---
# Hiera data consumed by the base::ssh and base::sshd classes below through
# hiera_hash(); each top-level key is a hash of resource titles with their
# parameters, handed to create_resources().
# NOTE(review): these algorithm lists are a January-2015 snapshot. Later
# OpenSSH releases dropped some of the names (hmac-ripemd160* went away in
# 7.6), and sshd refuses to start when a Ciphers/MACs/KexAlgorithms line
# contains a name it does not know - check the rendered file with
# `sshd -t` before the service restart is triggered.
# NOTE(review): the empty value on the next line is YAML null, not an empty
# hash; confirm hiera_hash() tolerates that, otherwise write `{}` explicitly.
base::ssh::ssh_authorized_keys:
base::sshd::sshd_config:
  # Server side: resource title = sshd_config keyword, value = its entries.
  Ciphers:
    value:
      - chacha20-poly1305@openssh.com
      - aes256-gcm@openssh.com
      - aes128-gcm@openssh.com
      - aes256-ctr
      - aes192-ctr
      - aes128-ctr
  MACs:
    # Encrypt-then-MAC variants first, plain variants as fallback.
    value:
      - hmac-sha2-512-etm@openssh.com
      - hmac-sha2-256-etm@openssh.com
      - hmac-ripemd160-etm@openssh.com
      - umac-128-etm@openssh.com
      - hmac-sha2-512
      - hmac-sha2-256
      - hmac-ripemd160
      - umac-128@openssh.com
  KexAlgorithms:
    value:
      - curve25519-sha256@libssh.org
      - diffie-hellman-group-exchange-sha256
  # Protocol 1 is disabled here; on releases that no longer ship protocol 1
  # at all this keyword is deprecated and has no effect.
  Protocol:
    value: 2
base::ssh::ssh_config:
  # Client side: title is free-form, `key` is the ssh_config keyword and
  # `host` the Host block it lands in.
  'KexAlgorithms Global':
    key: KexAlgorithms
    host: '*'
    value:
      - curve25519-sha256@libssh.org
      - diffie-hellman-group-exchange-sha256
  # Host-specific fallback: the SHA-1 KEX methods are offered only to
  # github.com, the global '*' entry above stays strict.
  'KexAlgorithms github.com':
    key: KexAlgorithms
    host: github.com
    value:
      - curve25519-sha256@libssh.org
      - diffie-hellman-group-exchange-sha256
      - diffie-hellman-group-exchange-sha1
      - diffie-hellman-group14-sha1
  Ciphers:
    host: '*'
    value:
      - chacha20-poly1305@openssh.com
      - aes256-gcm@openssh.com
      - aes128-gcm@openssh.com
      - aes256-ctr
      - aes192-ctr
      - aes128-ctr
  # NOTE(review): no `host` given here, unlike Ciphers above - confirm the
  # ssh_config provider defaults the host pattern to '*'.
  MACs:
    value:
      - hmac-sha2-512-etm@openssh.com
      - hmac-sha2-256-etm@openssh.com
      - hmac-ripemd160-etm@openssh.com
      - umac-128-etm@openssh.com
      - hmac-sha2-512
      - hmac-sha2-256
      - hmac-ripemd160
      - umac-128@openssh.com
# partial implementation of https://stribika.github.io/2015/01/04/secure-secure-shell.html
# This needs https://github.com/hercules-team/augeasproviders_ssh
# Not the complete file, partial extract for @yesthattom
# per https://twitter.com/yesthattom/status/553332797814095872
class base::ssh(
  $ssh_config = hiera_hash('base::ssh::ssh_config', {}),
  $ssh_authorized_keys = hiera_hash('base::ssh::ssh_authorized_keys', {}),
) {
  # Client-side SSH configuration. Both the authorized keys and the
  # ssh_config entries are read from Hiera (see the parameter defaults).
  #
  # $ssh_authorized_keys maps a local account name to a hash of
  # ssh_authorized_key resources; every one of them is created for that
  # account with ensure => present.
  $ssh_authorized_keys.each |$user, $user_keys| {
    $key_defaults = {
      ensure => present,
      user   => $user,
    }
    create_resources(ssh_authorized_key, $user_keys, $key_defaults)
  }

  # ssh_config entries (title, host, key, value) come straight from Hiera;
  # the augeasproviders_ssh ssh_config type writes them out.
  $ssh_config_default = {
    ensure => present,
  }
  create_resources(ssh_config, $ssh_config, $ssh_config_default)

  # Ensure a global "Host *" block exists and switch off known_hosts hashing
  # inside it. NOTE(review): HashKnownHosts no leaves host names readable in
  # ~/.ssh/known_hosts - a convenience trade-off rather than a hardening step;
  # confirm it is intended.
  augeas { 'ssh_config':
    incl    => '/etc/ssh/ssh_config',
    lens    => 'Ssh.lns',
    changes => [
      # The defnode/$var form needs Augeas >= 1.1.0, which Ubuntu 12.04 does
      # not ship, hence the explicit path on every line.
      #'defnode hoststar Host[.="*"]',
      #'set $hoststar ...',
      'set Host[.="*"] "*"',
      'set Host[.="*"]/HashKnownHosts no',
    ],
  }
}
# vim: set ft=puppet si sts=2 et tw=80 sw=2:
# partial implementation of https://stribika.github.io/2015/01/04/secure-secure-shell.html
# This needs https://github.com/hercules-team/augeasproviders_ssh
# Not the complete file, partial extract for @yesthattom
# per https://twitter.com/yesthattom/status/553332797814095872
# Still missing: HostKey and module changes
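class base::sshd(
  $sshd_config = hiera_hash('base::sshd::sshd_config', {}),
) {
  # Server-side SSH configuration: package, service and sshd_config entries.
  # The entries themselves come from Hiera; this class supplies the defaults
  # and wires every entry to a service restart.

  # Distribution-specific package and service names. Both selectors match
  # $::osfamily the same way (regex) so they cannot drift apart.
  $pkg_ssh = $::osfamily ? {
    /Debian/ => ['openssh-server'],
    /RedHat/ => ['openssh-server'],
    /Gentoo/ => ['openssh'],
    default  => ['openssh'],
  }
  $service_name_ssh = $::osfamily ? {
    /Debian/ => 'ssh',
    /Gentoo/ => 'sshd',
    default  => 'sshd',
  }

  # The Package resource is expected to be declared virtually elsewhere;
  # realize() only materialises it here.
  realize(Package[$pkg_ssh])

  service { 'sshd':
    ensure    => running,
    name      => $service_name_ssh,
    enable    => true,
    # Restart the daemon when the package is (re)installed or upgraded.
    subscribe => Package[$pkg_ssh],
  }

  # Every sshd_config entry restarts sshd through notify. An algorithm name
  # the installed sshd does not recognise in Ciphers/MACs/KexAlgorithms makes
  # that restart fail, so validate new Hiera data with `sshd -t` first.
  $sshd_config_default = {
    ensure => present,
    notify => Service['sshd'],
  }
  create_resources(sshd_config, $sshd_config, $sshd_config_default)
}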
# vim: set ft=puppet si sts=2 et tw=80 sw=2: