Manage common SSH server

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-26 23:05:21 +01:00 · 2023-01-26 23:05:21 +01:00 · 698234c040
commit 698234c040
parent f949c0aba0
6 changed files with 63 additions and 1 deletions
--- a/pillar/formulas.yaml
+++ b/pillar/formulas.yaml
@ -1,3 +1,4 @@
 - postfix
 - salt
 - users
+- openssh
--- a/pillar/global/init.sls
+++ b/pillar/global/init.sls
@ -2,6 +2,7 @@ include:
  - role.salt.common
  - role.salt.minion
  - .mta
+  - .ssh

 managed_header_pound: |
  ### This file is managed via https://git.com.de/LibertaCasa/salt
--- a/pillar/global/macros.jinja
+++ b/pillar/global/macros.jinja
@ -0,0 +1,17 @@
+{%- macro listeners() -%}
+{%- set listen_ips = [] -%}
+{%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%}
+{%- for ip in salt['network.ip_addrs']() -%}
+{%- if salt['network.is_private'](ip) -%}
+{%- do listen_ips.append(ip) -%}
+{%- endif -%}
+{%- endfor -%}
+{%- for ip in salt['network.ip_addrs6']() -%}
+{%- if ip.startswith(legal6s) -%}
+{%- do listen_ips.append(ip) -%}
+{%- endif -%}
+{%- endfor -%}
+{%- for ip in listen_ips %}
+- {{ ip }}
+{%- endfor %}
+{%- endmacro -%}
--- a/pillar/global/ssh.sls
+++ b/pillar/global/ssh.sls
@ -0,0 +1,31 @@
+{%- from slspath ~ '/../global/macros.jinja' import listeners -%}
+{#-
+{%- from '/tmp/salt-libertacasa/pillar/global/macros.jinja' import listeners with context -%}
+#}
+{%- set host = grains['host'] -%}
+
+sshd_config:
+  ConfigBanner: |
+    ### This file is managed via https://git.com.de/LibertaCasa/salt
+    ### Manual changes will be overwritten
+  ListenAddress: {{ listeners() | indent }}
+  Protocol: 2
+  SyslogFacility: AUTH
+  LogLevel: FATAL
+  HostKey:
+    - /etc/ssh/{{ host }}
+  HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com
+  HostCertificate: /etc/ssh/{{ host }}-cert.pub
+  TrustedUserCAKeys: /etc/ssh/user_ca
+  PasswordAuthentication: 'no'
+  LoginGraceTime: 1m
+  PermitRootLogin: 'no'
+  StrictModes: 'yes'
+  MaxAuthTries: 1
+  MaxSessions: 3
+  UsePAM: 'yes'
+  X11Forwarding: 'no'
+  PrintMotd: 'yes'
+  PrintLastLog: 'yes'
+  Subsystem: sftp /usr/lib/ssh/sftp-server
+
--- a/salt/common/ssh.sls
+++ b/salt/common/ssh.sls
@ -0,0 +1,12 @@
+include:
+  - openssh.banner
+  - openssh.config
+
+/etc/ssh/user_ca:
+  file.managed:
+    - contents:
+      {%- for key in salt['pillar.get']('secret_ssh:userca_keys') -%}
+      - {{ key }}
+      {%- endfor -%}
+    - require:
+      - pkg: openssh
--- a/salt/common/suse.sls
+++ b/salt/common/suse.sls
@ -3,7 +3,7 @@ include:
  - profile.zypp
  - profile.node_exporter
  - users
-  - postfix
+  - .ssh
  - postfix.config

 {#- to-do: move this to some formula or macro -#}