ipmi jumphost - riseup

The general description of the IPMI jumphost is here. This page describes the riseup-specific host and puppet configuration.

Host and switch setup

Same as the general document.

Puppet setup

Create a user for the IPMI device in manifests/components/account.pp

    'foo': {
      account { 'foo':
        ensure   => $ensure,
        homeroot => $homeroot,
        shell    => $shell,
        uid      => 2099,
        gid      => 2099,
        password => '!',
        fullname => 'ipmi user',
      }
    }

Set up the ssh keys and restrictions for the new user in files/keys/foo_id_rsa.pub

    command="/usr/local/bin/ipmi-wrapper",no-agent-forwarding,no-X11-forwarding,permitopen="foo-ipmi:22",permitopen="foo-ipmi:80",permitopen="foo-ipmi:443",permitopen="foo-ipmi:5900",permitopen="foo-ipmi:623" ssh-rsa AAAAB.... user@host

Add that user to the jump host’s node config in manifests/site.pp

    'jumphost': {
      users { [ 'foo' ]: }
    }

and include the jumphost class with the IP of the ipmi device

    class { 'ipmi::jumphost': host => 'foo', ip => '192.168.99.2' }

In the jump host’s hiera config (modules/site_hiera/files/hieradata/jumphost.yaml) add the needed ssh options

    sshd::tail_additional_options: "Match User foo\n
    AllowTcpForwarding yes"
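
With AllowTcpForwarding yes set for the user, the options on the key line in files/keys/foo_id_rsa.pub are what limit where forwards may go, so that line is worth checking before it is deployed. The audit below is an added example, not part of riseup's puppet code: the wrapper path, ports and the foo-ipmi name are taken from the key line above, while the function names and sample lines are constructed for illustration.

```python
import re

REQUIRED_FLAGS = {"no-agent-forwarding", "no-x11-forwarding"}  # option names are case-insensitive
ALLOWED_PORTS = {22, 80, 443, 5900, 623}   # ports from the key line on this page
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")      # a line starting with a key type carries no options
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")*')   # options end at the first unquoted space
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def parse_options(line):
    """Return [(name, value)] for the options field; quoted values may contain commas."""
    if line.startswith(KEY_TYPES):
        return []
    return [(n.lower(), v) for n, v in OPTION.findall(FIELD.match(line).group(0))]

def audit_key_line(line, ipmi_host, wrapper="/usr/local/bin/ipmi-wrapper"):
    """Return a list of findings; an empty list means the line matches the policy."""
    opts = parse_options(line.strip())
    commands = [v for n, v in opts if n == "command"]
    opens = [v for n, v in opts if n == "permitopen"]
    flags = {n for n, v in opts}
    findings = []
    if commands != [wrapper]:
        findings.append(f"forced command is {commands}, expected {wrapper!r}")
    findings += [f"missing option {f}" for f in sorted(REQUIRED_FLAGS - flags)]
    if not opens:
        findings.append("no permitopen: forwarding targets are not limited by this key")
    for target in opens:
        host, _, port = target.rpartition(":")
        if host != ipmi_host or not port.isdigit() or int(port) not in ALLOWED_PORTS:
            findings.append(f"unexpected permitopen target {target}")
    return findings

# Constructed sample lines; the key material is a placeholder.
GOOD = ('command="/usr/local/bin/ipmi-wrapper",no-agent-forwarding,no-X11-forwarding,'
        'permitopen="foo-ipmi:22",permitopen="foo-ipmi:623" ssh-rsa AAAAB3placeholder user@host')
BAD = ('no-agent-forwarding,permitopen="foo-ipmi:22",permitopen="intranet:3306" '
       'ssh-rsa AAAAB3placeholder user@host')

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(audit_key_line(sample, "foo-ipmi") or "OK")
```

Run it over each line of the key file before committing; any non-empty result means the key would grant more than access to the IPMI device through the wrapper.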