Puppetfile

@@ -39,6 +39,7 @@ mod 'puppet-extlib', '7.0.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
 mod 'saz-sudo', '8.0.0'
+mod 'saz-ssh', '12.1.0'
 mod 'ghoneycutt-timezone', '4.0.0'
 mod 'dalen-puppetdbquery', '3.0.1'
 mod 'markt-galera', '3.1.0'

hieradata/common.yaml

@@ -113,6 +113,7 @@ facts_path: '/opt/puppetlabs/facter/facts.d'
 
 hiera_classes:
   - timezone
+  - ssh::server
 
 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'
@@ -215,6 +216,34 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
 
+ssh::server::options:
+  Protocol: '2'
+  ListenAddress:
+    - '127.0.0.1'
+    - '%{facts.networking.ip}'
+  SyslogFacility: 'AUTHPRIV'
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
+  AuthorizedKeysFile: .ssh/authorized_keys
+  PermitRootLogin: no
+  PasswordAuthentication: no
+  ChallengeResponseAuthentication: no
+  PubkeyAuthentication: yes
+  GSSAPIAuthentication: yes
+  GSSAPICleanupCredentials: yes
+  UsePAM: yes
+  X11Forwarding: no
+  PrintMotd: no
+  AcceptEnv:
+    - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+    - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+    - LC_IDENTIFICATION LC_ALL LANGUAGE
+    - XMODIFIERS
+  Subsystem: sftp /usr/libexec/openssh/sftp-server
+
 profiles::base::groups::local:
   admins:
     ensure: present