diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index ff0a9cd..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,129 +0,0 @@ -pipeline { - agent { - label 'puppet' - } - - post { - always { - deleteDir() /* clean up our workspace */ - } - success { - updateGitlabCommitStatus state: 'success' - } - failure { - updateGitlabCommitStatus state: 'failed' - step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true]) - } - } - - options { - gitLabConnection('gitlab.confdroid.com') - } - - stages { - - stage('pull master') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - # Ensure we're on the development branch (triggered by push) - git checkout development - # Create jenkins branch from development - git checkout -b jenkins-build-$BUILD_NUMBER - # Optionally merge master into jenkins to ensure compatibility - git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; } - ''' - } - } - } - - stage('puppet parser') { - steps { - sh '''for file in $(find . -iname \'*.pp\'); do - /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1; - done;''' - } - } - - stage('check templates') { - steps{ - sh '''for file in $(find . -iname \'*.erb\'); - do erb -P -x -T "-" $file | ruby -c || exit 1; - done;''' - } - } - - stage('puppet-lint') { - steps { - sh '''/usr/local/bin/puppet-lint . \\ - --no-variable_scope-check \\ - || { echo "Puppet lint failed"; exit 1; } - ''' - } - } - - stage('SonarScan') { - steps { - withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) { - sh ''' - /opt/sonar-scanner/bin/sonar-scanner \ - -Dsonar.projectKey=confdroid_ssh \ - -Dsonar.sources=. \ - -Dsonar.host.url=https://sonarqube.confdroid.com \ - -Dsonar.token=$SONAR_TOKEN - ''' - } - } - } - - stage('create Puppet documentation') { - steps { - sh '/opt/puppetlabs/bin/puppet strings' - } - } - - stage('update repo') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit" - git push -o merge_request.create \ - -o merge_request.target=master \ - -o merge_request.title="Auto-merge for build $BUILD_NUMBER" \ - -o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \ - -o merge_request.merge_when_pipeline_succeeds=true \ - origin jenkins-build-$BUILD_NUMBER - ''' - } - } - } - stage('Mirror to Gitea') { - steps { - withCredentials([usernamePassword( - credentialsId: 'Jenkins-gitea', - usernameVariable: 'GITEA_USER', - passwordVariable: 'GITEA_TOKEN')]) { - script { - // Checkout from GitLab (already done implicitly) - sh ''' - git checkout master - git pull origin master - git branch -D development - git branch -D jenkins-build-$BUILD_NUMBER - git rm -f Jenkinsfile - git rm -r --cached .vscode || echo "No .vscode to remove from git" - git commit --amend --no-edit --allow-empty - git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git - git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \ - push master --mirror - ''' - } - } - } - } - } -} \ No newline at end of file diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html index b92d607..ea0d346 100644 --- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html +++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html @@ -340,6 +340,132 @@ —

MaxSessions setting for sshd_config

+
+ + + +
  • + + ssh_pubkey_auth + + + (String) + + + (defaults to: 'yes') + + + — +
    +

    PubkeyAuthentication setting for sshd_config

    +
    + +
    • + +
  • + + ssh_auth_key_files + + + (String) + + + (defaults to: '.ssh/authorized_keys') + + + — +
    +

    AuthorizedKeysFile setting for sshd_config

    +
    + +
    • + +
  • + + ssh_authorized_principals_file + + + (String) + + + (defaults to: 'none') + + + — +
    +

    AuthorizedPrincipalsFile setting for sshd_config. Default is ‘none’ to disable this setting.

    +
    + +
    • + +
  • + + ssh_authorized_keys_command + + + (String) + + + (defaults to: 'none') + + + — +
    +

    AuthorizedKeysCommand setting for sshd_config. Default is ‘none’ to disable this setting.

    +
    + +
    • + +
  • + + ssh_authorized_keys_command_user + + + (String) + + + (defaults to: 'nobody') + + + — +
    +

    AuthorizedKeysCommandUser setting for sshd_config. Default is ‘nobody’ to use an unpriviledged user.

    +
    + +
    • + +
  • + + ssh_use_specific_hostkey + + + (Boolean) + + + (defaults to: false) + + + — +
    +

    whether to use a specific host key

    +
    + +
    • + +
  • + + ssh_hostkey_type + + + (String) + + + (defaults to: 'rsa') + + + — +
    +

    type of host key to use if ssh_use_specific_hostkey is true

    • @@ -355,17 +481,6 @@ 
     
 
-20
-21
-22
-23
-24
-25
-26
-27
-28
-29
-30
 31
 32
 33
@@ -395,30 +510,55 @@
 57
 58
 59
-60
    +60 +61 +62 +63 +64 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75 +76 +77 +78 - 
    # File 'manifests/params.pp', line 20
+        
    # File 'manifests/params.pp', line 31
 
 class confdroid_ssh::params (
 
-  Array $ssh_reqpackages      = ['openssh','openssh-clients','openssh-server'],
-  String $pkg_ensure          = 'present',
+  Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
+  String $pkg_ensure                        = 'present',
 
   # firewall settings
-  String $ssh_fw_rule         = 'present',
-  String $ssh_fw_port         = '22',
-  String $ssh_fw_order        = '50',
-  String $ssh_source_range    = '0.0.0.0/0',
+  String $ssh_fw_rule                       = 'present',
+  String $ssh_fw_port                       = '22',
+  String $ssh_fw_order                      = '50',
+  String $ssh_source_range                  = '0.0.0.0/0',
 
-  # main configuration 
-  Boolean $ssh_manage_config  = true,
-  String  $ssh_address_family = 'any',
-  String  $ssh_listen_address = '0.0.0.0',
-  String  $ssh_root_login     = 'prohibit-password',
-  String  $ssh_strict_modes   = 'yes',
-  String  $ssh_max_auth_tries = '6',
-  String  $ssh_max_sessions    = '10',
+  # sshd configuration 
+  Boolean $ssh_manage_config                = true,
+  String  $ssh_address_family               = 'any',
+  String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_root_login                   = 'prohibit-password',
+  String  $ssh_strict_modes                 = 'yes',
+  String  $ssh_max_auth_tries               = '6',
+  String  $ssh_max_sessions                 = '10',
+  String  $ssh_pubkey_auth                  = 'yes',
+  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
+  String  $ssh_authorized_principals_file   = 'none',
+  String  $ssh_authorized_keys_command      = 'none',
+  String  $ssh_authorized_keys_command_user = 'nobody',
+  Boolean $ssh_use_specific_hostkey         = false,
+  String  $ssh_hostkey_type                 = 'rsa',
 
 ) {
 # default facts
diff --git a/manifests/params.pp b/manifests/params.pp
index 456bd7d..9b29811 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,26 +16,44 @@
 # @param [String] ssh_strict_modes StrictModes setting for sshd_config
 # @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
 # @param [String] ssh_max_sessions MaxSessions setting for sshd_config
+# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
+# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
+# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile 
+#   setting for sshd_config. Default is 'none' to disable this setting.
+# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config. 
+#   Default is 'none' to disable this setting.
+# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
+#   Default is 'nobody' to use an unpriviledged user.
+# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
+# @param [String] ssh_hostkey_type type of host key to use if 
+#   ssh_use_specific_hostkey is true
 ##############################################################################
 class confdroid_ssh::params (
 
-  Array $ssh_reqpackages      = ['openssh','openssh-clients','openssh-server'],
-  String $pkg_ensure          = 'present',
+  Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
+  String $pkg_ensure                        = 'present',
 
   # firewall settings
-  String $ssh_fw_rule         = 'present',
-  String $ssh_fw_port         = '22',
-  String $ssh_fw_order        = '50',
-  String $ssh_source_range    = '0.0.0.0/0',
+  String $ssh_fw_rule                       = 'present',
+  String $ssh_fw_port                       = '22',
+  String $ssh_fw_order                      = '50',
+  String $ssh_source_range                  = '0.0.0.0/0',
 
-  # main configuration 
-  Boolean $ssh_manage_config  = true,
-  String  $ssh_address_family = 'any',
-  String  $ssh_listen_address = '0.0.0.0',
-  String  $ssh_root_login     = 'prohibit-password',
-  String  $ssh_strict_modes   = 'yes',
-  String  $ssh_max_auth_tries = '6',
-  String  $ssh_max_sessions    = '10',
+  # sshd configuration 
+  Boolean $ssh_manage_config                = true,
+  String  $ssh_address_family               = 'any',
+  String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_root_login                   = 'prohibit-password',
+  String  $ssh_strict_modes                 = 'yes',
+  String  $ssh_max_auth_tries               = '6',
+  String  $ssh_max_sessions                 = '10',
+  String  $ssh_pubkey_auth                  = 'yes',
+  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
+  String  $ssh_authorized_principals_file   = 'none',
+  String  $ssh_authorized_keys_command      = 'none',
+  String  $ssh_authorized_keys_command_user = 'nobody',
+  Boolean $ssh_use_specific_hostkey         = false,
+  String  $ssh_hostkey_type                 = 'rsa',
 
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 496026b..60c43bf 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -12,4 +12,15 @@ ListenAddress <%= @ssh_listen_address %>
 PermitRootLogin <%= @ssh_root_login %>
 StrictModes <%= @ssh_strict_modes %>
 MaxAuthTries <%= @ssh_max_auth_tries %>
-MaxSessions <%= @ssh_max_sessions %>
\ No newline at end of file
+MaxSessions <%= @ssh_max_sessions %>
+
+PubkeyAuthentication <%= @ssh_pubkey_auth %>
+AuthorizedKeysFile	<%= @ssh_auth_key_files %>
+
+AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
+AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
+AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
+
+<% if @ssh_use_specific_hostkey -%>
+HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
+<% end -%>
\ No newline at end of file