Merge pull request 'Manage common SSH server' (#6) from ssh into production
Reviewed-on: #6
b7ec9e683f
@ -1,3 +1,4 @@
|
|||||||
- postfix
|
- postfix
|
||||||
- salt
|
- salt
|
||||||
- users
|
- users
|
||||||
|
- openssh
|
||||||
|
@ -2,6 +2,7 @@ include:
|
|||||||
- role.salt.common
|
- role.salt.common
|
||||||
- role.salt.minion
|
- role.salt.minion
|
||||||
- .mta
|
- .mta
|
||||||
|
- .ssh
|
||||||
|
|
||||||
managed_header_pound: |
|
managed_header_pound: |
|
||||||
### This file is managed via https://git.com.de/LibertaCasa/salt
|
### This file is managed via https://git.com.de/LibertaCasa/salt
|
||||||
|
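--- a/pillar/global/macros.jinja
+++ b/pillar/global/macros.jinja
@@ -0,0 +1,17 @@
+{%- macro listeners() -%}
+{%- set listen_ips = [] -%}
+{%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%}
+{%- for ip in salt['network.ip_addrs']() -%}
+{%- if salt['network.is_private'](ip) -%}
+{%- do listen_ips.append(ip) -%}
+{%- endif -%}
+{%- endfor -%}
+{%- for ip in salt['network.ip_addrs6']() -%}
+{%- if ip.startswith(legal6s) -%}
+{%- do listen_ips.append(ip) -%}
+{%- endif -%}
+{%- endfor -%}
+{%- for ip in listen_ips %}
+- {{ ip }}
+{%- endfor %}
+{%- endmacro -%}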
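Review bot: `listeners()` renders nothing at all when no address passes the two filters, so `ListenAddress:` in pillar/global/ssh.sls ends up with an empty value and, depending on how the formula renders a null, sshd either gets an invalid line or silently falls back to its default of listening on every interface; the macro should fail the render instead, e.g. `{%- if not listen_ips %}{{ raise('listeners(): no eligible address on ' ~ grains['host']) }}{%- endif %}` placed before the output loop. The IPv6 selection is a plain string-prefix test against the hard-coded tuple `('fd29', '2a01:4f8:11e:2200')`, which ties a shared macro to one provider range and breaks as soon as `network.ip_addrs6` returns a differently formatted address; those ranges belong in pillar as CIDRs checked with `salt['network.ip_in_subnet']`. The macro also has no header comment; I would add `{#- listeners(): emit a YAML list of this minion's private IPv4 and allow-listed IPv6 addresses for sshd ListenAddress -#}`.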
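--- a/pillar/global/ssh.sls
+++ b/pillar/global/ssh.sls
@@ -0,0 +1,31 @@
+{%- from slspath ~ '/../global/macros.jinja' import listeners -%}
+{#-
+{%- from '/tmp/salt-libertacasa/pillar/global/macros.jinja' import listeners with context -%}
+#}
+{%- set host = grains['host'] -%}
+
+sshd_config:
+ConfigBanner: |
+### This file is managed via https://git.com.de/LibertaCasa/salt
+### Manual changes will be overwritten
+ListenAddress: {{ listeners() | indent }}
+Protocol: 2
+SyslogFacility: AUTH
+LogLevel: FATAL
+HostKey:
+- /etc/ssh/{{ host }}
+HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com
+HostCertificate: /etc/ssh/{{ host }}-cert.pub
+TrustedUserCAKeys: /etc/ssh/user_ca
+PasswordAuthentication: 'no'
+LoginGraceTime: 1m
+PermitRootLogin: 'no'
+StrictModes: 'yes'
+MaxAuthTries: 1
+MaxSessions: 3
+UsePAM: 'yes'
+X11Forwarding: 'no'
+PrintMotd: 'yes'
+PrintLastLog: 'yes'
+Subsystem: sftp /usr/lib/ssh/sftp-server
+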
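Review bot: `PasswordAuthentication: 'no'` combined with `UsePAM: 'yes'` does not by itself rule out password logins, because keyboard-interactive authentication keeps its default of yes and lets PAM prompt for a password; add `ChallengeResponseAuthentication: 'no'` (spelled `KbdInteractiveAuthentication` on OpenSSH 8.7 and later) next to it. `LogLevel: FATAL` suppresses every authentication record, so neither failed attempts nor which certificate was accepted through `TrustedUserCAKeys` is ever written to AUTH; `LogLevel: INFO` logs the accepted certificate's ID and serial and `VERBOSE` additionally logs the fingerprint of every key offered, either of which this otherwise strict config should have. `MaxAuthTries: 1` counts each key the client offers, so a user with several keys loaded in an agent can be disconnected before the matching certificate is tried; `MaxAuthTries: 3` keeps the limit tight without that effect. `Protocol: 2` is a deprecated keyword that current sshd only warns about, and the commented-out import of `/tmp/salt-libertacasa/pillar/global/macros.jinja` is debugging residue; both can be dropped.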
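--- a/salt/common/ssh.sls
+++ b/salt/common/ssh.sls
@@ -0,0 +1,12 @@
+include:
+- openssh.banner
+- openssh.config
+
+/etc/ssh/user_ca:
+file.managed:
+- contents:
+{%- for key in salt['pillar.get']('secret_ssh:userca_keys') -%}
+- {{ key }}
+{%- endfor -%}
+- require:
+- pkg: openssh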
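Review bot: The trailing `-%}` on `{%- for key in salt['pillar.get']('secret_ssh:userca_keys') -%}` and `{%- endfor -%}` strips the newline and indentation after each tag, so as written the rendered state reads `- contents:- <key>` with the following `- require:` fused onto the same line, which is not valid YAML; unless indentation lost in this view hides something, drop the trailing dashes, `{%- for key in salt['pillar.get']('secret_ssh:userca_keys') %}` and `{%- endfor %}`, as pillar/global/macros.jinja already does for its output loop. `/etc/ssh/user_ca` is the trust anchor for every certificate login, so its ownership and mode should be pinned rather than inherited from the running umask or a pre-existing file: add `- user: root`, `- group: root` and `- mode: '0644'`. `pillar.get` without a default returns an empty string when `secret_ssh:userca_keys` is unset, which yields an empty CA file and locks out every certificate user; reading it with an explicit default and failing the render when the list is empty would surface that at state time instead.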
@ -3,7 +3,7 @@ include:
|
|||||||
- profile.zypp
|
- profile.zypp
|
||||||
- profile.node_exporter
|
- profile.node_exporter
|
||||||
- users
|
- users
|
||||||
- postfix
|
- .ssh
|
||||||
- postfix.config
|
- postfix.config
|
||||||
|
|
||||||
{#- to-do: move this to some formula or macro -#}
|
{#- to-do: move this to some formula or macro -#}
|
||||||
|