move sshd extra ports to class params instead of hardcoded in the template
[mirror/dsa-puppet.git] / modules / ssh / manifests / init.pp
index c802efe..df986bc 100644 (file)
@@ -1,33 +1,67 @@
-class ssh {
-       package {
-                openssh-client: ensure => installed;
-                openssh-server: ensure => installed;
-        }
+# @param extraports Addresses/ports to listen on, in addition to 22
+class ssh (
+  Array[String] $extraports = [],
+) {
+  package { [ 'openssh-client', 'openssh-server']:
+    ensure => installed
+  }
 
-       file { "/etc/ssh/ssh_config":
-               source  => [ "puppet:///ssh/ssh_config" ],
-               require => Package["openssh-client"]
-                ;
-              "/etc/ssh/sshd_config":
-               content => template("ssh/sshd_config.erb"),
-               require => Package["openssh-server"],
-                notify  => Exec["ssh restart"]
-                ;
-              "/etc/ssh/userkeys":
-               ensure  => directory,
-               owner   => root,
-               group   => root,
-               mode    => 755,
-                ;
-              "/etc/ssh/userkeys/root":
-                content => template("ssh/authorized_keys.erb"),
-                mode    => 444,
-                require => Package["openssh-server"]
-                ;
-       }
+  service { 'ssh':
+    ensure  => running,
+    require => Package['openssh-server']
+  }
 
-        exec { "ssh restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-        }
+  ferm::rule::simple { 'dsa-ssh':
+    description => 'check ssh access',
+    port        => 'ssh',
+    target      => 'ssh',
+  }
+  ferm::rule { 'dsa-ssh-sources':
+    description => 'Allow SSH from DSA',
+    domain      => '(ip ip6)',
+    chain       => 'ssh',
+    rule        => 'saddr ($SSH_SOURCES) ACCEPT'
+  }
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::nagios' |>>
+
+  file { '/etc/ssh/ssh_config':
+    content => template('ssh/ssh_config.erb'),
+    require => Package['openssh-client']
+  }
+  file { '/etc/ssh/sshd_config':
+    content => template('ssh/sshd_config.erb'),
+    require => Package['openssh-server'],
+    notify  => Service['ssh']
+  }
+  file { '/etc/ssh/userkeys':
+    ensure  => directory,
+    mode    => '0755',
+    require => Package['openssh-server']
+  }
+  file { '/etc/ssh/puppetkeys':
+    ensure  => directory,
+    mode    => '0755',
+    purge   => true,
+    recurse => true,
+    force   => true,
+    source  => 'puppet:///files/empty/',
+    require => Package['openssh-server']
+  }
+  file { '/etc/ssh/userkeys/root':
+    content => template('ssh/authorized_keys.erb'),
+  }
+
+  if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
+    if ! $facts['has_etc_ssh_ssh_host_ed25519_key'] {
+      exec { 'create-ed25519-host-key':
+        command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
+      }
+    }
+
+    if $facts['systemd'] {
+      package { [ 'libpam-systemd' ]:
+        ensure => installed
+      }
+    }
+  }
 }
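Review bot: With the extra listen addresses now coming from `$extraports`, a malformed entry is only discovered when `Service['ssh']` is restarted on the sshd_config notify, which can leave the host without a reachable sshd; adding `validate_cmd => '/usr/sbin/sshd -t -f %',` to the `/etc/ssh/sshd_config` file resource makes Puppet reject the rendered file before it replaces the live one. The `create-ed25519-host-key` exec sets neither `path` nor `creates`; unless an Exec resource default elsewhere in the repo supplies a path, the unqualified `ssh-keygen` will fail at apply time, and since the guard is a fact evaluated before the run, `creates => '/etc/ssh/ssh_host_ed25519_key',` is the cheaper and more robust idempotency check. The `/etc/ssh/userkeys/root` resource also lost its explicit `mode`; sshd's StrictModes rejects an authorized_keys file that is group- or world-writable, so keeping `mode => '0444',` explicit avoids depending on the default file mode.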