From 8cb5ad3714fe14f909a285a4aed5d9add6518442 Mon Sep 17 00:00:00 2001 From: Leif Johansson Date: Mon, 3 Mar 2014 11:52:02 +0100 Subject: ssh and bastion for sunet --- global/overlay/etc/puppet/manifests/cosmos-site.pp | 70 +++++++++++++++++----- 1 file changed, 55 insertions(+), 15 deletions(-) (limited to 'global/overlay/etc/puppet') diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp index 4995e19..69ac954 100644 --- a/global/overlay/etc/puppet/manifests/cosmos-site.pp +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp @@ -21,14 +21,6 @@ node default { } -# edit and uncomment to manage ssh root keys in a simple way - -#class { 'cosmos::access': -# keys => [ -# "ssh-rsa ..." -# ] -#} - # example config for the nameserver class which is matched in cosmos-rules.yaml #class nameserver { @@ -247,18 +239,66 @@ class sunet-dhcp-hosts { class sunet { - # Until we have proper Puppet managing of SSH - #ufw::allow { 'allow-ssh-sunet': - # port => '22', - # proto => 'tcp' - #} - - package { 'emacs23-nox': + package { ['openssh-server', 'emacs23-nox']: ensure => 'installed' + } -> + + ufw::allow { 'allow-ssh-sunet': + port => '22', + ip => 'any', # both IPv4 and IPv6 + proto => 'tcp' + } -> + service { 'ssh': + ensure => 'running', } sunet::server { 'sunet_server': } + ssh_authorized_key {'leifj+neo': + name => 'leifj+neo@mnt.se', + ensure => present, + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'ft+505152DD': + name => 'fredrik+505152DD@thulin.net', + ensure => present, + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'ft+4030CCAD': + name => 'fredrik+4030CCAD@thulin.net', + ensure => present, + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'swold+neo': + name => 'swold+neo@sunet.se', + ensure => present, + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEH/7KWri49NdhCjXW8VEdDxFl3IfIFT6QjJ47TkhCZCPZdgFl8NLKUOBE1P4jrwB+f+G+ScQ9EYN2Mnf0VhjZ3twPq2S1fosu3jmA56qhQ2J6ZNG1SvVDkgT69HZ+yoxEzbkmWuhhlb7WWVzC3h1K5Rxs8Yr9GJzIpgqH5PzI73pMAS89MYOjkhqS8NOi4onB3llFnyFZeWDB+rXj8/Q6k1u2F9KN1fPxe3EiskaJPOkPn8dEe3pOAiu+FwWyinHxO9Z4gzf55XVE8oFd36LRpoJGr32vdScSPeCksrARluEHnkEHqg6cVLcDkKnHrPITuXKj54i/jYeYGetigEuV', + type => 'ssh-rsa', + user => 'root' + } + + # OS hardening + if $::hostname =~ /^kvm.*/ { + class {'bastion': + fstab_fix_shm => false, + sysctl_net_hardening => false, + } + } else { + class {'bastion': + fstab_fix_shm => false, + fixperms_paranoia => true, + } + } + } class sunet-cdr { -- cgit v1.1