diff --git a/REFERENCE.md b/REFERENCE.md
index 53c7fef3..d426ff68 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -10,9 +10,8 @@
* [`ssh`](#ssh): This class manages ssh client and server
* [`ssh::client`](#ssh--client): This class add ssh client management
-* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys
-* [`ssh::knownhosts`](#ssh--knownhosts): This class manages knownhosts if collection is enabled.
-* [`ssh::server`](#ssh--server): This class managed ssh server
+* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`.
+* [`ssh::server`](#ssh--server): This class manages the ssh server and related resources, including host keys.
#### Private Classes
@@ -337,6 +336,7 @@ The following parameters are available in the `ssh::client` class:
* [`options_absent`](#-ssh--client--options_absent)
* [`default_options`](#-ssh--client--default_options)
* [`match_block`](#-ssh--client--match_block)
+* [`storeconfigs_group`](#-ssh--client--storeconfigs_group)
* [`config_user`](#-ssh--client--config_user)
* [`config_group`](#-ssh--client--config_group)
@@ -408,6 +408,13 @@ Add ssh match_block (with concat)
Default value: `{}`
+##### `storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Define the hostkeys tag to filter with
+
+Default value: `undef`
##### `config_user`
Data type: `Variant[Integer, String[1]]`
@@ -422,7 +429,7 @@ Numeric id or name of the group for the config file
### `ssh::hostkeys`
-This class manages hostkeys
+This class manages hostkeys. It is intended to be called from `ssh::server`.
#### Parameters
@@ -444,7 +451,7 @@ Data type: `Boolean`
Whether ip addresses should be added as aliases
-Default value: `true`
+Default value: `$ssh::server::export_ipaddresses`
##### `storeconfigs_group`
@@ -452,7 +459,7 @@ Data type: `Optional[String[1]]`
Tag hostkeys with this group to allow segregation
-Default value: `undef`
+Default value: `$ssh::server::storeconfigs_group`
##### `extra_aliases`
@@ -460,7 +467,7 @@ Data type: `Array`
Additional aliases to set for host keys
-Default value: `[]`
+Default value: `$ssh::server::extra_aliases`
##### `exclude_interfaces`
@@ -468,7 +475,7 @@ Data type: `Array`
List of interfaces to exclude
-Default value: `[]`
+Default value: `$ssh::server::exclude_interfaces`
##### `exclude_interfaces_re`
@@ -476,7 +483,7 @@ Data type: `Array`
List of regular expressions to exclude interfaces
-Default value: `[]`
+Default value: `$ssh::server::exclude_interfaces_re`
##### `exclude_ipaddresses`
@@ -484,7 +491,7 @@ Data type: `Array`
List of ip addresses to exclude
-Default value: `[]`
+Default value: `$ssh::server::exclude_ipaddresses`
##### `exclude_key_types`
@@ -500,7 +507,7 @@ Data type: `Boolean`
Whether to use trusted or normal facts
-Default value: `false`
+Default value: `$ssh::server::use_trusted_facts`
##### `tags`
@@ -508,38 +515,11 @@ Data type: `Optional[Array[String[1]]]`
Array of custom tags
-Default value: `undef`
-
-### `ssh::knownhosts`
-
-This class manages knownhosts if collection is enabled.
-
-#### Parameters
-
-The following parameters are available in the `ssh::knownhosts` class:
-
-* [`collect_enabled`](#-ssh--knownhosts--collect_enabled)
-* [`storeconfigs_group`](#-ssh--knownhosts--storeconfigs_group)
-
-##### `collect_enabled`
-
-Data type: `Boolean`
-
-Enable collection
-
-Default value: `$ssh::knownhosts::collect_enabled`
-
-##### `storeconfigs_group`
-
-Data type: `Optional[String[1]]`
-
-Define the hostkeys group storage
-
-Default value: `undef`
+Default value: `$ssh::server::tags`
### `ssh::server`
-This class managed ssh server
+This class manages the ssh server and related resources, including host keys.
#### Examples
@@ -582,6 +562,14 @@ The following parameters are available in the `ssh::server` class:
* [`use_issue_net`](#-ssh--server--use_issue_net)
* [`sshd_environments_file`](#-ssh--server--sshd_environments_file)
* [`server_package_name`](#-ssh--server--server_package_name)
+* [`export_ipaddresses`](#-ssh--server--export_ipaddresses)
+* [`storeconfigs_group`](#-ssh--server--storeconfigs_group)
+* [`extra_aliases`](#-ssh--server--extra_aliases)
+* [`exclude_interfaces`](#-ssh--server--exclude_interfaces)
+* [`exclude_interfaces_re`](#-ssh--server--exclude_interfaces_re)
+* [`exclude_ipaddresses`](#-ssh--server--exclude_ipaddresses)
+* [`use_trusted_facts`](#-ssh--server--use_trusted_facts)
+* [`tags`](#-ssh--server--tags)
##### `service_name`
@@ -761,6 +749,70 @@ Name of the server package to install
Default value: `undef`
+##### `export_ipaddresses`
+
+Data type: `Boolean`
+
+Whether IP addresses should be added as aliases for host keys
+
+Default value: `true`
+
+##### `storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Tag host keys with this group to allow segregation
+
+Default value: `undef`
+
+##### `extra_aliases`
+
+Data type: `Array`
+
+Additional aliases to set for host keys
+
+Default value: `[]`
+
+##### `exclude_interfaces`
+
+Data type: `Array`
+
+List of interfaces to exclude when collecting IPs for host keys
+
+Default value: `[]`
+
+##### `exclude_interfaces_re`
+
+Data type: `Array`
+
+List of regular expressions to exclude interfaces
+
+Default value: `[]`
+
+##### `exclude_ipaddresses`
+
+Data type: `Array`
+
+List of IP addresses to exclude from host key aliases
+
+Default value: `[]`
+
+##### `use_trusted_facts`
+
+Data type: `Boolean`
+
+Whether to use trusted facts instead of legacy facts
+
+Default value: `false`
+
+##### `tags`
+
+Data type: `Optional[Array[String[1]]]`
+
+Array of custom tags to apply to exported host keys
+
+Default value: `undef`
+
## Defined types
### `ssh::client::config::user`
diff --git a/data/common.yaml b/data/common.yaml
index cfc822e6..8cfb3379 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -29,9 +29,7 @@ ssh::server::host_priv_key_user: 0
ssh::server::host_priv_key_group: 0
ssh::server::host_priv_key_mode: '0600'
ssh::validate_sshd_file : false
-ssh::collect_enabled : true # Collect sshkey resources
ssh::server::issue_net : '/etc/issue.net'
-ssh::knownhosts::collect_enabled : true
ssh::server::default_options:
X11Forwarding: 'yes'
diff --git a/manifests/client.pp b/manifests/client.pp
index 73e4fc2c..1eb7cee3 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -35,6 +35,9 @@
# @param match_block
# Add ssh match_block (with concat)
#
+# @param storeconfigs_group
+# Define the hostkeys tag to filter with
+#
# @param config_user
# Numeric id or name of the user for the config file
# @param config_group
@@ -52,6 +55,7 @@
Boolean $use_augeas = false,
Array $options_absent = [],
Hash $match_block = {},
+ Optional[String[1]] $storeconfigs_group = undef,
) {
if $use_augeas {
$merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
@@ -62,14 +66,16 @@
contain ssh::client::install
contain ssh::client::config
- # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
+ # Provide option to *not* use storeconfigs/puppetdb, which means not collecting host keys into knownhosts
if ($storeconfigs_enabled) {
- contain ssh::knownhosts
-
Class['ssh::client::install']
-> Class['ssh::client::config']
- -> Class['ssh::knownhosts']
+
+ if $storeconfigs_group {
+ Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
+ } else {
+ Sshkey <<| |>>
+ }
} else {
Class['ssh::client::install']
-> Class['ssh::client::config']
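Review bot: The collector now runs whenever `$storeconfigs_enabled` is true, so the opt-out that `ssh::knownhosts::collect_enabled` used to provide is gone, and Hiera data still carrying `ssh::knownhosts::collect_enabled: false` or `ssh::knownhosts::storeconfigs_group` is silently ignored rather than rejected. Keeping an explicit knob on the client would preserve that, e.g. `Boolean $collect_enabled = true,` beside the new `storeconfigs_group` parameter and `if $storeconfigs_enabled and $collect_enabled {` here, plus a changelog line naming the moved keys. Worth a comment above the collector as well: `Sshkey <<| |>>` pulls every exported Sshkey in the PuppetDB (presumably across environments), and the tag form only narrows by group label — since `ssh::hostkeys` derives each key's name and aliases from the exporting node's facts, any node exporting into the same group can populate every collecting client's ssh_known_hosts, so the filter is a grouping mechanism, not a trust boundary.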
diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index 19d05cec..901954c4 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
@@ -1,5 +1,5 @@
# @summary
-# This class manages hostkeys
+# This class manages hostkeys. It is intended to be called from `ssh::server`.
#
# @param export_ipaddresses
# Whether ip addresses should be added as aliases
@@ -29,26 +29,26 @@
# Array of custom tags
#
class ssh::hostkeys (
- Boolean $export_ipaddresses = true,
- Optional[String[1]] $storeconfigs_group = undef,
- Array $extra_aliases = [],
- Array $exclude_interfaces = [],
- Array $exclude_interfaces_re = [],
- Array $exclude_ipaddresses = [],
+ Boolean $export_ipaddresses = $ssh::server::export_ipaddresses,
+ Optional[String[1]] $storeconfigs_group = $ssh::server::storeconfigs_group,
+ Array $extra_aliases = $ssh::server::extra_aliases,
+ Array $exclude_interfaces = $ssh::server::exclude_interfaces,
+ Array $exclude_interfaces_re = $ssh::server::exclude_interfaces_re,
+ Array $exclude_ipaddresses = $ssh::server::exclude_ipaddresses,
Array[String[1]] $exclude_key_types = [],
- Boolean $use_trusted_facts = false,
- Optional[Array[String[1]]] $tags = undef,
+ Boolean $use_trusted_facts = $ssh::server::use_trusted_facts,
+ Optional[Array[String[1]]] $tags = $ssh::server::tags,
) {
if $use_trusted_facts {
$fqdn_real = $trusted['certname']
$hostname_real = $trusted['hostname']
} else {
- # stick to legacy facts for older versions of facter
+ # stick to normal facts
$fqdn_real = $facts['networking']['fqdn']
$hostname_real = $facts['networking']['hostname']
}
- if $export_ipaddresses == true {
+ if $export_ipaddresses {
$ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)
$ipaddresses_real = $ipaddresses - $exclude_ipaddresses
$host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real])))
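Review bot: Every default in the parameter list now reads `$ssh::server::…`, so declaring `ssh::hostkeys` on its own — which the old literal defaults allowed — resolves those lookups to undef (or fails under `strict_variables`) and the `Boolean`/`Array` type checks then reject the class with a type-mismatch error that does not say why. Since parameter defaults are evaluated before the body, a guard inside the class cannot catch this, so at minimum document it on the parameter list: `# Defaults are resolved from ssh::server; this class is not usable standalone.` `exclude_key_types` is the one parameter not lifted to `ssh::server` and keeps its literal `[]`, so it can still only be set via Hiera on `ssh::hostkeys::exclude_key_types`, which looks unintentional given the rest of the list. The class body continues past the end of the hunk.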
diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp
deleted file mode 100644
index 3cd113e1..00000000
--- a/manifests/knownhosts.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-# @summary
-# This class manages knownhosts if collection is enabled.
-#
-# @param collect_enabled
-# Enable collection
-#
-# @param storeconfigs_group
-# Define the hostkeys group storage
-#
-class ssh::knownhosts (
- Boolean $collect_enabled = $ssh::knownhosts::collect_enabled,
- Optional[String[1]] $storeconfigs_group = undef,
-) {
- if ($collect_enabled) {
- if $storeconfigs_group {
- Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
- } else {
- Sshkey <<| |>>
- }
- }
-}
diff --git a/manifests/server.pp b/manifests/server.pp
index 3e040a80..8e136de9 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,5 +1,5 @@
# @summary
-# This class managed ssh server
+# This class manages the ssh server and related resources, including host keys.
#
# @example Puppet usage
# class { 'ssh::server':
@@ -83,6 +83,30 @@
# @param server_package_name
# Name of the server package to install
#
+# @param export_ipaddresses
+# Whether IP addresses should be added as aliases for host keys
+#
+# @param storeconfigs_group
+# Tag host keys with this group to allow segregation
+#
+# @param extra_aliases
+# Additional aliases to set for host keys
+#
+# @param exclude_interfaces
+# List of interfaces to exclude when collecting IPs for host keys
+#
+# @param exclude_interfaces_re
+# List of regular expressions to exclude interfaces
+#
+# @param exclude_ipaddresses
+# List of IP addresses to exclude from host key aliases
+#
+# @param use_trusted_facts
+# Whether to use trusted facts instead of legacy facts
+#
+# @param tags
+# Array of custom tags to apply to exported host keys
+#
class ssh::server (
String[1] $service_name,
Stdlib::Absolutepath $sshd_config,
@@ -109,6 +133,15 @@
Boolean $use_issue_net = false,
Optional[Stdlib::Absolutepath] $sshd_environments_file = undef,
Optional[String[1]] $server_package_name = undef,
+ # Host key management (used by ssh::hostkeys)
+ Boolean $export_ipaddresses = true,
+ Optional[String[1]] $storeconfigs_group = undef,
+ Array $extra_aliases = [],
+ Array $exclude_interfaces = [],
+ Array $exclude_interfaces_re = [],
+ Array $exclude_ipaddresses = [],
+ Boolean $use_trusted_facts = false,
+ Optional[Array[String[1]]] $tags = undef,
) {
if $use_augeas {
$merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
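Review bot: `use_trusted_facts` defaults to `false`, which in `ssh::hostkeys` means the exported Sshkey's name and aliases are built from the agent-reported `networking.fqdn`/`hostname` facts rather than `$trusted['certname']`, so an agent reporting a spoofed fqdn can export its host key under another host's name into every collecting client's ssh_known_hosts. The new `@param use_trusted_facts` text ("instead of legacy facts") does not convey that; suggest `# Name exported host keys from the certname in $trusted rather than agent-supplied networking facts; set to true when agents are not fully trusted`. Flipping the default to `true` would be the safer choice but changes the exported name for nodes whose certname differs from their fqdn, so it should be a deliberate decision. Note the IP aliases still come from `ssh::ipaddresses` (presumably fact-derived) regardless of this setting. The class body continues past the end of the hunk.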
@@ -125,17 +158,14 @@
contain ssh::server::config
contain ssh::server::service
- # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
- if ($storeconfigs_enabled) {
+ # Provide option to *not* use storeconfigs/puppetdb, which means not exporting hostkeys
+ if $storeconfigs_enabled {
contain ssh::hostkeys
- contain ssh::knownhosts
Class['ssh::server::install']
-> Class['ssh::server::config']
~> Class['ssh::server::service']
-> Class['ssh::hostkeys']
- -> Class['ssh::knownhosts']
} else {
Class['ssh::server::install']
-> Class['ssh::server::config']
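Review bot: With `ssh::knownhosts` dropped from this branch, a node that declares only `ssh::server` with storeconfigs enabled no longer collects any Sshkey resources, so its ssh_known_hosts stops being populated unless `ssh::client` is also applied; previously this same branch did both. That is a behavior change the updated `# Provide option to *not* use storeconfigs/puppetdb` comment does not convey — suggest `# Exports this host's keys only; collection into ssh_known_hosts now happens in ssh::client` and a changelog entry. Entries previously written by collected Sshkey resources are presumably left in place unmanaged, since nothing visible here purges them — confirm that is acceptable. The class body continues past the end of the hunk.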