RobH has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/386752 )

Change subject: refactoring bastion into profiles
......................................................................

refactoring bastion into profiles

This is going to be full of errors and mistakes since I haven't
refactored into profiles before. This will eventually be tested on
bast4002.

Change-Id: I5139a2b129eabd8b0067d794490a3d3855867161
---
A modules/profile/manifests/bastionhost/base.pp
A modules/profile/manifests/bastionhost/caching.pp
A modules/profile/manifests/bastionhost/general.pp
A modules/profile/manifests/bastionhost/primary.pp
A modules/profile/manifests/bastionhost/twofa.pp
5 files changed, 64 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/52/386752/1

diff --git a/modules/profile/manifests/bastionhost/base.pp b/modules/profile/manifests/bastionhost/base.pp
new file mode 100644
index 0000000..afdfe86
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/base.pp
@@ -0,0 +1,21 @@
+# common settings for all bastion hosts
+class profile::bastionhost::base {
+
+    class{'::bastionhost'}
+    include ::standard
+    class{'::profile::backup::host'}
+
+    backup::set {'home': }
+
+    class{'::base::firewall'}
+
+
+    ferm::service { 'ssh':
+        desc  => 'SSH open from everywhere, this is a bastion host',
+        prio  => '01',
+        proto => 'tcp',
+        port  => 'ssh',
+    }
+
+
+}
\ No newline at end of file
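Review bot: the file is missing its trailing newline (`\ No newline at end of file`) and carries doubled blank lines before `ferm::service` and before the closing `}`. More importantly, `class{'::profile::backup::host'}` and `class{'::base::firewall'}` are resource-like class declarations, which raise a duplicate-declaration error if any other class in the catalog (for example `::standard`, included just above) also declares them; in a profile that will be composed with other profiles, `include ::base::firewall` is the safer form. The `ferm::service { 'ssh': ... }` rule opening port ssh from everywhere is expected for a bastion and the `desc` already says why, but it should stay next to the `base::firewall` declaration it depends on so the order of the two stays obvious.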
diff --git a/modules/profile/manifests/bastionhost/caching.pp b/modules/profile/manifests/bastionhost/caching.pp
new file mode 100644
index 0000000..05b778a
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/caching.pp
@@ -0,0 +1,6 @@
+class role::bastion::caching {
+    system::role { $name: }
+    class{'::profile::bastion::general'}
+    class{'::ipmi::mgmt'}
+    class{'::installserver::tftp'}
+    class{'::prometheus::ops'}
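Review bot: this file will not compile as written. The class is named `role::bastion::caching` but lives at `modules/profile/manifests/bastionhost/caching.pp`, so the autoloader expects `profile::bastionhost::caching`; it declares `::profile::bastion::general`, while the class this change adds is `profile::bastionhost::general`; and the class body has no closing `}` (the hunk is `@@ -0,0 +1,6 @@` with no `+}` line). Suggest `class profile::bastionhost::caching {`, `class{'::profile::bastionhost::general'}`, and a closing brace. Also, `system::role { $name: }` differs from the explicit `system::role { 'bastionhost::general': description => ... }` form used in general.pp; pick one convention across the five files.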
diff --git a/modules/profile/manifests/bastionhost/general.pp b/modules/profile/manifests/bastionhost/general.pp
new file mode 100644
index 0000000..7b7ee77
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/general.pp
@@ -0,0 +1,11 @@
+# General use bastion host (All Users)
+class profile::bastionhost::general {
+    system::role { 'bastionhost::general':
+        description => 'Bastion host for all shell users',
+    }
+
+    class{'::profile::bastionhost::base'}
+    # Used by parsoid deployers
+    class{'::profile::scap::dsh'}
+
+}
\ No newline at end of file
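Review bot: missing trailing newline (`\ No newline at end of file`). Otherwise this is the cleanest of the five files, with a header comment, an explicit `system::role` name and description, and a comment explaining why `::profile::scap::dsh` is pulled in; the other files in this change should follow the same pattern.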
diff --git a/modules/profile/manifests/bastionhost/primary.pp b/modules/profile/manifests/bastionhost/primary.pp
new file mode 100644
index 0000000..f030619
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/primary.pp
@@ -0,0 +1,4 @@
+class role::bastion::primary {
+    system::role { $name: }
+    class{'::profile::bastionhost::general'}
+}
\ No newline at end of file
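Review bot: same naming mismatch as caching.pp: the class is `role::bastion::primary` but the path is `modules/profile/manifests/bastionhost/primary.pp`, so it must be `profile::bastionhost::primary` to be autoloaded, and the file lacks a trailing newline. Since the body only declares `::profile::bastionhost::general` with nothing added, it is unclear what "primary" contributes; if its only purpose is to pin the `system::role` name it reads more like a role than a profile, so either add the configuration that distinguishes a primary bastion or move it out of the profile module.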
diff --git a/modules/profile/manifests/bastionhost/twofa.pp b/modules/profile/manifests/bastionhost/twofa.pp
new file mode 100644
index 0000000..1102f22
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/twofa.pp
@@ -0,0 +1,22 @@
+class profile::bastionhost::twofa {
+    system::role { 'bastionhost::twofa':
+        description => 'Bastion host using two factor authentication',
+    }
+
+    class{'::profile::bastionhost::base'}
+
+    include ::passwords::yubiauth
+
+    require_package('libpam-yubico')
+
+    $api_key = $passwords::yubiauth::api_key
+
+    file { '/etc/pam.d/sshd':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0440',
+        content => template('profile/bastionhost/pam-sshd.erb'),
+        require => Package['openssh-server'],
+    }
+}
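Review bot: the template `profile/bastionhost/pam-sshd.erb` named in `content => template('profile/bastionhost/pam-sshd.erb')` is not part of this change (the change adds only the five `.pp` files), so catalog compilation for any host with this profile will fail until the template is added; likewise `require => Package['openssh-server']` assumes that package resource is declared by another class in the catalog, which should be confirmed or made explicit. Two smaller points: `mode => '0440'` on `/etc/pam.d/sshd` is tighter than the 0644 the other files in that directory use and is fine for a root-owned file read by sshd, but deserves a comment if intentional; and `$api_key` is assigned but only consumed inside the template, so a comment saying so (and that it is a secret from `passwords::yubiauth`) would help the next reader. The file also lacks the header comment the other manifests have.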

-- 
To view, visit https://gerrit.wikimedia.org/r/386752
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5139a2b129eabd8b0067d794490a3d3855867161
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: RobH <r...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
