Manage common SSH server #6

Merged
Georg merged 1 commits from ssh into production 2023-01-27 11:48:51 +01:00
6 changed files with 63 additions and 1 deletions

View File

@ -1,3 +1,4 @@
- postfix - postfix
- salt - salt
- users - users
- openssh

View File

@ -2,6 +2,7 @@ include:
- role.salt.common - role.salt.common
- role.salt.minion - role.salt.minion
- .mta - .mta
- .ssh
managed_header_pound: | managed_header_pound: |
### This file is managed via https://git.com.de/LibertaCasa/salt ### This file is managed via https://git.com.de/LibertaCasa/salt

View File

@ -0,0 +1,17 @@
{%- macro listeners() -%}
{%- set listen_ips = [] -%}
{%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%}
{%- for ip in salt['network.ip_addrs']() -%}
{%- if salt['network.is_private'](ip) -%}
{%- do listen_ips.append(ip) -%}
{%- endif -%}
{%- endfor -%}
{%- for ip in salt['network.ip_addrs6']() -%}
{%- if ip.startswith(legal6s) -%}
{%- do listen_ips.append(ip) -%}
{%- endif -%}
{%- endfor -%}
{%- for ip in listen_ips %}
- {{ ip }}
{%- endfor %}
{%- endmacro -%}

31
pillar/global/ssh.sls Normal file
View File

@ -0,0 +1,31 @@
{%- from slspath ~ '/../global/macros.jinja' import listeners -%}
{#-
{%- from '/tmp/salt-libertacasa/pillar/global/macros.jinja' import listeners with context -%}
#}
{%- set host = grains['host'] -%}
sshd_config:
ConfigBanner: |
### This file is managed via https://git.com.de/LibertaCasa/salt
### Manual changes will be overwritten
ListenAddress: {{ listeners() | indent }}
Protocol: 2
SyslogFacility: AUTH
LogLevel: FATAL
HostKey:
- /etc/ssh/{{ host }}
HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com
HostCertificate: /etc/ssh/{{ host }}-cert.pub
TrustedUserCAKeys: /etc/ssh/user_ca
PasswordAuthentication: 'no'
LoginGraceTime: 1m
PermitRootLogin: 'no'
StrictModes: 'yes'
MaxAuthTries: 1
MaxSessions: 3
UsePAM: 'yes'
X11Forwarding: 'no'
PrintMotd: 'yes'
PrintLastLog: 'yes'
Subsystem: sftp /usr/lib/ssh/sftp-server

12
salt/common/ssh.sls Normal file
View File

@ -0,0 +1,12 @@
include:
- openssh.banner
- openssh.config
/etc/ssh/user_ca:
file.managed:
- contents:
{%- for key in salt['pillar.get']('secret_ssh:userca_keys') -%}
- {{ key }}
{%- endfor -%}
- require:
- pkg: openssh

View File

@ -3,7 +3,7 @@ include:
- profile.zypp - profile.zypp
- profile.node_exporter - profile.node_exporter
- users - users
- postfix - .ssh
- postfix.config - postfix.config
{#- to-do: move this to some formula or macro -#} {#- to-do: move this to some formula or macro -#}