From 777fe1aef619f573c93fdadb01fe00ed4b96ab78 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 2 Jun 2024 13:07:19 +1000
Subject: [PATCH] feat: manage ssh server
- add ssh module
- include the ssh::server class
- manage sshd settings
---
Puppetfile | 1 +
hieradata/common.yaml | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/Puppetfile b/Puppetfile
index f29fb47..af166ab 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -39,6 +39,7 @@ mod 'puppet-extlib', '7.0.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
 mod 'saz-sudo', '8.0.0'
+mod 'saz-ssh', '12.1.0'
 mod 'ghoneycutt-timezone', '4.0.0'
 mod 'dalen-puppetdbquery', '3.0.1'
 mod 'markt-galera', '3.1.0'
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index eda0ea1..20315bf 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -113,6 +113,7 @@ facts_path: '/opt/puppetlabs/facter/facts.d'
 hiera_classes:
 - timezone
+ - ssh::server
 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'
@@ -215,6 +216,34 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
+ssh::server::options:
+ Protocol: '2'
+ ListenAddress:
+ - '127.0.0.1'
+ - '%{facts.networking.ip}'
+ SyslogFacility: 'AUTHPRIV'
+ HostKey:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+ HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
+ AuthorizedKeysFile: .ssh/authorized_keys
+ PermitRootLogin: no
+ PasswordAuthentication: no
+ ChallengeResponseAuthentication: no
+ PubkeyAuthentication: yes
+ GSSAPIAuthentication: yes
+ GSSAPICleanupCredentials: yes
+ UsePAM: yes
+ X11Forwarding: no
+ PrintMotd: no
+ AcceptEnv:
+ - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ - LC_IDENTIFICATION LC_ALL LANGUAGE
+ - XMODIFIERS
+ Subsystem: sftp /usr/libexec/openssh/sftp-server
+
 profiles::base::groups::local:
 admins:
 ensure: present
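Review bot: The yes/no values under ssh::server::options, from PermitRootLogin down to PrintMotd, are unquoted, so Hiera's YAML 1.1 loader reads them as Ruby booleans rather than the literal strings sshd_config expects; whether the saz-ssh template turns true/false back into yes/no is not visible in this change, so the rendered config may end up with values sshd rejects. Quoting them, e.g. `PermitRootLogin: 'no'`, `PasswordAuthentication: 'no'`, `PubkeyAuthentication: 'yes'`, and the same for the other seven flag keys, matches the quoting already used for `Protocol: '2'` and `SyslogFacility: 'AUTHPRIV'` and removes the ambiguity. The hardening choices themselves (root login, password and challenge-response authentication disabled, X11 forwarding off, only 127.0.0.1 and the node's own address listened on) look sound. The Subsystem path /usr/libexec/openssh/sftp-server is the RHEL-family location; if any node that reads common.yaml runs a Debian derivative it would presumably need an OS-specific override at a more specific hierarchy level.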