Merge branch 'master' into windows-compatibility

saz · web-flow · commit b0bad5c4b5ac · 2025-10-28T07:26:20.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   puppet:
     name: Puppet
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -8,6 +8,10 @@ name: "Pull Request Labeler"
 on:
   pull_request_target: {}
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   labeler:
     permissions:
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
@@ -11,6 +11,10 @@ on:
         description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)'
         required: false
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release_prep:
     uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: write
+
 jobs:
   release:
     name: Release
diff --git a/.msync.yml b/.msync.yml
@@ -2,4 +2,4 @@
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
-modulesync_config_version: '9.4.0'
+modulesync_config_version: '10.3.0'
diff --git a/Gemfile b/Gemfile
@@ -4,10 +4,8 @@
 source ENV['GEM_SOURCE'] || 'https://rubygems.org'
 
 group :test do
-  gem 'voxpupuli-test', '~> 9.0',   :require => false
-  gem 'coveralls',                  :require => false
-  gem 'simplecov-console',          :require => false
-  gem 'puppet_metadata', '~> 4.0',  :require => false
+  gem 'voxpupuli-test', '~> 13.0',  :require => false
+  gem 'puppet_metadata', '~> 5.0',  :require => false
 end
 
 group :development do
@@ -16,17 +14,15 @@ group :development do
 end
 
 group :system_tests do
-  gem 'voxpupuli-acceptance', '~> 3.0',  :require => false
+  gem 'voxpupuli-acceptance', '~> 4.0',  :require => false
 end
 
 group :release do
-  gem 'voxpupuli-release', '~> 3.0',  :require => false
+  gem 'voxpupuli-release', '~> 5.0',  :require => false
 end
 
 gem 'rake', :require => false
-gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test]
 
-puppetversion = ENV['PUPPET_GEM_VERSION'] || [">= 7.24", "< 9"]
-gem 'puppet', puppetversion, :require => false, :groups => [:test]
+gem 'openvox', ENV.fetch('OPENVOX_GEM_VERSION', [">= 7", "< 9"]), :require => false, :groups => [:test]
 
 # vim: syntax=ruby
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -555,6 +555,7 @@ The following parameters are available in the `ssh::server` class:
 * [`sshd_config_mode`](#-ssh--server--sshd_config_mode)
 * [`host_priv_key_user`](#-ssh--server--host_priv_key_user)
 * [`host_priv_key_group`](#-ssh--server--host_priv_key_group)
+* [`host_priv_key_mode`](#-ssh--server--host_priv_key_mode)
 * [`config_user`](#-ssh--server--config_user)
 * [`config_group`](#-ssh--server--config_group)
 * [`manage_config_permissions`](#-ssh--server--manage_config_permissions)
@@ -634,6 +635,12 @@ Data type: `Boolean`
 
 Whether to manage user and group ownership for the sshd config file
 
+##### <a name="-ssh--server--host_priv_key_mode"></a>`host_priv_key_mode`
+
+Data type: `Stdlib::Filemode`
+
+Mode of the private host key
+
 ##### <a name="-ssh--server--default_options"></a>`default_options`
 
 Data type: `Hash`
diff --git a/Rakefile b/Rakefile
@@ -1,30 +1,22 @@
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
-# Attempt to load voxpupuli-test (which pulls in puppetlabs_spec_helper),
-# otherwise attempt to load it directly.
 begin
   require 'voxpupuli/test/rake'
 rescue LoadError
-  begin
-    require 'puppetlabs_spec_helper/rake_tasks'
-  rescue LoadError
-  end
+  # only available if gem group test is installed
 end
 
-# load optional tasks for acceptance
-# only available if gem group releases is installed
 begin
   require 'voxpupuli/acceptance/rake'
 rescue LoadError
+  # only available if gem group acceptance is installed
 end
 
-# load optional tasks for releases
-# only available if gem group releases is installed
 begin
   require 'voxpupuli/release/rake_tasks'
 rescue LoadError
-  # voxpupuli-release not present
+  # only available if gem group releases is installed
 else
   GCGConfig.user = 'saz'
   GCGConfig.project = 'puppet-ssh'
diff --git a/data/AIX.yaml b/data/AIX.yaml
@@ -3,8 +3,7 @@ ssh::server::sshd_dir: '/etc/ssh'
 ssh::server::sshd_binary: '/usr/sbin/sshd'
 ssh::server::sshd_config: '/etc/ssh/sshd_config'
 ssh::server::sshd_config_mode: '0644'
-ssh::server::ssh_config: '/etc/ssh/ssh_config'
-ssh::server::ssh_known_hosts: '/etc/ssh/ssh_known_hosts'
+ssh::client::ssh_config: '/etc/ssh/ssh_config'
 ssh::server::service_name: 'sshd'
 ssh::sftp_server_path: '/usr/sbin/sftp-server'
 ssh::server::host_priv_key_group: 0
diff --git a/data/common.yaml b/data/common.yaml
@@ -28,6 +28,7 @@ ssh::server::config_user: 0
 ssh::server::config_group: 0
 ssh::server::host_priv_key_user: 0
 ssh::server::host_priv_key_group: 0
+ssh::server::host_priv_key_mode: '0600'
 ssh::validate_sshd_file             : false
 ssh::collect_enabled                : true   # Collect sshkey resources
 ssh::server::issue_net              : '/etc/issue.net'
diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
@@ -63,26 +63,18 @@
   }
 
   ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| {
-    # can be removed as soon as we drop support for puppet 4
-    # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22
-    if $key_type == 'ecdsa' {
-      $key_type_real = 'ecdsa-sha2-nistp256'
-    } else {
-      $key_type_real = $key_type
-    }
-
     if $key_type in $facts['ssh'] {
       @@sshkey { "${fqdn_real}_${key_type}":
         ensure       => present,
         host_aliases => $host_aliases,
-        type         => $key_type_real,
+        type         => $key_type,
         key          => $facts['ssh'][$key_type]['key'],
         tag          => $_tags,
       }
     } else {
       @@sshkey { "${fqdn_real}_${key_type}":
         ensure => absent,
-        type   => $key_type_real,
+        type   => $key_type,
       }
     }
   }
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -38,6 +38,9 @@
 # @param manage_config_permissions
 #   Whether to manage user and group ownership for the sshd config file
 #
+# @param host_priv_key_mode
+#   Mode of the private host key
+#
 # @param default_options
 #   Default options to set, will be merged with options parameter
 #
@@ -91,6 +94,7 @@
   Stdlib::Filemode               $sshd_config_mode,
   Variant[Integer, String[1]]    $host_priv_key_user,
   Variant[Integer, String[1]]    $host_priv_key_group,
+  Stdlib::Filemode               $host_priv_key_mode,
   Variant[Integer, String[1]]    $config_user,
   Variant[Integer, String[1]]    $config_group,
   Boolean                        $manage_config_permissions,
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
@@ -100,7 +100,7 @@
       ensure    => $ensure,
       owner     => $ssh::server::host_priv_key_user,
       group     => $ssh::server::host_priv_key_group,
-      mode      => '0600',
+      mode      => $ssh::server::host_priv_key_mode,
       path      => "${ssh::server::sshd_dir}/${name}",
       source    => $manage_priv_key_source,
       content   => $manage_priv_key_content,
@@ -121,7 +121,7 @@
       ensure    => $ensure,
       owner     => $ssh::server::host_priv_key_user,
       group     => $ssh::server::host_priv_key_group,
-      mode      => '0600',
+      mode      => $ssh::server::host_priv_key_mode,
       path      => "${ssh::server::sshd_dir}/${name}",
       show_diff => false,
       notify    => Class['ssh::server::service'],
diff --git a/metadata.json b/metadata.json
@@ -17,7 +17,7 @@
     },
     {
       "name": "puppet/systemd",
-      "version_requirement": ">= 3.7.0 < 9.0.0"
+      "version_requirement": ">= 3.7.0 < 10.0.0"
     }
   ],
   "operatingsystem_support": [
@@ -52,7 +52,8 @@
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [
         "20.04",
-        "22.04"
+        "22.04",
+        "24.04"
       ]
     },
     {
@@ -107,8 +108,8 @@
   ],
   "requirements": [
     {
-      "name": "puppet",
-      "version_requirement": ">= 7.0.0 < 9.0.0"
+      "name": "openvox",
+      "version_requirement": ">= 8.19.0 < 9.0.0"
     }
   ]
 }
diff --git a/templates/ssh_instance.erb b/templates/ssh_instance.erb
@@ -40,7 +40,7 @@ ListenAddress <%= listen %>
 <%- v.keys.sort.each do |key| -%>
     <%- value = v[key] -%>
     <%- if value.is_a?(Array) -%>
-    <%- if ['ciphers', 'macs', 'kexalgorithms'].include?(key.downcase) -%>
+    <%- if ['ciphers', 'macs', 'kexalgorithms', 'gssapikexalgorithms', 'hostbasedacceptedkeytypes', 'hostbasedacceptedalgorithms', 'hostkeyalgorithms', 'pubkeyacceptedkeytypes', 'pubkeyacceptedalgorithms'].include?(key.downcase) -%>
     <%= key %> <%= value.join(',') %>
     <%- else -%>
     <%- value.each do |a| -%>
@@ -55,7 +55,7 @@ ListenAddress <%= listen %>
 <%- end -%>
 <%- else -%>
 <%- if v.is_a?(Array) -%>
-<%- if ['ciphers', 'macs', 'kexalgorithms'].include?(k.downcase) -%>
+<%- if ['ciphers', 'macs', 'kexalgorithms', 'gssapikexalgorithms', 'hostbasedacceptedkeytypes', 'hostbasedacceptedalgorithms', 'hostkeyalgorithms', 'pubkeyacceptedkeytypes', 'pubkeyacceptedalgorithms'].include?(k.downcase) -%>
 <%= k %> <%= v.join(',') %>
 <%- else -%>
 <%- v.each do |a| -%>
