Puppet Class: gitlab::ssh

Defined in:
modules/gitlab/manifests/ssh.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ssh_listen_addresses (Array[Stdlib::IP::Address]) (defaults to: ['127.0.0.1', '::1'])

    the addresses to listen on

  • ssh_port

    the port to listen on

  • ensure (Wmflib::Ensure) (defaults to: 'present')
  • listen_port (Stdlib::Port) (defaults to: 22)
  • base_dir (Stdlib::Unixpath) (defaults to: '/etc/ssh-gitlab')
  • syslog_facility (String) (defaults to: 'AUTH')
  • syslog_level (String) (defaults to: 'VERBOSE')
  • login_grace_time (Integer[1]) (defaults to: 60)
  • max_start_ups (String) (defaults to: '10:30:60')
  • max_sessions (Integer[1]) (defaults to: 10)
  • max_auth_tries (Integer[1]) (defaults to: 3)
  • accept_env (Array[String]) (defaults to: ['LANG', 'LC_*'])
  • host_key_algos (Array[String]) (defaults to: ['ecdsa', 'ed25519', 'rsa'])
  • kex_algorithms (Array[String]) (defaults to: ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'])
  • sshd_options (Array[String]) (defaults to: [])
  • ciphers (Array[String]) (defaults to: [ 'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' ])
  • macs (Array[String]) (defaults to: [ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com' ])


# File 'modules/gitlab/manifests/ssh.pp', line 5

# @summary Run a second, dedicated sshd instance ('ssh-gitlab') for GitLab,
#   with its own config directory, host keys, moduli and systemd unit, so the
#   git-over-SSH endpoint stays separate from the host's system sshd.
#   Everything lives under $base_dir; with the default $ssh_listen_addresses the
#   instance is bound to loopback only. $ensure => 'absent' removes the
#   directory (host keys included) and withdraws the unit.
#
# Apart from ensure, base_dir and host_key_algos, the parameters are not
# referenced in this body: they are presumably consumed by
# gitlab/sshd_config.erb and gitlab/sshd.service.erb (not visible here), and
# their names mirror sshd_config keywords. How the templates render them is
# not verified from this file.
#
# @param ensure 'present' to configure the instance, 'absent' to remove it
# @param listen_port TCP port the instance listens on (the header above
#   documents this as "ssh_port", which is not the actual parameter name)
# @param base_dir directory holding the generated config, host keys and moduli
# @param syslog_facility syslog facility for the instance's log output
# @param syslog_level sshd log level; 'VERBOSE' in OpenSSH also logs the
#   fingerprint of the key used to log in, which is what makes git activity
#   attributable to an individual GitLab user
# @param login_grace_time seconds an unauthenticated connection may stay open
# @param max_start_ups 'start:rate:full' triple bounding concurrent
#   unauthenticated connections
# @param max_sessions sessions allowed per network connection
# @param max_auth_tries authentication attempts allowed per connection
# @param accept_env client environment variables the server accepts
# @param host_key_algos key types for which a host key is generated under
#   $base_dir; override if deployment policy excludes NIST curves ('ecdsa')
# @param kex_algorithms key exchange algorithms offered to clients
# @param sshd_options extra raw sshd_config lines
# @param ciphers ciphers offered, in preference order
# @param macs MACs offered, in preference order
class gitlab::ssh (
    Wmflib::Ensure             $ensure               = 'present',
    Array[Stdlib::IP::Address] $ssh_listen_addresses = ['127.0.0.1', '::1'],
    Stdlib::Port               $listen_port          = 22,
    Stdlib::Unixpath           $base_dir             = '/etc/ssh-gitlab',
    String                     $syslog_facility      = 'AUTH',
    String                     $syslog_level         = 'VERBOSE',
    Integer[1]                 $login_grace_time     = 60,
    String                     $max_start_ups        = '10:30:60',
    Integer[1]                 $max_sessions         = 10,
    Integer[1]                 $max_auth_tries       = 3,
    Array[String]              $accept_env           = ['LANG', 'LC_*'],
    Array[String]              $host_key_algos       = ['ecdsa', 'ed25519', 'rsa'],
    Array[String]              $kex_algorithms       = ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'],
    Array[String]              $sshd_options         = [],
    Array[String]              $ciphers              = [
        'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com',
        'aes256-ctr', 'aes192-ctr', 'aes128-ctr'
    ],
    Array[String]              $macs                 = [
        'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com',
        'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com'
    ],
) {
    # Path of the rendered sshd configuration for this instance.
    $config_file = "${base_dir}/sshd_gitlab"

    if $ensure == 'present' {
        wmflib::dir::mkdir_p($base_dir)
        # One host key per requested type. `creates` makes each exec a one-shot:
        # an existing key is never regenerated, so the host identity stays stable
        # across runs. No -b is passed, so the key size/curve is ssh-keygen's
        # default for the type; -N '' leaves the private key unencrypted on disk,
        # which an unattended sshd requires.
        $host_key_algos.each |$algo| {
            $host_key_file = "${base_dir}/ssh_host_${algo}_key"
            exec {"generate gitlab ssh host key(${algo})":
                command => "/usr/bin/ssh-keygen -q -N '' -t ${algo} -f ${host_key_file}",
                creates => $host_key_file,
                require => File[$base_dir],
            }
        }
    } else {
        # Removal also deletes the generated host keys, so re-enabling the class
        # later produces a fresh host identity (clients will see a changed key).
        file { $base_dir:
            ensure  => absent,
            recurse => true,
            force   => true,
        }
    }

    # World-readable copy of the host's DH moduli. Presumably referenced from
    # sshd_config.erb so the diffie-hellman-group-exchange-sha256 KEX listed in
    # $kex_algorithms draws its groups from it — confirm in the template. The
    # file is copied as-is, so any pruning of small groups has to happen on
    # /etc/ssh/moduli itself.
    file { "${base_dir}/moduli":
        ensure => stdlib::ensure($ensure, 'file'),
        owner  => root,
        group  => root,
        mode   => '0444',
        source => 'file:///etc/ssh/moduli',
    }
    # Root-only readable config rendered from the template. validate_cmd runs
    # `sshd -t` against the staged file (Puppet substitutes % with its temporary
    # path) before it replaces the live one, so a template error never takes the
    # listener down with a broken config; the notify then triggers the unit's
    # restart command below.
    file { $config_file:
        ensure       => $ensure,
        owner        => root,
        group        => root,
        mode         => '0440',
        content      => template('gitlab/sshd_config.erb'),
        validate_cmd => '/usr/sbin/sshd -t -f %',
        notify       => Service['ssh-gitlab'],
    }

    # The restart action is overridden with a reload so config changes are picked
    # up without dropping established git sessions.
    # NOTE(review): the unit declared here is 'ssh-gitlab', but the reload
    # command targets 'sshd-gitlab' — confirm against sshd.service.erb which
    # name the unit actually has; if it is ssh-gitlab, this reload addresses a
    # unit that does not exist and config changes would not take effect.
    systemd::service{ 'ssh-gitlab':
        ensure         => $ensure,
        content        => template('gitlab/sshd.service.erb'),
        service_params => {'restart' => 'systemctl reload sshd-gitlab'},
    }

    # Presumably opts the unit into the fleet's automatic restart handling
    # (profile::auto_restarts); its behaviour is defined outside this file.
    profile::auto_restarts::service { 'ssh-gitlab': }
}