Puppet Class: archlinux_workstation::ssh

Defined in:
manifests/ssh.pp

Overview

Configure SSH server via saz/ssh and allow access only by your username.

Parameters:

  • allow_users (Variant[Undef, Array[String]]) (defaults to: undef)

    Usernames allowed to log in via SSH. If left at its default (undef), $archlinux_workstation::username will be used. If $::virtual == 'virtualbox', vagrant will be appended to the list.

  • permit_root (Boolean) (defaults to: false)

    Whether or not to permit root login.

  • extra_options (Variant[Undef, Hash]) (defaults to: undef)

    Extra configuration options to include in sshd_config.



# File 'manifests/ssh.pp', line 11

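# Configure the SSH server via saz/ssh, restricting logins to an explicit
# AllowUsers list (the workstation user by default) with key-only
# authentication.
#
# @param allow_users  Usernames permitted to log in. undef, or an empty
#   list, falls back to [$archlinux_workstation::username].
# @param permit_root  When true, PermitRootLogin is set to 'yes' and 'root'
#   is added to AllowUsers.
# @param extra_options  Additional sshd_config options. They are merged on
#   top of the base options below, so a key given here REPLACES the
#   hardening default of the same name (for example PasswordAuthentication);
#   review them before deploying.
class archlinux_workstation::ssh (
  Variant[Undef, Array[String]] $allow_users   = undef,
  Boolean $permit_root                         = false,
  Variant[Undef, Hash] $extra_options          = undef,
){

  if ! defined(Class['archlinux_workstation']) {
    fail('You must include the base archlinux_workstation class before using any subclasses')
  }

  # variable access
  include archlinux_workstation

  # An explicit empty list is treated like undef: an empty AllowUsers
  # directive would not express any useful intent, so fall back to the
  # workstation user instead of emitting it.
  if $allow_users and !empty($allow_users) {
    $explicit_users = $allow_users
  } else {
    $explicit_users = [$archlinux_workstation::username]
  }

  # PermitRootLogin 'yes' is still key-only here because the base options
  # set PasswordAuthentication 'no'. If extra_options re-enables password
  # authentication, 'prohibit-password' would be the safer value for root.
  if $permit_root {
    $allow_root = 'yes'
    $root_users = ['root']
  } else {
    $allow_root = 'no'
    $root_users = []
  }

  # add 'vagrant' to allow users if on virtualbox
  if $facts['virtual'] == 'virtualbox' {
    notify {'adding vagrant to list of SSH allowed users, per $::virtual fact': }
    $vm_users = ['vagrant']
  } else {
    $vm_users = []
  }

  # unique() keeps the first occurrence, so the caller's ordering is
  # preserved and 'root'/'vagrant' are not listed twice when the caller
  # already included them in allow_users.
  $real_allow_users = unique($explicit_users + $root_users + $vm_users)

  $base_options = {
    'AcceptEnv'              => ['LANG', 'LC_*', 'DISPLAY'],
    'AllowUsers'             => $real_allow_users,
    'AuthorizedKeysFile'     => '.ssh/authorized_keys',
    'GSSAPIAuthentication'   => 'no',
    'KerberosAuthentication' => 'no',
    'PasswordAuthentication' => 'no',
    'PermitRootLogin'        => $allow_root,
    'Port'                   => [22],
    'PubkeyAuthentication'   => 'yes',
    # Protocol-1-only option; newer OpenSSH releases (7.4+) log it as a
    # deprecated option and ignore it. Kept for older servers.
    'RSAAuthentication'      => 'yes',
    'SyslogFacility'         => 'AUTH',
    # "Default for new installations." Deprecated in OpenSSH 7.5+ (sandbox
    # is always on), where sshd logs a warning and ignores it.
    'UsePrivilegeSeparation' => 'sandbox',
    # X11 forwarding exposes the connecting client's X server to the
    # workstation; override via extra_options if that is not wanted.
    'X11Forwarding'          => 'yes',
  }

  # Type Variant[Undef, Hash] already guarantees a Hash here, so the former
  # validate_hash() call (deprecated in stdlib) is unnecessary. merge() gives
  # precedence to $extra_options.
  if $extra_options {
    $final_options = merge($base_options, $extra_options)
  } else {
    $final_options = $base_options
  }

  # saz/ssh
  class { 'ssh::server':
    storeconfigs_enabled => false,
    options              => $final_options,
  }

}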