diff --git a/manifests/client.pp b/manifests/client.pp
index f700999..080b90f 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,64 +1,64 @@ # @summary # This class add ssh client management # # @example Puppet usage # class { 'ssh::client': # ensure => present, # storeconfigs_enabled => true, # use_augeas => false, # } # # @param ensure # Ensurable param to ssh client # # @param storeconfigs_enabled # Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false # # @param options # Dynamic hash for openssh client options # # @param options_absent # Remove options (with augeas style) # class ssh::client( String $ensure = present, Boolean $storeconfigs_enabled = true, Hash $options = {}, Boolean $use_augeas = false, Array $options_absent = [], ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', {}) $fin_options = deep_merge($hiera_options, $options) if $use_augeas { - $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $::ssh::params::ssh_config }) + $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $ssh::params::ssh_config }) } else { $merged_options = merge($fin_options, delete($ssh::params::ssh_default_options, keys($fin_options))) } - include ::ssh::client::install - include ::ssh::client::config + include ssh::client::install + include ssh::client::config anchor { 'ssh::client::start': } anchor { 'ssh::client::end': } # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { - include ::ssh::knownhosts + include ssh::knownhosts Anchor['ssh::client::start'] -> Class['ssh::client::install'] -> Class['ssh::client::config'] -> Class['ssh::knownhosts'] -> Anchor['ssh::client::end'] } else { Anchor['ssh::client::start'] -> Class['ssh::client::install'] -> Class['ssh::client::config'] -> Anchor['ssh::client::end'] } } 
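Review bot: The class docblock at the top of the hunk documents ensure, storeconfigs_enabled, options and options_absent but has no entry for use_augeas, even though the parameter is declared on the signature and shown in the @example; puppet-strings reports it as undocumented. Add `# @param use_augeas` followed by `#   Manage ssh_config through augeas (ssh_config resources) instead of the template` above `# @param options_absent`, which is what the use_augeas branch below the lookup selects. The hunk covers the whole class.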
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index 5aa1f0f..68885c8 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
@@ -1,18 +1,18 @@ class ssh::client::config { - $options = $::ssh::client::merged_options - $use_augeas = $::ssh::client::use_augeas + $options = $ssh::client::merged_options + $use_augeas = $ssh::client::use_augeas if $use_augeas { create_resources('ssh_config', $options) } else { file { $ssh::params::ssh_config: ensure => present, owner => '0', group => '0', mode => '0644', content => template("${module_name}/ssh_config.erb"), require => Class['ssh::client::install'], } } }
diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp
index 04c1f81..35ec937 100644
--- a/manifests/client/config/user.pp
+++ b/manifests/client/config/user.pp
@@ -1,56 +1,56 @@ # # Copyright (c) IN2P3 Computing Centre, IN2P3, CNRS # Contributor: Remi Ferrand (2015) # Contributor: Tim Meusel (2017) # define ssh::client::config::user( Enum['present', 'absent'] $ensure = present, Optional[Stdlib::Absolutepath] $target = undef, Optional[Stdlib::Absolutepath] $user_home_dir = undef, Boolean $manage_user_ssh_dir = true, Hash $options = {}, String[1] $user = $name, ) { - include ::ssh::params + include ssh::params # If a specific target file was specified, # it must have higher priority than any # other parameter. if ($target != undef) { $_target = $target } else { if ($user_home_dir == undef) { $_user_home_dir = "/home/${user}" } else { $_user_home_dir = $user_home_dir } $user_ssh_dir = "${_user_home_dir}/.ssh" $_target = "${user_ssh_dir}/config" if ($manage_user_ssh_dir == true) { unless defined(File[$user_ssh_dir]) { file { $user_ssh_dir: ensure => directory, owner => $user, - mode => $::ssh::params::user_ssh_directory_default_mode, + mode => $ssh::params::user_ssh_directory_default_mode, before => Concat_file[$_target], } } } } unless defined(Concat_file[$_target]) { concat_file { $_target: ensure => $ensure, owner => $user, - mode => $::ssh::params::user_ssh_config_default_mode, + mode => $ssh::params::user_ssh_config_default_mode, tag => $name, } } concat_fragment { $name: tag => $name, content => template("${module_name}/ssh_config.erb"), target => $_target, } }
diff --git a/manifests/init.pp b/manifests/init.pp
index 392dddf..5d41585 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
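Review bot: `if ($manage_user_ssh_dir == true)` and `if ($target != undef)` compare typed parameters against literals where plain truthiness gives the same result; since the signature already types them as Boolean and Optional[Stdlib::Absolutepath], `if $manage_user_ssh_dir {` and `if $target {` read as the rest of the module does. The two `unless defined(...)` guards around the `.ssh` directory and the concat_file are evaluated in catalog compile order, so whether a second user with the same home directory or target collides depends on which declaration the compiler reaches first; if that is intended, a comment such as `# defined() is parse-order dependent: the first declaration of a shared target wins` next to the first guard would spare the next reader a surprise. The define is entirely within the hunk.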
@@ -1,153 +1,153 @@ # @summary # This class managed ssh, client and server # # @example Puppet usage # class { 'ssh': # storeconfigs_enabled => false, # server_options => { # 'Match User www-data' => { # 'ChrootDirectory' => '%h', # 'ForceCommand' => 'internal-sftp', # 'PasswordAuthentication' => 'yes', # 'AllowTcpForwarding' => 'no', # 'X11Forwarding' => 'no', # }, # 'Port' => [22, 2222, 2288], # }, # client_options => { # 'Host *.amazonaws.com' => { # 'User' => 'ec2-user', # }, # }, # users_client_options => { # 'bob' => { # options => { # 'Host *.alice.fr' => { # 'User' => 'alice', # }, # }, # }, # }, # } # # @example hiera usage # ssh::storeconfigs_enabled: true # # ssh::server_options: # Protocol: '2' # ListenAddress: # - '127.0.0.0' # - '%{::hostname}' # PasswordAuthentication: 'yes' # SyslogFacility: 'AUTHPRIV' # UsePAM: 'yes' # X11Forwarding: 'yes' # # ssh::server::match_block: # filetransfer: # type: group # options: # ChrootDirectory: /home/sftp # ForceCommand: internal-sftp # # ssh::client_options: # 'Host *': # SendEnv: 'LANG LC_*' # ForwardX11Trusted: 'yes' # ServerAliveInterval: '10' # # ssh::users_client_options: # 'bob': # 'options': # 'Host *.alice.fr': # 'User': 'alice' # 'PasswordAuthentication': 'no' # # # @param server_options # Add dynamic options for ssh server config # # @param server_match_block # Add match block for ssh server config # # @param client_options # Add dynamic options for ssh client config # # @param users_client_options # Add users options for ssh client config # # @param version # Define package version (pacakge ressource) # # @param storeconfigs_enabled # Default value for storeconfigs_enabled (client and server) # # @param validate_sshd_file # Default value for validate_sshd_file (server) # # @param use_augeas # Default value to use augeas (client and server) # # @param server_options_absent # List of options to remove for server config (augeas only) # # @param client_options_absent # List of options to remove for client 
config (augeas only) # # @param use_issue_net # Use issue_net header # class ssh ( Hash $server_options = {}, Hash $server_match_block = {}, Hash $client_options = {}, Hash $users_client_options = {}, String $version = 'present', Boolean $storeconfigs_enabled = true, - Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, + Boolean $validate_sshd_file = $ssh::params::validate_sshd_file, Boolean $use_augeas = false, Array $server_options_absent = [], Array $client_options_absent = [], Boolean $use_issue_net = false, Boolean $purge_unmanaged_sshkeys = true, ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {}) $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', {}) $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'deep', {}) $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'deep', {}) $fin_server_options = deep_merge($hiera_server_options, $server_options) $fin_server_match_block = deep_merge($hiera_server_match_block, $server_match_block) $fin_client_options = deep_merge($hiera_client_options, $client_options) $fin_users_client_options = deep_merge($hiera_users_client_options, $users_client_options) - class { '::ssh::server': + class { 'ssh::server': ensure => $version, storeconfigs_enabled => $storeconfigs_enabled, options => $fin_server_options, validate_sshd_file => $validate_sshd_file, use_augeas => $use_augeas, options_absent => $server_options_absent, use_issue_net => $use_issue_net, } - class { '::ssh::client': + class { 'ssh::client': ensure => $version, storeconfigs_enabled => $storeconfigs_enabled, options => $fin_client_options, use_augeas => $use_augeas, options_absent => $client_options_absent, } # If host keys are being managed, optionally purge unmanaged ones as well. 
if ($storeconfigs_enabled and $purge_unmanaged_sshkeys) { resources { 'sshkey': purge => true, } } - create_resources('::ssh::client::config::user', $fin_users_client_options) - create_resources('::ssh::server::match_block', $fin_server_match_block) + create_resources('ssh::client::config::user', $fin_users_client_options) + create_resources('ssh::server::match_block', $fin_server_match_block) }
diff --git a/manifests/server.pp b/manifests/server.pp
index ba9f502..7b3d89b 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
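Review bot: The docblock of class ssh lists every parameter except purge_unmanaged_sshkeys, which is declared on the signature and, per the `resources { 'sshkey': purge => true }` block near the end of the hunk, removes sshkey entries Puppet does not manage whenever storeconfigs_enabled is also true; that is the kind of side effect a caller should find in the generated docs. Add `# @param purge_unmanaged_sshkeys` followed by `#   Purge sshkey resources not managed by Puppet (only applies when storeconfigs_enabled is true)` after the use_issue_net entry. While there, the `@param version` text reads "pacakge ressource" and should be "package resource". The class starts at the top of the hunk and ends with it.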
@@ -1,88 +1,88 @@ # @summary # This class managed ssh server # # @example Puppet usage # class { 'ssh::server': # ensure => present, # storeconfigs_enabled => true, # use_issue_net => false, # } # # @param ensure # Ensurable param to ssh server # # @param storeconfigs_enabled # Host keys will be collected and distributed unless storeconfigs_enabled is false. # # @param options # Dynamic hash for openssh server option # # @param validate_sshd_file # Add sshd file validate cmd # # @param use_augeas # Use augeas for configuration (default concat) # # @param options_absent # Remove options (with augeas style) # # @param match_block # Add sshd match_block (with concat) # # @use_issue_net # Add issue_net banner # class ssh::server( String $ensure = present, Boolean $storeconfigs_enabled = true, Hash $options = {}, Boolean $validate_sshd_file = false, Boolean $use_augeas = false, Array $options_absent = [], Hash $match_block = {}, Boolean $use_issue_net = false ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', {}) $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', {}) $fin_options = deep_merge($hiera_options, $options) $fin_match_block = deep_merge($hiera_match_block, $match_block) if $use_augeas { - $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $::ssh::params::sshd_config }) + $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $ssh::params::sshd_config }) } else { $merged_options = deep_merge($ssh::params::sshd_default_options, $fin_options) } - include ::ssh::server::install - include ::ssh::server::config - include ::ssh::server::service + include ssh::server::install + include ssh::server::config + include ssh::server::service anchor { 'ssh::server::start': } anchor { 'ssh::server::end': } # Provide option to 
*not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { - include ::ssh::hostkeys - include ::ssh::knownhosts + include ssh::hostkeys + include ssh::knownhosts Anchor['ssh::server::start'] -> Class['ssh::server::install'] -> Class['ssh::server::config'] ~> Class['ssh::server::service'] -> Class['ssh::hostkeys'] -> Class['ssh::knownhosts'] -> Anchor['ssh::server::end'] } else { Anchor['ssh::server::start'] -> Class['ssh::server::install'] -> Class['ssh::server::config'] ~> Class['ssh::server::service'] -> Anchor['ssh::server::end'] } - create_resources('::ssh::server::match_block', $fin_match_block) + create_resources('ssh::server::match_block', $fin_match_block) }
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 97dc5ce..e539a95 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
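Review bot: The last entry of the ssh::server docblock is written as `# @use_issue_net` rather than `# @param use_issue_net`, so puppet-strings neither documents the parameter nor attaches the "Add issue_net banner" text to it; the fix is the one-word change `# @param use_issue_net`. The other entries in the same docblock use the `@param` form, so this is the only one that is lost. The class spans the whole hunk.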
@@ -1,53 +1,53 @@ # @summary # Managed ssh server configuration # # @api private # class ssh::server::config { - $options = $::ssh::server::merged_options + $options = $ssh::server::merged_options case $ssh::server::validate_sshd_file { true: { $sshd_validate_cmd = '/usr/sbin/sshd -tf %' } default: { $sshd_validate_cmd = undef } } - if $::ssh::server::use_augeas { + if $ssh::server::use_augeas { create_resources('sshd_config', $options) } else { concat { $ssh::params::sshd_config: ensure => present, owner => 0, group => 0, mode => '0600', validate_cmd => $sshd_validate_cmd, notify => Service[$ssh::params::service_name], } concat::fragment { 'global config': target => $ssh::params::sshd_config, content => template("${module_name}/sshd_config.erb"), order => '00', } } - if $::ssh::server::use_issue_net { + if $ssh::server::use_issue_net { file { $ssh::params::issue_net: ensure => present, owner => 0, group => 0, mode => '0644', content => template("${module_name}/issue.net.erb"), notify => Service[$ssh::params::service_name], } concat::fragment { 'banner file': target => $ssh::params::sshd_config, content => "Banner ${ssh::params::issue_net}\n", order => '01', } } }
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
index 45a4d85..65e8768 100644
--- a/manifests/server/host_key.pp
+++ b/manifests/server/host_key.pp
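Review bot: `$sshd_validate_cmd` is consumed only by the `validate_cmd` attribute of the concat resource in the else branch, so when `$ssh::server::use_augeas` is true the validate_sshd_file setting is silently dropped and the augeas-written sshd_config is never checked with `sshd -tf` before the service is notified; nothing in the hunk records that. At minimum say so next to the `case`, e.g. `# validate_sshd_file only applies to the concat-managed file; sshd_config managed via augeas is not validated`, and consider emitting a `warning()` when both are set so a broken sshd_config does not reach the notified service unannounced. The class is fully contained in the hunk.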
@@ -1,153 +1,153 @@ # == Define: ssh::server::host_key # # This module install a ssh host key in the server (basically, it is # a file resource but it also notifies to the ssh service) # # Important! This define does not modify any option in sshd_config, so # you have to manually define the HostKey option in the server options # if you haven't done yet. # # == Parameters # # [*ensure*] # Set to 'absent' to remove host_key files # # [*public_key_source*] # Sets the content of the source parameter for the public key file # Note public_key_source and public_key_content are mutually exclusive. # # [*public_key_content*] # Sets the content for the public key file. # Note public_key_source and public_key_content are mutually exclusive. # # [*private_key_source*] # Sets the content of the source parameter for the private key file # Note private_key_source and private_key_content are mutually exclusive. # # [*private_key_content*] # Sets the content for the private key file. # Note private_key_source and private_key_content are mutually exclusive. # # [*certificate_source*] # Sets the content of the source parameter for the host key certificate. # Note certificate_source and certificate_content are mutually exclusive. # # [*certificate_content*] # Sets the content for the host key certificate. # Note certificate_source and certificate_content are mutually exclusive. 
# define ssh::server::host_key ( $ensure = 'present', $public_key_source = '', $public_key_content = '', $private_key_source = '', $private_key_content = '', $certificate_source = '', $certificate_content = '', ) { # Ensure the ssh::server class is included in the manifest - include ::ssh::server + include ssh::server if $public_key_source == '' and $public_key_content == '' and $ensure == 'present' { fail('You must provide either public_key_source or public_key_content parameter') } if $private_key_source == '' and $private_key_content == '' and $ensure == 'present' { fail('You must provide either private_key_source or private_key_content parameter') } $manage_pub_key_content = $public_key_source ? { '' => $public_key_content, default => undef, } $manage_pub_key_source = $public_key_source ? { '' => undef, default => $public_key_source, } $manage_priv_key_content = $private_key_source ? { '' => $private_key_content, default => undef, } $manage_priv_key_source = $private_key_source ? { '' => undef, default => $private_key_source, } $manage_cert_content = $certificate_source ? { '' => $certificate_content, default => undef, } $manage_cert_source = $certificate_source ? 
{ '' => undef, default => $certificate_source, } if $ensure == 'present' { file {"${name}_pub": ensure => $ensure, owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}.pub", + path => "${ssh::params::sshd_dir}/${name}.pub", source => $manage_pub_key_source, content => $manage_pub_key_content, notify => Class['ssh::server::service'], } file {"${name}_priv": ensure => $ensure, owner => 0, - group => $::ssh::params::host_priv_key_group, + group => $ssh::params::host_priv_key_group, mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", + path => "${ssh::params::sshd_dir}/${name}", source => $manage_priv_key_source, content => $manage_priv_key_content, show_diff => false, notify => Class['ssh::server::service'], } } else { file {"${name}_pub": ensure => $ensure, owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}.pub", + path => "${ssh::params::sshd_dir}/${name}.pub", notify => Class['ssh::server::service'], } file {"${name}_priv": ensure => $ensure, owner => 0, - group => $::ssh::params::host_priv_key_group, + group => $ssh::params::host_priv_key_group, mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", + path => "${ssh::params::sshd_dir}/${name}", show_diff => false, notify => Class['ssh::server::service'], } } if !empty($certificate_source) or !empty($certificate_content) { if $ensure == 'present' { file {"${name}_cert": ensure => $ensure, owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + path => "${ssh::params::sshd_dir}/${name}-cert.pub", source => $manage_cert_source, content => $manage_cert_content, notify => Class['ssh::server::service'], } } else { file {"${name}_cert": ensure => $ensure, owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + path => "${ssh::params::sshd_dir}/${name}-cert.pub", notify => Class['ssh::server::service'], } } } } 
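Review bot: The header comment says public_key_source/public_key_content (and the private key and certificate pairs) are mutually exclusive, but the selectors only make the `_source` value win, so a caller who sets both gets the content silently ignored and no error; enforce the documented contract with `if $public_key_source != '' and $public_key_content != '' {` / `  fail('public_key_source and public_key_content are mutually exclusive')` / `}` next to the existing "must provide either" checks, and the same for the private key and certificate pairs. The parameters are also untyped, unlike the rest of the module; `Enum['present', 'absent'] $ensure = 'present'` would reject typos that today fall into the else branch and are passed straight to `file { ensure => }`. The define starts at the top of the hunk and ends with it.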
diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp
index ba484b7..2ba34f5 100644
--- a/manifests/server/match_block.pp
+++ b/manifests/server/match_block.pp
@@ -1,20 +1,20 @@ # @summary # Add match_block to ssh server config (concat needed) # # @api private # define ssh::server::match_block ( Hash $options = {}, String $type = 'user', Integer $order = 50, ) { - if $::ssh::server::use_augeas { + if $ssh::server::use_augeas { fail('ssh::server::match_block() define not supported with use_augeas = true') } else { concat::fragment { "match_block ${name}": target => $ssh::params::sshd_config, content => template("${module_name}/sshd_match_block.erb"), order => 200+$order, } } }