Merge pull request #166 from myii/feat/semantic-release

feat(semantic-release): implement for this formula
This commit is contained in:
Imran Iqbal 2019-09-13 04:30:09 +01:00 committed by GitHub
commit 107fc44f48
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 1506 additions and 96 deletions

123
.gitignore vendored
View File

@ -1,3 +1,122 @@
*.swp # Byte-compiled / optimized / DLL files
.kitchen/ __pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a packager
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.kitchen
.kitchen.local.yml .kitchen.local.yml
kitchen.local.yml
junit-*.xml
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# dotenv
.env
# virtualenv
.venv
venv/
ENV/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
# Bundler
Gemfile.lock
# copied `.md` files used for conversion to `.rst` using `m2r`
docs/*.md
# Vim
*.sw?
## Collected when centralising formulas (check and sort)
# `collectd-formula`
.pytest_cache/
/.idea/
Dockerfile.*_*
ignore/
tmp/

86
.travis.yml Normal file
View File

@ -0,0 +1,86 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
dist: bionic
stages:
- test
- lint
- name: release
if: branch = master AND type != pull_request
sudo: required
cache: bundler
language: ruby
services:
- docker
# Make sure the instances listed below match up with
# the `platforms` defined in `kitchen.yml`
env:
matrix:
- INSTANCE: default-debian-10-develop-py3
# - INSTANCE: default-ubuntu-1804-develop-py3
# - INSTANCE: default-centos-7-develop-py3
# - INSTANCE: default-fedora-30-develop-py3
# - INSTANCE: default-opensuse-leap-15-develop-py3
# - INSTANCE: default-amazonlinux-2-develop-py2
# - INSTANCE: default-debian-9-2019-2-py3
- INSTANCE: default-ubuntu-1804-2019-2-py3
# - INSTANCE: default-centos-7-2019-2-py3
# - INSTANCE: default-fedora-30-2019-2-py3
# - INSTANCE: default-opensuse-leap-15-2019-2-py3
- INSTANCE: default-amazonlinux-2-2019-2-py2
# - INSTANCE: default-debian-9-2018-3-py2
# - INSTANCE: default-ubuntu-1604-2018-3-py2
# - INSTANCE: default-centos-7-2018-3-py2
- INSTANCE: default-fedora-29-2018-3-py2
- INSTANCE: default-opensuse-leap-15-2018-3-py2
# - INSTANCE: default-amazonlinux-2-2018-3-py2
# - INSTANCE: default-debian-8-2017-7-py2
# - INSTANCE: default-ubuntu-1604-2017-7-py2
- INSTANCE: default-centos-6-2017-7-py2
# - INSTANCE: default-fedora-29-2017-7-py2
# - INSTANCE: default-opensuse-leap-15-2017-7-py2
# - INSTANCE: default-amazonlinux-2-2017-7-py2
script:
- bin/kitchen verify ${INSTANCE}
jobs:
include:
# Define the `lint` stage (runs `yamllint` and `commitlint`)
- stage: lint
language: node_js
node_js: lts/*
before_install: skip
script:
# Install and run `yamllint`
# Need at least `v1.17.0` for the `yaml-files` setting
- pip install --user yamllint>=1.17.0
- yamllint -s .
# Install and run `commitlint`
- npm install @commitlint/config-conventional -D
- npm install @commitlint/travis-cli -D
- commitlint-travis
# Define the release stage that runs `semantic-release`
- stage: release
language: node_js
node_js: lts/*
before_install: skip
script:
# Update `AUTHORS.md`
- export MAINTAINER_TOKEN=${GH_TOKEN}
- go get github.com/myii/maintainer
- maintainer contributor
# Install all dependencies required for `semantic-release`
- npm install @semantic-release/changelog@3 -D
- npm install @semantic-release/exec@3 -D
- npm install @semantic-release/git@7 -D
deploy:
provider: script
skip_cleanup: true
script:
# Run `semantic-release`
- npx semantic-release@15

30
.yamllint Normal file
View File

@ -0,0 +1,30 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# Extend the `default` configuration provided by `yamllint`
extends: default
# Files to ignore completely
# 1. All YAML files under directory `node_modules/`, introduced during the Travis run
# 2. Any SLS files under directory `test/`, which are actually state files
ignore: |
node_modules/
test/**/states/**/*.sls
yaml-files:
# Default settings
- '*.yaml'
- '*.yml'
- .yamllint
# SaltStack Formulas additional settings
- '*.example'
- test/**/*.sls
rules:
empty-values:
forbid-in-block-mappings: true
forbid-in-flow-mappings: true
line-length:
# Increase from default of `80`
# Based on https://github.com/PyCQA/flake8-bugbear#opinionated-warnings (`B950`)
max: 88

9
FORMULA Normal file
View File

@ -0,0 +1,9 @@
name: openssh
os: Debian, Ubuntu, Raspbian, RedHat, Fedora, CentOS, Suse, openSUSE, Gentoo, Funtoo, Arch, Manjaro, Alpine, FreeBSD, OpenBSD, Solaris, SmartOS, Windows, MacOS
os_family: Debian, RedHat, Suse, Gentoo, Arch, Alpine, FreeBSD, OpenBSD, Solaris, Windows, MacOS
version: 0.41.0
release: 1
minimum_version: 2017.7
summary: openssh formula
description: Install and configure an openssh server
top_level_dir: openssh

6
Gemfile Normal file
View File

@ -0,0 +1,6 @@
source "https://rubygems.org"
gem 'kitchen-docker', '>= 2.9'
gem 'kitchen-salt', '>= 0.6.0'
gem 'kitchen-inspec', '>= 1.1'

29
bin/kitchen Executable file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env ruby
# frozen_string_literal: true
#
# This file was generated by Bundler.
#
# The application 'kitchen' is installed as part of a gem, and
# this file is here to facilitate running it.
#
require "pathname"
ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
Pathname.new(__FILE__).realpath)
bundle_binstub = File.expand_path("../bundle", __FILE__)
if File.file?(bundle_binstub)
if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
load(bundle_binstub)
else
abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
end
end
require "rubygems"
require "bundler/setup"
load Gem.bin_path("test-kitchen", "kitchen")

3
commitlint.config.js Normal file
View File

@ -0,0 +1,3 @@
module.exports = {
extends: ['@commitlint/config-conventional'],
};

159
docs/CONTRIBUTING.rst Normal file
View File

@ -0,0 +1,159 @@
.. _contributing:
How to contribute
=================
This document will eventually outline all aspects of guidance to make your contributing experience a fruitful and enjoyable one.
What it already contains is information about *commit message formatting* and how that directly affects the numerous automated processes that are used for this repo.
It also covers how to contribute to this *formula's documentation*.
.. contents:: **Table of Contents**
Overview
--------
Submitting a pull request is more than just code!
To achieve a quality product, the *tests* and *documentation* need to be updated as well.
An excellent pull request will include these in the changes, wherever relevant.
Commit message formatting
-------------------------
Since every type of change requires making Git commits,
we will start by covering the importance of ensuring that all of your commit
messages are in the correct format.
Automation of multiple processes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This formula uses `semantic-release <https://github.com/semantic-release/semantic-release>`_ for automating numerous processes such as bumping the version number appropriately, creating new tags/releases and updating the changelog.
The entire process relies on the structure of commit messages to determine the version bump, which is then used for the rest of the automation.
Full details are available in the upstream docs regarding the `Angular Commit Message Conventions <https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#-git-commit-guidelines>`_.
The key factor is that the first line of the commit message must follow this format:
.. code-block::
type(scope): subject
* E.g. ``docs(contributing): add commit message formatting instructions``.
Besides the version bump, the changelog and release notes are formatted accordingly.
So based on the example above:
..
.. raw:: html
<h3>Documentation</h3>
* **contributing:** add commit message formatting instructions
* The ``type`` translates into a ``Documentation`` sub-heading.
* The ``(scope):`` will be shown in bold text without the brackets.
* The ``subject`` follows the ``scope`` as standard text.
Linting commit messages in Travis CI
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This formula uses `commitlint <https://github.com/conventional-changelog/commitlint>`_ for checking commit messages during CI testing.
This ensures that they are in accordance with the ``semantic-release`` settings.
For more details about the default settings, refer back to the ``commitlint`` `reference rules <https://conventional-changelog.github.io/commitlint/#/reference-rules>`_.
Relationship between commit type and version bump
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This formula applies some customisations to the defaults, as outlined in the table below,
based upon the `type <https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#type>`_ of the commit:
.. list-table::
:name: commit-type-vs-version-bump
:header-rows: 1
:stub-columns: 0
:widths: 1,2,3,1,1
* - Type
- Heading
- Description
- Bump (default)
- Bump (custom)
* - ``build``
- Build System
- Changes related to the build system
-
-
* - ``chore``
-
- Changes to the build process or auxiliary tools and libraries such as
documentation generation
-
-
* - ``ci``
- Continuous Integration
- Changes to the continuous integration configuration
-
-
* - ``docs``
- Documentation
- Documentation only changes
-
- 0.0.1
* - ``feat``
- Features
- A new feature
- 0.1.0
-
* - ``fix``
- Bug Fixes
- A bug fix
- 0.0.1
-
* - ``perf``
- Performance Improvements
- A code change that improves performance
- 0.0.1
-
* - ``refactor``
- Code Refactoring
- A code change that neither fixes a bug nor adds a feature
-
- 0.0.1
* - ``revert``
- Reverts
- A commit used to revert a previous commit
-
- 0.0.1
* - ``style``
- Styles
- Changes that do not affect the meaning of the code (white-space,
formatting, missing semi-colons, etc.)
-
- 0.0.1
* - ``test``
- Tests
- Adding missing or correcting existing tests
-
- 0.0.1
Use ``BREAKING CHANGE`` to trigger a ``major`` version change
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Adding ``BREAKING CHANGE`` to the footer of the extended description of the commit message will **always** trigger a ``major`` version change, no matter which type has been used.
This will be appended to the changelog and release notes as well.
To preserve good formatting of these notes, the following format is prescribed:
* ``BREAKING CHANGE: <explanation in paragraph format>.``
An example of that:
.. code-block:: git
...
BREAKING CHANGE: With the removal of all of the `.sls` files under
`template package`, this formula no longer supports the installation of
packages.

View File

@ -1,47 +1,78 @@
.. _readme:
openssh openssh
======= =======
|img_travis| |img_sr|
.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/openssh-formula.svg?branch=master
:alt: Travis CI Build Status
:scale: 100%
:target: https://travis-ci.com/saltstack-formulas/openssh-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
:alt: Semantic Release
:scale: 100%
:target: https://github.com/semantic-release/semantic-release
Install and configure an openssh server. Install and configure an openssh server.
.. note:: .. contents:: **Table of Contents**
See the full `Salt Formulas installation and usage instructions General notes
<http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_. -------------
See the full `SaltStack Formulas installation and usage instructions
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.
If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.
See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.
Contributing to this repo
-------------------------
**Commit message formatting is significant!!**
Please see :ref:`How to contribute <CONTRIBUTING>` for more details.
Available states Available states
================ ----------------
.. contents:: .. contents::
:local: :local:
``openssh`` ``openssh``
----------- ^^^^^^^^^^^
Installs the ``openssh`` server package and service. Installs the ``openssh`` server package and service.
``openssh.auth`` ``openssh.auth``
----------- ^^^^^^^^^^^^^^^^
Manages SSH certificates for users. Manages SSH certificates for users.
``openssh.auth_map`` ``openssh.auth_map``
----------- ^^^^^^^^^^^^^^^^^^^^
Same functionality as openssh.auth but with a simplified Pillar syntax. Same functionality as openssh.auth but with a simplified Pillar syntax.
Plays nicely with `Pillarstack Plays nicely with `Pillarstack
<https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.stack.html>`_. <https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.stack.html>`_.
``openssh.banner`` ``openssh.banner``
------------------ ^^^^^^^^^^^^^^^^^^
Installs a banner that users see when SSH-ing in. Installs a banner that users see when SSH-ing in.
``openssh.client`` ``openssh.client``
------------------ ^^^^^^^^^^^^^^^^^^
Installs the openssh client package. Installs the openssh client package.
``openssh.config`` ``openssh.config``
------------------ ^^^^^^^^^^^^^^^^^^
Installs the ssh daemon configuration file included in this formula Installs the ssh daemon configuration file included in this formula
(under "openssh/files"). This configuration file is populated (under "openssh/files"). This configuration file is populated
@ -52,7 +83,7 @@ It is highly recommended ``PermitRootLogin`` is added to pillar
so root login will be disabled. so root login will be disabled.
``openssh.config_ini`` ``openssh.config_ini``
---------------------- ^^^^^^^^^^^^^^^^^^^^^^
Version of managing ``sshd_config`` that uses the Version of managing ``sshd_config`` that uses the
`ini_managed.option_present <https://docs.saltstack.com/en/latest/ref/states/all/salt.states.ini_manage.html>`_ `ini_managed.option_present <https://docs.saltstack.com/en/latest/ref/states/all/salt.states.ini_manage.html>`_
@ -62,7 +93,7 @@ distribution.
``openssh.known_hosts`` ``openssh.known_hosts``
----------------------- ^^^^^^^^^^^^^^^^^^^^^^^
Manages ``/etc/ssh/ssh_known_hosts`` and fills it with the Manages ``/etc/ssh/ssh_known_hosts`` and fills it with the
public SSH host keys of your minions (collected via the Salt mine) public SSH host keys of your minions (collected via the Salt mine)
@ -182,6 +213,52 @@ To **include localhost** and local IP addresses (``127.0.0.1`` and ``::1``) use
include_localhost: True include_localhost: True
``openssh.moduli`` ``openssh.moduli``
----------------------- ^^^^^^^^^^^^^^^^^^
Manages the system wide ``/etc/ssh/moduli`` file. Manages the system wide ``/etc/ssh/moduli`` file.
Testing
-------
Linux testing is done with ``kitchen-salt``.
Requirements
^^^^^^^^^^^^
* Ruby
* Docker
.. code-block:: bash
$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]
Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
e.g. ``debian-9-2019-2-py3``.
``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^
Creates the docker instance and runs the ``template`` main state, ready for testing.
``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^
Runs the ``inspec`` tests on the actual instance.
``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^
Removes the docker instance.
``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^
Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.
``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^
Gives you SSH access to the instance for manual testing.

View File

@ -39,7 +39,7 @@ Using SaltStack is a simple and effective way to implement configuration managem
To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates.
There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/spsoit/nginx-formula/blob/81de880fe0276dd9488ffa15bc78944c0fc2b919/nginx/ng/files/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/saltstack-formulas/nginx-formula/blob/f74254c07e188bd448eaf1c5f9c802d78c4c005e/nginx/files/default/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer.
In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values.
@ -325,6 +325,7 @@ We can simplify the ``conf.sls`` with the new ``files_switch`` macro to use in t
* This uses ``config.get``, searching for ``ntp:tofs:source_files:Configure NTP`` to determine the list of template files to use. * This uses ``config.get``, searching for ``ntp:tofs:source_files:Configure NTP`` to determine the list of template files to use.
* If this returns a result, the default of ``['/etc/ntp.conf.jinja']`` will be appended to it.
* If this does not yield any results, the default of ``['/etc/ntp.conf.jinja']`` will be used. * If this does not yield any results, the default of ``['/etc/ntp.conf.jinja']`` will be used.
In ``libtofs.jinja``, we define this new macro ``files_switch``. In ``libtofs.jinja``, we define this new macro ``files_switch``.
@ -426,7 +427,6 @@ The list of ``source_files`` can be given:
tofs: tofs:
source_files: source_files:
Configure NTP: Configure NTP:
- '/etc/ntp.conf.jinja'
- '/etc/ntp.conf_alt.jinja' - '/etc/ntp.conf_alt.jinja'
Resulting in: Resulting in:
@ -434,10 +434,85 @@ Resulting in:
.. code-block:: sls .. code-block:: sls
- source: - source:
- salt://ntp/files/theminion/etc/ntp.conf.jinja
- salt://ntp/files/theminion/etc/ntp.conf_alt.jinja - salt://ntp/files/theminion/etc/ntp.conf_alt.jinja
- salt://ntp/files/Debian/etc/ntp.conf.jinja - salt://ntp/files/theminion/etc/ntp.conf.jinja
- salt://ntp/files/Debian/etc/ntp.conf_alt.jinja - salt://ntp/files/Debian/etc/ntp.conf_alt.jinja
- salt://ntp/files/default/etc/ntp.conf.jinja - salt://ntp/files/Debian/etc/ntp.conf.jinja
- salt://ntp/files/default/etc/ntp.conf_alt.jinja - salt://ntp/files/default/etc/ntp.conf_alt.jinja
- salt://ntp/files/default/etc/ntp.conf.jinja
Note: This does *not* override the default value.
Rather, the value from the pillar/config is prepended to the default.
Using sub-directories for ``components``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If your formula is composed of several components, you may prefer to provides files under sub-directories, like in the `systemd-formula <https://github.com/saltstack-formulas/systemd-formula>`_.
.. code-block::
/srv/saltstack/systemd-formula/
systemd/
init.sls
libtofs.jinja
map.jinja
networkd/
init.sls
files/
default/
network/
99-default.link
resolved/
init.sls
files/
default/
resolved.conf
timesyncd/
init.sls
files/
Arch/
resolved.conf
Debian/
resolved.conf
default/
resolved.conf
Ubuntu/
resolved.conf
For example, the following ``formula.component.config`` SLS:
.. code-block:: sls
{%- from "formula/libtofs.jinja" import files_switch with context %}
formula configuration file:
file.managed:
- name: /etc/formula.conf
- user: root
- group: root
- mode: 644
- template: jinja
- source: {{ files_switch(['formula.conf'],
lookup='formula',
use_subpath=True
)
}}
will be rendered on a ``Debian`` minion named ``salt-formula.ci.local`` as:
.. code-block:: sls
formula configuration file:
file.managed:
- name: /etc/formula.conf
- user: root
- group: root
- mode: 644
- template: jinja
- source:
- salt://formula/component/files/salt-formula.ci.local/formula.conf
- salt://formula/component/files/Debian/formula.conf
- salt://formula/component/files/default/formula.conf
- salt://formula/files/salt-formula.ci.local/formula.conf
- salt://formula/files/Debian/formula.conf
- salt://formula/files/default/formula.conf

View File

@ -1,3 +1,5 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
--- ---
driver: driver:
name: vagrant name: vagrant

167
kitchen.yml Normal file
View File

@ -0,0 +1,167 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# For help on this file's format, see https://kitchen.ci/
driver:
name: docker
use_sudo: false
privileged: true
run_command: /lib/systemd/systemd
# Make sure the platforms listed below match up with
# the `env.matrix` instances defined in `.travis.yml`
platforms:
## SALT `develop`
- name: debian-10-develop-py3
driver:
image: netmanagers/salt-develop-py3:debian-10
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: ubuntu-1804-develop-py3
driver:
image: netmanagers/salt-develop-py3:ubuntu-18.04
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: centos-7-develop-py3
driver:
image: netmanagers/salt-develop-py3:centos-7
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: fedora-30-develop-py3
driver:
image: netmanagers/salt-develop-py3:fedora-30
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: opensuse-leap-15-develop-py3
driver:
image: netmanagers/salt-develop-py3:opensuse-leap-15
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
run_command: /usr/lib/systemd/systemd
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-develop-py2
driver:
image: netmanagers/salt-develop-py2:amazonlinux-2
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python2 git develop
## SALT `2019.2`
- name: debian-9-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:debian-9
- name: ubuntu-1804-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:ubuntu-18.04
- name: centos-7-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:centos-7
- name: fedora-30-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:fedora-30
- name: opensuse-leap-15-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:opensuse-leap-15
run_command: /usr/lib/systemd/systemd
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-2019-2-py2
driver:
image: netmanagers/salt-2019.2-py2:amazonlinux-2
## SALT `2018.3`
- name: debian-9-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:debian-9
- name: ubuntu-1604-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:ubuntu-16.04
- name: centos-7-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:centos-7
- name: fedora-29-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:fedora-29
- name: opensuse-leap-15-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:opensuse-leap-15
run_command: /usr/lib/systemd/systemd
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:amazonlinux-2
## SALT `2017.7`
- name: debian-8-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:debian-8
- name: ubuntu-1604-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:ubuntu-16.04
- name: centos-6-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:centos-6
run_command: /sbin/init
- name: fedora-29-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:fedora-29
- name: opensuse-leap-15-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:opensuse-leap-15
run_command: /usr/lib/systemd/systemd
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:amazonlinux-2
provisioner:
name: salt_solo
log_level: info
salt_install: none
require_chef: false
formula: openssh
salt_copy_filter:
- .kitchen
- .git
verifier:
# https://www.inspec.io/
name: inspec
sudo: true
# cli, documentation, html, progress, json, json-min, json-rspec, junit
reporter:
- cli
suites:
- name: default
provisioner:
state_top:
base:
'*':
- openssh
pillars:
top.sls:
base:
'*':
- openssh
pillars_from_files:
openssh.sls: test/salt/pillar/default.sls
verifier:
inspec_tests:
- path: test/integration/default

View File

@ -1,19 +1,22 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
default: default:
openssh: openssh:
sshd_enable: True sshd_enable: true
sshd_binary: /usr/sbin/sshd sshd_binary: /usr/sbin/sshd
sshd_config: /etc/ssh/sshd_config sshd_config: /etc/ssh/sshd_config
sshd_config_src: sshd_config # Default TOFS source filename sshd_config_src: sshd_config # Default TOFS source filename
sshd_config_user: root sshd_config_user: root
sshd_config_group: root sshd_config_group: root
sshd_config_mode: '644' sshd_config_mode: '644'
sshd_config_backup: True sshd_config_backup: true
ssh_config: /etc/ssh/ssh_config ssh_config: /etc/ssh/ssh_config
ssh_config_src: ssh_config # Default TOFS source filename ssh_config_src: ssh_config # Default TOFS source filename
ssh_config_user: root ssh_config_user: root
ssh_config_group: root ssh_config_group: root
ssh_config_mode: '644' ssh_config_mode: '644'
ssh_config_backup: True ssh_config_backup: true
banner: /etc/ssh/banner banner: /etc/ssh/banner
banner_src: banner # Default TOFS source filename banner_src: banner # Default TOFS source filename
ssh_known_hosts: /etc/ssh/ssh_known_hosts ssh_known_hosts: /etc/ssh/ssh_known_hosts
@ -24,7 +27,7 @@ default:
# Prevent merge of array; always override values # Prevent merge of array; always override values
host_key_algos: ecdsa,ed25519,rsa host_key_algos: ecdsa,ed25519,rsa
# To manage/remove DSA: # To manage/remove DSA:
#host_key_algos: dsa,ecdsa,ed25519,rsa # host_key_algos: dsa,ecdsa,ed25519,rsa
sshd_config: {} sshd_config: {}
ssh_config: {} ssh_config: {}

View File

@ -2,7 +2,7 @@
lookup=None, lookup=None,
default_files_switch=['id', 'os_family'], default_files_switch=['id', 'os_family'],
indent_width=6, indent_width=6,
v1_path_prefix='') %} use_subpath=False) %}
{#- {#-
Returns a valid value for the "source" parameter of a "file.managed" Returns a valid value for the "source" parameter of a "file.managed"
state function. This makes easier the usage of the Template Override and state function. This makes easier the usage of the Template Override and
@ -10,15 +10,15 @@
Params: Params:
* source_files: ordered list of files to look for * source_files: ordered list of files to look for
* lookup: key under '<tplroot>:tofs:source_files' to override * lookup: key under '<tplroot>:tofs:source_files' to prepend to the
list of source files list of source files
* default_files_switch: if there's no config (e.g. pillar) * default_files_switch: if there's no config (e.g. pillar)
'<tplroot>:tofs:files_switch' this is the ordered list of grains to '<tplroot>:tofs:files_switch' this is the ordered list of grains to
use as selector switch of the directories under use as selector switch of the directories under
"<path_prefix>/files" "<path_prefix>/files"
* indent_witdh: indentation of the result value to conform to YAML * indent_witdh: indentation of the result value to conform to YAML
* v1_path_prefix: (deprecated) only used for injecting a path prefix into * use_subpath: defaults to `False` but if set, lookup the source file
the source, to support older TOFS configs recursively from the current state directory up to `tplroot`
Example (based on a `tplroot` of `xxx`): Example (based on a `tplroot` of `xxx`):
@ -55,20 +55,24 @@
tplroot ~ ':tofs:files_switch', tplroot ~ ':tofs:files_switch',
default_files_switch default_files_switch
) %} ) %}
{#- Lookup source_files (v2), files (v1), or fallback to source_files parameter #} {#- Lookup source_files (v2), files (v1), or fallback to an empty list #}
{%- set src_files = salt['config.get']( {%- set src_files = salt['config.get'](
tplroot ~ ':tofs:source_files:' ~ lookup, tplroot ~ ':tofs:source_files:' ~ lookup,
salt['config.get']( salt['config.get'](tplroot ~ ':tofs:files:' ~ lookup, [])
tplroot ~ ':tofs:files:' ~ lookup,
source_files
)
) %} ) %}
{#- Append the default source_files #}
{%- set src_files = src_files + source_files %}
{#- Only add to [''] when supporting older TOFS implementations #} {#- Only add to [''] when supporting older TOFS implementations #}
{%- set path_prefix_exts = [''] %} {%- set path_prefix_exts = [''] %}
{%- if v1_path_prefix != '' %} {%- if use_subpath and tplroot != tpldir %}
{%- do path_prefix_exts.append(v1_path_prefix) %} {#- Walk directory tree to find {{ files_dir }} #}
{%- set subpath_parts = tpldir.lstrip(tplroot).lstrip('/').split('/') %}
{%- for path in subpath_parts %}
{%- set subpath = subpath_parts[0:loop.index] | join('/') %}
{%- do path_prefix_exts.append('/' ~ subpath) %}
{%- endfor %}
{%- endif %} {%- endif %}
{%- for path_prefix_ext in path_prefix_exts %} {%- for path_prefix_ext in path_prefix_exts|reverse %}
{%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %} {%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %}
{#- For older TOFS implementation, use `files_switch` from the config #} {#- For older TOFS implementation, use `files_switch` from the config #}
{#- Use the default, new method otherwise #} {#- Use the default, new method otherwise #}
@ -83,10 +87,16 @@
{%- for fs in fsl %} {%- for fs in fsl %}
{%- for src_file in src_files %} {%- for src_file in src_files %}
{%- if fs %} {%- if fs %}
{%- set fs_dir = salt['config.get'](fs, fs) %} {%- set fs_dirs = salt['config.get'](fs, fs) %}
{%- else %} {%- else %}
{%- set fs_dir = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %} {%- set fs_dirs = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %}
{%- endif %} {%- endif %}
{#- Force the `config.get` lookup result as a list where necessary #}
{#- since we need to also handle grains that are lists #}
{%- if fs_dirs is string %}
{%- set fs_dirs = [fs_dirs] %}
{%- endif %}
{%- for fs_dir in fs_dirs %}
{%- set url = [ {%- set url = [
'- salt:/', '- salt:/',
path_prefix_inc_ext.strip('/'), path_prefix_inc_ext.strip('/'),
@ -98,4 +108,5 @@
{%- endfor %} {%- endfor %}
{%- endfor %} {%- endfor %}
{%- endfor %} {%- endfor %}
{%- endfor %}
{%- endmacro %} {%- endmacro %}

View File

@ -1,3 +1,6 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
Arch: Arch:
openssh: openssh:
server: openssh server: openssh

View File

@ -1,3 +1,6 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
Ubuntu-18.04: {} Ubuntu-18.04: {}
CentOS-6: CentOS-6:
openssh: openssh:

View File

@ -1 +1,4 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
FreeBSD: {} FreeBSD: {}

View File

@ -1,3 +1,6 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
sshd_config: sshd_config:
# This keyword is totally optional # This keyword is totally optional
ConfigBanner: | ConfigBanner: |
@ -41,7 +44,7 @@ sshd_config:
UsePAM: 'yes' UsePAM: 'yes'
UseDNS: 'yes' UseDNS: 'yes'
# set as string # set as string
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' # AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
# or set as list # or set as list
AllowUsers: AllowUsers:
- vader@10.0.0.1 - vader@10.0.0.1
@ -49,20 +52,20 @@ sshd_config:
- sidious - sidious
- luke - luke
# set as string # set as string
DenyUsers: 'yoda chewbaca@112.10.21.1' # DenyUsers: 'yoda chewbaca@112.10.21.1'
# or set as list # or set as list
DenyUsers: DenyUsers:
- yoda - yoda
- chewbaca@112.10.21.1 - chewbaca@112.10.21.1
# set as string # set as string
AllowGroups: 'wheel staff imperial' # AllowGroups: 'wheel staff imperial'
# or set as list # or set as list
AllowGroups: AllowGroups:
- wheel - wheel
- staff - staff
- imperial - imperial
# set as string # set as string
DenyGroups: 'rebel' # DenyGroups: 'rebel'
# or set as list # or set as list
DenyGroups: DenyGroups:
- rebel - rebel
@ -73,8 +76,8 @@ sshd_config:
Group: sftpusers Group: sftpusers
options: options:
ChrootDirectory: /sftp-chroot/%u ChrootDirectory: /sftp-chroot/%u
X11Forwarding: no X11Forwarding: 'no'
AllowTcpForwarding: no AllowTcpForwarding: 'no'
ForceCommand: internal-sftp ForceCommand: internal-sftp
# Supports complex compound matches in Match criteria. For example, be able # Supports complex compound matches in Match criteria. For example, be able
# to match against multiple Users for a given Match, or be able to match # to match against multiple Users for a given Match, or be able to match
@ -108,13 +111,15 @@ sshd_config:
options: options:
ChrootDirectory: /ex/%u ChrootDirectory: /ex/%u
# yamllint disable rule:line-length
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# The configuration given in the example below is based on: # The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html # https://stribika.github.io/2015/01/04/secure-secure-shell.html
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# yamllint enable rule:line-length
KexAlgorithms: KexAlgorithms:
- 'curve25519-sha256@libssh.org' - 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256' - 'diffie-hellman-group-exchange-sha256'
@ -141,15 +146,15 @@ sshd_config:
ssh_config: ssh_config:
Hosts: Hosts:
'*': '*':
StrictHostKeyChecking: no StrictHostKeyChecking: 'no'
ForwardAgent: no ForwardAgent: 'no'
ForwardX11: no ForwardX11: 'no'
RhostsRSAAuthentication: no RhostsRSAAuthentication: 'no'
RSAAuthentication: yes RSAAuthentication: 'yes'
PasswordAuthentication: yes PasswordAuthentication: 'yes'
HostbasedAuthentication: no HostbasedAuthentication: 'no'
GSSAPIAuthentication: no GSSAPIAuthentication: 'no'
GSSAPIDelegateCredentials: no GSSAPIDelegateCredentials: 'no'
BatchMode: 'yes' BatchMode: 'yes'
CheckHostIP: 'yes' CheckHostIP: 'yes'
AddressFamily: 'any' AddressFamily: 'any'
@ -162,6 +167,7 @@ ssh_config:
TunnelDevice: 'any:any' TunnelDevice: 'any:any'
PermitLocalCommand: 'no' PermitLocalCommand: 'no'
VisualHostKey: 'no' VisualHostKey: 'no'
# yamllint disable rule:line-length
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
# WARNING! Please make sure you understand the implications of the below # WARNING! Please make sure you understand the implications of the below
# settings. The examples provided below might break your connection to older / # settings. The examples provided below might break your connection to older /
@ -169,9 +175,10 @@ ssh_config:
# The configuration given in the example below is based on: # The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html # https://stribika.github.io/2015/01/04/secure-secure-shell.html
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# yamllint enable rule:line-length
KexAlgorithms: KexAlgorithms:
- 'curve25519-sha256@libssh.org' - 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256' - 'diffie-hellman-group-exchange-sha256'
@ -207,19 +214,19 @@ openssh:
auth: auth:
joe-valid-ssh-key-desktop: joe-valid-ssh-key-desktop:
- user: joe - user: joe
present: True present: true
enc: ssh-rsa enc: ssh-rsa
comment: main key - desktop comment: main key - desktop
source: salt://ssh_keys/joe.desktop.pub source: salt://ssh_keys/joe.desktop.pub
joe-valid-ssh-key-notebook: joe-valid-ssh-key-notebook:
- user: joe - user: joe
present: True present: true
enc: ssh-rsa enc: ssh-rsa
comment: main key - notebook comment: main key - notebook
source: salt://ssh_keys/joe.netbook.pub source: salt://ssh_keys/joe.netbook.pub
joe-non-valid-ssh-key: joe-non-valid-ssh-key:
- user: joe - user: joe
present: False present: false
enc: ssh-rsa enc: ssh-rsa
comment: obsolete key - removed comment: obsolete key - removed
source: salt://ssh_keys/joe.no-valid.pub source: salt://ssh_keys/joe.no-valid.pub
@ -235,11 +242,11 @@ openssh:
joe.netbook: joe.netbook:
options: [] # see salt.states.ssh_auth.present options: [] # see salt.states.ssh_auth.present
joe.no-valid: joe.no-valid:
present: False present: false
generate_dsa_keys: False generate_dsa_keys: false
absent_dsa_keys: False absent_dsa_keys: false
provide_dsa_keys: False provide_dsa_keys: false
dsa: dsa:
private_key: | private_key: |
-----BEGIN DSA PRIVATE KEY----- -----BEGIN DSA PRIVATE KEY-----
@ -248,9 +255,9 @@ openssh:
public_key: | public_key: |
ssh-dss NOT_DEFINED ssh-dss NOT_DEFINED
generate_ecdsa_keys: False generate_ecdsa_keys: false
absent_ecdsa_keys: False absent_ecdsa_keys: false
provide_ecdsa_keys: False provide_ecdsa_keys: false
ecdsa: ecdsa:
private_key: | private_key: |
-----BEGIN EC PRIVATE KEY----- -----BEGIN EC PRIVATE KEY-----
@ -259,12 +266,12 @@ openssh:
public_key: | public_key: |
ecdsa-sha2-nistp256 NOT_DEFINED ecdsa-sha2-nistp256 NOT_DEFINED
generate_rsa_keys: False generate_rsa_keys: false
generate_rsa_size: 4096 generate_rsa_size: 4096
# Will remove the old key if it is to short and generate a new one. # Will remove the old key if it is to short and generate a new one.
enforce_rsa_size: False enforce_rsa_size: false
absent_rsa_keys: False absent_rsa_keys: false
provide_rsa_keys: False provide_rsa_keys: false
rsa: rsa:
private_key: | private_key: |
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
@ -273,9 +280,9 @@ openssh:
public_key: | public_key: |
ssh-rsa NOT_DEFINED ssh-rsa NOT_DEFINED
generate_ed25519_keys: False generate_ed25519_keys: false
absent_ed25519_keys: False absent_ed25519_keys: false
provide_ed25519_keys: False provide_ed25519_keys: false
ed25519: ed25519:
private_key: | private_key: |
-----BEGIN OPENSSH PRIVATE KEY----- -----BEGIN OPENSSH PRIVATE KEY-----
@ -301,16 +308,16 @@ openssh:
# Includes short hostnames derived from the FQDN # Includes short hostnames derived from the FQDN
# (host.example.test -> host) # (host.example.test -> host)
# (Deactivated by default, because there can be collisions!) # (Deactivated by default, because there can be collisions!)
hostnames: False hostnames: false
#hostnames: # hostnames:
# Restrict wich hosts you want to use via their hostname # Restrict wich hosts you want to use via their hostname
# (i.e. ssh user@host instead of ssh user@host.example.com) # (i.e. ssh user@host instead of ssh user@host.example.com)
# target: '*' # Defaults to "*.{{ grains['domain']}}" # target: '*' # Defaults to "*.{{ grains['domain']}}"
# tgt_type: 'glob' # tgt_type: 'glob'
# To activate the defaults you can just set an empty dict. # To activate the defaults you can just set an empty dict.
#hostnames: {} # hostnames: {}
# Include localhost, 127.0.0.1 and ::1 (default: False) # Include localhost, 127.0.0.1 and ::1 (default: false)
include_localhost: False include_localhost: false
# Host keys fetched via salt-ssh # Host keys fetched via salt-ssh
salt_ssh: salt_ssh:
# The salt-ssh user # The salt-ssh user
@ -330,6 +337,7 @@ openssh:
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
# yamllint disable rule:line-length
# specify DH parameters (see /etc/ssh/moduli) # specify DH parameters (see /etc/ssh/moduli)
moduli: | moduli: |
# Time Type Tests Tries Size Generator Modulus # Time Type Tests Tries Size Generator Modulus
@ -337,9 +345,10 @@ openssh:
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
# yamllint enable rule:line-length
# ALTERNATIVELY, specify the location of the moduli file. Examples: # ALTERNATIVELY, specify the location of the moduli file. Examples:
#moduli_source: http://some.server.somewhere/salt/moduli # moduli_source: http://some.server.somewhere/salt/moduli
#moduli_source: salt://files/ssh/moduli # moduli_source: salt://files/ssh/moduli
# If moduli is specified, moduli_source will be ignored. # If moduli is specified, moduli_source will be ignored.
# Also, a proper hash file *must* be included in the same path. E.g.: # Also, a proper hash file *must* be included in the same path. E.g.:
# http://some.server.somewhere/salt/moduli.hash # http://some.server.somewhere/salt/moduli.hash
@ -351,7 +360,7 @@ mine_functions:
public_ssh_host_keys: public_ssh_host_keys:
mine_function: cmd.run mine_function: cmd.run
cmd: cat /etc/ssh/ssh_host_*_key.pub cmd: cat /etc/ssh/ssh_host_*_key.pub
python_shell: True python_shell: true
public_ssh_hostname: public_ssh_hostname:
mine_function: grains.get mine_function: grains.get
key: id key: id

30
pre-commit_semantic-release.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/sh
###############################################################################
# (A) Update `FORMULA` with `${nextRelease.version}`
###############################################################################
sed -i -e "s_^\(version:\).*_\1 ${1}_" FORMULA
###############################################################################
# (B) Use `m2r` to convert automatically produced `.md` docs to `.rst`
###############################################################################
# Install `m2r`
sudo -H pip install m2r
# Copy and then convert the `.md` docs
cp *.md docs/
cd docs/
m2r --overwrite *.md
# Change excess `H1` headings to `H2` in converted `CHANGELOG.rst`
sed -i -e '/^=.*$/s/=/-/g' CHANGELOG.rst
sed -i -e '1,4s/-/=/g' CHANGELOG.rst
# Use for debugging output, when required
# cat AUTHORS.rst
# cat CHANGELOG.rst
# Return back to the main directory
cd ..

18
release-rules.js Normal file
View File

@ -0,0 +1,18 @@
// No release is triggered for the types commented out below.
// Commits using these types will be incorporated into the next release.
//
// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
module.exports = [
{breaking: true, release: 'major'},
// {type: 'build', release: 'patch'},
// {type: 'chore', release: 'patch'},
// {type: 'ci', release: 'patch'},
{type: 'docs', release: 'patch'},
{type: 'feat', release: 'minor'},
{type: 'fix', release: 'patch'},
{type: 'perf', release: 'patch'},
{type: 'refactor', release: 'patch'},
{type: 'revert', release: 'patch'},
{type: 'style', release: 'patch'},
{type: 'test', release: 'patch'},
];

106
release.config.js Normal file
View File

@ -0,0 +1,106 @@
module.exports = {
branch: 'master',
plugins: [
['@semantic-release/commit-analyzer', {
preset: 'angular',
releaseRules: './release-rules.js',
}],
'@semantic-release/release-notes-generator',
['@semantic-release/changelog', {
changelogFile: 'CHANGELOG.md',
changelogTitle: '# Changelog',
}],
['@semantic-release/exec', {
prepareCmd: 'sh ./pre-commit_semantic-release.sh ${nextRelease.version}',
}],
['@semantic-release/git', {
assets: ['*.md', 'docs/*.rst', 'FORMULA'],
}],
'@semantic-release/github',
],
generateNotes: {
preset: 'angular',
writerOpts: {
// Required due to upstream bug preventing all types being displayed.
// Bug: https://github.com/conventional-changelog/conventional-changelog/issues/317
// Fix: https://github.com/conventional-changelog/conventional-changelog/pull/410
transform: (commit, context) => {
const issues = []
commit.notes.forEach(note => {
note.title = `BREAKING CHANGES`
})
// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
if (commit.type === `feat`) {
commit.type = `Features`
} else if (commit.type === `fix`) {
commit.type = `Bug Fixes`
} else if (commit.type === `perf`) {
commit.type = `Performance Improvements`
} else if (commit.type === `revert`) {
commit.type = `Reverts`
} else if (commit.type === `docs`) {
commit.type = `Documentation`
} else if (commit.type === `style`) {
commit.type = `Styles`
} else if (commit.type === `refactor`) {
commit.type = `Code Refactoring`
} else if (commit.type === `test`) {
commit.type = `Tests`
} else if (commit.type === `build`) {
commit.type = `Build System`
// } else if (commit.type === `chore`) {
// commit.type = `Maintenance`
} else if (commit.type === `ci`) {
commit.type = `Continuous Integration`
} else {
return
}
if (commit.scope === `*`) {
commit.scope = ``
}
if (typeof commit.hash === `string`) {
commit.hash = commit.hash.substring(0, 7)
}
if (typeof commit.subject === `string`) {
let url = context.repository
? `${context.host}/${context.owner}/${context.repository}`
: context.repoUrl
if (url) {
url = `${url}/issues/`
// Issue URLs.
commit.subject = commit.subject.replace(/#([0-9]+)/g, (_, issue) => {
issues.push(issue)
return `[#${issue}](${url}${issue})`
})
}
if (context.host) {
// User URLs.
commit.subject = commit.subject.replace(/\B@([a-z0-9](?:-?[a-z0-9/]){0,38})/g, (_, username) => {
if (username.includes('/')) {
return `@${username}`
}
return `[@${username}](${context.host}/${username})`
})
}
}
// remove references that already appear in the subject
commit.references = commit.references.filter(reference => {
if (issues.indexOf(reference.issue) === -1) {
return true
}
return false
})
return commit
},
},
},
};

View File

@ -0,0 +1,50 @@
# InSpec Profile: `default`
This shows the implementation of the `default` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
## Verify a profile
InSpec ships with built-in features to verify a profile structure.
```bash
$ inspec check default
Summary
-------
Location: default
Profile: profile
Controls: 4
Timestamp: 2019-06-24T23:09:01+00:00
Valid: true
Errors
------
Warnings
--------
```
## Execute a profile
To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
```bash
$ inspec exec default
..
Finished in 0.0025 seconds (files took 0.12449 seconds to load)
8 examples, 0 failures
```
## Execute a specific control from a profile
To run one control from the profile use `inspec exec /path/to/profile --controls name`.
```bash
$ inspec exec default --controls package
.
Finished in 0.0025 seconds (files took 0.12449 seconds to load)
1 examples, 0 failures
```
See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).

View File

@ -0,0 +1,17 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
name: default
title: openssh formula
maintainer: SaltStack Formulas
license: Apache-2.0
summary: Verify that the openssh formula is setup and configured correctly
supports:
- platform-name: debian
- platform-name: ubuntu
- platform-name: centos
- platform-name: fedora
- platform-name: opensuse
- platform-name: suse
- platform-name: freebsd
- platform-name: amazon

View File

@ -0,0 +1,395 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
sshd_config:
# This keyword is totally optional
ConfigBanner: |
# Alternative banner for the config file
# (Indented) hash signs lose their special meaning here
# and the lines will be written as-is.
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: 'sandbox'
SyslogFacility: AUTH
LogLevel: INFO
ClientAliveInterval: 0
ClientAliveCountMax: 3
LoginGraceTime: 120
PermitRootLogin: 'yes'
PasswordAuthentication: 'no'
StrictModes: 'yes'
MaxAuthTries: 6
MaxSessions: 10
PubkeyAuthentication: 'yes'
AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
AuthorizedKeysCommandUser: 'nobody'
IgnoreRhosts: 'yes'
HostbasedAuthentication: 'no'
PermitEmptyPasswords: 'no'
ChallengeResponseAuthentication: 'no'
AuthenticationMethods: 'publickey,keyboard-interactive'
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
X11Forwarding: 'no'
X11DisplayOffset: 10
PrintMotd: 'yes'
PrintLastLog: 'yes'
TCPKeepAlive: 'yes'
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: 'yes'
UseDNS: 'yes'
# set as string
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
# # or set as list
# AllowUsers:
# - vader@10.0.0.1
# - maul@evil.com
# - sidious
# - luke
# # set as string
# DenyUsers: 'yoda chewbaca@112.10.21.1'
# or set as list
DenyUsers:
- yoda
- chewbaca@112.10.21.1
# # set as string
# AllowGroups: 'wheel staff imperial'
# or set as list
AllowGroups:
- wheel
- staff
- imperial
# set as string
DenyGroups: 'rebel'
# # or set as list
# DenyGroups:
# - rebel
# - badcompany
matches:
sftp_chroot:
type:
Group: sftpusers
options:
ChrootDirectory: /sftp-chroot/%u
X11Forwarding: 'no'
AllowTcpForwarding: 'no'
ForceCommand: internal-sftp
# Supports complex compound matches in Match criteria. For example, be able
# to match against multiple Users for a given Match, or be able to match
# against address ranges. Or Groups. Or any combination thereof.
#
# Support for matching users can take one of several different appearances
# in pillar data:
match_1:
type:
User: one_user
options:
ChrootDirectory: /ex/%u
match_2:
type:
User:
- jim
- bob
- sally
options:
ChrootDirectory: /ex/%u
# Note the syntax of match_3. By using empty dicts for each user, we can
# leverage Salt's pillar mergine. If we use simple lists, we cannot do
# this; Salt can't merge simple lists, because it doesn't know what order
# they ought to be in.
match_3:
type:
User:
jim: ~
bob: ~
sally: ~
options:
ChrootDirectory: /ex/%u
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
# yamllint disable rule:line-length
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# yamllint enable rule:line-length
KexAlgorithms:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
Ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
- 'aes128-gcm@openssh.com'
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
- 'umac-128-etm@openssh.com'
- 'hmac-sha2-512'
- 'hmac-sha2-256'
- 'umac-128@openssh.com'
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
# pillar will overwrite the defaults of your distribution's SSH client. This
# will also force the default configuration for all the SSH clients on the
# machine. This can break SSH connections with servers using older versions of
# openssh. Please make sure you understand the implication of different settings
ssh_config:
Hosts:
'*':
StrictHostKeyChecking: 'no'
ForwardAgent: 'no'
ForwardX11: 'no'
RhostsRSAAuthentication: 'no'
RSAAuthentication: 'yes'
PasswordAuthentication: 'yes'
HostbasedAuthentication: 'no'
GSSAPIAuthentication: 'no'
GSSAPIDelegateCredentials: 'no'
BatchMode: 'yes'
CheckHostIP: 'yes'
AddressFamily: 'any'
ConnectTimeout: 0
IdentityFile: '~/.ssh/id_rsa'
Port: 22
Protocol: 2
Cipher: '3des'
Tunnel: 'no'
TunnelDevice: 'any:any'
PermitLocalCommand: 'no'
VisualHostKey: 'no'
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
# WARNING! Please make sure you understand the implications of the below
# settings. The examples provided below might break your connection to older /
# legacy openssh servers.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# yamllint disable rule:line-length
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# yamllint enable rule:line-length
KexAlgorithms:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
- 'diffie-hellman-group-exchange-sha1'
- 'diffie-hellman-group14-sha1'
Ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
- 'aes128-gcm@openssh.com'
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
- 'umac-128-etm@openssh.com'
- 'hmac-sha2-512'
- 'hmac-sha2-256'
- 'umac-128@openssh.com'
openssh:
# Instead of adding a custom banner file you can set it in pillar
banner_string: |
Welcome to {{ grains['id'] }}!
# Set installed package version
server_version: latest
client_version: latest
# Controls if SSHD should be enabled/started
sshd_enable: true
auth:
joe-valid-ssh-key-desktop:
- user: joe
present: true
enc: ssh-rsa
comment: main key - desktop
source: salt://ssh_keys/joe.desktop.pub
joe-valid-ssh-key-notebook:
- user: joe
present: true
enc: ssh-rsa
comment: main key - notebook
source: salt://ssh_keys/joe.netbook.pub
joe-non-valid-ssh-key:
- user: joe
present: false
enc: ssh-rsa
comment: obsolete key - removed
source: salt://ssh_keys/joe.no-valid.pub
# Maps users to source files
# Designed to play nice with ext_pillar
# salt.states.ssh_auth: If source is set, comment and enc will be ignored
auth_map:
personal_keys: # store name
source: salt://ssh_keys
users:
joe:
joe.desktop: {}
joe.netbook:
options: [] # see salt.states.ssh_auth.present
joe.no-valid:
present: false
generate_dsa_keys: false
absent_dsa_keys: false
provide_dsa_keys: false
dsa:
private_key: |
-----BEGIN DSA PRIVATE KEY-----
NOT_DEFINED
-----END DSA PRIVATE KEY-----
public_key: |
ssh-dss NOT_DEFINED
generate_ecdsa_keys: false
absent_ecdsa_keys: false
provide_ecdsa_keys: false
ecdsa:
private_key: |
-----BEGIN EC PRIVATE KEY-----
NOT_DEFINED
-----END EC PRIVATE KEY-----
public_key: |
ecdsa-sha2-nistp256 NOT_DEFINED
generate_rsa_keys: false
generate_rsa_size: 4096
# Will remove the old key if it is to short and generate a new one.
enforce_rsa_size: false
absent_rsa_keys: false
provide_rsa_keys: false
rsa:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
NOT_DEFINED
-----END RSA PRIVATE KEY-----
public_key: |
ssh-rsa NOT_DEFINED
generate_ed25519_keys: false
absent_ed25519_keys: false
provide_ed25519_keys: false
ed25519:
private_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
NOT_DEFINED
-----END OPENSSH PRIVATE KEY-----
public_key: |
ssh-ed25519 NOT_DEFINED
known_hosts:
# The next 2 settings restrict the set of minions that will be added in
# the generated ssh_known_hosts files (the default is to match all minions)
target: '*'
tgt_type: 'glob'
# Name of mining functions used to gather public keys and hostnames
# (the default values are shown here)
mine_keys_function: public_ssh_host_keys
mine_hostname_function: public_ssh_hostname
# List of DNS entries also pointing to our managed machines and that we want
# to inject in our generated ssh_known_hosts file
aliases:
- cname-to-minion.example.org
- alias.example.org
# Includes short hostnames derived from the FQDN
# (host.example.test -> host)
# (Deactivated by default, because there can be collisions!)
hostnames: false
# hostnames:
# Restrict wich hosts you want to use via their hostname
# (i.e. ssh user@host instead of ssh user@host.example.com)
# target: '*' # Defaults to "*.{{ grains['domain']}}"
# tgt_type: 'glob'
# To activate the defaults you can just set an empty dict.
# hostnames: {}
# Include localhost, 127.0.0.1 and ::1 (default: false)
include_localhost: false
# Host keys fetched via salt-ssh
salt_ssh:
# The salt-ssh user
user: salt-master
# specify public host names of a minion
public_ssh_host_names:
minion.id:
- minion.id
- alias.of.minion.id
# specify public host keys of a minion
public_ssh_host_keys:
minion.id: |
ssh-rsa [...]
ssh-ed25519 [...]
# Here you can list keys for hosts which are not among your minions:
static:
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
# specify DH parameters (see /etc/ssh/moduli)
# yamllint disable rule:line-length
moduli: |
# Time Type Tests Tries Size Generator Modulus
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
# yamllint enable rule:line-length
# ALTERNATIVELY, specify the location of the moduli file. Examples:
# moduli_source: http://some.server.somewhere/salt/moduli
# moduli_source: salt://files/ssh/moduli
# If moduli is specified, moduli_source will be ignored.
# Also, a proper hash file *must* be included in the same path. E.g.:
# http://some.server.somewhere/salt/moduli.hash
# salt://files/ssh/moduli.hash
# These will be automatically referenced to by the ssh_moduli state.
# Required for openssh.known_hosts
mine_functions:
public_ssh_host_keys:
mine_function: cmd.run
cmd: cat /etc/ssh/ssh_host_*_key.pub
python_shell: true
public_ssh_hostname:
mine_function: grains.get
key: id
tofs:
# The files_switch key serves as a selector for alternative
# directories under the formula files directory. See TOFS pattern
# doc for more info.
# Note: Any value not evaluated by `config.get` will be used literally.
# This can be used to set custom paths, as many levels deep as required.
# files_switch:
# - any/path/can/be/used/here
# - id
# - role
# - osfinger
# - os
# - os_family
# All aspects of path/file resolution are customisable using the options below.
# This is unnecessary in most cases; there are sensible defaults.
# path_prefix: template_alt
# dirs:
# files: files_alt
# default: default_alt
source_files:
manage ssh_known_hosts file:
- alt_ssh_known_hosts
sshd_config:
- alt_sshd_config
ssh_config:
- alt_ssh_config
sshd_banner:
- fire_banner