@antonizoon
Created October 16, 2017 18:16
Quick ssh setup example Puppet
# The absolute minimum that any new server setup needs.
# Make sure that any sensitive data (password hashes) and other non-code data is kept in Hiera.
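# SSH authorized_keys function to authorize multiple SSH keys
# https://serverfault.com/a/316292
#
# $title   - the user name; also used as file owner/group and as the basis of
#            the default home directory.
# $sshkeys - list of public-key lines rendered into authorized_keys by the
#            template (NOTE(review): the ERB is not on this page; presumably it
#            iterates @sshkeys - confirm).
# $ensure  - 'present' (default) or 'absent' for the authorized_keys file.
# $home    - home directory; an empty string means "/home/${title}".
define authorized_keys ($sshkeys, $ensure = 'present', $home = '') {
  # Default the home directory from $title when none is given.
  $homedir = $home ? {
    ''      => "/home/${title}",
    default => $home,
  }

  file {
    "${homedir}/.ssh":
      ensure  => 'directory',
      owner   => $title,
      group   => $title,
      # Modes are quoted octal strings: a bare integer is not an octal literal
      # and Puppet 4+ requires a string for this attribute.
      mode    => '0700',
      require => User[$title];

    "${homedir}/.ssh/authorized_keys":
      ensure  => $ensure,
      # Ownership is only meaningful for a file that is kept.
      owner   => $ensure ? { 'present' => $title, default => undef },
      group   => $ensure ? { 'present' => $title, default => undef },
      mode    => '0600',
      require => File["${homedir}/.ssh"],
      # NOTE(review): template path carries no module prefix; confirm it
      # resolves in this module layout.
      content => template('authorized_keys.erb');
  }
}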
# Local admin account together with the SSH public keys allowed to log in as it.
class user {
  # create user: antonizoon
  # uid/gid are pinned so the account is stable across rebuilds.
  # NOTE(review): gid 1000 and a group named 'antonizoon' (used as the group
  # of ~/.ssh by authorized_keys) are assumed to exist - confirm.
  user { 'antonizoon':
    ensure     => present,
    managehome => true,
    home       => '/home/antonizoon',
    shell      => '/bin/bash',
    uid        => '1000',
    gid        => '1000',
  }

  # Public keys only; nothing here is secret, but move the list to Hiera if
  # it grows beyond a handful of entries.
  authorized_keys { 'antonizoon':
    sshkeys => [
      'ssh-rsa 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 emergency SSH key 20170823',
      'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcTs9x0XQdgpQQ3HshXX42cJDUOoY4bYaxmKvHRLbupU7LU0n+r6L0FKMFf/7ZhvqMlYZMjS+GAhzsixJRmcmQyCZI8gwVzLtGvK7RoZJIj4F/XsN1WVkIUTHXPfJColns3+4eRD2s2Pyq7xchjqrWPkeGb2sh9wjiNQwcRUCWhyMF6yRdq/52vZAG4ojzC4bpUmmeLGMwZ7pdJYUIMh4LglRbWqD28/6S34ljToNYnVjGIDtbW4TY+9MmHtRjhdRx4Gt1j3SQI3P7CfaRFtX/8KkIHxJ45K7YBAQMQ5FrhvzOp2DugO8knP0gw0r/pP0oaWopHcEwmLXMcll1YaWf cardno:000600090001',
      'ssh-rsa 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 blackberry-20170818',
    ],
  }
}
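# consider using puppet ssh to install and configure
# https://github.com/saz/puppet-ssh
#
# NOTE(review): if ssh::server (saz/puppet-ssh) is declared further down, that
# module manages the package and service itself and these two resources become
# duplicate declarations - keep only one of the two approaches.

# install and enable SSH server
package { 'openssh-server':
  ensure => installed,
}

# Declaration order is not a dependency in Puppet: the service has to require
# the package explicitly, otherwise a first run may try to start sshd before
# it is installed.
service { 'sshd':
  ensure  => running,   # keep the SSH daemon running
  enable  => true,      # start on system boot
  require => Package['openssh-server'],
}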
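# change SSH port 22 to 43028
# disable password authentication and root login
#
# Declare the class exactly once, with parameters: an `include ssh::server`
# next to a resource-like `class { 'ssh::server': }` is a duplicate
# declaration and the catalog fails to compile.
class { 'ssh::server':
  storeconfigs_enabled => false,
  # `options` has to be open for the sshd_config keys below to belong to it;
  # with this line commented out the closing `},` had nothing to close.
  options              => {
    # Example chrooted, SFTP-only account - kept for reference only:
    # 'Match User www-data' => {
    #   'ChrootDirectory'        => '%h',
    #   'ForceCommand'           => 'internal-sftp',
    #   'PasswordAuthentication' => 'yes',
    #   'AllowTcpForwarding'     => 'no',
    #   'X11Forwarding'          => 'no',
    # },
    'PasswordAuthentication' => 'no',
    'PermitRootLogin'        => 'no',
    'X11Forwarding'          => 'no',
    # NOTE(review): moving the port only works if the host firewall (and, on
    # SELinux hosts, the port labelling) also permit 43028 - otherwise the
    # first agent run locks the operator out. Confirm before applying remotely.
    'Port'                   => 43028,
  },
}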
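# install some usability related packages
package { 'epel-release':
  ensure => installed,
}

# byobu and python34 are shipped by EPEL on EL7, so the repository has to be
# configured before yum can resolve them; declaration order alone does not
# guarantee that.
package { ['byobu', 'python34']:
  ensure  => installed,
  require => Package['epel-release'],
}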