unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: manage ssh known hosts

Browse Source 
- disable use of stored configs for ssh-known-hosts
- manage the /etc/ssh/ssh_known_hosts content
This commit is contained in:
Ben Vincent 2024-06-09 19:40:44 +10:00
parent 777fe1aef6
commit 52b06dcd8e
4 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hieradata/common.yaml
View File

@ -216,6 +216,7 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true prometheus::node_exporter::export_scrape_job: true
prometheus::systemd_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
ssh::server::options: ssh::server::options:
Protocol: '2' Protocol: '2'
ListenAddress: ListenAddress:
@ -244,6 +245,9 @@ ssh::server::options:
- XMODIFIERS - XMODIFIERS
Subsystem: sftp /usr/libexec/openssh/sftp-server Subsystem: sftp /usr/libexec/openssh/sftp-server
profiles::ssh::knownhosts::lines:
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
profiles::base::groups::local: profiles::base::groups::local:
admins: admins:
ensure: present ensure: present

1
site/profiles/manifests/base.pp
View File

@ -33,6 +33,7 @@ class profiles::base (
include profiles::dns::base include profiles::dns::base
include profiles::pki::vault include profiles::pki::vault
include profiles::ssh::sign include profiles::ssh::sign
include profiles::ssh::knownhosts
include profiles::cloudinit::init include profiles::cloudinit::init
include profiles::metrics::default include profiles::metrics::default
include profiles::helpers::node_lookup include profiles::helpers::node_lookup

12
site/profiles/manifests/ssh/knownhosts.pp Normal file
View File

@ -0,0 +1,12 @@
# manage known hosts
class profiles::ssh::knownhosts (
Array $lines = [],
) {
file {'/etc/ssh/ssh_known_hosts':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0644',
content => template('profiles/ssh/ssh_known_hosts.erb'),
}
}

4
site/profiles/templates/ssh/ssh_known_hosts.erb Normal file
View File

@ -0,0 +1,4 @@
# this file is managed by puppet
<% @lines.each do |line| -%>
<%= line %>
<% end -%>