Make an /etc/ssh/puppetkeys for future use, and have sshd read keys from there already
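# Class: ssh
#
# Installs the OpenSSH client and server, keeps sshd running, opens the
# firewall for the DSA source ranges, manages the client and server
# configuration, and keeps the two authorized-keys directories that the
# sshd_config template is expected to point at: /etc/ssh/userkeys (per-user
# files, only root's is managed here) and /etc/ssh/puppetkeys (fully
# puppet-owned, currently kept empty).
class ssh {

	package { [ 'openssh-client', 'openssh-server']:
		ensure => installed
	}

	service { 'ssh':
		ensure  => running,
		require => Package['openssh-server']
	}

	# Firewall holes for SSH.  The address lists ($SSH_SOURCES,
	# $SSH_V6_SOURCES) are ferm variables defined outside this class.
	ferm::rule { 'dsa-ssh':
		description => 'Allow SSH from DSA',
		rule        => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'
	}
	ferm::rule { 'dsa-ssh-v6':
		description => 'Allow SSH from DSA',
		domain      => 'ip6',
		rule        => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'
	}

	file { '/etc/ssh/ssh_config':
		content => template('ssh/ssh_config.erb'),
		require => Package['openssh-client']
	}
	file { '/etc/ssh/sshd_config':
		content => template('ssh/sshd_config.erb'),
		require => Package['openssh-server'],
		notify  => Service['ssh']
	}
	# Directory for per-user authorized-keys files; ownership is pinned so a
	# stray non-root owner cannot make sshd's StrictModes reject the files.
	file { '/etc/ssh/userkeys':
		ensure  => directory,
		owner   => 'root',
		group   => 'root',
		mode    => '0755',
		require => Package['openssh-server']
	}
	# Fully puppet-owned key directory: purge/recurse/force against an empty
	# source removes anything that was not shipped by puppet, so keys dropped
	# here by hand do not survive a run.
	file { '/etc/ssh/puppetkeys':
		ensure  => directory,
		owner   => 'root',
		group   => 'root',
		mode    => '0755',
		purge   => true,
		recurse => true,
		force   => true,
		source  => 'puppet:///files/empty/',
		require => Package['openssh-server']
	}
	# sshd (StrictModes) refuses authorized-keys files that are group- or
	# world-writable, so pin owner and mode instead of relying on the umask
	# in effect when the file is first created.
	file { '/etc/ssh/userkeys/root':
		content => template('ssh/authorized_keys.erb'),
		owner   => 'root',
		group   => 'root',
		mode    => '0644',
		require => File['/etc/ssh/userkeys']
	}

	if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
		# The fact only reflects whether the key existed at fact-gathering
		# time; `creates` keeps the exec idempotent within the run as well.
		# sshd only loads host keys at startup, hence the notify.
		if ! $has_etc_ssh_ssh_host_ed25519_key {
			exec { 'create-ed25519-host-key':
				command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
				path    => [ '/usr/bin', '/bin' ],
				creates => '/etc/ssh/ssh_host_ed25519_key',
				require => Package['openssh-client'],
				notify  => Service['ssh'],
			}
		}

		if $systemd {
			package { [ 'libpam-systemd' ]:
				ensure => installed
			}
		}
	}
}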