From: Peter Palfrader
Date: Sun, 15 Sep 2019 15:09:29 +0000 (+0200)
Subject: Revert "Revert "ssh_upload -> hiera role""
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=d165b198d00bc06003487f344350d5366d1b39bd;hp=acedb9e4e2990168c5e7f05ae870f49fba1dd0b5;p=mirror%2Fdsa-puppet.git
Revert "Revert "ssh_upload -> hiera role""
This reverts commit 13581ee3cf37c33606b8c8317c0901459e34c313.
Try this again, now with an extra change in sshd_config
---
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 2e4b0e610..c63ec9a86 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -112,10 +112,6 @@ roles:
 - soriano.debian.org
 security_upload:
 - suchon.debian.org
- ssh.upload.d.o:
- - coccia.debian.org
- - suchon.debian.org
- - usper.debian.org
 sso:
 - diabelli.debian.org # single sign on relying party (host) - also required apache2 module enabled on that host via other means
diff --git a/hieradata/nodes/coccia.debian.org.yaml b/hieradata/nodes/coccia.debian.org.yaml
index dfa719bd1..17868edf8 100644
--- a/hieradata/nodes/coccia.debian.org.yaml
+++ b/hieradata/nodes/coccia.debian.org.yaml
@@ -2,4 +2,5 @@
 classes:
 - roles::api_ftp_master
 - roles::ftp_upload
+ - roles::ssh_upload
 - roles::static_source
diff --git a/hieradata/nodes/suchon.debian.org.yaml b/hieradata/nodes/suchon.debian.org.yaml
new file mode 100644
index 000000000..49ef5b055
--- /dev/null
+++ b/hieradata/nodes/suchon.debian.org.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+ - roles::ssh_upload
diff --git a/hieradata/nodes/usper.debian.org.yaml b/hieradata/nodes/usper.debian.org.yaml
index 7d70f599f..3883d9756 100644
--- a/hieradata/nodes/usper.debian.org.yaml
+++ b/hieradata/nodes/usper.debian.org.yaml
@@ -1,3 +1,4 @@
 ---
 classes:
 - roles::ftp_upload
+ - roles::ssh_upload
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index f1e24a740..83ddc6c30 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -34,9 +34,6 @@ class roles {
 include roles::dakmaster
 include roles::signing
 }
- if has_role('ssh.upload.d.o') {
- include roles::ssh_upload
- }
 if has_role('security_upload') {
 include roles::security_upload
 }
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 870f16fa6..84e750229 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -21,7 +21,7 @@ HostKey /etc/ssh/ssh_host_rsa_key
 <%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
 HostKey /etc/ssh/ssh_host_ed25519_key
 <% end %>
-<% if scope.function_has_role(['ssh.upload.d.o']) -%>
+<% if classes.include?("roles::ssh_upload") -%>
 # On ssh upload hosts we have many clients doing ssh connections to us.
 # sshd has - by default - a limit of 10 on the number of currently
 # unauthenticated (or not yet authenticated) connections. Raise that limit.
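Review bot: The new condition `classes.include?("roles::ssh_upload")` in sshd_config.erb depends on catalog evaluation order: as far as I know, `classes` in an ERB template lists only the classes declared up to the moment the template is rendered. If the ssh module's template is evaluated before `roles::ssh_upload` is declared from hiera, the branch is silently skipped and the host keeps sshd's default limit on unauthenticated connections, with no compile error to signal it. Nothing visible in this commit pins that ordering, and the old `has_role` data in common.yaml is removed, so there is no fallback. Consider passing the decision in explicitly, for example a boolean parameter on the ssh class set from hiera and tested as `<% if @upload_host -%>` (placeholder name). At minimum, add a template comment such as `<%# relies on roles::ssh_upload being declared before this template is rendered -%>`. The `if` block continues past the end of the hunk, so the directive it guards is not visible here.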