The general description of the IPMI jumphost is here. This page describes the riseup-specific host and Puppet configuration.
Host and switch setup
Same as the general document.
Puppet setup
Create a user for the ipmi in manifests/components/account.pp
'foo': {
  account { 'foo':
    ensure   => $ensure,
    homeroot => $homeroot,
    shell    => $shell,
    uid      => 2099,
    gid      => 2099,
    password => '!',
    fullname => 'ipmi user',
  }
}
Set up the SSH keys and restrictions for the new user in files/keys/foo_id_rsa.pub
command="/usr/local/bin/ipmi-wrapper",no-agent-forwarding,no-X11-forwarding,permitopen="foo-ipmi:22",permitopen="foo-ipmi:80",permitopen="foo-ipmi:443",permitopen="foo-ipmi:5900",permitopen="foo-ipmi:623" ssh-rsa AAAAB.... user@host
Add that user to the jump host’s node config in manifests/site.pp
'jumphost': {
  users { [ 'foo' ]: }
}
and include the jumphost class with the IP of the ipmi device
class { 'ipmi::jumphost': host => 'foo', ip => '192.168.99.2' }
In the jump host’s hiera config (modules/site_hiera/files/hieradata/jumphost.yaml) add the needed ssh options
sshd::tail_additional_options: "Match User foo\n
  AllowTcpForwarding yes"
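Because the Match block turns TCP forwarding on for this user, the options in the key file are what confine it to the IPMI device. The following check is an added example, not part of riseup's Puppet code: it parses an authorized_keys entry and reports where it is looser than the one shown above. The function names and WEAK_LINE are constructed for illustration; the host, ports and wrapper path are taken from this page.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
def split_options(line):
    """Options preceding the key type (backslash-escaped quotes are not handled)."""
    if line.startswith(KEY_PREFIXES):
        return []
    opts, cur, quoted = [], "", False
    for c in line:
        quoted = quoted != (c == '"')     # toggle on every double quote
        if not quoted and c in ", \t":
            opts.append(cur)
            cur = ""
            if c != ",":                  # unquoted whitespace ends the option field
                return opts
        else:
            cur += c
    return opts

def audit(line, host, ports, wrapper):
    """List ways the entry is looser than the restrictions this page sets."""
    flags, targets, findings = {}, [], []
    for opt in split_options(line):
        name, _, value = opt.partition("=")
        if name.lower() == "permitopen":  # option names are case-insensitive
            targets.append(value.strip('"'))
        else:
            flags[name.lower()] = value.strip('"')
    if flags.get("command") != wrapper:
        findings.append("forced command missing or unexpected")
    if "restrict" not in flags:           # "restrict" implies both no-* flags
        for flag in ("no-agent-forwarding", "no-x11-forwarding"):
            if flag not in flags:
                findings.append(flag + " not set")
    forwarding_off = "no-port-forwarding" in flags or (
        "restrict" in flags and "port-forwarding" not in flags)
    if not targets and not forwarding_off:
        findings.append("no permitopen: any forward destination is allowed")
    for target in targets:
        h, _, p = target.rpartition(":")
        if h != host or p not in ports:
            findings.append("unexpected forward target " + target)
    return findings

# The entry from this page (key blob truncated as on the page) and a constructed weak one.
PAGE_LINE = ('command="/usr/local/bin/ipmi-wrapper",no-agent-forwarding,no-X11-forwarding,'
             'permitopen="foo-ipmi:22",permitopen="foo-ipmi:80",permitopen="foo-ipmi:443",'
             'permitopen="foo-ipmi:5900",permitopen="foo-ipmi:623" ssh-rsa AAAAB.... user@host')
WEAK_LINE = ('command="/usr/local/bin/ipmi-wrapper",no-agent-forwarding,'
             'permitopen="foo-ipmi:443",permitopen="10.0.0.5:22" ssh-rsa AAAAB.... user@host')
PORTS = {"22", "80", "443", "5900", "623"}
```

Calling `audit(PAGE_LINE, "foo-ipmi", PORTS, "/usr/local/bin/ipmi-wrapper")` returns an empty list; the same call on WEAK_LINE reports the missing X11 restriction and the extra forward target.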