Class: Construqt::Flavour::Ubuntu::Host
- Inherits:
-
OpenStruct
- Object
- OpenStruct
- Construqt::Flavour::Ubuntu::Host
- Defined in:
- lib/construqt/flavour/ubuntu/flavour_ubuntu.rb
Instance Method Summary collapse
- #build_config(host, unused) ⇒ Object
-
#initialize(cfg) ⇒ Host
constructor
A new instance of Host.
Constructor Details
#initialize(cfg) ⇒ Host
Returns a new instance of Host.
140 141 142 |
# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu.rb', line 140 def initialize(cfg) super(cfg) end |
Instance Method Details
#build_config(host, unused) ⇒ Object
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 |
# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu.rb', line 144 def build_config(host, unused) host.result.add(self, <<SCTL, Construqt::Resources::Rights::ROOT_0644, "etc", "sysctl.conf") net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 net.ipv4.vs.pmtu_disc=1 net.ipv6.conf.all.autoconf=0 net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.all.forwarding=1 SCTL host.result.add(self, <<HOSTS, Construqt::Resources::Rights::ROOT_0644, "etc", "hosts") 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 127.0.1.1 #{host.name} #{host.region.network.fqdn(host.name)} HOSTS host.result.add(self, host.name, Construqt::Resources::Rights::ROOT_0644, "etc", "hostname") host.result.add(self, "# WTF resolvconf", Construqt::Resources::Rights::ROOT_0644, "etc", "resolvconf", "resolv.conf.d", "orignal"); host.result.add(self, (host.region.network.dns_resolver.nameservers.ips.map{|i| "nameserver #{i.to_s}" }+ ["search #{host.region.network.dns_resolver.search.join(' ')}"]).join("\n"), Construqt::Resources::Rights::ROOT_0644, "etc", "resolv.conf") #binding.pry Dns.build_config(host) if host.delegate.dns_server akeys = [] ykeys = [] skeys = [] host.region.users.all.each do |u| akeys << u.public_key if u.public_key ykeys << "#{u.name}:#{u.yubikey}" if u.yubikey skeys << "#{u.shadow}" if u.shadow end host.result.add(self, skeys.join(), Construqt::Resources::Rights::ROOT_0644, "etc", "shadow.merge") host.result.add(self, akeys.join(), Construqt::Resources::Rights::ROOT_0644, "root", ".ssh", "authorized_keys") host.result.add(self, ykeys.join("\n"), Construqt::Resources::Rights::ROOT_0644, "etc", "yubikey_mappings") host.result.add(self, <<SSH , Construqt::Resources::Rights::ROOT_0644, "etc", "ssh", "sshd_config") # Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin without-password StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords PasswordAuthentication no # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes SSH host.result.add(self, <<PAM , Construqt::Resources::Rights::ROOT_0644, "etc", "pam.d", "openvpn") #{host.delegate.yubikey ? '':'# '}auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so @include common-account @include common-session-noninteractive PAM #binding.pry host.delegate.files && host.delegate.files.each do |file| if host.result.replace(nil, file.data, file.right, *file.path) Construqt.logger.warn("the file #{file.path} was overriden!") end end end |