[feat] Optinally disable exported resources
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
See merge request !21
If run masterless, we cannot export resources, so
we move them to an own class. Including it can be
disabled by passing "use_storedconfig" to the sshd
class.
autossh support
this series of commits adds support for autossh, to automatically create a tunnel with port forwarding.
we use this to login to *really* remote servers reliably, behind multiple NATs and satellite connexions.
it rocks.
See merge request !18
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
See merge request !17
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
See merge request !19
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
this is important to make it easier to guess the ssh port from the
central server.
we rely on ServerAliveInterval instead to reconnect when we lose the
server.
this was unintentionally removed in november 2012 in the isuma-autossh
package, saying it was "not supported everywhere" and due to some
confusion about the defaults (defaults are to *enable* the port). see
commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there.
sync LoginGraceTime with debian defaults
for some reason this was 10 minutes in our module, yet 120s everywhere else.
and only in wheezy too, wtf...
See merge request !13
add override_builtin parameter to handle the common authorized_key directory case
riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
See merge request !15
Some people might want to inject their own logic before including nagios
resources. We can explain that since the nagios resources are in their
own part of the manifests, they can shortcut the module's automatic
handling of it, and call it manually from their own manifests.
