Diffstat (limited to 'sitemodules/profiles/templates')
3 files changed, 51 insertions, 52 deletions
diff --git a/sitemodules/profiles/templates/base/sshd_config.epp b/sitemodules/profiles/templates/base/sshd_config.epp
new file mode 100644
index 0000000..fc85e87
--- /dev/null
+++ b/sitemodules/profiles/templates/base/sshd_config.epp
@@ -0,0 +1,29 @@
+# sshd_config: Managed by Puppet
+#
+
+# Shorten login timeout. 15s should be enough for public key authentication
+LoginGraceTime 15s
+
+# We use sudo, root should not login directly
+PermitRootLogin no
+
+# Be a bit tolerant to allow admins to have more than a single key pair
+MaxAuthTries 2
+MaxSessions 3
+
+# We only want public key authentication
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+
+# No X11 forwarding for non-interactive use/non-sudo users
+X11Forwarding no
+PrintMotd no
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Allow X11Forwarding for users in the sudo group
+Match Group sudo
+    X11Forwarding yes
diff --git a/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
new file mode 100644
index 0000000..c4caa7f
--- /dev/null
+++ b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
@@ -0,0 +1,22 @@
+<%- | Hash[String, String] $https_forwards, Integer $https_port | -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+stream {
+    map $ssl_preread_server_name $targetBackend {
+<%- $https_forwards.each |$host_name, $target| { %>
+        <%= $host_name %> <%= $target %>;
+<%- } %>
+    }
+
+    server {
+        listen <%= $https_port %>;
+        listen [::]:<%= $https_port %>;
+
+        proxy_connect_timeout 1s;
+        proxy_timeout 3s;
+
+        proxy_pass $targetBackend;
+        ssl_preread on;
+    }
+}
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
deleted file mode 100644
index 9791139..0000000
--- a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
+++ /dev/null
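Review bot: The comment above `MaxAuthTries 2` promises tolerance for admins with more than one key pair, but 2 is below OpenSSH's default of 6, and every public key the client offers and sshd rejects counts as one attempt, so an agent holding three or more keys can be disconnected before the matching key is tried. Either raise the value so it matches the comment or document the client-side requirement next to it, e.g. `# Clients with several keys loaded must pin the key (IdentitiesOnly yes + IdentityFile) or they hit this limit`. `PasswordAuthentication no` together with `UsePAM yes` still lets PAM account/session modules run, which looks intended, but on newer OpenSSH releases the `ChallengeResponseAuthentication` line is a legacy alias for `KbdInteractiveAuthentication`, so a comment naming the current option would help whoever next edits the file.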
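Review bot: `proxy_timeout 3s` in the server block is an inactivity timeout between successive reads or writes on the client or backend side, not a handshake limit, so any TLS session idle for more than three seconds (HTTP keep-alive, long polling, WebSockets passing through this proxy) is torn down; the fast-fail intent is already covered by `proxy_connect_timeout 1s`, so this should be left at the nginx default or set to something like `proxy_timeout 10m;`. The `map` on `$ssl_preread_server_name` has no `default`, so a client presenting an unknown or absent SNI name leaves `$targetBackend` empty and the `proxy_pass` fails for that connection, which is a reasonable fail-closed choice but should be explicit, e.g. `# no default: connections with an unknown or missing SNI name are rejected`. The map keys and targets are emitted unquoted straight from `$https_forwards`; that is fine for hiera-sourced hostnames, but a key beginning with `~` or containing whitespace would change the map's meaning, so a tighter type than `String` on the template parameter (a pattern matching hostnames) would rule that out at compile time. The removed sniproxy configuration also listened on port 80 with a fallback to 127.0.0.1:8080, and nothing in the new template covers that port, which may be intended but is not mentioned in the change.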
@@ -1,52 +0,0 @@
-<%- | Array[String] $https_forwards = [] | -%>
-# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
-# NEXT PUPPET RUN.
-#
-# sniproxy configuration file
-# lines that start with # are comments
-# lines with only white space are ignored
-
-user daemon
-pidfile /var/run/sniproxy.pid
-
-error_log {
-    # Log to the daemon syslog facility
-    syslog daemon
-
-    # Alternatively we could log to file
-    #filename /var/log/sniproxy/sniproxy.log
-
-    # Control the verbosity of the log
-    priority notice
-}
-
-listen 80 {
-    proto http
-    table http_hosts
-    # Fallback backend server to use if we can not parse the client request
-    fallback 127.0.0.1:8080
-
-    access_log {
-        filename /var/log/sniproxy/http_access.log
-        priority notice
-    }
-}
-
-listen 443 {
-    proto tls
-    table https_hosts
-
-    access_log {
-        filename /var/log/sniproxy/https_access.log
-        priority notice
-    }
-}
-
-table http_hosts {
-}
-
-table https_hosts {
-<%- $https_forwards.each |$forward| { %>
-    <%= $forward -%>
-<% } %>
-}