From caf47ab94f3129f12ee9031b7320466c21b528b8 Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 22 Dec 2020 11:46:20 +0100
Subject: [PATCH] added common settings
---
common/groups.sls | 13 ++++
common/users.sls | 38 +++++++++
ssh/files/ssh_known_hosts | 7 ++
ssh/files/sshd_config.jinja | 149 ++++++++++++++++++++++++++++++++++++
ssh/init.sls | 45 +++++++++++
sudo/files/sudoers | 93 ++++++++++++++++++++++
sudo/init.sls | 10 +++
top.sls | 6 ++
8 files changed, 361 insertions(+)
create mode 100644 common/groups.sls
create mode 100644 common/users.sls
create mode 100644 ssh/files/ssh_known_hosts
create mode 100644 ssh/files/sshd_config.jinja
create mode 100644 ssh/init.sls
create mode 100644 sudo/files/sudoers
create mode 100644 sudo/init.sls
diff --git a/common/groups.sls b/common/groups.sls
new file mode 100644
index 0000000..69449f6
--- /dev/null
+++ b/common/groups.sls
@@ -0,0 +1,13 @@
+{% if pillar['groups'] is defined %}
+{% for group, args in pillar['groups'].items() %}
+Added {{ group }} group:
+ group.present:
+ - name: {{ group }}
+ {% if args['gid'] is defined %}
+ - gid: {{ args['gid'] }}
+ {% endif %}
+ {%if args['system'] is defined %}
+ - system: {{ args['system'] }} %}
+ {% endif %}
+{% endfor %}
+{% endif %}
diff --git a/common/users.sls b/common/users.sls
new file mode 100644
index 0000000..8e00b7c
--- /dev/null
+++ b/common/users.sls
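Review bot: The `system` option line in groups.sls carries a stray `%}` after the expression, so it renders as e.g. `- system: True %}` and group.present receives the string `True %}` rather than a boolean; it should read `- system: {{ args['system'] }}`. The YAML indentation of the `- name`/`- gid`/`- system` items under `group.present:` is not recoverable from this collapsed patch, so I cannot confirm the nesting is right. `{%if` on the system check is accepted by Jinja but differs from the `{% if` spelling used on the other lines of the file.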
@@ -0,0 +1,38 @@
+{% for user, args in pillar['users'].items() %}
+# remove users
+{% if args['remove'] is defined %}
+{{ user }}:
+ user.absent
+ {% if 'alias_target' in args %}
+ alias.present:
+ - target: {{ args['alias_target'] }}
+ {% endif %}
+{% else %}
+# add users
+{{ user }}:
+ user.present:
+ - fullname: {{ args['fullname'] | default('') }}
+ - home: {{ args['home'] | default('/home/'+user) }}
+ - shell: {{ args['shell'] | default('/bin/bash') }}
+ {% if args['uid'] is defined %}
+ - uid: {{ args['uid'] }}
+ {% endif %}
+ - password: {{ args['password'] }}
+ - enforce_password: {{ args['enforce_password'] | default('True') }}
+ {% if 'groups' in args %}
+ - groups: {{ args['groups'] }}
+ {% endif %}
+ {% if 'alias_target' in args %}
+ alias.present:
+ - target: {{ args['alias_target'] }}
+ {% endif %}
+
+{% if 'ssh_auth' in args %}
+{{ user }}_autherized_keys:
+ ssh_auth:
+ - present
+ - user: {{ user }}
+ - names: {{ args['ssh_auth'] }}
+{% endif %}
+{% endif %}
+{% endfor %}
diff --git a/ssh/files/ssh_known_hosts b/ssh/files/ssh_known_hosts
new file mode 100644
index 0000000..0b4ced2
--- /dev/null
+++ b/ssh/files/ssh_known_hosts
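Review bot: In the `remove` branch `user.absent` is a bare scalar (no trailing colon) while the `alias.present:` that can follow it under the same `{{ user }}:` ID is a mapping key, so a removed user that also has `alias_target` set renders YAML that mixes a scalar and a mapping and the state file fails to render; `user.absent: []` keeps both shapes valid. `- password: {{ args['password'] }}` is emitted unconditionally, so an entry without a `password` key renders an empty value; guarding it with `{% if 'password' in args %}` like `uid` makes the omission explicit rather than silent. The state ID `{{ user }}_autherized_keys` misspells "authorized"; it is only cosmetic, but IDs show up in highstate output and are what operators grep for. Indentation was lost in this collapsed patch, so the nesting of the `ssh_auth` list could not be checked.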
@@ -0,0 +1,7 @@
+nod-01,nod-01.rre.nu,10.2.0.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJkbc0Q+v6EFuh8+pkmsMOPHXq0kioK2DTsQxKsa0yRbcS9yM1ONOAJGz6MZP+CpgrEHRm2Ntje/S48sIhgh2Q=
+crs,crs.rre.nu,10.0.10.1 ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAQEAsQC+cXG2Npcpy7a5x2HW02IBY+NsMiHIefFiZzlvZqF91ru3NItgUngNc1QbvpTO26/PhufyGIOkMZ9GM7iPFLnpqLmrAfBT89eqzf7u0qXDJ33HgLNhsiXHmlmzdNaG/Ln6m2ffhu/kVz7OizATSRXaB/pjRejKz05Afss6VZghwwY4Ko6hj8rP1sEulT59WAf2rPP8GC//RDPNn0slX7GgKce/2Jn5Oe/TqPE/ZTsgYsEJirHr74g7kz+n+k5S3LAELHbdEyQlaAy03M/kI6dHQKaBPlGzDI/hrAfxARTLtMxMz+M+bkHwmV+yCvcoiNkO90jYvvinJprjar799Q==
+nod-02,nod-02.rre.nu,10.2.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH/cq0oFp9P/ehoQOwqoa3HGQ3QzHqvdXxDgAb2koJN2rg1Pn62tizpcZ4KKcmNFnCh6REQwG1Vy3sR16FPaWdQ=
+rpi-01,rpi-01.rre.nu,10.0.10.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDGd59VmLjLDjdHfqWRz6WlZUY6/hDpR3wg/XUHS5tMki889Y3mbhRUfQBJ/eiP529FobfF5y9mxWW9z0d/SB3A=
+heater,heater.rre.nu,10.0.10.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL/jE4506u3kOjBCLOFta1IqQ+T+U1/4oahZJDJ8Ry5o73+gJtSzGrcRjb3tHGl7y+p1zRJ7bboO9sAkS5J5sC8=
+salt,salt.rre.nu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG8KYDPqRNrVhNi3ImirMoBTdULED82TxdvxmZg1aBge
+[pepper.rre.nu]:2222,[10.2.0.102]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEjbpZ74cN+hK1Q1N2ke5h5GP7nuKqNn2ddVzsoLXqcaGJpaSaUavCNTsc9NGbapHw8mx0fuzxosCF71/jAnoYU=
diff --git a/ssh/files/sshd_config.jinja b/ssh/files/sshd_config.jinja
new file mode 100644
index 0000000..27b0a80
--- /dev/null
+++ b/ssh/files/sshd_config.jinja
@@ -0,0 +1,149 @@
+# Managed by salt
+
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port {{ salt['pillar.get']('ssh:sshd:port', 22) }}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+PermitRootLogin without-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.
Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/ssh/init.sls b/ssh/init.sls
new file mode 100644
index 0000000..ff48fcd
--- /dev/null
+++ b/ssh/init.sls
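Review bot: `Subsystem sftp /usr/lib/ssh/sftp-server` hard-codes the openSUSE/Arch helper path, but ssh/init.sls in this same commit deploys the template to Debian-family minions as well, where the helper ships as `/usr/lib/openssh/sftp-server`; sshd will still start there, but sftp sessions would presumably fail. `Subsystem sftp internal-sftp` sidesteps the path entirely and behaves the same on both families. `X11Forwarding yes` is the one directive here that loosens the upstream default; unless X11 is really needed on these hosts it would be safer to drive it from pillar with a `no` default, mirroring how `Port` is handled: `X11Forwarding {{ salt['pillar.get']('ssh:sshd:x11_forwarding', 'no') }}`. `PermitRootLogin without-password` is the deprecated spelling of `prohibit-password`; OpenSSH still accepts it, but the current keyword matches what sshd_config(5) documents. The hunk is split across this chunk so the section before `+#KexDHMin` was reviewed together with this one.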
@@ -0,0 +1,45 @@
+# Pillar data:
+#
+# ssh:
+# sshd:
+# port:
+
+install OpenSSH:
+ pkg.installed:
+ {% if grains['os_family'] == 'Suse' %}
+ - name: openssh
+ {% elif grains['os_family'] == 'Debian' %}
+ - name: ssh
+ {% endif %}
+ - refresh: False
+
+/etc/ssh/ssh_known_hosts:
+ file.managed:
+ - source: salt://ssh/files/ssh_known_hosts
+ - user: root
+ - group: root
+ - mode: 0644
+
+/etc/ssh/sshd_config:
+ file.managed:
+ - source: salt://ssh/files/sshd_config.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 0640
+
+OpenSSH Service:
+ service.running:
+ {% if grains['os_family'] == 'Suse' %}
+ - name: sshd
+ {% elif grains['os_family'] == 'Debian' %}
+ - name: ssh
+ {% endif %}
+ - enable: True
+ - watch:
+ {% if grains['os_family'] == 'Suse' %}
+ - pkg: openssh
+ {% elif grains['os_family'] == 'Debian' %}
+ - pkg: ssh
+ {% endif %}
+ - file: /etc/ssh/sshd_config
diff --git a/sudo/files/sudoers b/sudo/files/sudoers
new file mode 100644
index 0000000..dab54d9
--- /dev/null
+++ b/sudo/files/sudoers
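Review bot: The `/etc/ssh/sshd_config` state restarts sshd through `watch` without validating the rendered template first, so a bad pillar value (for instance a non-numeric `ssh:sshd:port`) leaves the minion with a stopped sshd and no remote way back in; adding `- check_cmd: /usr/sbin/sshd -t -f` to that file.managed makes Salt run the test against the temporary file (Salt appends its path) before the old config is replaced. `install OpenSSH` and `OpenSSH Service` only set `name` for the Suse and Debian families, so on any other os_family the state ID itself is used as the package and service name and the run fails; that may be intended, but it belongs in the `# Pillar data:` header, e.g. `# Supported os_family: Suse, Debian (others fail at pkg.installed)`. The `- watch:` entries `pkg: openssh`/`pkg: ssh` are resolved by Salt against the state's `name`, so they do match the `install OpenSSH` ID, but a reader has to know that; watching `- pkg: install OpenSSH` by ID would remove the duplicated grains switch.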
@@ -0,0 +1,93 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users. These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands. Often used to group related commands together.
+# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+## Path that will be used for every command run from sudo
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be nevessary after this change
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
+## Uncomment to use a hard-coded PATH instead of the user's to find commands
+# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+#Defaults targetpw # ask for the password of the target user i.e. root
+#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+{% if grains['os_family'] == 'Suse' %}
+%wheel ALL=(ALL) ALL
+{% elif grains['os_family'] == 'Debian' %}
+%sudo ALL=(ALL) ALL
+{% endif %}
+
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d
diff --git a/sudo/init.sls b/sudo/init.sls
new file mode 100644
index 0000000..0756661
--- /dev/null
+++ b/sudo/init.sls
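Review bot: The comment `## Uncomment to allow members of group wheel to execute any command` now sits above an active Jinja block, so it is stale; rewording it to `## Full sudo for the distribution admin group (wheel on SUSE, sudo on Debian); other os_family values get no group grant` says what the block does and makes the silent no-grant on other families visible. The active `Defaults env_keep` line and the commented alternative right below it are identical, so the `## Comment out the preceding line and uncomment the following one` instruction no longer offers a different choice; either restore the intended alternative list or drop the commented copy. Since this file is now template-managed, the `## This file MUST be edited with the 'visudo' command as root` header will mislead operators into hand edits that Salt overwrites; a `## Managed by salt - edit sudo/files/sudoers in the state tree` line at the top, as sshd_config.jinja already has, would prevent that. The hunk starts in the previous chunk line and was reviewed as a whole.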
@@ -0,0 +1,10 @@
+sudo:
+ pkg.installed
+
+/etc/sudoers:
+ file.managed:
+ - source: salt://sudo/files/sudoers
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 0440
diff --git a/top.sls b/top.sls
index bca27d1..1e426df 100644
--- a/top.sls
+++ b/top.sls
@@ -1,4 +1,10 @@
 base:
+ '*':
+ - common.groups
+ - common.users
+ - sudo
+ - ssh
+
 'pepper.rre.nu':
 - dnsmasq
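Review bot: `/etc/sudoers` is replaced from a Jinja template with no syntax check, so a render error or typo in `sudo/files/sudoers` locks every targeted minion out of sudo in one highstate run; `- check_cmd: /usr/sbin/visudo -cf` on the file.managed lets visudo validate the temporary file (Salt appends its path) before it is moved into place. The file state should also carry `- require:` / `- pkg: sudo` so the package is guaranteed present before its config is written instead of relying on declaration order. `pkg.installed` under `sudo:` is written without a colon while ssh/init.sls uses the `pkg.installed:` form; both are valid, but one style across the states reads more consistently. The top.sls hunk after it is a target-list change and its last line falls outside this chunk.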