From 54dde36e53fbe4e1d81604d66beb6b011b3d6b57 Mon Sep 17 00:00:00 2001 From: Alexander Weidinger Date: Tue, 12 Feb 2019 14:22:14 +0100 Subject: [PATCH 1/5] split map.jinja according to template-formula --- openssh/map.jinja | 137 +++++++-------------------------------- openssh/osfamilymap.yaml | 68 +++++++++++++++++++ openssh/osfingermap.yaml | 1 + openssh/osmap.yaml | 1 + 4 files changed, 93 insertions(+), 114 deletions(-) create mode 100644 openssh/osfamilymap.yaml create mode 100644 openssh/osfingermap.yaml create mode 100644 openssh/osmap.yaml diff --git a/openssh/map.jinja b/openssh/map.jinja index c6a0ae4..29005a9 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja 
@@ -1,120 +1,29 @@ -{## Start with defaults from defaults.yaml ##} -{% import_yaml "openssh/defaults.yaml" as default_settings %} +# -*- coding: utf-8 -*- +# vim: ft=jinja -{## -Setup variable using grains['os_family'] based logic, only add key:values here -that differ from whats in defaults.yaml -##} -{% set os_family_map = salt['grains.filter_by']({ - 'Arch': { - 'server': 'openssh', - 'client': 'openssh', - 'service': 'sshd', - 'dig_pkg': 'bind-tools', - }, - 'Debian': { - 'server': 'openssh-server', - 'client': 'openssh-client', - 'service': 'ssh', - }, - 'FreeBSD': { - 'service': 'sshd', - 'dig_pkg': 'bind-tools', - 'sshd_config_group': 'wheel', - 'ssh_config_group': 'wheel', - }, - 'OpenBSD': { - 'service': 'sshd', - 'sshd_config_group': 'wheel', - 'ssh_config_group': 'wheel', - }, - 'Gentoo': { - 'server': 'net-misc/openssh', - 'client': 'net-misc/openssh', - 'service': 'sshd', - 'dig_pkg': 'net-dns/bind-tools', - }, - 'RedHat': { - 'server': 'openssh-server', - 'client': 'openssh-clients', - 'service': 'sshd', - 'dig_pkg': 'bind-utils', - }, - 'Suse': { - 'server': 'openssh', - 'client': 'openssh', - 'service': 'sshd', - 'dig_pkg': 'bind-utils', - }, - 'Solaris': { - 'service': 'network/ssh', - 'sshd_config_group': 'root', - 'ssh_config_group': 'root', - 'dig_pkg': 'bind', - 'sshd_binary': '/usr/lib/ssh/sshd', - }, - } - , grain="os_family" - , merge=salt['pillar.get']('openssh:lookup')) -%} +{## Start imports as ##} +{% import_yaml 'openssh/defaults.yaml' as defaults %} +{% import_yaml 'openssh/osfamilymap.yaml' as osfamilymap %} +{% import_yaml 'openssh/osmap.yaml' as osmap %} +{% import_yaml 'openssh/osfingermap.yaml' as osfingermap %} -{## Merge the flavor_map to the default settings ##} -{% do default_settings.openssh.update(os_family_map) %} +{## merge the osfamilymap ##} +{% set osfamily = salt['grains.filter_by'](osfamilymap, grain='os_family') or {} %} +{% do salt['defaults.merge'](defaults, osfamily) %} -{## Merge in openssh:lookup pillar ##} -{% 
set openssh = salt['pillar.get']( - 'openssh', - default=default_settings.openssh, - merge=True - ) -%} +{## merge the osmap ##} +{% set os = salt['grains.filter_by'](osmap, grain='os') or {} %} +{% do salt['defaults.merge'](defaults, os) %} -{% set os_family_map = salt['grains.filter_by']({ - 'FreeBSD': { - 'Subsystem': 'sftp /usr/libexec/sftp-server', - }, - 'OpenBSD': { - 'Subsystem': 'sftp /usr/libexec/sftp-server', - }, - 'Suse': { - 'Subsystem': 'sftp /usr/lib/ssh/sftp-server', - }, - 'Arch': { - 'Subsystem': 'sftp /usr/lib/ssh/sftp-server', - }, - 'Debian': { - 'Subsystem': 'sftp /usr/lib/openssh/sftp-server', - }, - 'RedHat': { - 'Subsystem': 'sftp /usr/libexec/openssh/sftp-server', - }, - 'Solaris': { - 'Subsystem': 'sftp internal-sftp', - }, - 'default': {} - } - , grain="os_family" - , merge=salt['pillar.get']('sshd_config:lookup')) -%} +{## merge the osfingermap ##} +{% set osfinger = salt['grains.filter_by'](osfingermap, grain='osfinger') or {} %} +{% do salt['defaults.merge'](defaults, osfinger) %} -{% set os_finger_map = salt['grains.filter_by']({ - 'CentOS-6': { - }, - 'default': {} - } - , grain="osfinger" - , merge=salt['pillar.get']('sshd_config:lookup')) -%} +{## merge the lookup ##} +{% set lookup = salt['pillar.get']('openssh:lookup', default={}, merge=True) %} +{% do salt['defaults.merge'](defaults['openssh'], lookup) %} - -{## Merge the flavor_map to the default settings ##} -{% do default_settings.sshd_config.update(os_family_map) %} -{% do default_settings.sshd_config.update(os_finger_map) %} - -{## Merge in sshd_config:lookup pillar ##} -{% set sshd_config = salt['pillar.get']( - 'sshd_config', - default=default_settings.sshd_config, - merge=True - ) -%} +{## merge the openssh pillar ##} +{% set openssh = salt['pillar.get']('openssh', default=defaults['openssh'], merge=True) %} +{% set ssh_config = salt['pillar.get']('ssh_config', default=defaults['ssh_config'], merge=True) %} +{% set sshd_config = salt['pillar.get']('sshd_config', 
default=defaults['sshd_config'], merge=True) %} diff --git a/openssh/osfamilymap.yaml b/openssh/osfamilymap.yaml new file mode 100644 index 0000000..15ffacf --- /dev/null +++ b/openssh/osfamilymap.yaml @@ -0,0 +1,68 @@ +Arch: + openssh: + server: openssh + client: openssh + service: sshd + dig_pkg: bind-tools + sshd_config: + Subsystem: sftp /usr/lib/ssh/sftp-server + +Debian: + openssh: + server: openssh-server + client: openssh-client + service: ssh + sshd_config: + Subsystem: sftp /usr/lib/openssh/sftp-server + +FreeBSD: + openssh: + service: sshd + dig_pkg: bind-tools + sshd_config_group: wheel + ssh_config_group: wheel + sshd_config: + Subsystem: sftp /usr/libexec/sftp-server + +Gentoo: + openssh: + server: net-misc/openssh + client: net-misc/openssh + service: sshd + dig_pkg: net-dns/bind-tools + +OpenBSD: + openssh: + service: sshd + sshd_config_group: wheel + ssh_config_group: wheel + sshd_config: + Subsystem: sftp /usr/libexec/sftp-server + +RedHat: + openssh: + server: openssh-server + client: openssh-clients + service: sshd + dig_pkg: bind-utils + sshd_config: + Subsystem: sftp /usr/libexec/openssh/sftp-server + +Solaris: + openssh: + service: network/ssh + sshd_config_group: root + ssh_config_group: root + dig_pkg: bind + sshd_binary: /usr/lib/ssh/sshd + sshd_config: + Subsystem: sftp internal-sftp + +Suse: + openssh: + server: openssh + client: openssh + service: sshd + dig_pkg: bind-utils + sshd_config: + Subsystem: sftp /usr/lib/ssh/sftp-server diff --git a/openssh/osfingermap.yaml b/openssh/osfingermap.yaml new file mode 100644 index 0000000..86ff6f8 --- /dev/null +++ b/openssh/osfingermap.yaml @@ -0,0 +1 @@ +Ubuntu-18.04: {} diff --git a/openssh/osmap.yaml b/openssh/osmap.yaml new file mode 100644 index 0000000..335f6d3 --- /dev/null +++ b/openssh/osmap.yaml @@ -0,0 +1 @@ +FreeBSD: {} From 4b84dead8ef1bb7a47014291b8e279a1d48d5074 Mon Sep 17 00:00:00 2001 
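Review bot: The new `sshd_config` assignment at the end of the hunk no longer merges the `sshd_config:lookup` pillar that the removed `grains.filter_by(..., merge=salt['pillar.get']('sshd_config:lookup'))` calls honoured, so an existing `sshd_config:lookup:Subsystem` override stops taking effect; with `merge=True` it would instead surface as an inert `lookup` sub-key of `sshd_config`, and whether the sshd_config template then emits a bogus `lookup` directive cannot be seen from here. Either keep a merge step before the assignment, `{% do salt['defaults.merge'](defaults['sshd_config'], salt['pillar.get']('sshd_config:lookup', default={}, merge=True)) %}`, or call the dropped key out as a breaking change in the commit message. The same `merge=True` shape is used for the `openssh` pillar two lines earlier, where `openssh:lookup` is merged explicitly just above, so the two keys are treated inconsistently within one hunk.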
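Review bot: The new map carries no header saying how it is consumed — that each top-level key is matched against the `os_family` grain and deep-merged over `defaults.yaml`, with `osmap.yaml` and `osfingermap.yaml` merged on top — so a reader editing, say, the RedHat `Subsystem` path cannot tell from the file which layer wins. A two-line comment at the top, `# Keyed by the os_family grain; merged over defaults.yaml, overridden by osmap.yaml and osfingermap.yaml`, would make the precedence explicit. The Debian entry also has no `dig_pkg`, so it inherits `dnsutils` from defaults.yaml; a `# dig_pkg inherits dnsutils from defaults.yaml` comment there would keep that from being read as an omission.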
From: Alexander Weidinger Date: Tue, 12 Feb 2019 14:53:10 +0100 Subject: [PATCH 2/5] Made host key algos configurable; dropped DSA --- openssh/config.sls | 2 +- openssh/defaults.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/openssh/config.sls b/openssh/config.sls index 9fbe895..76a11a1 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -36,7 +36,7 @@ ssh_config: {%- endif %} {% endif %} -{%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %} +{%- for keyType in openssh['host_key_algos'].split(',') %} {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %} {%- set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %} {%- if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %} diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml index f26d784..4652da6 100644 --- a/openssh/defaults.yaml +++ b/openssh/defaults.yaml @@ -19,6 +19,10 @@ openssh: dig_pkg: dnsutils ssh_moduli: /etc/ssh/moduli root_group: root + # Prevent merge of array; always override values + host_key_algos: ecdsa,ed25519,rsa + # To manage/remove DSA: + #host_key_algos: dsa,ecdsa,ed25519,rsa sshd_config: {} ssh_config: {} From f53ccccd3f4bb7c092bf7f246c8c75eccb050490 Mon Sep 17 00:00:00 2001 From: Alexander Weidinger Date: Tue, 12 Feb 2019 14:53:53 +0100 Subject: [PATCH 3/5] CentOS does not support ed25519; fixes #98 --- openssh/osfingermap.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssh/osfingermap.yaml b/openssh/osfingermap.yaml index 86ff6f8..b14bb95 100644 --- a/openssh/osfingermap.yaml +++ b/openssh/osfingermap.yaml @@ -1 +1,4 @@ Ubuntu-18.04: {} +CentOS-6: + openssh: + host_key_algos: ecdsa,rsa From 0c6a353969b36c40b74ba9476470b6517036dac3 Mon Sep 17 00:00:00 2001 From: Alexander Weidinger Date: Tue, 12 Feb 2019 19:01:34 +0100 Subject: [PATCH 4/5] Fix map.jinja: openssh:lookup is not used anyways --- openssh/map.jinja | 4 ---- 1 file changed, 4 deletions(-) 
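Review bot: `openssh['host_key_algos'].split(',')` on the new `for` line does no trimming or filtering, so a pillar value written as `ecdsa, rsa` or with a trailing comma yields key types ` rsa` or `` and the lines below build paths such as `/etc/ssh/ssh_host_ rsa_key` and feed the same string into the `openssh:provide_…_keys` and `openssh:generate_…_size` pillar lookups. Normalising in the loop header avoids that: `{%- for keyType in openssh['host_key_algos'].replace(' ', '').split(',') if keyType %}`. Since `keyType` ends up in a filesystem path, a comment stating that only OpenSSH key type names (`rsa`, `ecdsa`, `ed25519`, `dsa`) are expected here would help; the body of the for loop, and whatever it does with `keyFile`, continues past the end of the hunk.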
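Review bot: The comment `# To manage/remove DSA:` above the commented-out alternative does not say what listing a type causes — generation, deployment, or deletion of a key file — and since this hunk drops `dsa` from the default, a host that already has `/etc/ssh/ssh_host_dsa_key` presumably keeps it unmanaged unless the operator re-adds `dsa`, given that the config.sls loop now iterates only over this list. Suggest `# Host key types handled by config.sls, one key file per entry; a type that is not listed is not touched, so add dsa to manage or remove an existing DSA key`. Keep the existing `# Prevent merge of array` note, which is the only explanation of why this is a comma-separated string rather than a YAML list.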
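Review bot: The override keys on the single `osfinger` value `CentOS-6`, yet the ed25519 limitation it works around belongs to the OpenSSH 5.3 build shipped by the whole EL6 line, so Red Hat Enterprise Linux 6, Scientific Linux 6 and Oracle Linux 6 minions — whose osfinger values differ (`RedHat-6` and so on, if I read the grain right) — still get the default `ecdsa,ed25519,rsa` and will fail the same way as issue #98. Either add the sibling fingerprints next to `CentOS-6:` or key the override on `os_family` plus `osmajorrelease` instead. A one-line comment such as `# EL6 OpenSSH (5.3) has no ed25519 support; see #98` would record why the entry exists.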
diff --git a/openssh/map.jinja b/openssh/map.jinja index 29005a9..898558e 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -19,10 +19,6 @@ {% set osfinger = salt['grains.filter_by'](osfingermap, grain='osfinger') or {} %} {% do salt['defaults.merge'](defaults, osfinger) %} -{## merge the lookup ##} -{% set lookup = salt['pillar.get']('openssh:lookup', default={}, merge=True) %} -{% do salt['defaults.merge'](defaults['openssh'], lookup) %} - {## merge the openssh pillar ##} {% set openssh = salt['pillar.get']('openssh', default=defaults['openssh'], merge=True) %} {% set ssh_config = salt['pillar.get']('ssh_config', default=defaults['ssh_config'], merge=True) %} From 29b89f0fb9c707b096b92d55b2d8f4ad5e2f514a Mon Sep 17 00:00:00 2001 From: Alexander Weidinger Date: Tue, 12 Feb 2019 19:11:46 +0100 Subject: [PATCH 5/5] map.jinja: replace defaults.merge with grains.filter_by --- openssh/defaults.yaml | 55 ++++++++++++++++++++++--------------------- openssh/map.jinja | 21 +++++++---------- 2 files changed, 37 insertions(+), 39 deletions(-) diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml index 4652da6..4a98490 100644 --- a/openssh/defaults.yaml +++ b/openssh/defaults.yaml 
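Review bot: Dropping the `openssh:lookup` merge silently retires a pillar key the pre-series map.jinja honoured — the removed `grains.filter_by(..., merge=salt['pillar.get']('openssh:lookup'))` call in patch 1 — so existing pillars that set e.g. `openssh:lookup:sshd_config_mode` or `openssh:lookup:sshd_config_group` stop taking effect, and the remaining `pillar.get('openssh', ..., merge=True)` line will carry them as an inert `lookup` sub-key instead. The commit message's "not used anyways" describes this file after patch 1 rather than deployed pillars. If the key is meant to go, say so in the commit message and README; otherwise keep `{% do salt['defaults.merge'](defaults['openssh'], salt['pillar.get']('openssh:lookup', default={}, merge=True)) %}` as a fallback. Silently ignoring ownership and permission overrides on sshd_config is the kind of regression that is hard to notice after the fact.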
@@ -1,28 +1,29 @@ -openssh: - sshd_enable: True - sshd_binary: /usr/sbin/sshd - sshd_config: /etc/ssh/sshd_config - sshd_config_src: salt://openssh/files/sshd_config - sshd_config_user: root - sshd_config_group: root - sshd_config_mode: '644' - sshd_config_backup: True - ssh_config: /etc/ssh/ssh_config - ssh_config_src: salt://openssh/files/ssh_config - ssh_config_user: root - ssh_config_group: root - ssh_config_mode: '644' - ssh_config_backup: True - banner: /etc/ssh/banner - banner_src: salt://openssh/files/banner - ssh_known_hosts: /etc/ssh/ssh_known_hosts - dig_pkg: dnsutils - ssh_moduli: /etc/ssh/moduli - root_group: root - # Prevent merge of array; always override values - host_key_algos: ecdsa,ed25519,rsa - # To manage/remove DSA: - #host_key_algos: dsa,ecdsa,ed25519,rsa +default: + openssh: + sshd_enable: True + sshd_binary: /usr/sbin/sshd + sshd_config: /etc/ssh/sshd_config + sshd_config_src: salt://openssh/files/sshd_config + sshd_config_user: root + sshd_config_group: root + sshd_config_mode: '644' + sshd_config_backup: True + ssh_config: /etc/ssh/ssh_config + ssh_config_src: salt://openssh/files/ssh_config + ssh_config_user: root + ssh_config_group: root + ssh_config_mode: '644' + ssh_config_backup: True + banner: /etc/ssh/banner + banner_src: salt://openssh/files/banner + ssh_known_hosts: /etc/ssh/ssh_known_hosts + dig_pkg: dnsutils + ssh_moduli: /etc/ssh/moduli + root_group: root + # Prevent merge of array; always override values + host_key_algos: ecdsa,ed25519,rsa + # To manage/remove DSA: + #host_key_algos: dsa,ecdsa,ed25519,rsa -sshd_config: {} -ssh_config: {} + sshd_config: {} + ssh_config: {} diff --git a/openssh/map.jinja b/openssh/map.jinja index 898558e..a907f5e 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja 
@@ -2,22 +2,19 @@ # vim: ft=jinja {## Start imports as ##} -{% import_yaml 'openssh/defaults.yaml' as defaults %} +{% import_yaml 'openssh/defaults.yaml' as default_settings %} {% import_yaml 'openssh/osfamilymap.yaml' as osfamilymap %} {% import_yaml 'openssh/osmap.yaml' as osmap %} {% import_yaml 'openssh/osfingermap.yaml' as osfingermap %} -{## merge the osfamilymap ##} -{% set osfamily = salt['grains.filter_by'](osfamilymap, grain='os_family') or {} %} -{% do salt['defaults.merge'](defaults, osfamily) %} - -{## merge the osmap ##} -{% set os = salt['grains.filter_by'](osmap, grain='os') or {} %} -{% do salt['defaults.merge'](defaults, os) %} - -{## merge the osfingermap ##} -{% set osfinger = salt['grains.filter_by'](osfingermap, grain='osfinger') or {} %} -{% do salt['defaults.merge'](defaults, osfinger) %} +{% set defaults = salt['grains.filter_by'](default_settings, + default='default', + merge=salt['grains.filter_by'](osfamilymap, grain='os_family', + merge=salt['grains.filter_by'](osmap, grain='os', + merge=salt['grains.filter_by'](osfingermap, grain='osfinger') + ) + ) +) %} {## merge the openssh pillar ##} {% set openssh = salt['pillar.get']('openssh', default=defaults['openssh'], merge=True) %}
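Review bot: The nested `grains.filter_by` chain encodes the precedence osfingermap > osmap > osfamilymap > `default`, because each inner result is passed as `merge=` into the next level and the merge dict wins over the match, but nothing in the hunk says so, and the three map files have no `default` key, so each inner call returns `None` on a miss and the chain only holds because, as far as I recall the module, an empty `merge` is a no-op — worth stating rather than relying on silently. Suggest a comment above the `set`: `{## Precedence, highest first: osfingermap > osmap > osfamilymap > defaults.yaml 'default' ##}`. The outer call also passes no `grain=`, so it matches `os_family` against the keys of defaults.yaml before falling back to `default`; harmless while `default` is the only key, but a short comment would keep someone from adding a family there. The file continues past the hunk with the pillar merges.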