authorLeif Johansson <leifj@sunet.se>2014-03-03 10:35:00 +0100
committerLeif Johansson <leifj@sunet.se>2014-03-03 10:35:00 +0100
commit1c78441c007c16b247530402d8dbdd593dcdf70e (patch)
tree4806872861f0fda5cc9805d96f8b2b04f012274c /global/overlay/etc/puppet/modules
parenta20a151f7dcd25e20b207da744b3975df771bed0 (diff)
parentbaffa6e766cb7b69454f9d833e670003e6a8646f (diff)
Merge branch 'master' of git.nordu.net:sunet-ops
Diffstat (limited to 'global/overlay/etc/puppet/modules')
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/server.pp31
1 files changed, 31 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 9215c8f..875dc69 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -6,4 +6,35 @@ define sunet::server() {
# Add prerequisites for ethernet bonding, if physical server
sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
+# Removed until SWAMID hosts can have their ufw module updated / ft
+# # Ignore IPv6 multicast
+# ufw::deny { 'ignore_v6_multicast':
+# ip => 'ff02::1',
+# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+# }
+
+# # Ignore IPv6 multicast PIM router talk
+# ufw::deny { 'ignore_v6_multicast_PIM':
+# ip => 'ff02::d',
+# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+# }
+
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+
}
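Review bot: The `set PasswordAuthentication no` entry in the augeas changes list does not by itself close off password logins: when sshd runs with `UsePAM yes` (the Debian/Ubuntu default), the keyboard-interactive method still prompts for the PAM password unless challenge-response authentication is also turned off. Add `"set ChallengeResponseAuthentication no",` to the same changes array so both password paths are disabled together. The comment on `LogLevel VERBOSE` suggests key-based root login is intended; if so, `"set PermitRootLogin without-password",` would state that policy explicitly instead of relying on whatever the distribution's stock sshd_config says. One caveat with the augeas approach: `set` on a key that is not yet present appends it at the end of the file, so on a host whose sshd_config already carries a `Match` block the new directives would land inside that block and not apply globally — worth confirming with `sshd -T` after the first run.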