'': { $sshd_permit_empty_passwords = 'no' }
}
case $sshd_port {
'': { $sshd_port = 22 }
}
case $sshd_authorized_keys_file {
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
}
case $sshd_sftp_subsystem {
'': { $sshd_sftp_subsystem = '' }
}
case $sshd_additional_options {
'': { $sshd_additional_options = '' }
}
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
owner => root,
group => 0,
mode => 600,
content => $lsbdistcodename ? {
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
},
notify => Service[sshd],
}
# Now add the key, if we've got one
case $sshrsakey_key {
'': { info("no sshrsakey on $fqdn") }
default: {
@@sshkey{"$hostname.$domain":
type => ssh-rsa,
key => $sshrsakey_key,
ensure => present,
}
}
}
service{'sshd':
name => 'sshd',
enable => true,
ensure => running,
hasstatus => true,
require => File[sshd_config],
}
if $use_nagios {
if $nagios_check_ssh {
nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }
}
}
}
class sshd::linux inherits sshd::base {
package{openssh:
ensure => present,
}
File[sshd_config]{
require +> Package[openssh],
}
}
class sshd::gentoo inherits sshd::linux {
Package[openssh]{
category => 'net-misc',
}
}
class sshd::debian inherits sshd::linux {
# the templates for Debian need lsbdistcodename
include assert_lsbdistcodename
Package[openssh]{
name => 'openssh-server',
}
Service[sshd]{
name => 'ssh',
hasstatus => false,
}
}
class sshd::ubuntu inherits sshd::debian {}
class sshd::redhat inherits sshd::linux {
Package[openssh]{
name => 'openssh-server',
}
}
class sshd::centos inherits sshd::redhat {}
class sshd::openbsd inherits sshd::base {
Service[sshd]{
restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
start => '/usr/sbin/sshd',
hasstatus => false,
}
}
### defines
# wrapper to have some defaults.
define sshd::ssh_authorized_key(
$type = 'ssh-dss',
$key,
$user = 'root',
$target = 'absent',
$options = 'absent'
){
case $target {
'absent': {
case $user {
'root': { $real_target = '/root/.ssh/authorized_keys' }
default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
}
}
default: {
$real_target = $target
}
}
ssh_authorized_key{$name:
type => $type,
key => $key,
user => $user,
target => $real_target,
}
case $options {
'absent': { info("not setting any option for ssh_authorized_key: $name") }
default: {
Ssh_authorized_key[$name]{
options => $options,
}
}
if $use_shorewall{
include shorewall::rules::ssh
}
}
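Review bot: The nagios check that survives as context, `nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }`, depends on `$sshd_port`, but the only place that defaults it to 22 is the `case $sshd_port` block that now lives in sshd::base; if this check now sits in class sshd rather than sshd::base (the new side is not fully recoverable from the rendered page), nodes without an explicit `$sshd_port` register a check named `ssh_<fqdn>_port_` with an empty port argument. Either keep the check next to the defaulting code or resolve the port explicitly before using it. The merged arms `redhat,centos:` and `debian,ubuntu:` also drop the `sshd::ubuntu` and `sshd::centos` classes, so any manifest that referenced those class names needs the same update. The enclosing `class sshd` starts before this hunk.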

8
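--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -0,0 +1,8 @@
+class sshd::linux inherits sshd::base {
+package{openssh:
+ensure => present,
+}
+File[sshd_config]{
+require +> Package[openssh],
+}
+}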

8
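--- a/manifests/openbsd.pp
+++ b/manifests/openbsd.pp
@@ -0,0 +1,8 @@
+class sshd::openbsd inherits sshd::base {
+Service[sshd]{
+restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
+stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+start => '/usr/sbin/sshd',
+hasstatus => false,
+}
+}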

5
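--- a/manifests/redhat.pp
+++ b/manifests/redhat.pp
@@ -0,0 +1,5 @@
+class sshd::redhat inherits sshd::linux {
+Package[openssh]{
+name => 'openssh-server',
+}
+}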


@ -0,0 +1,36 @@
# wrapper to have some defaults.
define sshd::ssh_authorized_key(
$type = 'ssh-dss',
$key,
$user = 'root',
$target = 'absent',
$options = 'absent'
){
case $target {
'absent': {
case $user {
'root': { $real_target = '/root/.ssh/authorized_keys' }
default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
}
}
default: {
$real_target = $target
}
}
ssh_authorized_key{$name:
type => $type,
key => $key,
user => $user,
target => $real_target,
}
case $options {
'absent': { info("not setting any option for ssh_authorized_key: $name") }
default: {
Ssh_authorized_key[$name]{
options => $options,
}
}
}
}
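Review bot: The default `$type = 'ssh-dss'` selects DSA, which OpenSSH limits to 1024-bit keys and has since deprecated upstream; unless existing callers depend on the default, `$type = 'ssh-rsa'` is the safer baseline for a wrapper whose purpose is to supply defaults. The `default: { $real_target = "/home/${user}/.ssh/authorized_keys" }` arm hard-codes the home directory layout, so an account whose home is elsewhere gets its key written to a path sshd never reads; the native `ssh_authorized_key` type derives the target from the account's home when `target` is left unset (worth confirming for the Puppet version in use), so passing `target` only when the caller supplied one would be both shorter and correct for those accounts. The header comment `# wrapper to have some defaults.` would be more useful as `# Wrapper around ssh_authorized_key: defaults type and user, derives the authorized_keys path from $user, and applies $options only when given.`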