authorLeif Johansson <leifj@sunet.se>2014-03-03 11:52:02 +0100
committerLeif Johansson <leifj@sunet.se>2014-03-03 11:52:02 +0100
commit8cb5ad3714fe14f909a285a4aed5d9add6518442 (patch)
treea939d507fe626ef62e45e7c1731bbd9e6adebc59 /global/overlay/etc/puppet
parent1f4f43ccacb14f29e3ae598a5da10dc0a15f1d37 (diff)
ssh and bastion for sunet
Diffstat (limited to 'global/overlay/etc/puppet')
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp70
1 files changed, 55 insertions, 15 deletions
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 4995e19..69ac954 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -21,14 +21,6 @@ node default {
}
-# edit and uncomment to manage ssh root keys in a simple way
-
-#class { 'cosmos::access':
-# keys => [
-# "ssh-rsa ..."
-# ]
-#}
-
# example config for the nameserver class which is matched in cosmos-rules.yaml
#class nameserver {
@@ -247,18 +239,66 @@ class sunet-dhcp-hosts {
class sunet {
- # Until we have proper Puppet managing of SSH
- #ufw::allow { 'allow-ssh-sunet':
- # port => '22',
- # proto => 'tcp'
- #}
-
- package { 'emacs23-nox':
+ package { ['openssh-server', 'emacs23-nox']:
ensure => 'installed'
+ } ->
+
+ ufw::allow { 'allow-ssh-sunet':
+ port => '22',
+ ip => 'any', # both IPv4 and IPv6
+ proto => 'tcp'
+ } ->
+ service { 'ssh':
+ ensure => 'running',
}
sunet::server { 'sunet_server': }
+ ssh_authorized_key {'leifj+neo':
+ name => 'leifj+neo@mnt.se',
+ ensure => present,
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+
+ ssh_authorized_key {'ft+505152DD':
+ name => 'fredrik+505152DD@thulin.net',
+ ensure => present,
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+
+ ssh_authorized_key {'ft+4030CCAD':
+ name => 'fredrik+4030CCAD@thulin.net',
+ ensure => present,
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+
+ ssh_authorized_key {'swold+neo':
+ name => 'swold+neo@sunet.se',
+ ensure => present,
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEH/7KWri49NdhCjXW8VEdDxFl3IfIFT6QjJ47TkhCZCPZdgFl8NLKUOBE1P4jrwB+f+G+ScQ9EYN2Mnf0VhjZ3twPq2S1fosu3jmA56qhQ2J6ZNG1SvVDkgT69HZ+yoxEzbkmWuhhlb7WWVzC3h1K5Rxs8Yr9GJzIpgqH5PzI73pMAS89MYOjkhqS8NOi4onB3llFnyFZeWDB+rXj8/Q6k1u2F9KN1fPxe3EiskaJPOkPn8dEe3pOAiu+FwWyinHxO9Z4gzf55XVE8oFd36LRpoJGr32vdScSPeCksrARluEHnkEHqg6cVLcDkKnHrPITuXKj54i/jYeYGetigEuV',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+
+ # OS hardening
+ if $::hostname =~ /^kvm.*/ {
+ class {'bastion':
+ fstab_fix_shm => false,
+ sysctl_net_hardening => false,
+ }
+ } else {
+ class {'bastion':
+ fstab_fix_shm => false,
+ fixperms_paranoia => true,
+ }
+ }
+
}
class sunet-cdr {
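Review bot: Nothing in the hunk manages `/etc/ssh/sshd_config`, even though the new chain opens port 22 to `ip => 'any'` (both address families) and adds four root `ssh_authorized_key` resources, so whether root login stays key-only and password authentication is off depends entirely on the distribution default of the freshly installed `openssh-server`. Pinning `PermitRootLogin without-password` and `PasswordAuthentication no` in the manifest, with the change notifying `Service['ssh']`, would make the exposure explicit; an `augeas` resource inserted in the existing chain before the service does that. Separately, the `bastion` branch for `/^kvm.*/` hosts turns `sysctl_net_hardening` off without saying why; a comment above the `if` such as `# kvm hosts skip net sysctl hardening (presumably guest bridging/forwarding needs it) -- confirm` would help the next maintainer, and the `fstab_fix_shm => false` that both branches share could be explained in the same line.
```puppet
  } ->
  # … unchanged: ufw::allow { 'allow-ssh-sunet': … } …
  augeas { 'sshd_config-sunet':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PermitRootLogin without-password',
      'set PasswordAuthentication no',
    ],
  } ~>
  service { 'ssh':
    ensure => 'running',
  }
```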