Basic secure configuration - ghomem/legacy_puppet_infrastructure GitHub Wiki

Basic secure configuration

For a default configuration with SSH reachable from the Internet and access granted to the default passwd_common users, the following node declaration must be written in the manifest:

node 'basic-secure01' {

    include puppet_infrastructure::node_base
    include passwd_common
    
}

You can modify the configuration by passing parameters to the node_base class. Set the boolean ssh_strict to true to limit SSH access to the IPs listed in ssh_acl.

node 'basic-secure02' {

    class {'puppet_infrastructure::node_base':
        ssh_strict              => true,
        ssh_acl                 => [ 'X.Y.Z.W', 'A.B.C.D', '...', ],
    }

    include passwd_common
}

By including firewall_addon_web you open the HTTP ports to the Internet.

node 'basic-secure03' {

    class {'puppet_infrastructure::node_base':
        ssh_strict              => true,
        ssh_acl                 => [ 'X.Y.Z.W', 'A.B.C.D', '...', ],
    }

    include passwd_common
    
    # open HTTP ports to the Internet
    include puppet_infrastructure::firewall_addon_web
}

Alternatively, make the HTTP ports available only to a whitelist by adding the IPs to the $whitelist array in the following way:

# server with SSH available based on a whitelist, and HTTP ports based on a whitelist
node 'basic-secure04' {

    class {'puppet_infrastructure::node_base':
        ssh_strict              => true,
        ssh_acl                 => [ 'X.Y.Z.W', 'A.B.C.D', '...', ],
    }

    include passwd_common
    
    # IPs that can access the HTTP ports
    $whitelist = [ 'Q.W.E.R', 'X.C.V.B']

    $whitelist.each |String $ip| {
      firewall { "1000 accept http  $ip whitelist": proto => 'tcp', dport => 80 , action => 'accept', source => $ip }
      firewall { "1001 accept https $ip whitelist": proto => 'tcp', dport => 443, action => 'accept', source => $ip }
    }

}

By default, port 22 is used for SSH connections, but you can specify another port by passing ssh_port as a parameter. You can also set password_authentication to true to enable password authentication instead of, or alongside, publickey_authentication.

node 'basic-secure05' {

    class {'puppet_infrastructure::node_base':
        ssh_strict              => true,
        ssh_acl                 => [ 'X.Y.Z.W', 'A.B.C.D', '...', ],
        ssh_port                => 4242,
        password_authentication => true,
    }

    include passwd_common
}
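As an added sanity check that is not part of the legacy_puppet_infrastructure module, the following Python script validates the ssh_acl / $whitelist entries and the ssh_port value before a node declaration like the ones above is committed; the function names, the /16 width threshold and the sample values are constructed for this example.

```python
"""Pre-commit check for the node_base parameters used in this wiki page.

validate_acl / validate_ssh_port are hypothetical helpers written for this
example; they are not provided by puppet_infrastructure.
"""
import ipaddress
from typing import List

# Widest prefix accepted in an allow-list without a warning (assumption).
MAX_PREFIX_WIDTH = 16


def validate_acl(entries: List[str], name: str = "ssh_acl") -> List[str]:
    """Return the problems found in an allow-list such as ssh_acl or $whitelist.

    Each entry must be an IPv4/IPv6 address or CIDR network. Placeholders left
    over from the examples ('X.Y.Z.W', '...'), the unspecified network
    (0.0.0.0/0 or ::/0) and duplicates all undermine ssh_strict, so they are
    reported rather than silently accepted.
    """
    problems: List[str] = []
    seen = set()
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            problems.append(f"{name}: {raw!r} is not an IP or CIDR (placeholder left in?)")
            continue
        if net.prefixlen == 0:
            problems.append(f"{name}: {raw!r} allows every address; ssh_strict is meaningless")
        elif net.prefixlen < MAX_PREFIX_WIDTH:
            problems.append(f"{name}: {raw!r} is wider than /{MAX_PREFIX_WIDTH}; confirm intent")
        if net in seen:
            problems.append(f"{name}: {raw!r} is listed more than once")
        seen.add(net)
    if not entries:
        problems.append(f"{name}: list is empty; with ssh_strict => true no source is allowed")
    return problems


def validate_ssh_port(port: int) -> List[str]:
    """Reject out-of-range ports and a clash with the HTTP/HTTPS ports (80, 443)."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return [f"ssh_port: {port!r} is not a valid TCP port"]
    if port in (80, 443):
        return [f"ssh_port: {port} collides with the HTTP ports opened for the whitelist"]
    return []


if __name__ == "__main__":
    # Constructed sample: the placeholder ACL from the examples above must be flagged.
    for line in validate_acl(["X.Y.Z.W", "A.B.C.D", "..."]) + validate_ssh_port(4242):
        print(line)
```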