2024-06-09 20:39:46 +10:00
2 changed files with 30 additions and 0 deletions
--- a/1
+++ b/1
@ -39,6 +39,7 @@ mod 'puppet-extlib', '7.0.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
 mod 'saz-sudo', '8.0.0'
+mod 'saz-ssh', '12.1.0'
 mod 'ghoneycutt-timezone', '4.0.0'
 mod 'dalen-puppetdbquery', '3.0.1'
 mod 'markt-galera', '3.1.0'
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -113,6 +113,7 @@ facts_path: '/opt/puppetlabs/facter/facts.d'

 hiera_classes:
  - timezone
+  - ssh::server

 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'
@ -215,6 +216,34 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true

+ssh::server::options:
+  Protocol: '2'
+  ListenAddress:
+    - '127.0.0.1'
+    - '%{facts.networking.ip}'
+  SyslogFacility: 'AUTHPRIV'
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PermitRootLogin: no
+  PasswordAuthentication: no
+  ChallengeResponseAuthentication: no
+  PubkeyAuthentication: yes
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: yes
+  UsePAM: yes
+  X11Forwarding: no
+  PrintMotd: no
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: sftp /usr/libexec/openssh/sftp-server
+
 profiles::base::groups::local:
  admins:
    ensure: present