authorGeorg Pfuetzenreuter2023-01-26 23:05:21 +0100
committerGeorg Pfuetzenreuter2023-01-26 23:05:21 +0100
commit698234c0402eeff37517869695c75682a3fad332 (patch)
treee23a9ce4be37b8134d9bf14c1046d5ecf73ad540
parentf949c0aba0bd9863474a35e1613eb23554acc449 (diff)
Manage common SSH server
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
-rw-r--r--pillar/formulas.yaml1
-rw-r--r--pillar/global/init.sls1
-rw-r--r--pillar/global/macros.jinja17
-rw-r--r--pillar/global/ssh.sls31
-rw-r--r--salt/common/ssh.sls12
-rw-r--r--salt/common/suse.sls2
6 files changed, 63 insertions, 1 deletions
diff --git a/pillar/formulas.yaml b/pillar/formulas.yaml
index a9095f1..18da508 100644
--- a/pillar/formulas.yaml
+++ b/pillar/formulas.yaml
@@ -1,3 +1,4 @@
- postfix
- salt
- users
+- openssh
diff --git a/pillar/global/init.sls b/pillar/global/init.sls
index 98536a3..ed05b4c 100644
--- a/pillar/global/init.sls
+++ b/pillar/global/init.sls
@@ -2,6 +2,7 @@ include:
- role.salt.common
- role.salt.minion
- .mta
+ - .ssh
managed_header_pound: |
### This file is managed via https://git.com.de/LibertaCasa/salt
diff --git a/pillar/global/macros.jinja b/pillar/global/macros.jinja
new file mode 100644
index 0000000..3cc8848
--- /dev/null
+++ b/pillar/global/macros.jinja
@@ -0,0 +1,17 @@
+{%- macro listeners() -%}
+{%- set listen_ips = [] -%}
+{%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%}
+{%- for ip in salt['network.ip_addrs']() -%}
+{%- if salt['network.is_private'](ip) -%}
+{%- do listen_ips.append(ip) -%}
+{%- endif -%}
+{%- endfor -%}
+{%- for ip in salt['network.ip_addrs6']() -%}
+{%- if ip.startswith(legal6s) -%}
+{%- do listen_ips.append(ip) -%}
+{%- endif -%}
+{%- endfor -%}
+{%- for ip in listen_ips %}
+- {{ ip }}
+{%- endfor %}
+{%- endmacro -%}
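Review bot: `legal6s` hard-codes two IPv6 prefixes inside an otherwise generic helper with no comment saying which networks they are, and `startswith` is a purely textual check that only matches when the address string is in the same form as the prefix (compressed, lower-case); a comment such as `{# fd29::/16 = internal ULA range, 2a01:4f8:11e:2200::/64 = provider allocation; addresses are matched textually, keep prefixes compressed and lower-case #}` would make both facts explicit (the network descriptions are a guess for the author to confirm). If a minion has no private IPv4 and no matching IPv6 address, the macro renders nothing and the consumer ends up with an empty `ListenAddress`; depending on how the openssh formula treats an empty value, that either breaks sshd or makes it listen on every address, which inverts the intent of the filter, so a guard or at least a comment on the consuming key is worth adding.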
diff --git a/pillar/global/ssh.sls b/pillar/global/ssh.sls
new file mode 100644
index 0000000..bd960bd
--- /dev/null
+++ b/pillar/global/ssh.sls
@@ -0,0 +1,31 @@
+{%- from slspath ~ '/../global/macros.jinja' import listeners -%}
+{#-
+{%- from '/tmp/salt-libertacasa/pillar/global/macros.jinja' import listeners with context -%}
+#}
+{%- set host = grains['host'] -%}
+
+sshd_config:
+ ConfigBanner: |
+ ### This file is managed via https://git.com.de/LibertaCasa/salt
+ ### Manual changes will be overwritten
+ ListenAddress: {{ listeners() | indent }}
+ Protocol: 2
+ SyslogFacility: AUTH
+ LogLevel: FATAL
+ HostKey:
+ - /etc/ssh/{{ host }}
+ HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com
+ HostCertificate: /etc/ssh/{{ host }}-cert.pub
+ TrustedUserCAKeys: /etc/ssh/user_ca
+ PasswordAuthentication: 'no'
+ LoginGraceTime: 1m
+ PermitRootLogin: 'no'
+ StrictModes: 'yes'
+ MaxAuthTries: 1
+ MaxSessions: 3
+ UsePAM: 'yes'
+ X11Forwarding: 'no'
+ PrintMotd: 'yes'
+ PrintLastLog: 'yes'
+ Subsystem: sftp /usr/lib/ssh/sftp-server
+
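Review bot: `LogLevel: FATAL` suppresses the INFO-level records sshd writes for every accepted and rejected authentication, so the managed server produces no login audit trail and host-based brute-force detection has nothing to read; the OpenSSH default `INFO`, or `VERBOSE` which additionally logs the fingerprint of the key used, is the usual choice for a hardened host, e.g. `LogLevel: VERBOSE`. The `{#- … #}` block quoting an import from `/tmp/salt-libertacasa/...` looks like leftover local testing and should be dropped rather than kept next to the live `slspath` import. `MaxAuthTries: 1` deserves a second look as well: every public key a client offers and the server rejects counts as a failed attempt, so an agent holding more than one key can be disconnected before the right key is tried; a value of `2` or `3` still bounds guessing while tolerating that. The rest of the hardening (no password or root login, certificate-only host key algorithm, restricted listeners) reads as intended.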
diff --git a/salt/common/ssh.sls b/salt/common/ssh.sls
new file mode 100644
index 0000000..76033fd
--- /dev/null
+++ b/salt/common/ssh.sls
@@ -0,0 +1,12 @@
+include:
+ - openssh.banner
+ - openssh.config
+
+/etc/ssh/user_ca:
+ file.managed:
+ - contents:
+ {%- for key in salt['pillar.get']('secret_ssh:userca_keys') -%}
+ - {{ key }}
+ {%- endfor -%}
+ - require:
+ - pkg: openssh
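Review bot: The `-%}` on both the `for` and `endfor` tags strips the newline and indentation that precede each `- {{ key }}` line, so the rendered state collapses onto a single line (roughly `- contents:- key1- key2- require:`) and no list ever reaches `file.managed`; the `listeners` macro added in pillar/global/macros.jinja uses the working form (`{%- for … %}` / `{%- endfor %}`) and this state should do the same. Since `/etc/ssh/user_ca` is the `TrustedUserCAKeys` file that decides which certificates grant login, it should also carry explicit ownership and a non-writable mode rather than relying on the defaults at first creation. The block below shows both changes.
```yaml
/etc/ssh/user_ca:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - contents:
      {%- for key in salt['pillar.get']('secret_ssh:userca_keys') %}
      - {{ key }}
      {%- endfor %}
    # … unchanged: require on pkg openssh …
```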
diff --git a/salt/common/suse.sls b/salt/common/suse.sls
index b4abd7a..bd252c8 100644
--- a/salt/common/suse.sls
+++ b/salt/common/suse.sls
@@ -3,7 +3,7 @@ include:
- profile.zypp
- profile.node_exporter
- users
- - postfix
+ - .ssh
- postfix.config
{#- to-do: move this to some formula or macro -#}
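Review bot: The hunk drops `- postfix` from the include list while keeping `- postfix.config`, and neither the commit message nor the diff explains that; if it is intentional (for example because `postfix` already pulls in `postfix.config`, or only the config state is wanted here), a one-line comment beside the include, or a mention in the commit message, would stop a later reader from restoring it. Adding `- .ssh` itself is consistent with the new salt/common/ssh.sls state.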