diff --git a/README.rst b/README.rst
index 86a551e..77895ca 100644
--- a/README.rst
+++ b/README.rst
@@ -57,7 +57,7 @@ so root login will be disabled.
 Manages the site-wide ssh_known_hosts file and fills it with the public SSH host keys of all minions. You can restrict the set of minions whose keys are listed by using the pillar data ``openssh:known_hosts:target``
-and ``openssh:known_hosts:expr_form`` (those fields map directly to the
+and ``openssh:known_hosts:tgt_type`` (those fields map directly to the
 corresponding attributes of the ``mine.get`` function). The Salt mine is used to share the public SSH host keys, you must thus
diff --git a/openssh/files/ssh_known_hosts b/openssh/files/ssh_known_hosts
index ff448bd..9229fd3 100644
--- a/openssh/files/ssh_known_hosts
+++ b/openssh/files/ssh_known_hosts
@@ -16,7 +16,7 @@
 {#- Extract the hostname from the FQDN and add it to the names. #}
 {%- if use_hostnames is iterable -%}
 {%- for name in names | sort -%}
-{%- if salt["match.{}".format(hostnames_expr_form)](hostnames_target, minion_id=name) -%}
+{%- if salt["match.{}".format(hostnames_tgt_type)](hostnames_target, minion_id=name) -%}
 {%- set hostname = name.split('.')|first -%}
 {%- if hostname not in names -%}
 {%- do names.append(hostname) -%}
@@ -45,13 +45,13 @@
 {#- Pre-fetch pillar data #}
 {%- set target = salt['pillar.get']('openssh:known_hosts:target', '*') -%}
-{%- set expr_form = salt['pillar.get']('openssh:known_hosts:expr_form', 'glob') -%}
+{%- set tgt_type = salt['pillar.get']('openssh:known_hosts:tgt_type', 'glob') -%}
 {%- set keys_function = salt['pillar.get']('openssh:known_hosts:mine_keys_function', 'public_ssh_host_keys') -%}
 {%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%}
 {%- set use_hostnames = salt['pillar.get']('openssh:known_hosts:hostnames', False) -%}
 {%- set hostnames_target_default = '*' if grains['domain'] == '' else "*.{}".format(grains['domain']) -%}
 {%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
-{%- set hostnames_expr_form = salt['pillar.get']('openssh:known_hosts:hostnames:expr_form', 'glob') -%}
+{%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
 {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name in the SSH known_hosts entry -#}
@@ -64,8 +64,8 @@
 {%- endfor -%}
 {#- Loop over targetted minions -#}
-{%- set host_keys = salt['mine.get'](target, keys_function, expr_form=expr_form) -%}
-{%- set host_names = salt['mine.get'](target, hostname_function, expr_form=expr_form) -%}
+{%- set host_keys = salt['mine.get'](target, keys_function, tgt_type=tgt_type) -%}
+{%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%}
 {%- for host, keys in host_keys|dictsort -%}
 {{ known_host_entry(host, host_names, keys) }}
 {%- endfor -%}
diff --git a/pillar.example b/pillar.example
index 0db24b4..5708859 100644
--- a/pillar.example
+++ b/pillar.example
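Review bot: The pillar reads at `set tgt_type` and `set hostnames_tgt_type` drop the old keys `openssh:known_hosts:expr_form` and `openssh:known_hosts:hostnames:expr_form` without any fallback, so an existing pillar that still sets `expr_form` silently falls back to `'glob'` after this upgrade. A target written for another matcher (`compound`, `list`, `pcre`, ...) is then evaluated as a glob, so the generated ssh_known_hosts covers a different, possibly empty, set of minions than before, and nothing in the render reports it. Reading the legacy key as the default keeps old pillars working: `{%- set tgt_type = salt['pillar.get']('openssh:known_hosts:tgt_type', salt['pillar.get']('openssh:known_hosts:expr_form', 'glob')) -%}`, and likewise for `hostnames_tgt_type` with `openssh:known_hosts:hostnames:expr_form`. The same variables drive the `match.*` call in the earlier hunk at line 16 and the `mine.get` calls in the hunk at line 64, so both inherit the fix. Whether `mine.get` accepts `tgt_type=` presumably depends on the Salt release in use; if the formula still supports releases that only know `expr_form`, the minimum version should be stated in the README.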
@@ -47,12 +47,12 @@ sshd_config:
 # set as string
 AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
 # or set as list
- AllowUsers:
- - vader@10.0.0.1
- - maul@evil.com
- - sidious
+ AllowUsers:
+ - vader@10.0.0.1
+ - maul@evil.com
+ - sidious
 - luke
- # set as string
+ # set as string
 DenyUsers: 'yoda chewbaca@112.10.21.1'
 # or set as list
 DenyUsers:
@@ -286,7 +286,7 @@ openssh:
 # The next 2 settings restrict the set of minions that will be added in
 # the generated ssh_known_hosts files (the default is to match all minions)
 target: '*'
- expr_form: 'glob'
+ tgt_type: 'glob'
 # Name of mining functions used to gather public keys and hostnames
 # (the default values are shown here)
 mine_keys_function: public_ssh_host_keys
@@ -304,7 +304,7 @@ openssh:
 # Restrict wich hosts you want to use via their hostname
 # (i.e. ssh user@host instead of ssh user@host.example.com)
 # target: '*' # Defaults to "*.{}".format(grains['domain']) with a fallback to '*'
- # expr_form: 'glob'
+ # tgt_type: 'glob'
 # To activate the defaults you can just set an empty dict.
 #hostnames: {}