## confdroid_ssh::params.pp
# Module name: confdroid_ssh
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class contains all class parameters for confdroid_ssh
# @param [Array] ssh_reqpackages packages to install
# @param [String] pkg_ensure version to install: 'present' or 'latest'
# @param [String] ssh_fw_rule whether set the fw rule to 
#   present or absent.
# @param [String] ssh_fw_port port to use for SSHD and in fw
# @param [String] ssh_fw_order order of firewall rule
# @param [String] ssh_source_range source range for firewall rule
# @param [Boolean] ssh_manage_config whether to manage the configuration
# @param [String] ssh_address_family AddressFamily setting for sshd_config
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile 
#   setting for sshd_config. Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config. 
#   Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
#   Default is 'nobody' to use an unpriviledged user.
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
# @param [String] ssh_hostkey_type type of host key to use if 
#   ssh_use_specific_hostkey is true
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config. 
#   Default is 'default none'.
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
#   Default is 'AUTH'.
# @param [String] ssh_log_level LogLevel setting for sshd_config.
#   Default is 'INFO'.
# @param [String] ssh_password_authentication PasswordAuthentication setting 
#   for sshd_config. Default is 'no', which requires key-based authentication.
#   This is a recommended security setting, so passwords do not show up in logs, 
#   but can be set to 'yes' if password authentication is desired.
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting 
#   for sshd_config. Default is 'no', which is a recommended security setting 
#   and works  in connection with key-based authentication, but can be set 
#   to 'yes' if password authentication should be allowed and empty passwords 
#   should be allowed. Again, this should be used with caution if enabled.
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
#   Default is 'no', which is a recommended security setting together 
#   with password authentication, but can be set to 'yes' if 
#   keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
#   Default is 'no'. Kerberos authentication is not commonly used and 
#   requires a lot of other settings, so it is disabled by default, but can be 
#   set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
#   Default is 'no'. This setting is only relevant if Kerberos authentication is
#   enabled, and should be set to 'yes' if you want to allow local password
#   authentication as a fallback if Kerberos authentication fails, but can be
#   set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config. 
#   Default is 'no'. This setting is only relevant if Kerberos authentication 
#   is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
#   but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
#   Default is 'no'. This setting is only relevant if Kerberos authentication
#   is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
#   but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
#   Default is 'no'. This setting is only relevant if Kerberos authentication
#   is enabled, and should be set to 'yes' if you want to enable userok with 
#   Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
#   If true, the relevant Kerberos settings will be included in the sshd_config, 
#   otherwise they will be ignored. 
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
#   If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
#   will be disabled. GSSAPI authentication is not commonly used and requires
#   a lot of other settings, so it is disabled by default, but can be set to
#   true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
#   enabled, and should be set to 'yes' if you want to enable GSS authentication, 
#   but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
#   enabled, and should be set to 'yes' if you want to enable GSS credential 
#   cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
#   enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
#   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
#   commonly used for SSH authentication and can introduce security risks if 
#   not configured properly, so it is disabled by default. Thi setting is 
#   related to PasswordAuthentication and KbdInteractiveAuthentication, and 
#   should be set to 'yes' only if you want to use PAM for authentication 
#   together with those settings.
##############################################################################
class confdroid_ssh::params (

  Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
  String $pkg_ensure                        = 'present',

  # firewall settings
  String $ssh_fw_rule                       = 'present',
  String $ssh_fw_port                       = '22',
  String $ssh_fw_order                      = '50',
  String $ssh_source_range                  = '0.0.0.0/0',

  # sshd configuration 
  Boolean $ssh_manage_config                = true,
  String  $ssh_address_family               = 'any',
  String  $ssh_listen_address               = '0.0.0.0',
  String  $ssh_root_login                   = 'prohibit-password',
  String  $ssh_strict_modes                 = 'yes',
  String  $ssh_max_auth_tries               = '6',
  String  $ssh_max_sessions                 = '10',
  String  $ssh_pubkey_auth                  = 'yes',
  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
  String  $ssh_authorized_principals_file   = 'none',
  String  $ssh_authorized_keys_command      = 'none',
  String  $ssh_authorized_keys_command_user = 'nobody',
  Boolean $ssh_use_specific_hostkey         = false,
  String  $ssh_hostkey_type                 = 'rsa',
  String  $ssh_rekeylimit                   = 'default none',
  String  $ssh_syslog_facility              = 'AUTH',
  String  $ssh_log_level                    = 'INFO',
  String  $ssh_password_authentication      = 'no',
  String  $ssh_permit_empty_passwords       = 'no',
  String  $ssh_kbd_interactive_auth         = 'no',
  Boolean $ssh_use_kerberos                 = false,
  String  $ssh_kerberos_authentication      = 'yes',
  String  $ssh_kerberos_or_local_passwd     = 'yes',
  String  $ssh_kerberos_ticket_cleanup      = 'yes',
  String  $ssh_kerberos_get_afstoken        = 'no',
  String  $ssh_kerberos_use_kuserok         = 'yes',
  Boolean $ssh_use_gssapi                   = false,
  String  $ssh_gssapi_authentication        = 'yes',
  String  $ssh_gssapi_cleanup_credentials   = 'yes',
  String  $ssh_gssapi_key_exchange          = 'no',
  String  $ssh_gssapi_enablek5users         = 'no',
  String  $ssh_use_pam                      = 'no',

) {
# default facts
  $fqdn                     = $facts['networking']['fqdn']
  $hostname                 = $facts['networking']['hostname']
  $domain                   = $facts['networking']['domain']
  $os_name                  = $facts['os']['name']
  $os_release               = $facts['os']['release']['major']

  $sshd_user                = 'root'
  $ssh_etc_path             = '/etc/ssh'
  $sshd_service             = 'sshd'
  $sshd_config_path         = "${ssh_etc_path}/sshd_config"
  $sshd_custom_path         = "${ssh_etc_path}/sshd_config.d"
  $sshd_custom_conf         = "${sshd_custom_path}/10-custom.conf"
  $sshd_custom_erb          = 'confdroid_ssh/sshd_custom_conf.erb'
  $sshd_config_erb          = 'confdroid_ssh/sshd_config.erb'
  $sshd_root_login_file     = "${sshd_custom_path}/01-permitrootlogin.conf"

  # includes must be last
  include confdroid_ssh::main::config
}