Puppet Class: profile::ssh::ca

Defined in:
modules/profile/manifests/ssh/ca.pp

Summary

provisions scripts needed to sign ssh server certificates

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: lookup('profile::ssh::ca::ensure', {default_value => 'absent'}))

    ensurable parameter ('present' or 'absent')

  • ca_key_id (Optional[String[1]]) (defaults to: lookup('profile::ssh::ca::ca_key_id', {default_value => undef}))

    human-readable name for the CA key

  • ca_key_secret (Optional[String[1]]) (defaults to: lookup('profile::ssh::ca::ca_key_secret', {default_value => undef}))

    path passed to secret() to retrieve the CA private key



# File 'modules/profile/manifests/ssh/ca.pp', line 6

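class profile::ssh::ca (
  Wmflib::Ensure      $ensure        = lookup('profile::ssh::ca::ensure',        {default_value => 'absent'}),
  Optional[String[1]] $ca_key_id     = lookup('profile::ssh::ca::ca_key_id',     {default_value => undef}),
  Optional[String[1]] $ca_key_secret = lookup('profile::ssh::ca::ca_key_secret', {default_value => undef}),
) {
  # Deploys the CA key identifier and the CA private key under /etc/ssh.
  # Both values are needed to materialise the CA, so refuse to compile a
  # catalog that would write an empty id or key file.
  if $ensure == 'present' and !($ca_key_id and $ca_key_secret) {
    fail('profile::ssh::ca: must specify both ca_key_id and ca_key_secret when present')
  }

  # Shared translation of the class-level ensure into the file resource's one.
  $file_ensure = stdlib::ensure($ensure, 'file')

  # The key id is not sensitive; world-readable so signing tooling running
  # as any user can look it up.
  file { '/etc/ssh/ca-key-id.txt':
    ensure  => $file_ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => $ca_key_id,
  }

  # Only the matching selector arm is evaluated, so secret() -- and hence the
  # private key -- never enters the catalog of a host with ensure => absent.
  $ca_content = $ensure ? {
    present => secret($ca_key_secret),
    default => undef,
  }

  # The CA private key: owner-only, never printed in agent diffs, and never
  # copied into the agent's local filebucket when replaced (backup => false),
  # so superseded key material does not linger on disk after a rotation.
  file { '/etc/ssh/ca':
    ensure    => $file_ensure,
    owner     => 'puppet',
    group     => 'puppet',
    mode      => '0400',
    content   => $ca_content,
    show_diff => false,
    backup    => false,
  }
}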