P:puppet::server: Restrict source addresses for puppet-sync keys

supertassu · supertassu · commit 15a489404ab1 · 2024-06-10T14:27:05.000+03:00
diff --git a/modules/profile/manifests/puppet/server.pp b/modules/profile/manifests/puppet/server.pp
@@ -265,7 +265,7 @@
       user    => 'root',
       type    => $key.split(' ')[0],
       key     => $key.split(' ')[1],
-      options => ['restrict'],
+      options => ['restrict', ssh::client::from_restriction()],
       tag     => 'profile::puppet::server::puppet_sync',
     }
   }
diff --git a/modules/ssh/functions/client/from_restriction.pp b/modules/ssh/functions/client/from_restriction.pp
@@ -0,0 +1,10 @@
+# @summary constructs a ssh authorized_keys from= restriction
+#  for connections from this machine.
+function ssh::client::from_restriction () >> String[1] {
+  $ips = [$facts['networking']['ip'], $facts['networking']['ip6']].filter |$x| {
+    # check if we have a routable IPv6 address (and not just a link-local one)
+    $x =~ NotUndef and !($x =~ /^fe80/)
+  }.sort
+
+  "from=\"${ips.join(',')}\""
+}

Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@`
`265`	`265`	`user => 'root',`
`266`	`266`	`type => $key.split(' ')[0],`
`267`	`267`	`key => $key.split(' ')[1],`
`268`		`- options => ['restrict'],`
	`268`	`+ options => ['restrict', ssh::client::from_restriction()],`
`269`	`269`	`tag => 'profile::puppet::server::puppet_sync',`
`270`	`270`	`}`
`271`	`271`	`}`