Diffstat (limited to 'sitemodules/profiles/templates')
-rw-r--r--sitemodules/profiles/templates/base/sshd_config.epp29
-rw-r--r--sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp22
-rw-r--r--sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp52
3 files changed, 51 insertions, 52 deletions
diff --git a/sitemodules/profiles/templates/base/sshd_config.epp b/sitemodules/profiles/templates/base/sshd_config.epp
new file mode 100644
index 0000000..fc85e87
--- /dev/null
+++ b/sitemodules/profiles/templates/base/sshd_config.epp
@@ -0,0 +1,29 @@
+# sshd_config: Managed by Puppet
+#
+
+# Shorten login timeout. 15s should be enough for public key authentication
+LoginGraceTime 15s
+
+# We use sudo, root should not login directly
+PermitRootLogin no
+
+# Be a bit tolerant to allow admins to have more than a single key pair
+MaxAuthTries 2
+MaxSessions 3
+
+# We only want public key authentication
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+
+# No X11 forwarding for non-interactive use/non-sudo users
+X11Forwarding no
+PrintMotd no
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Allow X11Forwarding for users in the sudo group
+Match Group sudo
+ X11Forwarding yes
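Review bot: `MaxAuthTries 2` does not deliver the tolerance promised by the comment above it ("more than a single key pair"): sshd counts every public key the client offers against this limit, so an agent that presents two keys not installed on this host is disconnected with "Too many authentication failures" before a third, valid key is ever tried. Either raise the value (the OpenSSH default is 6) or make the client-side requirement explicit, e.g. replace the comment with `# Every key the client offers counts against MaxAuthTries; admins with several keys loaded must pin one with IdentitiesOnly/IdentityFile`. Separately, on recent OpenSSH releases (8.7 and later, as far as I can tell) `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication`; it is still honored, but a short comment noting that would save the next reader from wondering why PAM keyboard-interactive is not disabled by its current name.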
diff --git a/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
new file mode 100644
index 0000000..c4caa7f
--- /dev/null
+++ b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
@@ -0,0 +1,22 @@
+<%- | Hash[String, String] $https_forwards, Integer $https_port | -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+stream {
+ map $ssl_preread_server_name $targetBackend {
+<%- $https_forwards.each |$host_name, $target| { %>
+ <%= $host_name %> <%= $target %>;
+<%- } %>
+ }
+
+ server {
+ listen <%= $https_port %>;
+ listen [::]:<%= $https_port %>;
+
+ proxy_connect_timeout 1s;
+ proxy_timeout 3s;
+
+ proxy_pass $targetBackend;
+ ssl_preread on;
+ }
+}
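Review bot: `proxy_timeout 3s` in the server block is the idle timeout between two successive reads or writes on the proxied stream, not a handshake limit, so any passed-through HTTPS session that goes quiet for three seconds (keep-alive, long polling, a stalled upload) is cut mid-connection; the nginx default is 10m and something of that order is more appropriate here, while `proxy_connect_timeout 1s` can stay for the backend connect. The `map` also has no `default` entry, so a client presenting an unknown or absent SNI name leaves `$targetBackend` empty and `proxy_pass` fails on an error path rather than on a stated rule; adding an explicit `default` (a deliberate sink or fallback backend) documents the fail-closed behaviour. Finally the template writes `$host_name` and `$target` into the config verbatim, and `Hash[String, String]` admits values containing `;`, `}`, `#` or newlines that would inject further stream directives from a malformed Hiera entry; tightening the signature to `<%- | Hash[Pattern[/\A[^\s;{}#]+\z/], Pattern[/\A[^\s;{}#]+\z/]] $https_forwards, Integer $https_port | -%>` makes such data fail catalog compilation instead of producing a broken or unintended nginx config.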
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
deleted file mode 100644
index 9791139..0000000
--- a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
+++ /dev/null
@@ -1,52 +0,0 @@
-<%- | Array[String] $https_forwards = [] | -%>
-# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
-# NEXT PUPPET RUN.
-#
-# sniproxy configuration file
-# lines that start with # are comments
-# lines with only white space are ignored
-
-user daemon
-pidfile /var/run/sniproxy.pid
-
-error_log {
- # Log to the daemon syslog facility
- syslog daemon
-
- # Alternatively we could log to file
- #filename /var/log/sniproxy/sniproxy.log
-
- # Control the verbosity of the log
- priority notice
-}
-
-listen 80 {
- proto http
- table http_hosts
- # Fallback backend server to use if we can not parse the client request
- fallback 127.0.0.1:8080
-
- access_log {
- filename /var/log/sniproxy/http_access.log
- priority notice
- }
-}
-
-listen 443 {
- proto tls
- table https_hosts
-
- access_log {
- filename /var/log/sniproxy/https_access.log
- priority notice
- }
-}
-
-table http_hosts {
-}
-
-table https_hosts {
-<%- $https_forwards.each |$forward| { %>
- <%= $forward -%>
-<% } %>
-}