From a47596f15af5e146d69e4f6b09530c88b6f44008 Mon Sep 17 00:00:00 2001 From: nb Date: Tue, 25 Jun 2019 15:31:34 +1100 Subject: [PATCH 1/2] feat(TOFS): ssh sshd configs known_host and banner --- docs/TOFS_pattern.rst | 443 ++++++++++++++++++++ openssh/banner.sls | 17 +- openssh/config.sls | 19 +- openssh/defaults.yaml | 6 +- openssh/files/{ => default}/banner | 0 openssh/files/{ => default}/fire_banner | 0 openssh/files/{ => default}/ssh_config | 0 openssh/files/{ => default}/ssh_known_hosts | 0 openssh/files/{ => default}/sshd_config | 0 openssh/known_hosts.sls | 8 +- openssh/libtofs.jinja | 101 +++++ pillar.example | 34 ++ 12 files changed, 615 insertions(+), 13 deletions(-) create mode 100644 docs/TOFS_pattern.rst rename openssh/files/{ => default}/banner (100%) rename openssh/files/{ => default}/fire_banner (100%) rename openssh/files/{ => default}/ssh_config (100%) rename openssh/files/{ => default}/ssh_known_hosts (100%) rename openssh/files/{ => default}/sshd_config (100%) create mode 100644 openssh/libtofs.jinja diff --git a/docs/TOFS_pattern.rst b/docs/TOFS_pattern.rst new file mode 100644 index 0000000..13c01e9 --- /dev/null +++ b/docs/TOFS_pattern.rst @@ -0,0 +1,443 @@ +.. _tofs_pattern: + +TOFS: A pattern for using SaltStack +=================================== + +.. list-table:: + :name: tofs-authors + :header-rows: 1 + :stub-columns: 1 + :widths: 2,2,3,2 + + * - + - Person + - Contact + - Date + * - Authored by + - Roberto Moreda + - moreda@allenta.com + - 29/12/2014 + * - Modified by + - Daniel Dehennin + - daniel.dehennin@baby-gnu.org + - 07/02/2019 + * - Modified by + - Imran Iqbal + - https://github.com/myii + - 23/02/2019 + +All that follows is a proposal based on my experience with `SaltStack `_. The good thing of a piece of software like this is that you can "bend it" to suit your needs in many possible ways, and this is one of them. All the recommendations and thoughts are given "as it is" with no warranty of any type. + +.. contents:: **Table of Contents** + +Usage of values in pillar vs templates in ``file_roots`` +-------------------------------------------------------- + +Among other functions, the *master* (or *salt-master*) serves files to the *minions* (or *salt-minions*). The `file_roots `_ is the list of directories used in sequence to find a file when a minion requires it: the first match is served to the minion. Those files could be `state files `_ or configuration templates, among others. + +Using SaltStack is a simple and effective way to implement configuration management, but even in a `non-multitenant `_ scenario, it is not a good idea to generally access some data (e.g. the database password in our `Zabbix `_ server configuration file or the private key of our `Nginx `_ TLS certificate). + +To avoid this situation we can use the `pillar mechanism `_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja `_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. + +There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas `_' repositories. `Some `_ `developments `_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja `_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. + +In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. + +On the reusability of SaltStack state files +------------------------------------------- + +There is a brilliant initiative of the SaltStack community called `salt-formulas `_. Their goal is to provide state files, pillar examples and configuration templates ready to be used for provisioning. I am a contributor for two small ones: `zabbix-formula `_ and `varnish-formula `_. + +The `design guidelines `_ for formulas are clear in many aspects and it is a recommended reading for anyone willing to write state files, even non-formulaic ones. + +In the next section, I am going to describe my proposal to extend further the reusability of formulas, suggesting some patterns of usage. + +The Template Override and Files Switch (TOFS) pattern +----------------------------------------------------- + +I understand a formula as a **complete, independent set of SaltStack state and configuration template files sufficient to configure a system**. A system could be something as simple as an NTP server or some other much more complex service that requires many state and configuration template files. + +The customization of a formula should be done mainly by providing pillar data used later to render either the state or the configuration template files. + +Example: NTP before applying TOFS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Let's work with the NTP example. A basic formula that follows the `design guidelines `_ has the following files and directories tree: + +.. code-block:: + + /srv/saltstack/salt-formulas/ntp-saltstack-formula/ + ntp/ + map.jinja + init.sls + conf.sls + files/ + default/ + etc/ + ntp.conf.jinja + +In order to use it, let's assume a `masterless configuration `_ and this relevant section of ``/etc/salt/minion``: + +.. code-block:: yaml + + pillar_roots: + base: + - /srv/saltstack/pillar + file_client: local + file_roots: + base: + - /srv/saltstack/salt + - /srv/saltstack/salt-formulas/ntp-saltstack-formula + +.. code-block:: jinja + + {#- /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/map.jinja #} + {%- set ntp = salt['grains.filter_by']({ + 'default': { + 'pkg': 'ntp', + 'service': 'ntp', + 'config': '/etc/ntp.conf', + }, + }, merge=salt['pillar.get']('ntp:lookup')) %} + +In ``init.sls`` we have the minimal states required to have NTP configured. In many cases ``init.sls`` is almost equivalent to an ``apt-get install`` or a ``yum install`` of the package. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/init.sls + {%- from 'ntp/map.jinja' import ntp with context %} + + Install NTP: + pkg.installed: + - name: {{ ntp.pkg }} + + Enable and start NTP: + service.running: + - name: {{ ntp.service }} + - enabled: True + - require: + - pkg: Install NTP package + +In ``conf.sls`` we have the configuration states. In most cases, that is just managing configuration file templates and making them to be watched by the service. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- from 'ntp/map.jinja' import ntp with context %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: salt://ntp/files/default/etc/ntp.conf.jinja + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + +Under ``files/default``, there is a structure that mimics the one in the minion in order to avoid clashes and confusion on where to put the needed templates. There you can find a mostly standard template for the configuration file. + +.. code-block:: jinja + + {#- /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/files/default/etc/ntp.conf.jinja #} + {#- Managed by saltstack #} + {#- Edit pillars or override this template in saltstack if you need customization #} + {%- set settings = salt['pillar.get']('ntp', {}) %} + {%- set default_servers = ['0.ubuntu.pool.ntp.org', + '1.ubuntu.pool.ntp.org', + '2.ubuntu.pool.ntp.org', + '3.ubuntu.pool.ntp.org'] %} + + driftfile /var/lib/ntp/ntp.drift + statistics loopstats peerstats clockstats + filegen loopstats file loopstats type day enable + filegen peerstats file peerstats type day enable + filegen clockstats file clockstats type day enable + + {%- for server in settings.get('servers', default_servers) %} + server {{ server }} + {%- endfor %} + + restrict -4 default kod notrap nomodify nopeer noquery + restrict -6 default kod notrap nomodify nopeer noquery + + restrict 127.0.0.1 + restrict ::1 + +With all this, it is easy to install and configure a simple NTP server by just running ``salt-call state.sls ntp.conf``: the package will be installed, the service will be running and the configuration should be correct for most of cases, even without pillar data. + +Alternatively, you can define a highstate in ``/srv/saltstack/salt/top.sls`` and run ``salt-call state.highstate``. + +.. code-block:: sls + + ## /srv/saltstack/salt/top.sls + base: + '*': + - ntp.conf + +**Customizing the formula just with pillar data**, we have the option to define the NTP servers. + +.. code-block:: sls + + ## /srv/saltstack/pillar/top.sls + base: + '*': + - ntp + +.. code-block:: sls + + ## /srv/saltstack/pillar/ntp.sls + ntp: + servers: + - 0.ch.pool.ntp.org + - 1.ch.pool.ntp.org + - 2.ch.pool.ntp.org + - 3.ch.pool.ntp.org + +Template Override +^^^^^^^^^^^^^^^^^ + +If the customization based on pillar data is not enough, we can override the template by creating a new one in ``/srv/saltstack/salt/ntp/files/default/etc/ntp.conf.jinja`` + +.. code-block:: jinja + + {#- /srv/saltstack/salt/ntp/files/default/etc/ntp.conf.jinja #} + {#- Managed by saltstack #} + {#- Edit pillars or override this template in saltstack if you need customization #} + + {#- Some bizarre configurations here #} + {#- ... #} + + {%- for server in settings.get('servers', default_servers) %} + server {{ server }} + {%- endfor %} + +This way we are locally **overriding the template files** offered by the formula in order to make a more complex adaptation. Of course, this could be applied as well to any of the files, including the state files. + +Files Switch +^^^^^^^^^^^^ + +To bring some order into the set of template files included in a formula, as we commented, we suggest having a similar structure to a normal final file system under ``files/default``. + +We can make different templates coexist for different minions, classified by any `grain `_ value, by simply creating new directories under ``files``. This mechanism is based on **using values of some grains as a switch for the directories under** ``files/``. + +If we decide that we want ``os_family`` as switch, then we could provide the formula template variants for both the ``RedHat`` and ``Debian`` families. + +.. code-block:: + + /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/files/ + default/ + etc/ + ntp.conf.jinja + RedHat/ + etc/ + ntp.conf.jinja + Debian/ + etc/ + ntp.conf.jinja + +To make this work we need a ``conf.sls`` state file that takes a list of possible files as the configuration template. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- from 'ntp/map.jinja' import ntp with context %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: + - salt://ntp/files/{{ grains.get('os_family', 'default') }}/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + +If we want to cover the possibility of a special template for a minion identified by ``node01`` then we could have a specific template in ``/srv/saltstack/salt/ntp/files/node01/etc/ntp.conf.jinja``. + +.. code-block:: jinja + + {#- /srv/saltstack/salt/ntp/files/node01/etc/ntp.conf.jinja #} + {#- Managed by saltstack #} + {#- Edit pillars or override this template in saltstack if you need customization #} + + {#- Some crazy configurations here for node01 #} + {#- ... #} + +To make this work we could write a specially crafted ``conf.sls``. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- from 'ntp/map.jinja' import ntp with context %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: + - salt://ntp/files/{{ grains.get('id') }}/etc/ntp.conf.jinja + - salt://ntp/files/{{ grains.get('os_family') }}/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + +Using the ``files_switch`` macro +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +We can simplify the ``conf.sls`` with the new ``files_switch`` macro to use in the ``source`` parameter for the ``file.managed`` state. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- set tplroot = tpldir.split('/')[0] %} + {%- from 'ntp/map.jinja' import ntp with context %} + {%- from 'ntp/libtofs.jinja' import files_switch %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: {{ files_switch(['/etc/ntp.conf.jinja'], + lookup='Configure NTP' + ) + }} + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + + +* This uses ``config.get``, searching for ``ntp:tofs:source_files:Configure NTP`` to determine the list of template files to use. +* If this does not yield any results, the default of ``['/etc/ntp.conf.jinja']`` will be used. + +In ``libtofs.jinja``, we define this new macro ``files_switch``. + +.. literalinclude:: ../template/libtofs.jinja + :caption: /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/libtofs.jinja + :language: jinja + +How to customise the ``source`` further +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The examples below are based on an ``Ubuntu`` minion called ``theminion`` being configured via. pillar. + +Using the default settings of the ``files_switch`` macro above, +the ``source`` will be: + +.. code-block:: sls + + - source: + - salt://ntp/files/theminion/etc/ntp.conf.jinja + - salt://ntp/files/Debian/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + +Customise ``files`` +~~~~~~~~~~~~~~~~~~~ + +The ``files`` portion can be customised: + +.. code-block:: sls + + ntp: + tofs: + dirs: + files: files_alt + +Resulting in: + +.. code-block:: sls + + - source: + - salt://ntp/files_alt/theminion/etc/ntp.conf.jinja + - salt://ntp/files_alt/Debian/etc/ntp.conf.jinja + - salt://ntp/files_alt/default/etc/ntp.conf.jinja + +Customise the use of grains +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Grains can be customised and even arbitrary paths can be supplied: + +.. code-block:: sls + + ntp: + tofs: + files_switch: + - any/path/can/be/used/here + - id + - os + - os_family + +Resulting in: + +.. code-block:: sls + + - source: + - salt://ntp/files/any/path/can/be/used/here/etc/ntp.conf.jinja + - salt://ntp/files/theminion/etc/ntp.conf.jinja + - salt://ntp/files/Ubuntu/etc/ntp.conf.jinja + - salt://ntp/files/Debian/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + +Customise the ``default`` path +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The ``default`` portion of the path can be customised: + +.. code-block:: sls + + ntp: + tofs: + dirs: + default: default_alt + +Resulting in: + +.. code-block:: sls + + - source: + ... + - salt://ntp/files/default_alt/etc/ntp.conf.jinja + +Customise the list of ``source_files`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The list of ``source_files`` can be given: + +.. code-block:: sls + + ntp: + tofs: + source_files: + Configure NTP: + - '/etc/ntp.conf.jinja' + - '/etc/ntp.conf_alt.jinja' + +Resulting in: + +.. code-block:: sls + + - source: + - salt://ntp/files/theminion/etc/ntp.conf.jinja + - salt://ntp/files/theminion/etc/ntp.conf_alt.jinja + - salt://ntp/files/Debian/etc/ntp.conf.jinja + - salt://ntp/files/Debian/etc/ntp.conf_alt.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf_alt.jinja + diff --git a/openssh/banner.sls b/openssh/banner.sls index bc167d2..c69ecdb 100644 --- a/openssh/banner.sls +++ b/openssh/banner.sls @@ -1,4 +1,6 @@ -{% from "openssh/map.jinja" import openssh with context %} +{% set tplroot = tpldir.split('/')[0] %} +{% from tplroot ~ "/map.jinja" import openssh with context %} +{% from tplroot ~ "/libtofs.jinja" import files_switch %} include: - openssh @@ -6,9 +8,14 @@ include: sshd_banner: file.managed: - name: {{ openssh.banner }} - {% if openssh.banner_string is defined %} +{% if openssh.banner_string is defined %} - contents: {{ openssh.banner_string | yaml }} - {% else %} - - source: {{ openssh.banner_src }} +{% else %} + # Preserve backward compatibility + - source: {{ openssh.banner_src + if '://' in openssh.banner_src + else files_switch( [openssh.banner_src], + 'sshd_banner_file_managed' + ) }} - template: jinja - {% endif %} +{% endif %} diff --git a/openssh/config.sls b/openssh/config.sls index 8a725d0..d9d5b83 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -1,4 +1,7 @@ -{% from "openssh/map.jinja" import openssh, ssh_config, sshd_config with context %} +{% set tplroot = tpldir.split('/')[0] %} +{% from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %} +{% from tplroot ~ "/libtofs.jinja" import files_switch %} + include: - openssh @@ -7,7 +10,12 @@ include: sshd_config: file.managed: - name: {{ openssh.sshd_config }} - - source: {{ openssh.sshd_config_src }} + # Preserve backward compatibility + - source: {{ openssh.sshd_config_src + if '://' in openssh.sshd_config_src + else files_switch( [openssh.sshd_config_src], + 'sshd_config_file_managed' + ) }} - template: jinja - user: {{ openssh.sshd_config_user }} - group: {{ openssh.sshd_config_group }} @@ -24,7 +32,12 @@ sshd_config: ssh_config: file.managed: - name: {{ openssh.ssh_config }} - - source: {{ openssh.ssh_config_src }} + # Preserve backward compatibility + - source: {{ openssh.ssh_config_src + if '://' in openssh.ssh_config_src + else files_switch( [openssh.ssh_config_src], + 'ssh_config_file_managed' + ) }} - template: jinja - user: {{ openssh.ssh_config_user }} - group: {{ openssh.ssh_config_group }} diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml index 4a98490..b24daeb 100644 --- a/openssh/defaults.yaml +++ b/openssh/defaults.yaml @@ -3,19 +3,19 @@ default: sshd_enable: True sshd_binary: /usr/sbin/sshd sshd_config: /etc/ssh/sshd_config - sshd_config_src: salt://openssh/files/sshd_config + sshd_config_src: sshd_config # Default TOFS source filename sshd_config_user: root sshd_config_group: root sshd_config_mode: '644' sshd_config_backup: True ssh_config: /etc/ssh/ssh_config - ssh_config_src: salt://openssh/files/ssh_config + ssh_config_src: ssh_config # Default TOFS source filename ssh_config_user: root ssh_config_group: root ssh_config_mode: '644' ssh_config_backup: True banner: /etc/ssh/banner - banner_src: salt://openssh/files/banner + banner_src: banner # Default TOFS source filename ssh_known_hosts: /etc/ssh/ssh_known_hosts dig_pkg: dnsutils ssh_moduli: /etc/ssh/moduli diff --git a/openssh/files/banner b/openssh/files/default/banner similarity index 100% rename from openssh/files/banner rename to openssh/files/default/banner diff --git a/openssh/files/fire_banner b/openssh/files/default/fire_banner similarity index 100% rename from openssh/files/fire_banner rename to openssh/files/default/fire_banner diff --git a/openssh/files/ssh_config b/openssh/files/default/ssh_config similarity index 100% rename from openssh/files/ssh_config rename to openssh/files/default/ssh_config diff --git a/openssh/files/ssh_known_hosts b/openssh/files/default/ssh_known_hosts similarity index 100% rename from openssh/files/ssh_known_hosts rename to openssh/files/default/ssh_known_hosts diff --git a/openssh/files/sshd_config b/openssh/files/default/sshd_config similarity index 100% rename from openssh/files/sshd_config rename to openssh/files/default/sshd_config diff --git a/openssh/known_hosts.sls b/openssh/known_hosts.sls index cb12a42..d19e043 100644 --- a/openssh/known_hosts.sls +++ b/openssh/known_hosts.sls @@ -1,4 +1,6 @@ -{% from "openssh/map.jinja" import openssh with context %} +{% set tplroot = tpldir.split('/')[0] %} +{% from tplroot ~ "/map.jinja" import openssh with context %} +{% from tplroot ~ "/libtofs.jinja" import files_switch %} ensure dig is available: pkg.installed: @@ -8,7 +10,9 @@ ensure dig is available: manage ssh_known_hosts file: file.managed: - name: {{ openssh.ssh_known_hosts }} - - source: salt://openssh/files/ssh_known_hosts + - source: {{ files_switch( ['ssh_known_hosts'], + 'ssh_known_hosts_file_managed' + ) }} - template: jinja - user: root - group: {{ openssh.ssh_config_group }} diff --git a/openssh/libtofs.jinja b/openssh/libtofs.jinja new file mode 100644 index 0000000..da656a5 --- /dev/null +++ b/openssh/libtofs.jinja @@ -0,0 +1,101 @@ +{%- macro files_switch(source_files, + lookup=None, + default_files_switch=['id', 'os_family'], + indent_width=6, + v1_path_prefix='') %} + {#- + Returns a valid value for the "source" parameter of a "file.managed" + state function. This makes easier the usage of the Template Override and + Files Switch (TOFS) pattern. + + Params: + * source_files: ordered list of files to look for + * lookup: key under ':tofs:source_files' to override + list of source files + * default_files_switch: if there's no config (e.g. pillar) + ':tofs:files_switch' this is the ordered list of grains to + use as selector switch of the directories under + "/files" + * indent_witdh: indentation of the result value to conform to YAML + * v1_path_prefix: (deprecated) only used for injecting a path prefix into + the source, to support older TOFS configs + + Example (based on a `tplroot` of `xxx`): + + If we have a state: + + Deploy configuration: + file.managed: + - name: /etc/yyy/zzz.conf + - source: {{ files_switch(['/etc/yyy/zzz.conf', '/etc/yyy/zzz.conf.jinja'], + lookup='Deploy configuration' + ) }} + - template: jinja + + In a minion with id=theminion and os_family=RedHat, it's going to be + rendered as: + + Deploy configuration: + file.managed: + - name: /etc/yyy/zzz.conf + - source: + - salt://xxx/files/theminion/etc/yyy/zzz.conf + - salt://xxx/files/theminion/etc/yyy/zzz.conf.jinja + - salt://xxx/files/RedHat/etc/yyy/zzz.conf + - salt://xxx/files/RedHat/etc/yyy/zzz.conf.jinja + - salt://xxx/files/default/etc/yyy/zzz.conf + - salt://xxx/files/default/etc/yyy/zzz.conf.jinja + - template: jinja + #} + {#- Get the `tplroot` from `tpldir` #} + {%- set tplroot = tpldir.split('/')[0] %} + {%- set path_prefix = salt['config.get'](tplroot ~ ':tofs:path_prefix', tplroot) %} + {%- set files_dir = salt['config.get'](tplroot ~ ':tofs:dirs:files', 'files') %} + {%- set files_switch_list = salt['config.get']( + tplroot ~ ':tofs:files_switch', + default_files_switch + ) %} + {#- Lookup source_files (v2), files (v1), or fallback to source_files parameter #} + {%- set src_files = salt['config.get']( + tplroot ~ ':tofs:source_files:' ~ lookup, + salt['config.get']( + tplroot ~ ':tofs:files:' ~ lookup, + source_files + ) + ) %} + {#- Only add to [''] when supporting older TOFS implementations #} + {%- set path_prefix_exts = [''] %} + {%- if v1_path_prefix != '' %} + {%- do path_prefix_exts.append(v1_path_prefix) %} + {%- endif %} + {%- for path_prefix_ext in path_prefix_exts %} + {%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %} + {#- For older TOFS implementation, use `files_switch` from the config #} + {#- Use the default, new method otherwise #} + {%- set fsl = salt['config.get']( + tplroot ~ path_prefix_ext|replace('/', ':') ~ ':files_switch', + files_switch_list + ) %} + {#- Append an empty value to evaluate as `default` in the loop below #} + {%- if '' not in fsl %} + {%- do fsl.append('') %} + {%- endif %} + {%- for fs in fsl %} + {%- for src_file in src_files %} + {%- if fs %} + {%- set fs_dir = salt['config.get'](fs, fs) %} + {%- else %} + {%- set fs_dir = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %} + {%- endif %} + {%- set url = [ + '- salt:/', + path_prefix_inc_ext.strip('/'), + files_dir.strip('/'), + fs_dir.strip('/'), + src_file.strip('/'), + ] | select | join('/') %} +{{ url | indent(indent_width, true) }} + {%- endfor %} + {%- endfor %} + {%- endfor %} +{%- endmacro %} diff --git a/pillar.example b/pillar.example index fb09fa2..e19e95f 100644 --- a/pillar.example +++ b/pillar.example @@ -194,6 +194,10 @@ ssh_config: openssh: + # Banner file can be retrieved either by TOFS or by url + banner_src: banner_fire + # banner_src: salt://ssh/files/banner_src # <- old style + # Instead of adding a custom banner file you can set it in pillar banner_string: | Welcome to {{ grains['id'] }}! @@ -329,6 +333,7 @@ openssh: static: github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' + # The template of ssh_know_host file can be overriden thanks to TOFS # specify DH parameters (see /etc/ssh/moduli) moduli: | @@ -355,3 +360,32 @@ mine_functions: public_ssh_hostname: mine_function: grains.get key: id + + tofs: + # The files_switch key serves as a selector for alternative + # directories under the formula files directory. See TOFS pattern + # doc for more info. + # Note: Any value not evaluated by `config.get` will be used literally. + # This can be used to set custom paths, as many levels deep as required. + # files_switch: + # - any/path/can/be/used/here + # - id + # - role + # - osfinger + # - os + # - os_family + # All aspects of path/file resolution are customisable using the options below. + # This is unnecessary in most cases; there are sensible defaults. + # path_prefix: template_alt + # dirs: + # files: files_alt + # default: default_alt + source_files: + ssh_known_hosts_file_managed: + - alt_known_hosts + sshd_config_file_managed: + - alt_sshd_config + ssh_config_file_managed: + - alt_ssh_config + sshd_banner_file_managed: + - alt_banner_src \ No newline at end of file From f6dbca33524c38667f20fdc99a3c51498e79cb1a Mon Sep 17 00:00:00 2001 From: Imran Iqbal Date: Thu, 4 Jul 2019 00:07:34 +0100 Subject: [PATCH 2/2] fix: complete PR #164 * Use consistent Jinja whitespace control `{%- ... -}` * Improve debug output (comments & whitespace control) * Use exact state names with TOFS `files_switch` * Add `ssh_known_hosts_src` to `defaults` (for consistency) * Restrict `pillar.example` changes to TOFS only * Use `fire_banner` in `pillar.example` to indicate available template --- openssh/banner.sls | 19 +++++++++---------- openssh/config.sls | 30 ++++++++++++++---------------- openssh/defaults.yaml | 1 + openssh/known_hosts.sls | 10 +++++----- pillar.example | 17 ++++++----------- 5 files changed, 35 insertions(+), 42 deletions(-) diff --git a/openssh/banner.sls b/openssh/banner.sls index c69ecdb..d173970 100644 --- a/openssh/banner.sls +++ b/openssh/banner.sls @@ -1,6 +1,6 @@ -{% set tplroot = tpldir.split('/')[0] %} -{% from tplroot ~ "/map.jinja" import openssh with context %} -{% from tplroot ~ "/libtofs.jinja" import files_switch %} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import openssh with context %} +{%- from tplroot ~ "/libtofs.jinja" import files_switch %} include: - openssh @@ -8,14 +8,13 @@ include: sshd_banner: file.managed: - name: {{ openssh.banner }} -{% if openssh.banner_string is defined %} + {%- if openssh.banner_string is defined %} - contents: {{ openssh.banner_string | yaml }} -{% else %} - # Preserve backward compatibility - - source: {{ openssh.banner_src - if '://' in openssh.banner_src + {%- else %} + {#- Preserve backward compatibility using the `if` below #} + - source: {{ openssh.banner_src if '://' in openssh.banner_src else files_switch( [openssh.banner_src], - 'sshd_banner_file_managed' + 'sshd_banner' ) }} - template: jinja -{% endif %} + {%- endif %} diff --git a/openssh/config.sls b/openssh/config.sls index d9d5b83..dde58a2 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -1,20 +1,19 @@ -{% set tplroot = tpldir.split('/')[0] %} -{% from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %} -{% from tplroot ~ "/libtofs.jinja" import files_switch %} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %} +{%- from tplroot ~ "/libtofs.jinja" import files_switch %} include: - openssh -{% if sshd_config %} +{%- if sshd_config %} sshd_config: file.managed: - name: {{ openssh.sshd_config }} - # Preserve backward compatibility - - source: {{ openssh.sshd_config_src - if '://' in openssh.sshd_config_src + {#- Preserve backward compatibility using the `if` below #} + - source: {{ openssh.sshd_config_src if '://' in openssh.sshd_config_src else files_switch( [openssh.sshd_config_src], - 'sshd_config_file_managed' + 'sshd_config' ) }} - template: jinja - user: {{ openssh.sshd_config_user }} @@ -26,17 +25,16 @@ sshd_config: {%- endif %} - watch_in: - service: {{ openssh.service }} -{% endif %} +{%- endif %} -{% if ssh_config %} +{%- if ssh_config %} ssh_config: file.managed: - name: {{ openssh.ssh_config }} - # Preserve backward compatibility - - source: {{ openssh.ssh_config_src - if '://' in openssh.ssh_config_src + {#- Preserve backward compatibility using the `if` below #} + - source: {{ openssh.ssh_config_src if '://' in openssh.ssh_config_src else files_switch( [openssh.ssh_config_src], - 'ssh_config_file_managed' + 'ssh_config' ) }} - template: jinja - user: {{ openssh.ssh_config_user }} @@ -45,7 +43,7 @@ ssh_config: {%- if openssh.ssh_config_backup %} - backup: minion {%- endif %} -{% endif %} +{%- endif %} {%- for keyType in openssh['host_key_algos'].split(',') %} {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %} @@ -134,4 +132,4 @@ ssh_host_{{ keyType }}_key.pub: - file: sshd_config - watch_in: - service: {{ openssh.service }} -{% endif %} +{%- endif %} diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml index b24daeb..02563e1 100644 --- a/openssh/defaults.yaml +++ b/openssh/defaults.yaml @@ -17,6 +17,7 @@ default: banner: /etc/ssh/banner banner_src: banner # Default TOFS source filename ssh_known_hosts: /etc/ssh/ssh_known_hosts + ssh_known_hosts_src: ssh_known_hosts # Default TOFS source filename dig_pkg: dnsutils ssh_moduli: /etc/ssh/moduli root_group: root diff --git a/openssh/known_hosts.sls b/openssh/known_hosts.sls index d19e043..fdc02c5 100644 --- a/openssh/known_hosts.sls +++ b/openssh/known_hosts.sls @@ -1,6 +1,6 @@ -{% set tplroot = tpldir.split('/')[0] %} -{% from tplroot ~ "/map.jinja" import openssh with context %} -{% from tplroot ~ "/libtofs.jinja" import files_switch %} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import openssh with context %} +{%- from tplroot ~ "/libtofs.jinja" import files_switch %} ensure dig is available: pkg.installed: @@ -10,8 +10,8 @@ ensure dig is available: manage ssh_known_hosts file: file.managed: - name: {{ openssh.ssh_known_hosts }} - - source: {{ files_switch( ['ssh_known_hosts'], - 'ssh_known_hosts_file_managed' + - source: {{ files_switch( [openssh.ssh_known_hosts_src], + 'manage ssh_known_hosts file' ) }} - template: jinja - user: root diff --git a/pillar.example b/pillar.example index e19e95f..65fea10 100644 --- a/pillar.example +++ b/pillar.example @@ -194,10 +194,6 @@ ssh_config: openssh: - # Banner file can be retrieved either by TOFS or by url - banner_src: banner_fire - # banner_src: salt://ssh/files/banner_src # <- old style - # Instead of adding a custom banner file you can set it in pillar banner_string: | Welcome to {{ grains['id'] }}! @@ -333,7 +329,6 @@ openssh: static: github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' - # The template of ssh_know_host file can be overriden thanks to TOFS # specify DH parameters (see /etc/ssh/moduli) moduli: | @@ -381,11 +376,11 @@ mine_functions: # files: files_alt # default: default_alt source_files: - ssh_known_hosts_file_managed: - - alt_known_hosts - sshd_config_file_managed: + manage ssh_known_hosts file: + - alt_ssh_known_hosts + sshd_config: - alt_sshd_config - ssh_config_file_managed: + ssh_config: - alt_ssh_config - sshd_banner_file_managed: - - alt_banner_src \ No newline at end of file + sshd_banner: + - fire_banner