added common settings

2020-12-22 11:46:20 +01:00 · 2020-12-22 11:46:20 +01:00 · caf47ab94f
commit caf47ab94f
parent 864c02a77b
8 changed files with 361 additions and 0 deletions
--- a/common/groups.sls
+++ b/common/groups.sls
@ -0,0 +1,13 @@
+{% if pillar['groups'] is defined %}
+{% for group, args in pillar['groups'].items() %}
+Added {{ group }} group:
+  group.present:
+    - name: {{ group }}
+    {% if args['gid'] is defined %}
+    - gid: {{ args['gid'] }}
+    {% endif %}
+    {%if args['system'] is defined %}
+    - system: {{ args['system'] }} %}
+    {% endif %}
+{% endfor %}
+{% endif %}
--- a/common/users.sls
+++ b/common/users.sls
@ -0,0 +1,38 @@
+{% for user, args in pillar['users'].items() %}
+# remove users
+{% if args['remove'] is defined %}
+{{ user }}:
+  user.absent
+  {% if 'alias_target' in args %}
+  alias.present:
+    - target: {{ args['alias_target'] }}
+  {% endif %}
+{% else %}
+# add users
+{{ user }}:
+  user.present:
+    - fullname: {{ args['fullname'] | default('') }}
+    - home: {{ args['home'] | default('/home/'+user) }}
+    - shell: {{ args['shell'] | default('/bin/bash') }}
+    {% if args['uid'] is defined %}
+    - uid: {{ args['uid'] }}
+    {% endif %}
+    - password: {{ args['password'] }}
+    - enforce_password: {{ args['enforce_password'] | default('True') }}
+    {% if 'groups' in args %}
+    - groups: {{ args['groups'] }}
+    {% endif %}
+  {% if 'alias_target' in args %}
+  alias.present:
+    - target: {{ args['alias_target'] }}
+  {% endif %}
+
+{% if 'ssh_auth' in args %}
+{{ user }}_autherized_keys:
+  ssh_auth:
+    - present
+    - user: {{ user }}
+    - names: {{ args['ssh_auth'] }}
+{% endif %}
+{% endif %}
+{% endfor %}
--- a/ssh/files/ssh_known_hosts
+++ b/ssh/files/ssh_known_hosts
@ -0,0 +1,7 @@
+nod-01,nod-01.rre.nu,10.2.0.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJkbc0Q+v6EFuh8+pkmsMOPHXq0kioK2DTsQxKsa0yRbcS9yM1ONOAJGz6MZP+CpgrEHRm2Ntje/S48sIhgh2Q=
+crs,crs.rre.nu,10.0.10.1 ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAQEAsQC+cXG2Npcpy7a5x2HW02IBY+NsMiHIefFiZzlvZqF91ru3NItgUngNc1QbvpTO26/PhufyGIOkMZ9GM7iPFLnpqLmrAfBT89eqzf7u0qXDJ33HgLNhsiXHmlmzdNaG/Ln6m2ffhu/kVz7OizATSRXaB/pjRejKz05Afss6VZghwwY4Ko6hj8rP1sEulT59WAf2rPP8GC//RDPNn0slX7GgKce/2Jn5Oe/TqPE/ZTsgYsEJirHr74g7kz+n+k5S3LAELHbdEyQlaAy03M/kI6dHQKaBPlGzDI/hrAfxARTLtMxMz+M+bkHwmV+yCvcoiNkO90jYvvinJprjar799Q==
+nod-02,nod-02.rre.nu,10.2.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH/cq0oFp9P/ehoQOwqoa3HGQ3QzHqvdXxDgAb2koJN2rg1Pn62tizpcZ4KKcmNFnCh6REQwG1Vy3sR16FPaWdQ=
+rpi-01,rpi-01.rre.nu,10.0.10.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDGd59VmLjLDjdHfqWRz6WlZUY6/hDpR3wg/XUHS5tMki889Y3mbhRUfQBJ/eiP529FobfF5y9mxWW9z0d/SB3A=
+heater,heater.rre.nu,10.0.10.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL/jE4506u3kOjBCLOFta1IqQ+T+U1/4oahZJDJ8Ry5o73+gJtSzGrcRjb3tHGl7y+p1zRJ7bboO9sAkS5J5sC8=
+salt,salt.rre.nu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG8KYDPqRNrVhNi3ImirMoBTdULED82TxdvxmZg1aBge
+[pepper.rre.nu]:2222,[10.2.0.102]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEjbpZ74cN+hK1Q1N2ke5h5GP7nuKqNn2ddVzsoLXqcaGJpaSaUavCNTsc9NGbapHw8mx0fuzxosCF71/jAnoYU=
--- a/ssh/files/sshd_config.jinja
+++ b/ssh/files/sshd_config.jinja
@ -0,0 +1,149 @@
+# Managed by salt
+
+#	$OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port {{ salt['pillar.get']('ssh:sshd:port', 22) }}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+PermitRootLogin without-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
--- a/ssh/init.sls
+++ b/ssh/init.sls
@ -0,0 +1,45 @@
+# Pillar data:
+#
+# ssh:
+#   sshd:
+#     port: <port number>
+
+install OpenSSH:
+  pkg.installed:
+    {% if grains['os_family'] == 'Suse' %}
+    - name: openssh
+    {% elif grains['os_family'] == 'Debian' %}
+    - name: ssh
+    {% endif %}
+    - refresh: False
+
+/etc/ssh/ssh_known_hosts:
+  file.managed:
+    - source: salt://ssh/files/ssh_known_hosts
+    - user: root
+    - group: root
+    - mode: 0644
+
+/etc/ssh/sshd_config:
+  file.managed:
+    - source: salt://ssh/files/sshd_config.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 0640
+
+OpenSSH Service:
+  service.running:
+    {% if grains['os_family'] == 'Suse' %}
+    - name: sshd
+    {% elif grains['os_family'] == 'Debian' %}
+    - name: ssh
+    {% endif %}
+    - enable: True
+    - watch:
+      {% if grains['os_family'] == 'Suse' %}
+      - pkg: openssh
+      {% elif grains['os_family'] == 'Debian' %}
+      - pkg: ssh
+      {% endif %}
+      - file: /etc/ssh/sshd_config
--- a/sudo/files/sudoers
+++ b/sudo/files/sudoers
@ -0,0 +1,93 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+## Path that will be used for every command run from sudo
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be nevessary after this change
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
+## Uncomment to use a hard-coded PATH instead of the user's to find commands
+# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+#Defaults targetpw   # ask for the password of the target user i.e. root
+#ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+{% if grains['os_family'] == 'Suse' %}
+%wheel ALL=(ALL) ALL
+{% elif grains['os_family'] == 'Debian' %}
+%sudo ALL=(ALL) ALL
+{% endif %}
+
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d
--- a/sudo/init.sls
+++ b/sudo/init.sls
@ -0,0 +1,10 @@
+sudo:
+  pkg.installed 
+
+/etc/sudoers:
+  file.managed:
+    - source: salt://sudo/files/sudoers
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 0440
--- a/top.sls
+++ b/top.sls
@ -1,4 +1,10 @@
 base:
+  '*':
+    - common.groups
+    - common.users
+    - sudo
+    - ssh
+
  'pepper.rre.nu':
    - dnsmasq