1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
# This manifest is managed using cosmos
Exec {
path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}
# include some of this stuff for additional features
include cosmos::tools
include cosmos::motd
include cosmos::ntp
include cosmos::rngtools
include cosmos::preseed
include ufw
include apt
include cosmos
# you need a default node
node default {
class { 'sshserver': }
class { 'mailclient':
domain => 'smtp.nordu.net'
}
class { 'sshkeys': }
}
class dockerhost {
apt::source {'docker_official':
location => 'https://get.docker.com/ubuntu',
release => 'docker',
repos => 'main',
key => 'A88D21E9',
include_src => false
}
package {'lxc-docker':
ensure => latest
}
class {'docker':
manage_package => false
}
}
class webserver {
ufw::allow { "allow-http":
ip => 'any',
port => 80
}
ufw::allow { "allow-https":
ip => 'any',
port => 443
}
}
class mailclient ($domain) {
cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain}
}
class sshserver {
include augeas
augeas { "sshd_config":
context => "/files/etc/ssh/sshd_config",
changes => [
"set PasswordAuthentication no",
"set X11Forwarding no",
"set LogLevel VERBOSE", # log pubkey used for root login
],
notify => Service['ssh'],
} ->
file_line {
'no_sftp_subsystem':
path => '/etc/ssh/sshd_config',
match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
notify => Service['ssh'],
}
ufw::allow { "allow-sshd":
ip => 'any',
port => 22
}
}
class sshkeys {
ssh_authorized_key {'leifj+neo':
ensure => present,
name => 'leifj+neo@mnt.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'linus':
ensure => present,
name => 'linus@nordu.net',
key => 'AAAAB3NzaC1kc3MAAACBAOgwalVrauBiUm0cJtiehqiXCarmP3LzpOVe/2Lhip3VyGNkCc0tI3ZcwTOuVSNbNAtUPbRFsp2qzNf6yHzDetolb+8oAWoLrNTnyJn/P6objJJ82U8EY1HK27flFpst1NBHzr9UQAKs+r51cszGHDjhXi001+liN2+qiaXRHmppAAAAFQDqf3RIdYsjmEK2ju8jBkcvhkYHQQAAAIEAydJS3s3eRXDiW5ynnQUZONjBwnBIhT6NEznb9FD/6QlfIL3Ay9sbxSQG3MKaC5xfS1TvjZBOTikYn0VFgzR6bXYJtscbH7Hu53X3uwzAi87pgwoE7/Rctf+o9RgGl/a7a/t+POHFYuOY4kSTqK/loKTu/y9BW0PbrPZ+cwIw1k4AAACBALbgqfua4HCdcCKA4Wv0SZ+p1xApNDi9CF33KhMvQ1wrQBCKBU+maTzO9phNFp1PjXv/JxhmkdHLL2lTo3iXdFSbpkwpBb9p649Kbko3L1XEUPZFz5Flt5H8L+FTTNnF5rHfadshr50r4DXYoEyfZFPEitthaS5dlesfyn/aHSN+',
type => 'ssh-rsa',
user => 'root'
}
}
|