# Configure openssh-server (sshd_config hardening, root authorized_keys, service)
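# Manages the OpenSSH daemon on an Ubuntu host.
#
# Parameters:
#   $port               - TCP port sshd listens on (written as "Port ${port}").
#   $groups_only        - value for AllowGroups; only members of these groups may log in.
#   $authorized_keys    - Puppet source URI for /root/.ssh/authorized_keys, or
#                         false to leave the file unmanaged.
#   $use_no_weak_crypto - when true, pins KexAlgorithms/Ciphers and comments out
#                         the DSA/ECDSA/Ed25519 HostKey lines in sshd_config.
#
# Every sshd_config edit notifies Service['ssh'] so the daemon is restarted
# after a change; the edits themselves are idempotent file_line resources.
class ubuntu_server::openssh_server($port='22',$groups_only='root',$authorized_keys=false,$use_no_weak_crypto=true){

    package{['openssh-server','openssh-blacklist-extra','openssh-blacklist']:
        ensure => present,
    }

    file_line{'openssh_server_config_Port':
        path    => '/etc/ssh/sshd_config',
        line    => "Port ${port}",
        match   => '^Port',
        require => Package['openssh-server'],
    } ~> Service['ssh']

    # Root may log in with a key only; password authentication for root is refused.
    file_line{'openssh_server_config_PermitRootLogin':
        path    => '/etc/ssh/sshd_config',
        line    => 'PermitRootLogin without-password',
        match   => '^PermitRootLogin',
        require => Package['openssh-server'],
    } ~> Service['ssh']

    file_line{'openssh_server_config_AllowGroups':
        path    => '/etc/ssh/sshd_config',
        line    => "AllowGroups ${groups_only}",
        match   => '^AllowGroups',
        require => Package['openssh-server'],
    } ~> Service['ssh']

    unless $authorized_keys == false {
        # 0600, not 0664: sshd's StrictModes (the default) refuses an
        # authorized_keys file that is group- or world-writable, so a
        # group-writable mode silently locks root out of key-based login.
        # The key file also must not be readable by other accounts.
        file{'/root/.ssh/authorized_keys':
            ensure  => present,
            mode    => '0600',
            owner   => root,
            group   => root,
            source  => $authorized_keys,
            require => File['/root/.ssh'],
        }
    }

    if $use_no_weak_crypto == true {
        file_line{'openssh_server_config_KexAlgorithms':
            path    => '/etc/ssh/sshd_config',
            line    => 'KexAlgorithms diffie-hellman-group-exchange-sha256',
            match   => '^KexAlgorithms',
            require => Package['openssh-server'],
        } ~> Service['ssh']

        file_line{'openssh_server_config_Ciphers':
            path    => '/etc/ssh/sshd_config',
            line    => 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr',
            match   => '^Ciphers',
            require => Package['openssh-server'],
        } ~> Service['ssh']

        # NOTE(review): MACs are not pinned here, so sshd keeps its default
        # MAC list; add a file_line for 'MACs' if that list must be restricted too.

        # Comment out the DSA host key; DSA is limited to 1024-bit keys.
        file_line{'openssh_server_config_NoDSA':
            path    => '/etc/ssh/sshd_config',
            line    => '#HostKey /etc/ssh/ssh_host_dsa_key',
            match   => '^HostKey /etc/ssh/ssh_host_dsa_key',
            require => Package['openssh-server'],
        } ~> Service['ssh']

        file_line{'openssh_server_config_NoEcdsa':
            path    => '/etc/ssh/sshd_config',
            line    => '#HostKey /etc/ssh/ssh_host_ecdsa_key',
            match   => '^HostKey /etc/ssh/ssh_host_ecdsa_key',
            require => Package['openssh-server'],
        } ~> Service['ssh']

        # NOTE(review): Ed25519 is not a weak algorithm; disabling this host key
        # leaves RSA as the only host key type. Kept for compatibility with the
        # existing fleet configuration — confirm this is intended before relying
        # on this class as a "no weak crypto" profile.
        file_line{'openssh_server_config_NoEd25519':
            path    => '/etc/ssh/sshd_config',
            line    => '#HostKey /etc/ssh/ssh_host_ed25519_key',
            match   => '^HostKey /etc/ssh/ssh_host_ed25519_key',
            require => Package['openssh-server'],
        } ~> Service['ssh']
    }

    # The service resource needs the package first; the file_line resources
    # above notify it, so every config change restarts sshd.
    service{'ssh':
        ensure  => running,
        require => Package['openssh-server'],
    }

    # 0700 on ~/.ssh is required by StrictModes as well as being the conventional mode.
    file{'/root/.ssh':
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => '0700',
    }

}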