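# Common server setup: encrypted swap, ethernet bonding prerequisites and a
# restricted sshd_config (no password logins, no X11 forwarding, verbose
# authentication logging, stock sftp subsystem commented out).
#
# Every resource title below is a fixed string, so this define can only be
# declared once per node; a second declaration would collide on those titles.
#
# Service['ssh'] is notified but not declared here, so it has to be declared
# elsewhere in the catalog.
define sunet::server() {
  # Set up encrypted swap
  sunet::encrypted_swap { 'sunet_encrypted_swap': }

  # Add prerequisites for ethernet bonding, if physical server
  # NOTE(review): no physical/virtual test is made at this level; presumably
  # sunet::ethernet_bonding decides that itself - confirm.
  sunet::ethernet_bonding { 'sunet_ethernet_bonding': }

  # Removed until SWAMID hosts can have their ufw module updated / ft
  #  # Ignore IPv6 multicast
  #  ufw::deny { 'ignore_v6_multicast':
  #    ip    => 'ff02::1',
  #    proto => 'any'  # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
  #  }
  #  # Ignore IPv6 multicast PIM router talk
  #  ufw::deny { 'ignore_v6_multicast_PIM':
  #    ip    => 'ff02::d',
  #    proto => 'any'  # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
  #  }

  include augeas

  # Key-only SSH logins, no X11 forwarding. The augeas edit is ordered before
  # the file_line below because both modify /etc/ssh/sshd_config.
  augeas { 'sshd_config':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PasswordAuthentication no',
      'set X11Forwarding no',
      'set LogLevel VERBOSE',  # log pubkey used for root login
    ],
    notify  => Service['ssh'],
  } ->
  # Comment out the stock sftp subsystem.
  #
  # 'match' is a regular expression. The fields are separated with \s+ so
  # that a sshd_config using tabs or repeated spaces is still matched; with
  # literal single spaces such a file would not match, file_line would only
  # append the commented line, and sftp would silently stay enabled.
  # The pattern is unanchored and therefore also matches the line once it is
  # commented out, which keeps repeated runs idempotent. 'multiple' lets the
  # run succeed when both an active and an already-commented line exist.
  #
  # Only this exact sftp-server path is covered: a Subsystem sftp line that
  # points at a different binary is left untouched.
  file_line { 'no_sftp_subsystem':
    path     => '/etc/ssh/sshd_config',
    match    => 'Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server',
    line     => '#Subsystem sftp /usr/lib/openssh/sftp-server',
    multiple => true,
    notify   => Service['ssh'],
  }
}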