RobH has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/386752 )
Change subject: refactoring bastion into profiles ...................................................................... refactoring bastion into profiles this is going to be full of errors and mistakes since i haven't refactored into profiles before. this will eventually be tested on bast4002. Change-Id: I5139a2b129eabd8b0067d794490a3d3855867161 --- A modules/profile/manifests/bastionhost/base.pp A modules/profile/manifests/bastionhost/caching.pp A modules/profile/manifests/bastionhost/general.pp A modules/profile/manifests/bastionhost/primary.pp A modules/profile/manifests/bastionhost/twofa.pp 5 files changed, 64 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/52/386752/1
diff --git a/modules/profile/manifests/bastionhost/base.pp b/modules/profile/manifests/bastionhost/base.pp
new file mode 100644
index 0000000..afdfe86
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/base.pp
@@ -0,0 +1,21 @@
+# common settings for all bastion hosts
+class profile::bastionhost::base {
+
+ class{'::bastionhost'}
+ include ::standard
+ class{'::profile::backup::host'}
+
+ backup::set {'home': }
+
+ class{'::base::firewall'}
+
+
+ ferm::service { 'ssh':
+ desc => 'SSH open from everywhere, this is a bastion host',
+ prio => '01',
+ proto => 'tcp',
+ port => 'ssh',
+ }
+
+
+}
\ No newline at end of file
diff --git a/modules/profile/manifests/bastionhost/caching.pp b/modules/profile/manifests/bastionhost/caching.pp
new file mode 100644
index 0000000..05b778a
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/caching.pp
@@ -0,0 +1,6 @@
+class role::bastion::caching {
+ system::role { $name: }
+ class{'::profile::bastion::general'}
+ class{'::ipmi::mgmt'}
+ class{'::installserver::tftp'}
+ class{'::prometheus::ops'}
diff --git a/modules/profile/manifests/bastionhost/general.pp b/modules/profile/manifests/bastionhost/general.pp
new file mode 100644
index 0000000..7b7ee77
--- /dev/null
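Review bot: The resource-like declarations `class{'::bastionhost'}`, `class{'::profile::backup::host'}` and `class{'::base::firewall'}` in profile::bastionhost::base will raise a duplicate declaration error as soon as any other class on the same node declares one of them, whereas `include` is idempotent; the same applies to the `class{...}` lines in caching.pp, general.pp, primary.pp and twofa.pp. Switch them to `include ::bastionhost`, `include ::profile::backup::host` and `include ::base::firewall`, matching the `include ::standard` already used in the same class. The file also ends without a trailing newline and carries doubled blank lines before `ferm::service` and before the closing brace.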
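Review bot: The caching.pp hunk ends at `class{'::prometheus::ops'}` with no closing brace, so the manifest will not parse. The class is also named `role::bastion::caching` while it lives in profile/manifests/bastionhost/, where the autoloader expects `profile::bastionhost::caching` (primary.pp has the same mismatch with `role::bastion::primary`), and it declares `::profile::bastion::general`, which does not match the `profile::bastionhost::general` defined in general.pp. Rename the class to `class profile::bastionhost::caching {`, change the declaration to `include ::profile::bastionhost::general`, and add the closing `}`.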
+++ b/modules/profile/manifests/bastionhost/general.pp
@@ -0,0 +1,11 @@
+# General use bastion host (All Users)
+class profile::bastionhost::general {
+ system::role { 'bastionhost::general':
+ description => 'Bastion host for all shell users',
+ }
+
+ class{'::profile::bastionhost::base'}
+ # Used by parsoid deployers
+ class{'::profile::scap::dsh'}
+
+}
\ No newline at end of file
diff --git a/modules/profile/manifests/bastionhost/primary.pp b/modules/profile/manifests/bastionhost/primary.pp
new file mode 100644
index 0000000..f030619
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/primary.pp
@@ -0,0 +1,4 @@
+class role::bastion::primary {
+ system::role { $name: }
+ class{'::profile::bastionhost::general'}
+}
\ No newline at end of file
diff --git a/modules/profile/manifests/bastionhost/twofa.pp b/modules/profile/manifests/bastionhost/twofa.pp
new file mode 100644
index 0000000..1102f22
--- /dev/null
+++ b/modules/profile/manifests/bastionhost/twofa.pp
@@ -0,0 +1,22 @@
+class profile::bastionhost::twofa {
+ system::role { 'bastionhost::twofa':
+ description => 'Bastion host using two factor authentication',
+ }
+
+ class{'::profile::bastionhost::base'}
+
+ include ::passwords::yubiauth
+
+ require_package('libpam-yubico')
+
+ $api_key = $passwords::yubiauth::api_key
+
+ file { '/etc/pam.d/sshd':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ content => template('profile/bastionhost/pam-sshd.erb'),
+ require => Package['openssh-server'],
+ }
+}
-- To view, visit https://gerrit.wikimedia.org/r/386752 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5139a2b129eabd8b0067d794490a3d3855867161 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: RobH <r...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
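Review bot: The `file { '/etc/pam.d/sshd': ... }` resource renders `$api_key`, taken from `$passwords::yubiauth::api_key`, into the file, and without `show_diff => false` every content change is diffed into the agent's reports and logs; the 0440 root:root mode is appropriate, so add `show_diff => false,` next to `mode`. The template `profile/bastionhost/pam-sshd.erb` is not among the five manifests this change adds, so unless it already exists in the repository the catalog will fail to compile. The class also lacks the header comment that base.pp and general.pp carry; e.g. `# Bastion host that enforces two-factor SSH authentication via libpam-yubico`.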