diff options
| author | Georg Pfuetzenreuter | 2023-01-26 23:05:21 +0100 | 
|---|---|---|
| committer | Georg Pfuetzenreuter | 2023-01-26 23:05:21 +0100 | 
| commit | 698234c0402eeff37517869695c75682a3fad332 (patch) | |
| tree | e23a9ce4be37b8134d9bf14c1046d5ecf73ad540 | |
| parent | f949c0aba0bd9863474a35e1613eb23554acc449 (diff) | |
| download | salt-698234c0402eeff37517869695c75682a3fad332.tar.gz salt-698234c0402eeff37517869695c75682a3fad332.tar.bz2 salt-698234c0402eeff37517869695c75682a3fad332.zip | |
Manage common SSH server
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| -rw-r--r-- | pillar/formulas.yaml | 1 | ||||
| -rw-r--r-- | pillar/global/init.sls | 1 | ||||
| -rw-r--r-- | pillar/global/macros.jinja | 17 | ||||
| -rw-r--r-- | pillar/global/ssh.sls | 31 | ||||
| -rw-r--r-- | salt/common/ssh.sls | 12 | ||||
| -rw-r--r-- | salt/common/suse.sls | 2 | 
6 files changed, 63 insertions, 1 deletions
| diff --git a/pillar/formulas.yaml b/pillar/formulas.yaml index a9095f1..18da508 100644 --- a/pillar/formulas.yaml +++ b/pillar/formulas.yaml @@ -1,3 +1,4 @@  - postfix  - salt  - users +- openssh diff --git a/pillar/global/init.sls b/pillar/global/init.sls index 98536a3..ed05b4c 100644 --- a/pillar/global/init.sls +++ b/pillar/global/init.sls @@ -2,6 +2,7 @@ include:    - role.salt.common    - role.salt.minion    - .mta +  - .ssh  managed_header_pound: |    ### This file is managed via https://git.com.de/LibertaCasa/salt diff --git a/pillar/global/macros.jinja b/pillar/global/macros.jinja new file mode 100644 index 0000000..3cc8848 --- /dev/null +++ b/pillar/global/macros.jinja @@ -0,0 +1,17 @@ +{%- macro listeners() -%} +{%- set listen_ips = [] -%} +{%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%} +{%- for ip in salt['network.ip_addrs']() -%} +{%- if salt['network.is_private'](ip) -%} +{%- do listen_ips.append(ip) -%} +{%- endif -%} +{%- endfor -%} +{%- for ip in salt['network.ip_addrs6']() -%} +{%- if ip.startswith(legal6s) -%} +{%- do listen_ips.append(ip) -%} +{%- endif -%} +{%- endfor -%} +{%- for ip in listen_ips %} +- {{ ip }} +{%- endfor %} +{%- endmacro -%} diff --git a/pillar/global/ssh.sls b/pillar/global/ssh.sls new file mode 100644 index 0000000..bd960bd --- /dev/null +++ b/pillar/global/ssh.sls @@ -0,0 +1,31 @@ +{%- from slspath ~ '/../global/macros.jinja' import listeners -%} +{#- +{%- from '/tmp/salt-libertacasa/pillar/global/macros.jinja' import listeners with context -%} +#} +{%- set host = grains['host'] -%} + +sshd_config: +  ConfigBanner: | +    ### This file is managed via https://git.com.de/LibertaCasa/salt +    ### Manual changes will be overwritten +  ListenAddress: {{ listeners() | indent }} +  Protocol: 2 +  SyslogFacility: AUTH +  LogLevel: FATAL +  HostKey: +    - /etc/ssh/{{ host }} +  HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com +  HostCertificate: /etc/ssh/{{ host }}-cert.pub +  TrustedUserCAKeys: /etc/ssh/user_ca +  PasswordAuthentication: 'no' +  LoginGraceTime: 1m +  PermitRootLogin: 'no' +  StrictModes: 'yes' +  MaxAuthTries: 1 +  MaxSessions: 3 +  UsePAM: 'yes' +  X11Forwarding: 'no' +  PrintMotd: 'yes' +  PrintLastLog: 'yes' +  Subsystem: sftp /usr/lib/ssh/sftp-server + diff --git a/salt/common/ssh.sls b/salt/common/ssh.sls new file mode 100644 index 0000000..76033fd --- /dev/null +++ b/salt/common/ssh.sls @@ -0,0 +1,12 @@ +include: +  - openssh.banner +  - openssh.config + +/etc/ssh/user_ca: +  file.managed: +    - contents: +      {%- for key in salt['pillar.get']('secret_ssh:userca_keys') -%} +      - {{ key }} +      {%- endfor -%} +    - require: +      - pkg: openssh diff --git a/salt/common/suse.sls b/salt/common/suse.sls index b4abd7a..bd252c8 100644 --- a/salt/common/suse.sls +++ b/salt/common/suse.sls @@ -3,7 +3,7 @@ include:    - profile.zypp    - profile.node_exporter    - users -  - postfix +  - .ssh    - postfix.config  {#- to-do: move this to some formula or macro -#} | 
