jonas/salt-states_old
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added common settings

Browse Source
This commit is contained in:
= 2020-12-22 11:46:20 +01:00
parent 864c02a77b
commit caf47ab94f
8 changed files with 361 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
common/groups.sls Normal file
View File

@ -0,0 +1,13 @@
{% if pillar['groups'] is defined %}
{% for group, args in pillar['groups'].items() %}
Added {{ group }} group:
group.present:
- name: {{ group }}
{% if args['gid'] is defined %}
- gid: {{ args['gid'] }}
{% endif %}
{%if args['system'] is defined %}
- system: {{ args['system'] }} %}
{% endif %}
{% endfor %}
{% endif %}

38
common/users.sls Normal file
View File

@ -0,0 +1,38 @@
{% for user, args in pillar['users'].items() %}
# remove users
{% if args['remove'] is defined %}
{{ user }}:
user.absent
{% if 'alias_target' in args %}
alias.present:
- target: {{ args['alias_target'] }}
{% endif %}
{% else %}
# add users
{{ user }}:
user.present:
- fullname: {{ args['fullname'] | default('') }}
- home: {{ args['home'] | default('/home/'+user) }}
- shell: {{ args['shell'] | default('/bin/bash') }}
{% if args['uid'] is defined %}
- uid: {{ args['uid'] }}
{% endif %}
- password: {{ args['password'] }}
- enforce_password: {{ args['enforce_password'] | default('True') }}
{% if 'groups' in args %}
- groups: {{ args['groups'] }}
{% endif %}
{% if 'alias_target' in args %}
alias.present:
- target: {{ args['alias_target'] }}
{% endif %}
{% if 'ssh_auth' in args %}
{{ user }}_autherized_keys:
ssh_auth:
- present
- user: {{ user }}
- names: {{ args['ssh_auth'] }}
{% endif %}
{% endif %}
{% endfor %}

7
ssh/files/ssh_known_hosts Normal file
View File

@ -0,0 +1,7 @@
nod-01,nod-01.rre.nu,10.2.0.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJkbc0Q+v6EFuh8+pkmsMOPHXq0kioK2DTsQxKsa0yRbcS9yM1ONOAJGz6MZP+CpgrEHRm2Ntje/S48sIhgh2Q=
crs,crs.rre.nu,10.0.10.1 ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAQEAsQC+cXG2Npcpy7a5x2HW02IBY+NsMiHIefFiZzlvZqF91ru3NItgUngNc1QbvpTO26/PhufyGIOkMZ9GM7iPFLnpqLmrAfBT89eqzf7u0qXDJ33HgLNhsiXHmlmzdNaG/Ln6m2ffhu/kVz7OizATSRXaB/pjRejKz05Afss6VZghwwY4Ko6hj8rP1sEulT59WAf2rPP8GC//RDPNn0slX7GgKce/2Jn5Oe/TqPE/ZTsgYsEJirHr74g7kz+n+k5S3LAELHbdEyQlaAy03M/kI6dHQKaBPlGzDI/hrAfxARTLtMxMz+M+bkHwmV+yCvcoiNkO90jYvvinJprjar799Q==
nod-02,nod-02.rre.nu,10.2.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH/cq0oFp9P/ehoQOwqoa3HGQ3QzHqvdXxDgAb2koJN2rg1Pn62tizpcZ4KKcmNFnCh6REQwG1Vy3sR16FPaWdQ=
rpi-01,rpi-01.rre.nu,10.0.10.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDGd59VmLjLDjdHfqWRz6WlZUY6/hDpR3wg/XUHS5tMki889Y3mbhRUfQBJ/eiP529FobfF5y9mxWW9z0d/SB3A=
heater,heater.rre.nu,10.0.10.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL/jE4506u3kOjBCLOFta1IqQ+T+U1/4oahZJDJ8Ry5o73+gJtSzGrcRjb3tHGl7y+p1zRJ7bboO9sAkS5J5sC8=
salt,salt.rre.nu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG8KYDPqRNrVhNi3ImirMoBTdULED82TxdvxmZg1aBge
[pepper.rre.nu]:2222,[10.2.0.102]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEjbpZ74cN+hK1Q1N2ke5h5GP7nuKqNn2ddVzsoLXqcaGJpaSaUavCNTsc9NGbapHw8mx0fuzxosCF71/jAnoYU=

149
ssh/files/sshd_config.jinja Normal file
View File

@ -0,0 +1,149 @@
# Managed by salt
# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port {{ salt['pillar.get']('ssh:sshd:port', 22) }}
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Minimum accepted size of the DH parameter p. By default this is set to 1024
# to maintain compatibility with RFC4419, but should be set higher.
# Upstream default is identical to setting this to 2048.
#KexDHMin 1024
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

45
ssh/init.sls Normal file
View File

@ -0,0 +1,45 @@
# Pillar data:
#
# ssh:
# sshd:
# port: <port number>
install OpenSSH:
pkg.installed:
{% if grains['os_family'] == 'Suse' %}
- name: openssh
{% elif grains['os_family'] == 'Debian' %}
- name: ssh
{% endif %}
- refresh: False
/etc/ssh/ssh_known_hosts:
file.managed:
- source: salt://ssh/files/ssh_known_hosts
- user: root
- group: root
- mode: 0644
/etc/ssh/sshd_config:
file.managed:
- source: salt://ssh/files/sshd_config.jinja
- template: jinja
- user: root
- group: root
- mode: 0640
OpenSSH Service:
service.running:
{% if grains['os_family'] == 'Suse' %}
- name: sshd
{% elif grains['os_family'] == 'Debian' %}
- name: ssh
{% endif %}
- enable: True
- watch:
{% if grains['os_family'] == 'Suse' %}
- pkg: openssh
{% elif grains['os_family'] == 'Debian' %}
- pkg: ssh
{% endif %}
- file: /etc/ssh/sshd_config

93
sudo/files/sudoers Normal file
View File

@ -0,0 +1,93 @@
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## Prevent environment variables from influencing programs in an
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
## Path that will be used for every command run from sudo
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset
## Change env_reset to !env_reset in previous line to keep all environment variables
## Following list will no longer be nevessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Comment out the preceding line and uncomment the following one if you need
## to use special input methods. This may allow users to compromise the root
## account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Do not insult users when they enter an incorrect password.
Defaults !insults
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
#Defaults targetpw # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
{% if grains['os_family'] == 'Suse' %}
%wheel ALL=(ALL) ALL
{% elif grains['os_family'] == 'Debian' %}
%sudo ALL=(ALL) ALL
{% endif %}
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

10
sudo/init.sls Normal file
View File

@ -0,0 +1,10 @@
sudo:
pkg.installed
/etc/sudoers:
file.managed:
- source: salt://sudo/files/sudoers
- template: jinja
- user: root
- group: root
- mode: 0440

6
top.sls
View File

@ -1,4 +1,10 @@
base: base:
'*':
- common.groups
- common.users
- sudo
- ssh
'pepper.rre.nu': 'pepper.rre.nu':
- dnsmasq - dnsmasq