Puppet Class: profile::base::cuminunpriv

Defined in:
modules/profile/manifests/base/cuminunpriv.pp

Overview

Parameters:

  • unpriv_cumin_masters (Array[Stdlib::IP::Address]) (defaults to: lookup('unpriv_cumin_masters', {default_value => []}))


# File 'modules/profile/manifests/base/cuminunpriv.pp', line 8

# @summary Deploy the Kerberos host keytab and allow SSH from the unprivileged
#   Cumin masters.
#
# Manages the per-host keytab under /etc/security/keytabs/host (root-only),
# opens TCP/22 to the configured master addresses via firewall::service, and
# links /etc/krb5.keytab to the deployed keytab.
#
# @param unpriv_cumin_masters IP addresses of the unprivileged Cumin masters
#   allowed to reach this host on TCP/22 (used as the firewall srange).
#   Looked up from the 'unpriv_cumin_masters' key; defaults to an empty list.
class profile::base::cuminunpriv(
    Array[Stdlib::IP::Address] $unpriv_cumin_masters = lookup('unpriv_cumin_masters', {default_value => []}),
) {
    include profile::kerberos::client

    # Avoid a duplicate declaration when another class already manages this
    # directory. Note that defined() is evaluated in parse order, so whether
    # this branch is taken depends on which class is evaluated first.
    # The parent /etc/security/keytabs is expected to be declared elsewhere
    # (presumably by profile::kerberos::client — verify).
    if !defined(File['/etc/security/keytabs/host']) {
        file { '/etc/security/keytabs/host':
            ensure  => 'directory',
            owner   => 'root',
            group   => 'root',
            mode    => '0550',
            require => File['/etc/security/keytabs']
        }
    }

    # Per-host keytab pulled from wmflib::secret. Readable by root only, and
    # show_diff is disabled so the key material is not printed in agent
    # reports or logs when the content changes.
    file { '/etc/security/keytabs/host/host.keytab':
        ensure    => 'present',
        owner     => 'root',
        group     => 'root',
        mode      => '0440',
        content   => wmflib::secret("kerberos/keytabs/${::fqdn}/host/host.keytab", true),
        show_diff => false,
        require   => File['/etc/security/keytabs/host']
    }

    # NOTE(review): with the default (empty) list this rule is declared with an
    # empty srange — confirm how firewall::service handles that case before
    # relying on it to restrict SSH access.
    firewall::service { 'ssh-from-unprivcumin-masters':
        proto  => 'tcp',
        port   => 22,
        srange => $unpriv_cumin_masters,
    }

    # OpenSSH looks for the host keytab at /etc/krb5.keytab. We deploy all keytabs
    # centrally via Puppet in /etc/security/keytabs, so add a symlink as a fallback
    file { '/etc/krb5.keytab':
        ensure => link,
        target => '/etc/security/keytabs/host/host.keytab',
    }
}