Merge build 39 into master

Auto-merge for build 34

See merge request puppet/confdroid_ssh!34

.gitignore

@@ -2,4 +2,5 @@
 Gemfile.lock
 FileList
 .scannerwork
-.vscode
+.vscode
+.puppet-lint.rc

Jenkinsfile

@@ -0,0 +1,130 @@
+pipeline {
+    agent {
+      label 'puppet'
+    }
+
+    post {
+        always {
+            deleteDir() /* clean up our workspace */
+        }
+        success {
+            updateGitlabCommitStatus state: 'success'
+        }
+        failure {
+            updateGitlabCommitStatus state: 'failed'
+            step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
+        }
+    }
+
+    options {
+          gitLabConnection('gitlab.confdroid.com')
+    }
+
+    stages {
+
+      stage('pull master') {
+        steps {
+          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                git fetch origin
+              source_branch="${gitlabSourceBranch:-${BRANCH_NAME:-${GIT_LOCAL_BRANCH:-$GIT_BRANCH}}}"
+              source_branch="${source_branch#origin/}"
+              source_branch="${source_branch#refs/heads/}"
+              if [ -z "$source_branch" ]; then
+                source_branch="development"
+              fi
+              echo "Using source branch: $source_branch"
+              # Create an isolated build branch from the triggering branch revision.
+              git checkout -B jenkins-build-$BUILD_NUMBER "origin/$source_branch"
+                # Merge the current master into the build branch before validation.
+                git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
+            '''
+        }
+      }
+    }
+
+      stage('puppet parser') {
+        steps {
+          sh '''for file in $(find . -iname \'*.pp\'); do
+            /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
+            done;'''
+          }
+        }
+
+      stage('check templates') {
+        steps{
+          sh '''for file in $(find . -iname \'*.erb\');
+            do erb -P -x -T "-" $file | ruby -c || exit 1;
+            done;'''
+        }
+      }
+
+      stage('puppet-lint') {
+        steps {
+          sh '''/usr/local/bin/puppet-lint . \\
+                --no-variable_scope-check \\
+                || { echo "Puppet lint failed"; exit 1; }
+            '''
+          }
+        }
+
+      stage('SonarScan') {
+         steps {
+            withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
+              sh '''
+              /opt/sonar-scanner/bin/sonar-scanner \
+                -Dsonar.projectKey=confdroid_ssh \
+                -Dsonar.sources=. \
+                -Dsonar.host.url=https://sonarqube.confdroid.com \
+                -Dsonar.token=$SONAR_TOKEN
+                '''
+              }
+            }
+          }
+
+      stage('create Puppet documentation') {
+        steps {
+          sh '/opt/puppetlabs/bin/puppet strings'
+        }
+      }
+
+      stage('update repo') {
+        steps {
+          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
+                git fetch origin
+                git checkout -B master origin/master
+                git merge --no-ff jenkins-build-$BUILD_NUMBER -m "Merge build $BUILD_NUMBER into master"
+                git push origin master
+            '''
+        }
+      }
+    }
+      stage('Mirror to Gitea') {
+        steps {
+          withCredentials([usernamePassword(
+            credentialsId: 'Jenkins-gitea',
+            usernameVariable: 'GITEA_USER',
+            passwordVariable: 'GITEA_TOKEN')]) {
+            script {
+                sh '''
+                  git fetch origin
+                  git checkout master
+                  git reset --hard origin/master
+                  git remote get-url master >/dev/null 2>&1 \
+                    && git remote set-url master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git \
+                    || git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
+                  git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
+                  push --force master refs/heads/master:refs/heads/master
+                  '''
+          }
+        }
+      }
+    }
+  }
+}

README.md

@@ -7,6 +7,7 @@
   - [Synopsis](#synopsis)
   - [WARNING](#warning)
   - [Features](#features)
+  - [Adding custom configurations](#adding-custom-configurations)
   - [Support](#support)
   - [Parameter Inheritance](#parameter-inheritance)
   - [Module Deployment](#module-deployment)
@@ -25,11 +26,34 @@
 ## Features
 
 - install required binaries
-- manage local custom configuration based on parameters, overriding the defaults
-- manage selinux rules
+- manage required files and directories including selinux context
 - manage service
 - (optional) manage firewall
-  
+
+## Adding custom configurations
+
+Custom configuration files live in  `/etc/ssh/sshd_config.d/`. IN order to create a custom config file, add a stanza like this in your control repo:
+
+```puppet
+confdroid_ssh::custom::custom_config { '30-my-custom-rule':
+  config_name    => '30-custom-rule',
+  config_content => ['PasswordAuthentication no'],
+}
+```
+
+This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:
+
+```puppet
+###############################################################################
+##### DO NOT EDIT THIS FILE MANUALLY                                          #
+##### This file is managed by Puppet. Any changes to this file will be        #
+##### overwritten. Update the Puppet define input instead.                    #
+###############################################################################
+PasswordAuthentication no
+```
+
+Note that the value for config_content **has to be an array**, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.
+
 ## Support
 
 - Rocky 9 (Any RHEL 9 based OS should work but has not been tested)
@@ -41,7 +65,7 @@ All parameters are listed in `params.pp` and inherited from there.  Variable par
 
 ## Module Deployment
 
-ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
+Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
 
 ## Tests
 

doc/_index.html

@@ -122,6 +122,30 @@
 
 
 
+<h2>Defined Type Listing A-Z</h2>
+
+  
+<table>
+  <tr>
+    <td valign='top' width="33%">
+  
+    
+      <ul id="alpha_C" class="alpha">
+        <li class="letter">C</li>
+          <ul>
+    
+            <li>
+      <span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
+      
+            </li>
+    
+      </ul>
+    </ul>
+  
+    </td>
+  </tr>
+</table>
+
 
 
 

doc/file.README.html

@@ -70,6 +70,8 @@
 </li><li>
 <p><a href="#features">Features</a></p>
 </li><li>
+<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
+</li><li>
 <p><a href="#support">Support</a></p>
 </li><li>
 <p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -97,15 +99,35 @@
 <ul><li>
 <p>install required binaries</p>
 </li><li>
-<p>manage local custom configuration based on parameters, overriding the defaults</p>
-</li><li>
-<p>manage selinux rules</p>
+<p>manage required files and directories including selinux context</p>
 </li><li>
 <p>manage service</p>
 </li><li>
 <p>(optional) manage firewall</p>
 </li></ul>
 
+<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
+
+<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
+
+<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
+  config_name    =&gt; &#39;30-custom-rule&#39;,
+  config_content =&gt; [&#39;PasswordAuthentication no&#39;],
+}
+</code></pre>
+
+<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
+
+<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
+</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY                                          #
+</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be        #
+</span><span class='comment'>##### overwritten. Update the Puppet define input instead.                    #
+</span><span class='comment'>###############################################################################
+</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
+</code></pre>
+
+<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
+
 <h2 id="label-Support">Support</h2>
 <ul><li>
 <p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -119,7 +141,7 @@
 
 <h2 id="label-Module+Deployment">Module Deployment</h2>
 
-<p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
+<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
 
 <h2 id="label-Tests">Tests</h2>
 <ul><li>

doc/index.html

@@ -70,6 +70,8 @@
 </li><li>
 <p><a href="#features">Features</a></p>
 </li><li>
+<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
+</li><li>
 <p><a href="#support">Support</a></p>
 </li><li>
 <p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -97,15 +99,35 @@
 <ul><li>
 <p>install required binaries</p>
 </li><li>
-<p>manage local custom configuration based on parameters, overriding the defaults</p>
-</li><li>
-<p>manage selinux rules</p>
+<p>manage required files and directories including selinux context</p>
 </li><li>
 <p>manage service</p>
 </li><li>
 <p>(optional) manage firewall</p>
 </li></ul>
 
+<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
+
+<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
+
+<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
+  config_name    =&gt; &#39;30-custom-rule&#39;,
+  config_content =&gt; [&#39;PasswordAuthentication no&#39;],
+}
+</code></pre>
+
+<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
+
+<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
+</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY                                          #
+</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be        #
+</span><span class='comment'>##### overwritten. Update the Puppet define input instead.                    #
+</span><span class='comment'>###############################################################################
+</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
+</code></pre>
+
+<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
+
 <h2 id="label-Support">Support</h2>
 <ul><li>
 <p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -119,7 +141,7 @@
 
 <h2 id="label-Module+Deployment">Module Deployment</h2>
 
-<p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
+<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
 
 <h2 id="label-Tests">Tests</h2>
 <ul><li>

doc/puppet_class_list.html

@@ -28,6 +28,10 @@
               Puppet Classes
             </a></span>
           
+            <span><a target="_self" href="puppet_defined_type_list.html">
+              Defined Types
+            </a></span>
+          
         </div>
 
         <div id="search">Search: <input type="text" /></div>

doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html

@@ -141,7 +141,7 @@ class confdroid_ssh::main::dirs (
     path     => $ssh_etc_path,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,
@@ -152,7 +152,7 @@ class confdroid_ssh::main::dirs (
     ensure   => directory,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,

doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Afiles.html

@@ -118,30 +118,7 @@
 20
 21
 22
-23
-24
-25
-26
-27
-28
-29
-30
-31
-32
-33
-34
-35
-36
-37
-38
-39
-40
-41
-42
-43
-44
-45
-46</pre>
+23</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -163,29 +140,6 @@ class confdroid_ssh::main::files (
     content  =&gt; template($sshd_config_erb),
     notify   =&gt; Service[$sshd_service],
   }
-
-  if $ssh_manage_config {
-    file { $sshd_custom_conf:
-      ensure   =&gt; file,
-      path     =&gt; $sshd_custom_conf,
-      owner    =&gt; $sshd_user,
-      group    =&gt; $sshd_user,
-      mode     =&gt; &#39;0640&#39;,
-      selrange =&gt; s0,
-      selrole  =&gt; object_r,
-      seltype  =&gt; etc_t,
-      seluser  =&gt; system_u,
-      content  =&gt; template($sshd_custom_erb),
-      notify   =&gt; Service[$sshd_service],
-    }
-    # we want the default root login setting to be managed by the custom conf, 
-    # so we remove the default file if it exists
-    file { $sshd_root_login_file:
-      ensure =&gt; absent,
-      path   =&gt; $sshd_root_login_file,
-      notify =&gt; Service[$sshd_service],
-    }
-  }
 }</pre>
       </td>
     </tr>

doc/puppet_classes/confdroid_ssh_3A_3Aparams.html

@@ -214,312 +214,6 @@
         —
         <div class='inline'>
 <p>source range for firewall rule</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_manage_config</span>
-      
-      
-        <span class='type'>(<tt>Boolean</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>true</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>whether to manage the configuration</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_address_family</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;any&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>AddressFamily setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_listen_address</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;0.0.0.0&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>ListenAddress setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_root_login</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;prohibit-password&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>PermitRootLogin setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_strict_modes</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>StrictModes setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_max_auth_tries</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;6&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>MaxAuthTries setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_max_sessions</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;10&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>MaxSessions setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_pubkey_auth</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>PubkeyAuthentication setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_auth_key_files</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;.ssh/authorized_keys&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>AuthorizedKeysFile setting for sshd_config</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_authorized_principals_file</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>AuthorizedPrincipalsFile setting for sshd_config. Default is ‘none’ to disable this setting.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_authorized_keys_command</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>AuthorizedKeysCommand setting for sshd_config. Default is ‘none’ to disable this setting.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_authorized_keys_command_user</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;nobody&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>AuthorizedKeysCommandUser setting for sshd_config. Default is ‘nobody’ to use an unpriviledged user.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_use_specific_hostkey</span>
-      
-      
-        <span class='type'>(<tt>Boolean</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>false</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>whether to use a specific host key</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_hostkey_type</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;rsa&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>type of host key to use if ssh_use_specific_hostkey is true</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_rekeylimit</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;default none&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>RekeyLimit setting for sshd_config. Default is ‘default none’.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_syslog_facility</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;AUTH&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>SyslogFacility setting for sshd_config. Default is ‘AUTH’.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ssh_log_level</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;INFO&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>LogLevel setting for sshd_config. Default is ‘INFO’.</p>
 </div>
       
     </li>
@@ -535,60 +229,39 @@
         <pre class="lines">
 
 
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
 37
 38
 39
 40
 41
-42
-43
-44
-45
-46
-47
-48
-49
-50
-51
-52
-53
-54
-55
-56
-57
-58
-59
-60
-61
-62
-63
-64
-65
-66
-67
-68
-69
-70
-71
-72
-73
-74
-75
-76
-77
-78
-79
-80
-81
-82
-83
-84
-85
-86
-87</pre>
+42</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 37</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 13</span>
 
 class confdroid_ssh::params (
 
@@ -601,25 +274,6 @@ class confdroid_ssh::params (
   String $ssh_fw_order                      = &#39;50&#39;,
   String $ssh_source_range                  = &#39;0.0.0.0/0&#39;,
 
-  # sshd configuration 
-  Boolean $ssh_manage_config                = true,
-  String  $ssh_address_family               = &#39;any&#39;,
-  String  $ssh_listen_address               = &#39;0.0.0.0&#39;,
-  String  $ssh_root_login                   = &#39;prohibit-password&#39;,
-  String  $ssh_strict_modes                 = &#39;yes&#39;,
-  String  $ssh_max_auth_tries               = &#39;6&#39;,
-  String  $ssh_max_sessions                 = &#39;10&#39;,
-  String  $ssh_pubkey_auth                  = &#39;yes&#39;,
-  String  $ssh_auth_key_files               = &#39;.ssh/authorized_keys&#39;,
-  String  $ssh_authorized_principals_file   = &#39;none&#39;,
-  String  $ssh_authorized_keys_command      = &#39;none&#39;,
-  String  $ssh_authorized_keys_command_user = &#39;nobody&#39;,
-  Boolean $ssh_use_specific_hostkey         = false,
-  String  $ssh_hostkey_type                 = &#39;rsa&#39;,
-  String  $ssh_rekeylimit                   = &#39;default none&#39;,
-  String  $ssh_syslog_facility              = &#39;AUTH&#39;,
-  String  $ssh_log_level                    = &#39;INFO&#39;
-
 ) {
 # default facts
   $fqdn                     = $facts[&#39;networking&#39;][&#39;fqdn&#39;]
@@ -633,8 +287,6 @@ class confdroid_ssh::params (
   $sshd_service             = &#39;sshd&#39;
   $sshd_config_path         = &quot;${ssh_etc_path}/sshd_config&quot;
   $sshd_custom_path         = &quot;${ssh_etc_path}/sshd_config.d&quot;
-  $sshd_custom_conf         = &quot;${sshd_custom_path}/10-custom.conf&quot;
-  $sshd_custom_erb          = &#39;confdroid_ssh/sshd_custom_conf.erb&#39;
   $sshd_config_erb          = &#39;confdroid_ssh/sshd_config.erb&#39;
   $sshd_root_login_file     = &quot;${sshd_custom_path}/01-permitrootlogin.conf&quot;
 

doc/puppet_defined_type_list.html

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta charset="utf-8" />
+    
+      <link rel="stylesheet" href="css/full_list.css" type="text/css" media="screen" />
+    
+      <link rel="stylesheet" href="css/common.css" type="text/css" media="screen" />
+    
+
+    
+      <script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
+    
+      <script type="text/javascript" charset="utf-8" src="js/full_list.js"></script>
+    
+
+    <title>Defined Type List</title>
+    <base id="base_target" target="_parent" />
+  </head>
+  <body>
+    <div id="content">
+      <div class="fixed_header">
+        <h1 id="full_list_header">Defined Type List</h1>
+        <div id="full_list_nav">
+          
+            <span><a target="_self" href="puppet_class_list.html">
+              Puppet Classes
+            </a></span>
+          
+            <span><a target="_self" href="puppet_defined_type_list.html">
+              Defined Types
+            </a></span>
+          
+        </div>
+
+        <div id="search">Search: <input type="text" /></div>
+      </div>
+
+      <ul id="full_list" class="puppet_defined_type">
+        
+
+    <li id="object_puppet_defined_types::confdroid_ssh::custom::custom_config" class="odd">
+      <div class="item">
+        <span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
+      </div>
+    </li>
+    
+
+
+      </ul>
+    </div>
+  </body>
+</html>

doc/puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html

@@ -0,0 +1,209 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>
+  Defined Type: confdroid_ssh::custom::custom_config
+  
+    &mdash; Documentation by YARD 0.9.36
+  
+</title>
+
+  <link rel="stylesheet" href="../css/style.css" type="text/css" />
+
+  <link rel="stylesheet" href="../css/common.css" type="text/css" />
+
+<script type="text/javascript">
+  pathId = "puppet_defined_types::confdroid_ssh::custom::custom_config";
+  relpath = '../';
+</script>
+
+
+  <script type="text/javascript" charset="utf-8" src="../js/jquery.js"></script>
+
+  <script type="text/javascript" charset="utf-8" src="../js/app.js"></script>
+
+
+  </head>
+  <body>
+    <div class="nav_wrap">
+      <iframe id="nav" src="../puppet_defined_type_list.html?1"></iframe>
+      <div id="resizer"></div>
+    </div>
+
+    <div id="main" tabindex="-1">
+      <div id="header">
+        <div id="menu">
+  
+    <a href="../_index.html">Index (c)</a> &raquo;
+    <span class='title'><span class='object_link'>Defined Types</span></span>
+     &raquo; 
+    <span class="title">confdroid_ssh::custom::custom_config</span>
+  
+</div>
+
+        <div id="search">
+  
+    <a class="full_list_link" id="puppet_class_list_link"
+        href="../puppet_class_list.html">
+
+        <svg width="24" height="24">
+          <rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
+          <rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
+          <rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
+        </svg>
+    </a>
+  
+</div>
+        <div class="clear"></div>
+      </div>
+
+      <div id="content"><h1>Defined Type: confdroid_ssh::custom::custom_config</h1>
+<div class="box_info">
+  <dl>
+    <dt>Defined in:</dt>
+    <dd>
+      manifests/custom/custom_config.pp
+    </dd>
+  </dl>
+</div>
+
+  <h2>Summary</h2>
+  Class manages custom configurations for SSH
+
+<h2>Overview</h2>
+<div class="docstring">
+  <div class="discussion">
+    
+<p>confdroid_ssh::custom::custom_config.pp Module name: confdroid_ssh Author: 12ww1160 (12ww1160@confdroid.com)  } this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content:  PasswordAuthentication no and notify the sshd service to reload the configuration</p>
+
+  </div>
+</div>
+
+
+
+<div class="tags">
+  
+  <div class="examples">
+    <p class="tag_title">Examples:</p>
+    
+      
+      <pre class="example code"><code>confdroid_ssh::custom::custom_config { &#39;50-test&#39;:
+ config_name    =&gt; &#39;50-test&#39;,
+ config_content =&gt; [&#39;PasswordAuthentication no&#39;],</code></pre>
+    
+  </div>
+<p class="tag_title">Parameters:</p>
+<ul class="param">
+  
+    <li>
+      
+        <span class='name'>config_name</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>name of the custom configuration file (without .conf extension)</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>config_content</span>
+      
+      
+        <span class='type'>(<tt>Array[String]</tt>)</span>
+      
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>array of configuration lines to include in the custom config</p>
+</div>
+      
+    </li>
+  
+</ul>
+
+
+
+</div><div class="method_details_list">
+  <table class="source_code">
+    <tr>
+      <td>
+        <pre class="lines">
+
+
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41</pre>
+      </td>
+      <td>
+        <pre class="code"><span class="info file"># File 'manifests/custom/custom_config.pp', line 17</span>
+
+define confdroid_ssh::custom::custom_config (
+
+  String $config_name,
+  Array[String] $config_content,
+
+) {
+  $sshd_custom_path  = $confdroid_ssh::params::sshd_custom_path
+  $sshd_service      = $confdroid_ssh::params::sshd_service
+  $custom_config_erb = &#39;confdroid_ssh/custom_config.erb&#39;
+  $config_basename   = regsubst($config_name, &#39;\\.conf$&#39;, &#39;&#39;)
+  $config_file       = &quot;${config_name}.conf&quot;
+
+  file { &quot;${sshd_custom_path}/${config_file}&quot;:
+    ensure   =&gt; file,
+    owner    =&gt; &#39;root&#39;,
+    group    =&gt; &#39;root&#39;,
+    mode     =&gt; &#39;0600&#39;,
+    selrange =&gt; s0,
+    selrole  =&gt; object_r,
+    seltype  =&gt; etc_t,
+    seluser  =&gt; system_u,
+    content  =&gt; template($custom_config_erb),
+    notify   =&gt; Service[$sshd_service],
+  }
+}</pre>
+      </td>
+    </tr>
+  </table>
+</div>
+</div>
+
+      <div id="footer">
+     Generated by <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>.
+</div>
+
+    </div>
+  </body>
+</html>

manifests/custom/custom_config.pp

@@ -0,0 +1,41 @@
+## confdroid_ssh::custom::custom_config.pp
+# Module name: confdroid_ssh
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages custom configurations for SSH
+# @param [String] config_name name of the custom configuration file 
+#   (without .conf extension)
+# @param [Array[String]] config_content array of configuration lines to 
+#   include in the custom config
+# @example
+#   confdroid_ssh::custom::custom_config { '50-test':
+#    config_name    => '50-test',
+#    config_content => ['PasswordAuthentication no'],
+#  }
+# this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content:
+#   PasswordAuthentication no and notify the sshd service to reload the configuration
+##############################################################################
+define confdroid_ssh::custom::custom_config (
+
+  String $config_name,
+  Array[String] $config_content,
+
+) {
+  $sshd_custom_path  = $confdroid_ssh::params::sshd_custom_path
+  $sshd_service      = $confdroid_ssh::params::sshd_service
+  $custom_config_erb = 'confdroid_ssh/custom_config.erb'
+  $config_basename   = regsubst($config_name, '\\.conf$', '')
+  $config_file       = "${config_name}.conf"
+
+  file { "${sshd_custom_path}/${config_file}":
+    ensure   => file,
+    owner    => 'root',
+    group    => 'root',
+    mode     => '0600',
+    selrange => s0,
+    selrole  => object_r,
+    seltype  => etc_t,
+    seluser  => system_u,
+    content  => template($custom_config_erb),
+    notify   => Service[$sshd_service],
+  }
+}

manifests/main/dirs.pp

@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
     path     => $ssh_etc_path,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
     ensure   => directory,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,

manifests/main/files.pp

@@ -20,27 +20,4 @@ class confdroid_ssh::main::files (
     content  => template($sshd_config_erb),
     notify   => Service[$sshd_service],
   }
-
-  if $ssh_manage_config {
-    file { $sshd_custom_conf:
-      ensure   => file,
-      path     => $sshd_custom_conf,
-      owner    => $sshd_user,
-      group    => $sshd_user,
-      mode     => '0640',
-      selrange => s0,
-      selrole  => object_r,
-      seltype  => etc_t,
-      seluser  => system_u,
-      content  => template($sshd_custom_erb),
-      notify   => Service[$sshd_service],
-    }
-    # we want the default root login setting to be managed by the custom conf, 
-    # so we remove the default file if it exists
-    file { $sshd_root_login_file:
-      ensure => absent,
-      path   => $sshd_root_login_file,
-      notify => Service[$sshd_service],
-    }
-  }
 }

manifests/params.pp

@@ -9,31 +9,7 @@
 # @param [String] ssh_fw_port port to use for SSHD and in fw
 # @param [String] ssh_fw_order order of firewall rule
 # @param [String] ssh_source_range source range for firewall rule
-# @param [Boolean] ssh_manage_config whether to manage the configuration
-# @param [String] ssh_address_family AddressFamily setting for sshd_config
-# @param [String] ssh_listen_address ListenAddress setting for sshd_config
-# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
-# @param [String] ssh_strict_modes StrictModes setting for sshd_config
-# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
-# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
-# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
-# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
-# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile 
-#   setting for sshd_config. Default is 'none' to disable this setting.
-# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config. 
-#   Default is 'none' to disable this setting.
-# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
-#   Default is 'nobody' to use an unpriviledged user.
-# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
-# @param [String] ssh_hostkey_type type of host key to use if 
-#   ssh_use_specific_hostkey is true
-# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config. 
-#   Default is 'default none'.
-# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
-#   Default is 'AUTH'.
-# @param [String] ssh_log_level LogLevel setting for sshd_config.
-#   Default is 'INFO'.
-##############################################################################
+###############################################################################
 class confdroid_ssh::params (
 
   Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
@@ -45,25 +21,6 @@ class confdroid_ssh::params (
   String $ssh_fw_order                      = '50',
   String $ssh_source_range                  = '0.0.0.0/0',
 
-  # sshd configuration 
-  Boolean $ssh_manage_config                = true,
-  String  $ssh_address_family               = 'any',
-  String  $ssh_listen_address               = '0.0.0.0',
-  String  $ssh_root_login                   = 'prohibit-password',
-  String  $ssh_strict_modes                 = 'yes',
-  String  $ssh_max_auth_tries               = '6',
-  String  $ssh_max_sessions                 = '10',
-  String  $ssh_pubkey_auth                  = 'yes',
-  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
-  String  $ssh_authorized_principals_file   = 'none',
-  String  $ssh_authorized_keys_command      = 'none',
-  String  $ssh_authorized_keys_command_user = 'nobody',
-  Boolean $ssh_use_specific_hostkey         = false,
-  String  $ssh_hostkey_type                 = 'rsa',
-  String  $ssh_rekeylimit                   = 'default none',
-  String  $ssh_syslog_facility              = 'AUTH',
-  String  $ssh_log_level                    = 'INFO'
-
 ) {
 # default facts
   $fqdn                     = $facts['networking']['fqdn']
@@ -77,8 +34,6 @@ class confdroid_ssh::params (
   $sshd_service             = 'sshd'
   $sshd_config_path         = "${ssh_etc_path}/sshd_config"
   $sshd_custom_path         = "${ssh_etc_path}/sshd_config.d"
-  $sshd_custom_conf         = "${sshd_custom_path}/10-custom.conf"
-  $sshd_custom_erb          = 'confdroid_ssh/sshd_custom_conf.erb'
   $sshd_config_erb          = 'confdroid_ssh/sshd_config.erb'
   $sshd_root_login_file     = "${sshd_custom_path}/01-permitrootlogin.conf"
 

templates/custom_config.erb

@@ -0,0 +1,8 @@
+###############################################################################
+##### DO NOT EDIT THIS FILE MANUALLY                                          #
+##### This file is managed by Puppet. Any changes to this file will be        #
+##### overwritten. Update the Puppet define input instead.                    #
+###############################################################################
+<% @config_content.each do |config_line| -%>
+<%= config_line %>
+<% end -%>

templates/sshd_custom_conf.erb

@@ -1,31 +0,0 @@
-###############################################################################    
-##### DO NOT EDIT THIS FILE MANUALLY                                          #
-##### This file is managed by Puppet. Any changes to this file will be        #
-##### overwritten. The file is built via parameters, so any changes should    #
-##### be made in the Puppet manifest parameters.                              #
-###############################################################################
-
-Port <%= @ssh_fw_port %>
-AddressFamily <%= @ssh_address_family %>
-ListenAddress <%= @ssh_listen_address %> 
-
-PubkeyAuthentication <%= @ssh_pubkey_auth %>
-AuthorizedKeysFile	<%= @ssh_auth_key_files %>
-
-AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
-AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
-AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
-
-<% if @ssh_use_specific_hostkey -%>
-HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
-<% end -%>
-
-RekeyLimit <%= @ssh_rekeylimit %>
-
-SyslogFacility <%= @ssh_syslog_facility %>
-LogLevel <%= @ssh_log_level %>
-
-PermitRootLogin <%= @ssh_root_login %>
-StrictModes <%= @ssh_strict_modes %>
-MaxAuthTries <%= @ssh_max_auth_tries %>
-MaxSessions <%= @ssh_max_sessions %>