From 50b667c8838935ee7757ba97f6f01b51a31743d7 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 11:35:15 +1000
Subject: [PATCH 1/9] refactor hostkeys to make it private

- moved parameters from hostkeys to server
- removed creation knownhosts from server class
---
 manifests/hostkeys.pp | 71 ++++++++++++------------------------------
 manifests/server.pp | 41 ++++++++++++++++++++++---
 2 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index 5839c1b8..a58591c7 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
@@ -1,74 +1,41 @@
 # @summary
-# This class manages hostkeys
+# This class manages hostkeys. It is intended to be called from `ssh::server`,
+# and directly accesses variables from there.
 #
-# @param export_ipaddresses
-# Whether ip addresses should be added as aliases
-#
-# @param storeconfigs_group
-# Tag hostkeys with this group to allow segregation
-#
-# @param extra_aliases
-# Additional aliases to set for host keys
-#
-# @param exclude_interfaces
-# List of interfaces to exclude
-#
-# @param exclude_interfaces_re
-# List of regular expressions to exclude interfaces
-#
-# @param exclude_ipaddresses
-# List of ip addresses to exclude
-#
-# @param use_trusted_facts
-# Whether to use trusted or normal facts
-#
-# @param tags
-# Array of custom tags
-#
-class ssh::hostkeys (
- Boolean $export_ipaddresses = true,
- Optional[String[1]] $storeconfigs_group = undef,
- Array $extra_aliases = [],
- Array $exclude_interfaces = [],
- Array $exclude_interfaces_re = [],
- Array $exclude_ipaddresses = [],
- Boolean $use_trusted_facts = false,
- Optional[Array[String[1]]] $tags = undef,
-) {
- if $use_trusted_facts {
+class ssh::hostkeys {
+
+ if $ssh::server::use_trusted_facts {
 $fqdn_real = $trusted['certname']
 $hostname_real = $trusted['hostname']
 } else {
- # stick to legacy facts for older versions of facter
+ # stick to normal facts
 $fqdn_real = $facts['networking']['fqdn']
 $hostname_real = $facts['networking']['hostname']
 }
- if $export_ipaddresses == true {
- $ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)
- $ipaddresses_real = $ipaddresses - $exclude_ipaddresses
- $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real])))
+ if $ssh::server::export_ipaddresses {
+ $ipaddresses = ssh::ipaddresses($ssh::server::exclude_interfaces, $ssh::server::exclude_interfaces_re)
+ $ipaddresses_real = $ipaddresses - $ssh::server::exclude_ipaddresses
+ $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $ssh::server::extra_aliases, $ipaddresses_real])))
 } else {
- $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases])))
+ $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $ssh::server::extra_aliases])))
 }
- $storeconfigs_groups = $storeconfigs_group ? {
+ $storeconfigs_groups = $ssh::server::storeconfigs_group ? {
 undef => [],
- default => ['hostkey_all', "hostkey_${storeconfigs_group}"],
+ default => ['hostkey_all', "hostkey_${ssh::server::storeconfigs_group}"],
 }
- $_tags = $tags ? {
+ $_tags = $ssh::server::tags ? {
 undef => $storeconfigs_groups,
- default => $storeconfigs_groups + $tags,
+ default => $storeconfigs_groups + $ssh::server::tags,
 }
 ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| {
- # can be removed as soon as we drop support for puppet 4
- # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22
- if $key_type == 'ecdsa' {
- $key_type_real = 'ecdsa-sha2-nistp256'
- } else {
- $key_type_real = $key_type
+ # adjustment for ecdsa using a diff file name from key type
+ $key_type_real = $key_type ? {
+ 'ecdsa' => 'ecdsa-sha2-nistp256',
+ default => $key_type,
 }
 if $key_type in $facts['ssh'] {
diff --git a/manifests/server.pp b/manifests/server.pp
index d598c1c1..aa7e2129 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,5 +1,5 @@
 # @summary
-# This class managed ssh server
+# This class manages the ssh server and related resources, including host keys.
 #
 # @example Puppet usage
 # class { 'ssh::server':
@@ -71,6 +71,30 @@
 # @param server_package_name
 # Name of the server package to install
 #
+# @param export_ipaddresses
+# Whether IP addresses should be added as aliases for host keys
+#
+# @param storeconfigs_group
+# Tag host keys with this group to allow segregation
+#
+# @param extra_aliases
+# Additional aliases to set for host keys
+#
+# @param exclude_interfaces
+# List of interfaces to exclude when collecting IPs for host keys
+#
+# @param exclude_interfaces_re
+# List of regular expressions to exclude interfaces
+#
+# @param exclude_ipaddresses
+# List of IP addresses to exclude from host key aliases
+#
+# @param use_trusted_facts
+# Whether to use trusted facts instead of legacy facts
+#
+# @param tags
+# Array of custom tags to apply to exported host keys
+#
 class ssh::server (
 String[1] $service_name,
 Stdlib::Absolutepath $sshd_config,
@@ -93,7 +117,17 @@
 Boolean $use_issue_net = false,
 Optional[Stdlib::Absolutepath] $sshd_environments_file = undef,
 Optional[String[1]] $server_package_name = undef,
+ # Host key management (used by ssh::hostkeys)
+ Boolean $export_ipaddresses = true,
+ Optional[String[1]] $storeconfigs_group = undef,
+ Array $extra_aliases = [],
+ Array $exclude_interfaces = [],
+ Array $exclude_interfaces_re = [],
+ Array $exclude_ipaddresses = [],
+ Boolean $use_trusted_facts = false,
+ Optional[Array[String[1]]] $tags = undef,
 ) {
+
 if $use_augeas {
 $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
 } else {
@@ -105,10 +139,9 @@
 contain ssh::server::service
 # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
- if ($storeconfigs_enabled) {
+ # hostkeys and knownhosts
+ if $storeconfigs_enabled {
 contain ssh::hostkeys
- contain ssh::knownhosts
 Class['ssh::server::install']
 -> Class['ssh::server::config']
From f2f38cbb4a86337af5fb7d9fd444d1d6d169d2a9 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 12:50:28 +1000
Subject: [PATCH 2/9] rm remaining ref to ssh::knownhosts; comment tweak

---
 manifests/server.pp | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/manifests/server.pp b/manifests/server.pp
index aa7e2129..f58332f2 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -138,8 +138,7 @@
 contain ssh::server::config
 contain ssh::server::service
- # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
+ # Provide option to *not* use storeconfigs/puppetdb, which means not exporting hostkeys
 if $storeconfigs_enabled {
 contain ssh::hostkeys
@@ -147,7 +146,6 @@
 -> Class['ssh::server::config']
 ~> Class['ssh::server::service']
 -> Class['ssh::hostkeys']
- -> Class['ssh::knownhosts']
 } else {
 Class['ssh::server::install']
 -> Class['ssh::server::config']
From 36aab28678ca70652c54f975b192514648496806 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 13:12:44 +1000
Subject: [PATCH 3/9] refactor ssh::client and ssh::knownhosts classes

---
 data/common.yaml | 1 -
 manifests/client.pp | 9 +++++++++
 manifests/knownhosts.pp | 14 +++----------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/data/common.yaml b/data/common.yaml
index 2c9556a4..d9957c53 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -25,7 +25,6 @@ ssh::server::host_priv_key_group: 0
 ssh::validate_sshd_file : false
 ssh::collect_enabled : true # Collect sshkey resources
 ssh::server::issue_net : '/etc/issue.net'
-ssh::knownhosts::collect_enabled : true
 ssh::server::default_options:
 ChallengeResponseAuthentication: 'no'
diff --git a/manifests/client.pp b/manifests/client.pp
index dd450646..3c5f10b3 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -35,6 +35,12 @@
 # @param match_block
 # Add ssh match_block (with concat)
 #
+# @param collect_enabled
+# Enable collection
+#
+# @param storeconfigs_group
+# Define the hostkeys group storage
+#
 class ssh::client (
 Stdlib::Absolutepath $ssh_config,
 Hash $default_options,
@@ -45,6 +51,9 @@
 Boolean $use_augeas = false,
 Array $options_absent = [],
 Hash $match_block = {},
+ # for use with ssh::knownhosts
+ Boolean $collect_enabled = $ssh::knownhosts::collect_enabled,
+ Optional[String[1]] $storeconfigs_group = undef,
 ) {
 if $use_augeas {
 $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp
index 3cd113e1..2cec3837 100644
--- a/manifests/knownhosts.pp
+++ b/manifests/knownhosts.pp
@@ -1,19 +1,11 @@
 # @summary
 # This class manages knownhosts if collection is enabled.
 #
-# @param collect_enabled
-# Enable collection
-#
-# @param storeconfigs_group
-# Define the hostkeys group storage
-#
 class ssh::knownhosts (
- Boolean $collect_enabled = $ssh::knownhosts::collect_enabled,
- Optional[String[1]] $storeconfigs_group = undef,
 ) {
- if ($collect_enabled) {
- if $storeconfigs_group {
- Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
+ if ($ssh::client::collect_enabled) {
+ if $ssh::client::storeconfigs_group {
+ Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
 } else {
 Sshkey <<| |>>
 }
From c04c7c65dd15353b1f2e0a07ffe6221bf37efeec Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 15:08:22 +1000
Subject: [PATCH 4/9] integrate knownhosts class into client class simplifying logic

---
 manifests/client.pp | 18 +++++++++---------
 manifests/knownhosts.pp | 13 -------------
 2 files changed, 9 insertions(+), 22 deletions(-)
 delete mode 100644 manifests/knownhosts.pp

diff --git a/manifests/client.pp b/manifests/client.pp
index 3c5f10b3..8c90d9f8 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
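Review bot: After this commit the two classes reference each other: `ssh::client` defaults `collect_enabled` to `$ssh::knownhosts::collect_enabled`, while `ssh::knownhosts` has lost that parameter (its Hiera key `ssh::knownhosts::collect_enabled` is removed from data/common.yaml in the same patch) and now reads `$ssh::client::collect_enabled`, so whichever class is evaluated first hits an unknown variable — a compile error under `strict_variables`, otherwise `undef`, which the `Boolean` type then rejects. PATCH 4/9 replaces the default with `Boolean $collect_enabled = true`, the `-> if` chaining that 4/9 introduces is removed again in 6/9, and the `'none'` sentinel of 5/9 is reverted in 7/9, so the series ends consistent but 3/9 through 6/9 do not compile on their own. Squashing those intermediate commits would keep the history bisectable; the knownhosts hunk here, which keeps the class body but points it at `ssh::client` internals, is the coupling that 4/9 finally resolves by deleting the file.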
@@ -39,20 +39,19 @@
 # Enable collection
 #
 # @param storeconfigs_group
-# Define the hostkeys group storage
+# Define the hostkeys tag to filter with
 #
 class ssh::client (
 Stdlib::Absolutepath $ssh_config,
 Hash $default_options,
 Optional[String[1]] $client_package_name = undef,
 String $ensure = present,
- Boolean $storeconfigs_enabled = true,
+ Boolean $collect_enabled = true,
+ Boolean $storeconfigs_enabled = $collect_enabled, # should we transition away from this variable?
 Hash $options = {},
 Boolean $use_augeas = false,
 Array $options_absent = [],
 Hash $match_block = {},
- # for use with ssh::knownhosts
- Boolean $collect_enabled = $ssh::knownhosts::collect_enabled,
 Optional[String[1]] $storeconfigs_group = undef,
 ) {
 if $use_augeas {
@@ -64,14 +63,15 @@
 contain ssh::client::install
 contain ssh::client::config
- # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
+ # Provide option to *not* use storeconfigs/puppetdb, which means not collecting host keys into knownhosts
 if ($storeconfigs_enabled) {
- contain ssh::knownhosts
-
 Class['ssh::client::install']
 -> Class['ssh::client::config']
- -> Class['ssh::knownhosts']
+ -> if $storeconfigs_group {
+ Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
+ } else {
+ Sshkey <<| |>>
+ }
 } else {
 Class['ssh::client::install']
 -> Class['ssh::client::config']
diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp
deleted file mode 100644
index 2cec3837..00000000
--- a/manifests/knownhosts.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-# @summary
-# This class manages knownhosts if collection is enabled.
-#
-class ssh::knownhosts (
-) {
- if ($ssh::client::collect_enabled) {
- if $ssh::client::storeconfigs_group {
- Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
- } else {
- Sshkey <<| |>>
- }
- }
-}
From c2813f72cea7515a4c99092f21a9f10c535cb8d5 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 15:16:45 +1000
Subject: [PATCH 5/9] use keyword to avoid undef $storeconfigs_group

---
 manifests/client.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/client.pp b/manifests/client.pp
index 8c90d9f8..4c1f5310 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -52,7 +52,7 @@
 Boolean $use_augeas = false,
 Array $options_absent = [],
 Hash $match_block = {},
- Optional[String[1]] $storeconfigs_group = undef,
+ String[1] $storeconfigs_group = 'none', # use a keyword
 ) {
 if $use_augeas {
 $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
@@ -67,7 +67,7 @@
 if ($storeconfigs_enabled) {
 Class['ssh::client::install']
 -> Class['ssh::client::config']
- -> if $storeconfigs_group {
+ -> if $storeconfigs_group != 'none' {
 Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
 } else {
 Sshkey <<| |>>
From 58026e5556f98f8b4d2ec25899e32a68d8931981 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 16:50:50 +1000
Subject: [PATCH 6/9] remove invalid chaining

---
 manifests/client.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/manifests/client.pp b/manifests/client.pp
index 4c1f5310..4282681a 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -67,7 +67,8 @@
 if ($storeconfigs_enabled) {
 Class['ssh::client::install']
 -> Class['ssh::client::config']
- -> if $storeconfigs_group != 'none' {
+
+ if $storeconfigs_group != 'none' {
 Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
 } else {
 Sshkey <<| |>>
From 6988aa07fc5dc7997825130d66f36996a15fdda1 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Fri, 20 Jun 2025 17:38:43 +1000
Subject: [PATCH 7/9] undo change using storeconfigs_group keyword

---
 manifests/client.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/client.pp b/manifests/client.pp
index 4282681a..03f412ab 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -52,7 +52,7 @@
 Boolean $use_augeas = false,
 Array $options_absent = [],
 Hash $match_block = {},
- String[1] $storeconfigs_group = 'none', # use a keyword
+ Optional[String[1]] $storeconfigs_group = undef,
 ) {
 if $use_augeas {
 $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
@@ -68,7 +68,7 @@
 Class['ssh::client::install']
 -> Class['ssh::client::config']
- if $storeconfigs_group != 'none' {
+ if $storeconfigs_group {
 Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
 } else {
 Sshkey <<| |>>
From a541caf947bb5d7f28fec6577a04960f2da020c1 Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Sat, 21 Jun 2025 10:43:44 +1000
Subject: [PATCH 8/9] regenerate REFERENCE.md

---
 REFERENCE.md | 185 ++++++++++++++++++++++++--------------------------
 1 file changed, 86 insertions(+), 99 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index b51c3544..61748382 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -10,9 +10,9 @@
 * [`ssh`](#ssh): This class manages ssh client and server
 * [`ssh::client`](#ssh--client): This class add ssh client management
-* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys
-* [`ssh::knownhosts`](#ssh--knownhosts): This class manages knownhosts if collection is enabled.
-* [`ssh::server`](#ssh--server): This class managed ssh server
+* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`,
+and directly accesses variables from there.
+* [`ssh::server`](#ssh--server): This class manages the ssh server and related resources, including host keys.
 #### Private Classes
@@ -337,6 +337,8 @@ The following parameters are available in the `ssh::client` class:
 * [`options_absent`](#-ssh--client--options_absent)
 * [`default_options`](#-ssh--client--default_options)
 * [`match_block`](#-ssh--client--match_block)
+* [`collect_enabled`](#-ssh--client--collect_enabled)
+* [`storeconfigs_group`](#-ssh--client--storeconfigs_group)
 ##### `ssh_config`
@@ -366,7 +368,7 @@ Data type: `Boolean`
 Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false
-Default value: `true`
+Default value: `$collect_enabled`
 ##### `options`
@@ -406,117 +408,30 @@ Add ssh match_block (with concat)
 Default value: `{}`
-### `ssh::hostkeys`
-
-This class manages hostkeys
-
-#### Parameters
-
-The following parameters are available in the `ssh::hostkeys` class:
-
-* [`export_ipaddresses`](#-ssh--hostkeys--export_ipaddresses)
-* [`storeconfigs_group`](#-ssh--hostkeys--storeconfigs_group)
-* [`extra_aliases`](#-ssh--hostkeys--extra_aliases)
-* [`exclude_interfaces`](#-ssh--hostkeys--exclude_interfaces)
-* [`exclude_interfaces_re`](#-ssh--hostkeys--exclude_interfaces_re)
-* [`exclude_ipaddresses`](#-ssh--hostkeys--exclude_ipaddresses)
-* [`use_trusted_facts`](#-ssh--hostkeys--use_trusted_facts)
-* [`tags`](#-ssh--hostkeys--tags)
-
-##### `export_ipaddresses`
+##### `collect_enabled`
 Data type: `Boolean`
-Whether ip addresses should be added as aliases
+Enable collection
 Default value: `true`
-##### `storeconfigs_group`
+##### `storeconfigs_group`
 Data type: `Optional[String[1]]`
-Tag hostkeys with this group to allow segregation
+Define the hostkeys tag to filter with
 Default value: `undef`
-##### `extra_aliases`
-
-Data type: `Array`
-
-Additional aliases to set for host keys
-
-Default value: `[]`
-
-##### `exclude_interfaces`
-
-Data type: `Array`
-
-List of interfaces to exclude
-
-Default value: `[]`
-
-##### `exclude_interfaces_re`
-
-Data type: `Array`
-
-List of regular expressions to exclude interfaces
-
-Default value: `[]`
-
-##### `exclude_ipaddresses`
-
-Data type: `Array`
-
-List of ip addresses to exclude
-
-Default value: `[]`
-
-##### `use_trusted_facts`
-
-Data type: `Boolean`
-
-Whether to use trusted or normal facts
-
-Default value: `false`
-
-##### `tags`
-
-Data type: `Optional[Array[String[1]]]`
-
-Array of custom tags
-
-Default value: `undef`
-
-### `ssh::knownhosts`
-
-This class manages knownhosts if collection is enabled.
-
-#### Parameters
-
-The following parameters are available in the `ssh::knownhosts` class:
-
-* [`collect_enabled`](#-ssh--knownhosts--collect_enabled)
-* [`storeconfigs_group`](#-ssh--knownhosts--storeconfigs_group)
-
-##### `collect_enabled`
-
-Data type: `Boolean`
-
-Enable collection
-
-Default value: `$ssh::knownhosts::collect_enabled`
-
-##### `storeconfigs_group`
-
-Data type: `Optional[String[1]]`
-
-Define the hostkeys group storage
+### `ssh::hostkeys`
-Default value: `undef`
+This class manages hostkeys. It is intended to be called from `ssh::server`,
+and directly accesses variables from there.
 ### `ssh::server`
-This class managed ssh server
+This class manages the ssh server and related resources, including host keys.
 #### Examples
@@ -555,6 +470,14 @@ The following parameters are available in the `ssh::server` class:
 * [`use_issue_net`](#-ssh--server--use_issue_net)
 * [`sshd_environments_file`](#-ssh--server--sshd_environments_file)
 * [`server_package_name`](#-ssh--server--server_package_name)
+* [`export_ipaddresses`](#-ssh--server--export_ipaddresses)
+* [`storeconfigs_group`](#-ssh--server--storeconfigs_group)
+* [`extra_aliases`](#-ssh--server--extra_aliases)
+* [`exclude_interfaces`](#-ssh--server--exclude_interfaces)
+* [`exclude_interfaces_re`](#-ssh--server--exclude_interfaces_re)
+* [`exclude_ipaddresses`](#-ssh--server--exclude_ipaddresses)
+* [`use_trusted_facts`](#-ssh--server--use_trusted_facts)
+* [`tags`](#-ssh--server--tags)
 ##### `service_name`
@@ -710,6 +633,70 @@ Name of the server package to install
 Default value: `undef`
+##### `export_ipaddresses`
+
+Data type: `Boolean`
+
+Whether IP addresses should be added as aliases for host keys
+
+Default value: `true`
+
+##### `storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Tag host keys with this group to allow segregation
+
+Default value: `undef`
+
+##### `extra_aliases`
+
+Data type: `Array`
+
+Additional aliases to set for host keys
+
+Default value: `[]`
+
+##### `exclude_interfaces`
+
+Data type: `Array`
+
+List of interfaces to exclude when collecting IPs for host keys
+
+Default value: `[]`
+
+##### `exclude_interfaces_re`
+
+Data type: `Array`
+
+List of regular expressions to exclude interfaces
+
+Default value: `[]`
+
+##### `exclude_ipaddresses`
+
+Data type: `Array`
+
+List of IP addresses to exclude from host key aliases
+
+Default value: `[]`
+
+##### `use_trusted_facts`
+
+Data type: `Boolean`
+
+Whether to use trusted facts instead of legacy facts
+
+Default value: `false`
+
+##### `tags`
+
+Data type: `Optional[Array[String[1]]]`
+
+Array of custom tags to apply to exported host keys
+
+Default value: `undef`
+
 ## Defined types
 ### `ssh::client::config::user`
From d45bd5656b632f714b532fb597cf6027948eab6c Mon Sep 17 00:00:00 2001
From: Robert Stuart
Date: Wed, 2 Jul 2025 23:03:39 +1000
Subject: [PATCH 9/9] #411 ssh::hostkeys updates

---
 REFERENCE.md | 92 +++++++++++++++++++++++++++++++++++++------
 data/common.yaml | 1 -
 manifests/client.pp | 8 +---
 manifests/hostkeys.pp | 59 ++++++++++++++++++++-------
 manifests/server.pp | 1 -
 5 files changed, 126 insertions(+), 35 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 61748382..77c59382 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -10,8 +10,7 @@
 * [`ssh`](#ssh): This class manages ssh client and server
 * [`ssh::client`](#ssh--client): This class add ssh client management
-* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`,
-and directly accesses variables from there.
+* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`.
 * [`ssh::server`](#ssh--server): This class manages the ssh server and related resources, including host keys.
 #### Private Classes
@@ -337,7 +336,6 @@ The following parameters are available in the `ssh::client` class:
 * [`options_absent`](#-ssh--client--options_absent)
 * [`default_options`](#-ssh--client--default_options)
 * [`match_block`](#-ssh--client--match_block)
-* [`collect_enabled`](#-ssh--client--collect_enabled)
 * [`storeconfigs_group`](#-ssh--client--storeconfigs_group)
 ##### `ssh_config`
@@ -368,7 +366,7 @@ Data type: `Boolean`
 Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false
-Default value: `$collect_enabled`
+Default value: `true`
 ##### `options`
@@ -408,26 +406,94 @@ Add ssh match_block (with concat)
 Default value: `{}`
-##### `collect_enabled`
+##### `storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Define the hostkeys tag to filter with
+
+Default value: `undef`
+
+### `ssh::hostkeys`
+
+This class manages hostkeys. It is intended to be called from `ssh::server`.
+
+#### Parameters
+
+The following parameters are available in the `ssh::hostkeys` class:
+
+* [`export_ipaddresses`](#-ssh--hostkeys--export_ipaddresses)
+* [`storeconfigs_group`](#-ssh--hostkeys--storeconfigs_group)
+* [`extra_aliases`](#-ssh--hostkeys--extra_aliases)
+* [`exclude_interfaces`](#-ssh--hostkeys--exclude_interfaces)
+* [`exclude_interfaces_re`](#-ssh--hostkeys--exclude_interfaces_re)
+* [`exclude_ipaddresses`](#-ssh--hostkeys--exclude_ipaddresses)
+* [`use_trusted_facts`](#-ssh--hostkeys--use_trusted_facts)
+* [`tags`](#-ssh--hostkeys--tags)
+
+##### `export_ipaddresses`
 Data type: `Boolean`
-Enable collection
+Whether ip addresses should be added as aliases
-Default value: `true`
+Default value: `$ssh::server::export_ipaddresses`
-##### `storeconfigs_group`
+##### `storeconfigs_group`
 Data type: `Optional[String[1]]`
-Define the hostkeys tag to filter with
+Tag hostkeys with this group to allow segregation
-Default value: `undef`
+Default value: `$ssh::server::storeconfigs_group`
-### `ssh::hostkeys`
+##### `extra_aliases`
+
+Data type: `Array`
+
+Additional aliases to set for host keys
+
+Default value: `$ssh::server::extra_aliases`
+
+##### `exclude_interfaces`
+
+Data type: `Array`
+
+List of interfaces to exclude
+
+Default value: `$ssh::server::exclude_interfaces`
+
+##### `exclude_interfaces_re`
+
+Data type: `Array`
+
+List of regular expressions to exclude interfaces
+
+Default value: `$ssh::server::exclude_interfaces_re`
+
+##### `exclude_ipaddresses`
+
+Data type: `Array`
+
+List of ip addresses to exclude
+
+Default value: `$ssh::server::exclude_ipaddresses`
+
+##### `use_trusted_facts`
+
+Data type: `Boolean`
+
+Whether to use trusted or normal facts
+
+Default value: `$ssh::server::use_trusted_facts`
+
+##### `tags`
+
+Data type: `Optional[Array[String[1]]]`
+
+Array of custom tags
-This class manages hostkeys. It is intended to be called from `ssh::server`,
-and directly accesses variables from there.
+Default value: `$ssh::server::tags`
 ### `ssh::server`
diff --git a/data/common.yaml b/data/common.yaml
index d9957c53..fb168c64 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -23,7 +23,6 @@ ssh::server::service_name: 'svc:/network/ssh:default'
 ssh::sftp_server_path: 'internal-sftp'
 ssh::server::host_priv_key_group: 0
 ssh::validate_sshd_file : false
-ssh::collect_enabled : true # Collect sshkey resources
 ssh::server::issue_net : '/etc/issue.net'
 ssh::server::default_options:
diff --git a/manifests/client.pp b/manifests/client.pp
index 03f412ab..e29f9ce9 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -35,9 +35,6 @@
 # @param match_block
 # Add ssh match_block (with concat)
 #
-# @param collect_enabled
-# Enable collection
-#
 # @param storeconfigs_group
 # Define the hostkeys tag to filter with
 #
@@ -46,8 +43,7 @@
 Hash $default_options,
 Optional[String[1]] $client_package_name = undef,
 String $ensure = present,
- Boolean $collect_enabled = true,
- Boolean $storeconfigs_enabled = $collect_enabled, # should we transition away from this variable?
+ Boolean $storeconfigs_enabled = true,
 Hash $options = {},
 Boolean $use_augeas = false,
 Array $options_absent = [],
@@ -69,7 +65,7 @@
 -> Class['ssh::client::config']
 if $storeconfigs_group {
- Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
+ Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
 } else {
 Sshkey <<| |>>
 }
diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index a58591c7..cedef4c4 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
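Review bot: The removed key `ssh::collect_enabled : true` is, by automatic parameter lookup, the default for a `collect_enabled` parameter of the top-level `ssh` class, not of `ssh::client`, and nothing in this series touches init.pp. If `ssh` still declares `collect_enabled` without a default, compilation now fails with a missing-parameter error; if the parameter was already gone, the key was dead and the removal is correct. The commit message should say which, e.g. `ssh::collect_enabled: parameter was removed from class ssh in <commit id>` — with the id filled in from the repository history, since it is not visible in this series.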
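Review bot: The `else` branch `Sshkey <<| |>>` carries no tag query, so with `storeconfigs_group` unset every exported `Sshkey` resource in PuppetDB is realised into this node's known_hosts, whichever module or group exported it, and the `@param storeconfigs_group` text in the first hunk of this file (`Define the hostkeys tag to filter with`) does not say so. Suggest `# Collect only host keys exported with tag "hostkey_<group>"; when undef, every exported Sshkey resource is collected.` Tags are chosen by the exporting catalog, so the filter scopes what is collected but is not an authorisation boundary: any node permitted to export `Sshkey` resources can add entries to collecting nodes' known_hosts, which deserves a sentence in the class description as well. Switching the interpolation to `${storeconfigs_group}` is right; the class was reaching its own parameter through `$ssh::client::`.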
@@ -1,10 +1,41 @@
 # @summary
-# This class manages hostkeys. It is intended to be called from `ssh::server`,
-# and directly accesses variables from there.
+# This class manages hostkeys. It is intended to be called from `ssh::server`.
 #
-class ssh::hostkeys {
-
- if $ssh::server::use_trusted_facts {
+# @param export_ipaddresses
+# Whether ip addresses should be added as aliases
+#
+# @param storeconfigs_group
+# Tag hostkeys with this group to allow segregation
+#
+# @param extra_aliases
+# Additional aliases to set for host keys
+#
+# @param exclude_interfaces
+# List of interfaces to exclude
+#
+# @param exclude_interfaces_re
+# List of regular expressions to exclude interfaces
+#
+# @param exclude_ipaddresses
+# List of ip addresses to exclude
+#
+# @param use_trusted_facts
+# Whether to use trusted or normal facts
+#
+# @param tags
+# Array of custom tags
+#
+class ssh::hostkeys (
+ Boolean $export_ipaddresses = $ssh::server::export_ipaddresses,
+ Optional[String[1]] $storeconfigs_group = $ssh::server::storeconfigs_group,
+ Array $extra_aliases = $ssh::server::extra_aliases,
+ Array $exclude_interfaces = $ssh::server::exclude_interfaces,
+ Array $exclude_interfaces_re = $ssh::server::exclude_interfaces_re,
+ Array $exclude_ipaddresses = $ssh::server::exclude_ipaddresses,
+ Boolean $use_trusted_facts = $ssh::server::use_trusted_facts,
+ Optional[Array[String[1]]] $tags = $ssh::server::tags,
+) {
+ if $use_trusted_facts {
 $fqdn_real = $trusted['certname']
 $hostname_real = $trusted['hostname']
 } else {
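Review bot: Every default in the new `class ssh::hostkeys (` signature reads `$ssh::server::*`, so the class only evaluates correctly once `ssh::server` has been declared; included on its own, or before `ssh::server`, the defaults hit unknown variables, which is a compile error under `strict_variables` and otherwise yields `undef`, which the `Boolean` and `Array` parameter types then reject. The summary says the class is meant to be called from `ssh::server`, but there is no `@api private` tag, so puppet-strings keeps listing it under Public Classes, as the regenerated REFERENCE.md in this same patch shows. Add `# @api private` directly under the `# @summary` block and state in the description that every default is taken from the `ssh::server` parameter of the same name, so nobody is tempted to declare the class directly.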
@@ -13,22 +44,22 @@
 $hostname_real = $facts['networking']['hostname']
 }
- if $ssh::server::export_ipaddresses {
- $ipaddresses = ssh::ipaddresses($ssh::server::exclude_interfaces, $ssh::server::exclude_interfaces_re)
- $ipaddresses_real = $ipaddresses - $ssh::server::exclude_ipaddresses
- $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $ssh::server::extra_aliases, $ipaddresses_real])))
+ if $export_ipaddresses {
+ $ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)
+ $ipaddresses_real = $ipaddresses - $exclude_ipaddresses
+ $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real])))
 } else {
- $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $ssh::server::extra_aliases])))
+ $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases])))
 }
- $storeconfigs_groups = $ssh::server::storeconfigs_group ? {
+ $storeconfigs_groups = $storeconfigs_group ? {
 undef => [],
- default => ['hostkey_all', "hostkey_${ssh::server::storeconfigs_group}"],
+ default => ['hostkey_all', "hostkey_${storeconfigs_group}"],
 }
- $_tags = $ssh::server::tags ? {
+ $_tags = $tags ? {
 undef => $storeconfigs_groups,
- default => $storeconfigs_groups + $ssh::server::tags,
+ default => $storeconfigs_groups + $tags,
 }
 ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| {
diff --git a/manifests/server.pp b/manifests/server.pp
index f58332f2..afbf0c94 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -127,7 +127,6 @@
 Boolean $use_trusted_facts = false,
 Optional[Array[String[1]]] $tags = undef,
 ) {
-
 if $use_augeas {
 $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
 } else {
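Review bot: `$use_trusted_facts` only selects the source of `$fqdn_real` and `$hostname_real` (in the preceding hunk); the IP aliases added here via `ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)` are presumably still derived from agent-supplied facts — the function is not part of this series, so confirm. If so, an exported key's `host_aliases` mixes a certificate-backed certname with node-reported addresses even when the trusted-facts option is on, so the option narrows but does not remove the reliance on facts from the exporting node, and clients collecting the key trust those addresses. The `@param use_trusted_facts` doc in the preceding hunk (`Whether to use trusted or normal facts`) should spell this out, e.g. `# Take fqdn and hostname from $trusted (certificate-backed) instead of $facts; IP address aliases always come from $facts.` The enclosing class body begins in the preceding hunk and continues past this one.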