* Close #165 * Move existing `.kitchen.yml` => `kitchen.vagrant.yml` * Semi-automated using https://github.com/myii/ssf-formula/pull/30 * Fix errors shown below: ```bash openssh-formula$ yamllint -s . ./pillar.example 49:3 error duplication of key "AllowUsers" in mapping (key-duplicates) 57:3 error duplication of key "DenyUsers" in mapping (key-duplicates) 63:3 error duplication of key "AllowGroups" in mapping (key-duplicates) 70:3 error duplication of key "DenyGroups" in mapping (key-duplicates) 79:24 warning truthy value should be one of [false, true] (truthy) 80:29 warning truthy value should be one of [false, true] (truthy) 118:4 warning missing starting space in comment (comments) 119:4 warning missing starting space in comment (comments) 119:89 error line too long (122 > 88 characters) (line-length) 120:4 warning missing starting space in comment (comments) 120:89 error line too long (144 > 88 characters) (line-length) 147:30 warning truthy value should be one of [false, true] (truthy) 148:21 warning truthy value should be one of [false, true] (truthy) 149:19 warning truthy value should be one of [false, true] (truthy) 150:32 warning truthy value should be one of [false, true] (truthy) 151:26 warning truthy value should be one of [false, true] (truthy) 152:31 warning truthy value should be one of [false, true] (truthy) 153:32 warning truthy value should be one of [false, true] (truthy) 154:29 warning truthy value should be one of [false, true] (truthy) 155:34 warning truthy value should be one of [false, true] (truthy) 175:8 warning missing starting space in comment (comments) 175:89 error line too long (152 > 88 characters) (line-length) 176:8 warning missing starting space in comment (comments) 176:89 error line too long (126 > 88 characters) (line-length) 177:8 warning missing starting space in comment (comments) 177:89 error line too long (148 > 88 characters) (line-length) 213:18 warning truthy value should be one of [false, true] (truthy) 219:18 warning truthy value should be one of [false, true] (truthy) 225:18 warning truthy value should be one of [false, true] (truthy) 241:22 warning truthy value should be one of [false, true] (truthy) 243:22 warning truthy value should be one of [false, true] (truthy) 244:20 warning truthy value should be one of [false, true] (truthy) 245:21 warning truthy value should be one of [false, true] (truthy) 254:24 warning truthy value should be one of [false, true] (truthy) 255:22 warning truthy value should be one of [false, true] (truthy) 256:23 warning truthy value should be one of [false, true] (truthy) 265:22 warning truthy value should be one of [false, true] (truthy) 268:21 warning truthy value should be one of [false, true] (truthy) 269:20 warning truthy value should be one of [false, true] (truthy) 270:21 warning truthy value should be one of [false, true] (truthy) 279:26 warning truthy value should be one of [false, true] (truthy) 280:24 warning truthy value should be one of [false, true] (truthy) 281:25 warning truthy value should be one of [false, true] (truthy) 307:16 warning truthy value should be one of [false, true] (truthy) 308:6 warning missing starting space in comment (comments) 314:6 warning missing starting space in comment (comments) 316:24 warning truthy value should be one of [false, true] (truthy) 339:89 error line too long (546 > 88 characters) (line-length) 340:89 error line too long (546 > 88 characters) (line-length) 341:89 error line too long (546 > 88 characters) (line-length) 342:89 error line too long (546 > 88 characters) (line-length) 344:4 warning missing starting space in comment (comments) 345:4 warning missing starting space in comment (comments) 357:19 warning truthy value should be one of [false, true] (truthy) ./openssh/osfamilymap.yaml 1:1 warning missing document start "---" (document-start) ./openssh/osfingermap.yaml 1:1 warning missing document start "---" (document-start) ./openssh/osmap.yaml 1:1 warning missing document start "---" (document-start) ./openssh/defaults.yaml 1:1 warning missing document start "---" (document-start) 3:18 warning truthy value should be one of [false, true] (truthy) 6:34 warning too few spaces before comment (comments) 10:25 warning truthy value should be one of [false, true] (truthy) 12:32 warning too few spaces before comment (comments) 16:24 warning truthy value should be one of [false, true] (truthy) 18:24 warning too few spaces before comment (comments) 20:42 warning too few spaces before comment (comments) 27:6 warning missing starting space in comment (comments) ```tags/v0.42.0
@@ -1,3 +1,122 @@ | |||
*.swp | |||
.kitchen/ | |||
# Byte-compiled / optimized / DLL files | |||
__pycache__/ | |||
*.py[cod] | |||
*$py.class | |||
# C extensions | |||
*.so | |||
# Distribution / packaging | |||
.Python | |||
env/ | |||
build/ | |||
develop-eggs/ | |||
dist/ | |||
downloads/ | |||
eggs/ | |||
.eggs/ | |||
lib/ | |||
lib64/ | |||
parts/ | |||
sdist/ | |||
var/ | |||
wheels/ | |||
*.egg-info/ | |||
.installed.cfg | |||
*.egg | |||
# PyInstaller | |||
# Usually these files are written by a python script from a packager | |||
# before PyInstaller builds the exe, so as to inject date/other infos into it. | |||
*.manifest | |||
*.spec | |||
# Installer logs | |||
pip-log.txt | |||
pip-delete-this-directory.txt | |||
# Unit test / coverage reports | |||
htmlcov/ | |||
.tox/ | |||
.coverage | |||
.coverage.* | |||
.cache | |||
nosetests.xml | |||
coverage.xml | |||
*.cover | |||
.hypothesis/ | |||
.kitchen | |||
.kitchen.local.yml | |||
kitchen.local.yml | |||
junit-*.xml | |||
# Translations | |||
*.mo | |||
*.pot | |||
# Django stuff: | |||
*.log | |||
local_settings.py | |||
# Flask stuff: | |||
instance/ | |||
.webassets-cache | |||
# Scrapy stuff: | |||
.scrapy | |||
# Sphinx documentation | |||
docs/_build/ | |||
# PyBuilder | |||
target/ | |||
# Jupyter Notebook | |||
.ipynb_checkpoints | |||
# pyenv | |||
.python-version | |||
# celery beat schedule file | |||
celerybeat-schedule | |||
# SageMath parsed files | |||
*.sage.py | |||
# dotenv | |||
.env | |||
# virtualenv | |||
.venv | |||
venv/ | |||
ENV/ | |||
# Spyder project settings | |||
.spyderproject | |||
.spyproject | |||
# Rope project settings | |||
.ropeproject | |||
# mkdocs documentation | |||
/site | |||
# mypy | |||
.mypy_cache/ | |||
# Bundler | |||
Gemfile.lock | |||
# copied `.md` files used for conversion to `.rst` using `m2r` | |||
docs/*.md | |||
# Vim | |||
*.sw? | |||
## Collected when centralising formulas (check and sort) | |||
# `collectd-formula` | |||
.pytest_cache/ | |||
/.idea/ | |||
Dockerfile.*_* | |||
ignore/ | |||
tmp/ |
@@ -0,0 +1,86 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
dist: bionic | |||
stages: | |||
- test | |||
- lint | |||
- name: release | |||
if: branch = master AND type != pull_request | |||
sudo: required | |||
cache: bundler | |||
language: ruby | |||
services: | |||
- docker | |||
# Make sure the instances listed below match up with | |||
# the `platforms` defined in `kitchen.yml` | |||
env: | |||
matrix: | |||
- INSTANCE: default-debian-10-develop-py3 | |||
# - INSTANCE: default-ubuntu-1804-develop-py3 | |||
# - INSTANCE: default-centos-7-develop-py3 | |||
# - INSTANCE: default-fedora-30-develop-py3 | |||
# - INSTANCE: default-opensuse-leap-15-develop-py3 | |||
# - INSTANCE: default-amazonlinux-2-develop-py2 | |||
# - INSTANCE: default-debian-9-2019-2-py3 | |||
- INSTANCE: default-ubuntu-1804-2019-2-py3 | |||
# - INSTANCE: default-centos-7-2019-2-py3 | |||
# - INSTANCE: default-fedora-30-2019-2-py3 | |||
# - INSTANCE: default-opensuse-leap-15-2019-2-py3 | |||
- INSTANCE: default-amazonlinux-2-2019-2-py2 | |||
# - INSTANCE: default-debian-9-2018-3-py2 | |||
# - INSTANCE: default-ubuntu-1604-2018-3-py2 | |||
# - INSTANCE: default-centos-7-2018-3-py2 | |||
- INSTANCE: default-fedora-29-2018-3-py2 | |||
- INSTANCE: default-opensuse-leap-15-2018-3-py2 | |||
# - INSTANCE: default-amazonlinux-2-2018-3-py2 | |||
# - INSTANCE: default-debian-8-2017-7-py2 | |||
# - INSTANCE: default-ubuntu-1604-2017-7-py2 | |||
- INSTANCE: default-centos-6-2017-7-py2 | |||
# - INSTANCE: default-fedora-29-2017-7-py2 | |||
# - INSTANCE: default-opensuse-leap-15-2017-7-py2 | |||
# - INSTANCE: default-amazonlinux-2-2017-7-py2 | |||
script: | |||
- bin/kitchen verify ${INSTANCE} | |||
jobs: | |||
include: | |||
# Define the `lint` stage (runs `yamllint` and `commitlint`) | |||
- stage: lint | |||
language: node_js | |||
node_js: lts/* | |||
before_install: skip | |||
script: | |||
# Install and run `yamllint` | |||
# Need at least `v1.17.0` for the `yaml-files` setting | |||
- pip install --user yamllint>=1.17.0 | |||
- yamllint -s . | |||
# Install and run `commitlint` | |||
- npm install @commitlint/config-conventional -D | |||
- npm install @commitlint/travis-cli -D | |||
- commitlint-travis | |||
# Define the release stage that runs `semantic-release` | |||
- stage: release | |||
language: node_js | |||
node_js: lts/* | |||
before_install: skip | |||
script: | |||
# Update `AUTHORS.md` | |||
- export MAINTAINER_TOKEN=${GH_TOKEN} | |||
- go get github.com/myii/maintainer | |||
- maintainer contributor | |||
# Install all dependencies required for `semantic-release` | |||
- npm install @semantic-release/changelog@3 -D | |||
- npm install @semantic-release/exec@3 -D | |||
- npm install @semantic-release/git@7 -D | |||
deploy: | |||
provider: script | |||
skip_cleanup: true | |||
script: | |||
# Run `semantic-release` | |||
- npx semantic-release@15 |
@@ -0,0 +1,30 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
# Extend the `default` configuration provided by `yamllint` | |||
extends: default | |||
# Files to ignore completely | |||
# 1. All YAML files under directory `node_modules/`, introduced during the Travis run | |||
# 2. Any SLS files under directory `test/`, which are actually state files | |||
ignore: | | |||
node_modules/ | |||
test/**/states/**/*.sls | |||
yaml-files: | |||
# Default settings | |||
- '*.yaml' | |||
- '*.yml' | |||
- .yamllint | |||
# SaltStack Formulas additional settings | |||
- '*.example' | |||
- test/**/*.sls | |||
rules: | |||
empty-values: | |||
forbid-in-block-mappings: true | |||
forbid-in-flow-mappings: true | |||
line-length: | |||
# Increase from default of `80` | |||
# Based on https://github.com/PyCQA/flake8-bugbear#opinionated-warnings (`B950`) | |||
max: 88 |
@@ -0,0 +1,9 @@ | |||
name: openssh | |||
os: Debian, Ubuntu, Raspbian, RedHat, Fedora, CentOS, Suse, openSUSE, Gentoo, Funtoo, Arch, Manjaro, Alpine, FreeBSD, OpenBSD, Solaris, SmartOS, Windows, MacOS | |||
os_family: Debian, RedHat, Suse, Gentoo, Arch, Alpine, FreeBSD, OpenBSD, Solaris, Windows, MacOS | |||
version: 0.41.0 | |||
release: 1 | |||
minimum_version: 2017.7 | |||
summary: openssh formula | |||
description: Install and configure an openssh server | |||
top_level_dir: openssh |
@@ -0,0 +1,6 @@ | |||
source "https://rubygems.org" | |||
gem 'kitchen-docker', '>= 2.9' | |||
gem 'kitchen-salt', '>= 0.6.0' | |||
gem 'kitchen-inspec', '>= 1.1' | |||
@@ -0,0 +1,29 @@ | |||
#!/usr/bin/env ruby | |||
# frozen_string_literal: true | |||
# | |||
# This file was generated by Bundler. | |||
# | |||
# The application 'kitchen' is installed as part of a gem, and | |||
# this file is here to facilitate running it. | |||
# | |||
require "pathname" | |||
ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile", | |||
Pathname.new(__FILE__).realpath) | |||
bundle_binstub = File.expand_path("../bundle", __FILE__) | |||
if File.file?(bundle_binstub) | |||
if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/ | |||
load(bundle_binstub) | |||
else | |||
abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run. | |||
Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.") | |||
end | |||
end | |||
require "rubygems" | |||
require "bundler/setup" | |||
load Gem.bin_path("test-kitchen", "kitchen") |
@@ -0,0 +1,3 @@ | |||
module.exports = { | |||
extends: ['@commitlint/config-conventional'], | |||
}; |
@@ -0,0 +1,159 @@ | |||
.. _contributing: | |||
How to contribute | |||
================= | |||
This document will eventually outline all aspects of guidance to make your contributing experience a fruitful and enjoyable one. | |||
What it already contains is information about *commit message formatting* and how that directly affects the numerous automated processes that are used for this repo. | |||
It also covers how to contribute to this *formula's documentation*. | |||
.. contents:: **Table of Contents** | |||
Overview | |||
-------- | |||
Submitting a pull request is more than just code! | |||
To achieve a quality product, the *tests* and *documentation* need to be updated as well. | |||
An excellent pull request will include these in the changes, wherever relevant. | |||
Commit message formatting | |||
------------------------- | |||
Since every type of change requires making Git commits, | |||
we will start by covering the importance of ensuring that all of your commit | |||
messages are in the correct format. | |||
Automation of multiple processes | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
This formula uses `semantic-release <https://github.com/semantic-release/semantic-release>`_ for automating numerous processes such as bumping the version number appropriately, creating new tags/releases and updating the changelog. | |||
The entire process relies on the structure of commit messages to determine the version bump, which is then used for the rest of the automation. | |||
Full details are available in the upstream docs regarding the `Angular Commit Message Conventions <https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#-git-commit-guidelines>`_. | |||
The key factor is that the first line of the commit message must follow this format: | |||
.. code-block:: | |||
type(scope): subject | |||
* E.g. ``docs(contributing): add commit message formatting instructions``. | |||
Besides the version bump, the changelog and release notes are formatted accordingly. | |||
So based on the example above: | |||
.. | |||
.. raw:: html | |||
<h3>Documentation</h3> | |||
* **contributing:** add commit message formatting instructions | |||
* The ``type`` translates into a ``Documentation`` sub-heading. | |||
* The ``(scope):`` will be shown in bold text without the brackets. | |||
* The ``subject`` follows the ``scope`` as standard text. | |||
Linting commit messages in Travis CI | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
This formula uses `commitlint <https://github.com/conventional-changelog/commitlint>`_ for checking commit messages during CI testing. | |||
This ensures that they are in accordance with the ``semantic-release`` settings. | |||
For more details about the default settings, refer back to the ``commitlint`` `reference rules <https://conventional-changelog.github.io/commitlint/#/reference-rules>`_. | |||
Relationship between commit type and version bump | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
This formula applies some customisations to the defaults, as outlined in the table below, | |||
based upon the `type <https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#type>`_ of the commit: | |||
.. list-table:: | |||
:name: commit-type-vs-version-bump | |||
:header-rows: 1 | |||
:stub-columns: 0 | |||
:widths: 1,2,3,1,1 | |||
* - Type | |||
- Heading | |||
- Description | |||
- Bump (default) | |||
- Bump (custom) | |||
* - ``build`` | |||
- Build System | |||
- Changes related to the build system | |||
- – | |||
- | |||
* - ``chore`` | |||
- – | |||
- Changes to the build process or auxiliary tools and libraries such as | |||
documentation generation | |||
- – | |||
- | |||
* - ``ci`` | |||
- Continuous Integration | |||
- Changes to the continuous integration configuration | |||
- – | |||
- | |||
* - ``docs`` | |||
- Documentation | |||
- Documentation only changes | |||
- – | |||
- 0.0.1 | |||
* - ``feat`` | |||
- Features | |||
- A new feature | |||
- 0.1.0 | |||
- | |||
* - ``fix`` | |||
- Bug Fixes | |||
- A bug fix | |||
- 0.0.1 | |||
- | |||
* - ``perf`` | |||
- Performance Improvements | |||
- A code change that improves performance | |||
- 0.0.1 | |||
- | |||
* - ``refactor`` | |||
- Code Refactoring | |||
- A code change that neither fixes a bug nor adds a feature | |||
- – | |||
- 0.0.1 | |||
* - ``revert`` | |||
- Reverts | |||
- A commit used to revert a previous commit | |||
- – | |||
- 0.0.1 | |||
* - ``style`` | |||
- Styles | |||
- Changes that do not affect the meaning of the code (white-space, | |||
formatting, missing semi-colons, etc.) | |||
- – | |||
- 0.0.1 | |||
* - ``test`` | |||
- Tests | |||
- Adding missing or correcting existing tests | |||
- – | |||
- 0.0.1 | |||
Use ``BREAKING CHANGE`` to trigger a ``major`` version change | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
Adding ``BREAKING CHANGE`` to the footer of the extended description of the commit message will **always** trigger a ``major`` version change, no matter which type has been used. | |||
This will be appended to the changelog and release notes as well. | |||
To preserve good formatting of these notes, the following format is prescribed: | |||
* ``BREAKING CHANGE: <explanation in paragraph format>.`` | |||
An example of that: | |||
.. code-block:: git | |||
... | |||
BREAKING CHANGE: With the removal of all of the `.sls` files under | |||
`template package`, this formula no longer supports the installation of | |||
packages. | |||
@@ -1,47 +1,78 @@ | |||
.. _readme: | |||
openssh | |||
======= | |||
|img_travis| |img_sr| | |||
.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/openssh-formula.svg?branch=master | |||
:alt: Travis CI Build Status | |||
:scale: 100% | |||
:target: https://travis-ci.com/saltstack-formulas/openssh-formula | |||
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg | |||
:alt: Semantic Release | |||
:scale: 100% | |||
:target: https://github.com/semantic-release/semantic-release | |||
Install and configure an openssh server. | |||
.. note:: | |||
.. contents:: **Table of Contents** | |||
General notes | |||
------------- | |||
See the full `SaltStack Formulas installation and usage instructions | |||
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_. | |||
If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section | |||
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_. | |||
If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``, | |||
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_. | |||
See the full `Salt Formulas installation and usage instructions | |||
<http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_. | |||
See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details. | |||
Contributing to this repo | |||
------------------------- | |||
**Commit message formatting is significant!!** | |||
Please see :ref:`How to contribute <CONTRIBUTING>` for more details. | |||
Available states | |||
================ | |||
---------------- | |||
.. contents:: | |||
:local: | |||
:local: | |||
``openssh`` | |||
----------- | |||
^^^^^^^^^^^ | |||
Installs the ``openssh`` server package and service. | |||
``openssh.auth`` | |||
----------- | |||
^^^^^^^^^^^^^^^^ | |||
Manages SSH certificates for users. | |||
``openssh.auth_map`` | |||
----------- | |||
^^^^^^^^^^^^^^^^^^^^ | |||
Same functionality as openssh.auth but with a simplified Pillar syntax. | |||
Plays nicely with `Pillarstack | |||
<https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.stack.html>`_. | |||
``openssh.banner`` | |||
------------------ | |||
^^^^^^^^^^^^^^^^^^ | |||
Installs a banner that users see when SSH-ing in. | |||
``openssh.client`` | |||
------------------ | |||
^^^^^^^^^^^^^^^^^^ | |||
Installs the openssh client package. | |||
``openssh.config`` | |||
------------------ | |||
^^^^^^^^^^^^^^^^^^ | |||
Installs the ssh daemon configuration file included in this formula | |||
(under "openssh/files"). This configuration file is populated | |||
@@ -52,7 +83,7 @@ It is highly recommended ``PermitRootLogin`` is added to pillar | |||
so root login will be disabled. | |||
``openssh.config_ini`` | |||
---------------------- | |||
^^^^^^^^^^^^^^^^^^^^^^ | |||
Version of managing ``sshd_config`` that uses the | |||
`ini_managed.option_present <https://docs.saltstack.com/en/latest/ref/states/all/salt.states.ini_manage.html>`_ | |||
@@ -62,7 +93,7 @@ distribution. | |||
``openssh.known_hosts`` | |||
----------------------- | |||
^^^^^^^^^^^^^^^^^^^^^^^ | |||
Manages ``/etc/ssh/ssh_known_hosts`` and fills it with the | |||
public SSH host keys of your minions (collected via the Salt mine) | |||
@@ -182,6 +213,52 @@ To **include localhost** and local IP addresses (``127.0.0.1`` and ``::1``) use | |||
include_localhost: True | |||
``openssh.moduli`` | |||
----------------------- | |||
^^^^^^^^^^^^^^^^^^ | |||
Manages the system wide ``/etc/ssh/moduli`` file. | |||
Testing | |||
------- | |||
Linux testing is done with ``kitchen-salt``. | |||
Requirements | |||
^^^^^^^^^^^^ | |||
* Ruby | |||
* Docker | |||
.. code-block:: bash | |||
$ gem install bundler | |||
$ bundle install | |||
$ bin/kitchen test [platform] | |||
Where ``[platform]`` is the platform name defined in ``kitchen.yml``, | |||
e.g. ``debian-9-2019-2-py3``. | |||
``bin/kitchen converge`` | |||
^^^^^^^^^^^^^^^^^^^^^^^^ | |||
Creates the docker instance and runs the ``template`` main state, ready for testing. | |||
``bin/kitchen verify`` | |||
^^^^^^^^^^^^^^^^^^^^^^ | |||
Runs the ``inspec`` tests on the actual instance. | |||
``bin/kitchen destroy`` | |||
^^^^^^^^^^^^^^^^^^^^^^^ | |||
Removes the docker instance. | |||
``bin/kitchen test`` | |||
^^^^^^^^^^^^^^^^^^^^ | |||
Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``. | |||
``bin/kitchen login`` | |||
^^^^^^^^^^^^^^^^^^^^^ | |||
Gives you SSH access to the instance for manual testing. | |||
@@ -39,7 +39,7 @@ Using SaltStack is a simple and effective way to implement configuration managem | |||
To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. | |||
There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/spsoit/nginx-formula/blob/81de880fe0276dd9488ffa15bc78944c0fc2b919/nginx/ng/files/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. | |||
There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/saltstack-formulas/nginx-formula/blob/f74254c07e188bd448eaf1c5f9c802d78c4c005e/nginx/files/default/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. | |||
In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. | |||
@@ -325,6 +325,7 @@ We can simplify the ``conf.sls`` with the new ``files_switch`` macro to use in t | |||
* This uses ``config.get``, searching for ``ntp:tofs:source_files:Configure NTP`` to determine the list of template files to use. | |||
* If this returns a result, the default of ``['/etc/ntp.conf.jinja']`` will be appended to it. | |||
* If this does not yield any results, the default of ``['/etc/ntp.conf.jinja']`` will be used. | |||
In ``libtofs.jinja``, we define this new macro ``files_switch``. | |||
@@ -426,7 +427,6 @@ The list of ``source_files`` can be given: | |||
tofs: | |||
source_files: | |||
Configure NTP: | |||
- '/etc/ntp.conf.jinja' | |||
- '/etc/ntp.conf_alt.jinja' | |||
Resulting in: | |||
@@ -434,10 +434,85 @@ Resulting in: | |||
.. code-block:: sls | |||
- source: | |||
- salt://ntp/files/theminion/etc/ntp.conf.jinja | |||
- salt://ntp/files/theminion/etc/ntp.conf_alt.jinja | |||
- salt://ntp/files/Debian/etc/ntp.conf.jinja | |||
- salt://ntp/files/theminion/etc/ntp.conf.jinja | |||
- salt://ntp/files/Debian/etc/ntp.conf_alt.jinja | |||
- salt://ntp/files/default/etc/ntp.conf.jinja | |||
- salt://ntp/files/Debian/etc/ntp.conf.jinja | |||
- salt://ntp/files/default/etc/ntp.conf_alt.jinja | |||
- salt://ntp/files/default/etc/ntp.conf.jinja | |||
Note: This does *not* override the default value. | |||
Rather, the value from the pillar/config is prepended to the default. | |||
Using sub-directories for ``components`` | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
If your formula is composed of several components, you may prefer to provides files under sub-directories, like in the `systemd-formula <https://github.com/saltstack-formulas/systemd-formula>`_. | |||
.. code-block:: | |||
/srv/saltstack/systemd-formula/ | |||
systemd/ | |||
init.sls | |||
libtofs.jinja | |||
map.jinja | |||
networkd/ | |||
init.sls | |||
files/ | |||
default/ | |||
network/ | |||
99-default.link | |||
resolved/ | |||
init.sls | |||
files/ | |||
default/ | |||
resolved.conf | |||
timesyncd/ | |||
init.sls | |||
files/ | |||
Arch/ | |||
resolved.conf | |||
Debian/ | |||
resolved.conf | |||
default/ | |||
resolved.conf | |||
Ubuntu/ | |||
resolved.conf | |||
For example, the following ``formula.component.config`` SLS: | |||
.. code-block:: sls | |||
{%- from "formula/libtofs.jinja" import files_switch with context %} | |||
formula configuration file: | |||
file.managed: | |||
- name: /etc/formula.conf | |||
- user: root | |||
- group: root | |||
- mode: 644 | |||
- template: jinja | |||
- source: {{ files_switch(['formula.conf'], | |||
lookup='formula', | |||
use_subpath=True | |||
) | |||
}} | |||
will be rendered on a ``Debian`` minion named ``salt-formula.ci.local`` as: | |||
.. code-block:: sls | |||
formula configuration file: | |||
file.managed: | |||
- name: /etc/formula.conf | |||
- user: root | |||
- group: root | |||
- mode: 644 | |||
- template: jinja | |||
- source: | |||
- salt://formula/component/files/salt-formula.ci.local/formula.conf | |||
- salt://formula/component/files/Debian/formula.conf | |||
- salt://formula/component/files/default/formula.conf | |||
- salt://formula/files/salt-formula.ci.local/formula.conf | |||
- salt://formula/files/Debian/formula.conf | |||
- salt://formula/files/default/formula.conf |
@@ -1,3 +1,5 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
driver: | |||
name: vagrant |
@@ -0,0 +1,167 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
# For help on this file's format, see https://kitchen.ci/ | |||
driver: | |||
name: docker | |||
use_sudo: false | |||
privileged: true | |||
run_command: /lib/systemd/systemd | |||
# Make sure the platforms listed below match up with | |||
# the `env.matrix` instances defined in `.travis.yml` | |||
platforms: | |||
## SALT `develop` | |||
- name: debian-10-develop-py3 | |||
driver: | |||
image: netmanagers/salt-develop-py3:debian-10 | |||
provision_command: | |||
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com | |||
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop | |||
- name: ubuntu-1804-develop-py3 | |||
driver: | |||
image: netmanagers/salt-develop-py3:ubuntu-18.04 | |||
provision_command: | |||
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com | |||
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop | |||
- name: centos-7-develop-py3 | |||
driver: | |||
image: netmanagers/salt-develop-py3:centos-7 | |||
provision_command: | |||
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com | |||
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop | |||
- name: fedora-30-develop-py3 | |||
driver: | |||
image: netmanagers/salt-develop-py3:fedora-30 | |||
provision_command: | |||
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com | |||
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop | |||
- name: opensuse-leap-15-develop-py3 | |||
driver: | |||
image: netmanagers/salt-develop-py3:opensuse-leap-15 | |||
provision_command: | |||
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com | |||
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop | |||
run_command: /usr/lib/systemd/systemd | |||
# Workaround to avoid intermittent failures on `opensuse-leap-15`: | |||
# => SCP did not finish successfully (255): (Net::SCP::Error) | |||
transport: | |||
max_ssh_sessions: 1 | |||
- name: amazonlinux-2-develop-py2 | |||
driver: | |||
image: netmanagers/salt-develop-py2:amazonlinux-2 | |||
provision_command: | |||
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com | |||
- sh bootstrap-salt.sh -XdPbfrq -x python2 git develop | |||
## SALT `2019.2` | |||
- name: debian-9-2019-2-py3 | |||
driver: | |||
image: netmanagers/salt-2019.2-py3:debian-9 | |||
- name: ubuntu-1804-2019-2-py3 | |||
driver: | |||
image: netmanagers/salt-2019.2-py3:ubuntu-18.04 | |||
- name: centos-7-2019-2-py3 | |||
driver: | |||
image: netmanagers/salt-2019.2-py3:centos-7 | |||
- name: fedora-30-2019-2-py3 | |||
driver: | |||
image: netmanagers/salt-2019.2-py3:fedora-30 | |||
- name: opensuse-leap-15-2019-2-py3 | |||
driver: | |||
image: netmanagers/salt-2019.2-py3:opensuse-leap-15 | |||
run_command: /usr/lib/systemd/systemd | |||
# Workaround to avoid intermittent failures on `opensuse-leap-15`: | |||
# => SCP did not finish successfully (255): (Net::SCP::Error) | |||
transport: | |||
max_ssh_sessions: 1 | |||
- name: amazonlinux-2-2019-2-py2 | |||
driver: | |||
image: netmanagers/salt-2019.2-py2:amazonlinux-2 | |||
## SALT `2018.3` | |||
- name: debian-9-2018-3-py2 | |||
driver: | |||
image: netmanagers/salt-2018.3-py2:debian-9 | |||
- name: ubuntu-1604-2018-3-py2 | |||
driver: | |||
image: netmanagers/salt-2018.3-py2:ubuntu-16.04 | |||
- name: centos-7-2018-3-py2 | |||
driver: | |||
image: netmanagers/salt-2018.3-py2:centos-7 | |||
- name: fedora-29-2018-3-py2 | |||
driver: | |||
image: netmanagers/salt-2018.3-py2:fedora-29 | |||
- name: opensuse-leap-15-2018-3-py2 | |||
driver: | |||
image: netmanagers/salt-2018.3-py2:opensuse-leap-15 | |||
run_command: /usr/lib/systemd/systemd | |||
# Workaround to avoid intermittent failures on `opensuse-leap-15`: | |||
# => SCP did not finish successfully (255): (Net::SCP::Error) | |||
transport: | |||
max_ssh_sessions: 1 | |||
- name: amazonlinux-2-2018-3-py2 | |||
driver: | |||
image: netmanagers/salt-2018.3-py2:amazonlinux-2 | |||
## SALT `2017.7` | |||
- name: debian-8-2017-7-py2 | |||
driver: | |||
image: netmanagers/salt-2017.7-py2:debian-8 | |||
- name: ubuntu-1604-2017-7-py2 | |||
driver: | |||
image: netmanagers/salt-2017.7-py2:ubuntu-16.04 | |||
- name: centos-6-2017-7-py2 | |||
driver: | |||
image: netmanagers/salt-2017.7-py2:centos-6 | |||
run_command: /sbin/init | |||
- name: fedora-29-2017-7-py2 | |||
driver: | |||
image: netmanagers/salt-2017.7-py2:fedora-29 | |||
- name: opensuse-leap-15-2017-7-py2 | |||
driver: | |||
image: netmanagers/salt-2017.7-py2:opensuse-leap-15 | |||
run_command: /usr/lib/systemd/systemd | |||
# Workaround to avoid intermittent failures on `opensuse-leap-15`: | |||
# => SCP did not finish successfully (255): (Net::SCP::Error) | |||
transport: | |||
max_ssh_sessions: 1 | |||
- name: amazonlinux-2-2017-7-py2 | |||
driver: | |||
image: netmanagers/salt-2017.7-py2:amazonlinux-2 | |||
provisioner: | |||
name: salt_solo | |||
log_level: info | |||
salt_install: none | |||
require_chef: false | |||
formula: openssh | |||
salt_copy_filter: | |||
- .kitchen | |||
- .git | |||
verifier: | |||
# https://www.inspec.io/ | |||
name: inspec | |||
sudo: true | |||
# cli, documentation, html, progress, json, json-min, json-rspec, junit | |||
reporter: | |||
- cli | |||
suites: | |||
- name: default | |||
provisioner: | |||
state_top: | |||
base: | |||
'*': | |||
- openssh | |||
pillars: | |||
top.sls: | |||
base: | |||
'*': | |||
- openssh | |||
pillars_from_files: | |||
openssh.sls: test/salt/pillar/default.sls | |||
verifier: | |||
inspec_tests: | |||
- path: test/integration/default |
@@ -1,30 +1,33 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
default: | |||
openssh: | |||
sshd_enable: True | |||
sshd_enable: true | |||
sshd_binary: /usr/sbin/sshd | |||
sshd_config: /etc/ssh/sshd_config | |||
sshd_config_src: sshd_config # Default TOFS source filename | |||
sshd_config_src: sshd_config # Default TOFS source filename | |||
sshd_config_user: root | |||
sshd_config_group: root | |||
sshd_config_mode: '644' | |||
sshd_config_backup: True | |||
sshd_config_backup: true | |||
ssh_config: /etc/ssh/ssh_config | |||
ssh_config_src: ssh_config # Default TOFS source filename | |||
ssh_config_src: ssh_config # Default TOFS source filename | |||
ssh_config_user: root | |||
ssh_config_group: root | |||
ssh_config_mode: '644' | |||
ssh_config_backup: True | |||
ssh_config_backup: true | |||
banner: /etc/ssh/banner | |||
banner_src: banner # Default TOFS source filename | |||
banner_src: banner # Default TOFS source filename | |||
ssh_known_hosts: /etc/ssh/ssh_known_hosts | |||
ssh_known_hosts_src: ssh_known_hosts # Default TOFS source filename | |||
ssh_known_hosts_src: ssh_known_hosts # Default TOFS source filename | |||
dig_pkg: dnsutils | |||
ssh_moduli: /etc/ssh/moduli | |||
root_group: root | |||
# Prevent merge of array; always override values | |||
host_key_algos: ecdsa,ed25519,rsa | |||
# To manage/remove DSA: | |||
#host_key_algos: dsa,ecdsa,ed25519,rsa | |||
# host_key_algos: dsa,ecdsa,ed25519,rsa | |||
sshd_config: {} | |||
ssh_config: {} |
@@ -2,7 +2,7 @@ | |||
lookup=None, | |||
default_files_switch=['id', 'os_family'], | |||
indent_width=6, | |||
v1_path_prefix='') %} | |||
use_subpath=False) %} | |||
{#- | |||
Returns a valid value for the "source" parameter of a "file.managed" | |||
state function. This makes easier the usage of the Template Override and | |||
@@ -10,15 +10,15 @@ | |||
Params: | |||
* source_files: ordered list of files to look for | |||
* lookup: key under '<tplroot>:tofs:source_files' to override | |||
* lookup: key under '<tplroot>:tofs:source_files' to prepend to the | |||
list of source files | |||
* default_files_switch: if there's no config (e.g. pillar) | |||
'<tplroot>:tofs:files_switch' this is the ordered list of grains to | |||
use as selector switch of the directories under | |||
"<path_prefix>/files" | |||
* indent_witdh: indentation of the result value to conform to YAML | |||
* v1_path_prefix: (deprecated) only used for injecting a path prefix into | |||
the source, to support older TOFS configs | |||
* use_subpath: defaults to `False` but if set, lookup the source file | |||
recursively from the current state directory up to `tplroot` | |||
Example (based on a `tplroot` of `xxx`): | |||
@@ -55,20 +55,24 @@ | |||
tplroot ~ ':tofs:files_switch', | |||
default_files_switch | |||
) %} | |||
{#- Lookup source_files (v2), files (v1), or fallback to source_files parameter #} | |||
{#- Lookup source_files (v2), files (v1), or fallback to an empty list #} | |||
{%- set src_files = salt['config.get']( | |||
tplroot ~ ':tofs:source_files:' ~ lookup, | |||
salt['config.get']( | |||
tplroot ~ ':tofs:files:' ~ lookup, | |||
source_files | |||
) | |||
salt['config.get'](tplroot ~ ':tofs:files:' ~ lookup, []) | |||
) %} | |||
{#- Append the default source_files #} | |||
{%- set src_files = src_files + source_files %} | |||
{#- Only add to [''] when supporting older TOFS implementations #} | |||
{%- set path_prefix_exts = [''] %} | |||
{%- if v1_path_prefix != '' %} | |||
{%- do path_prefix_exts.append(v1_path_prefix) %} | |||
{%- if use_subpath and tplroot != tpldir %} | |||
{#- Walk directory tree to find {{ files_dir }} #} | |||
{%- set subpath_parts = tpldir.lstrip(tplroot).lstrip('/').split('/') %} | |||
{%- for path in subpath_parts %} | |||
{%- set subpath = subpath_parts[0:loop.index] | join('/') %} | |||
{%- do path_prefix_exts.append('/' ~ subpath) %} | |||
{%- endfor %} | |||
{%- endif %} | |||
{%- for path_prefix_ext in path_prefix_exts %} | |||
{%- for path_prefix_ext in path_prefix_exts|reverse %} | |||
{%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %} | |||
{#- For older TOFS implementation, use `files_switch` from the config #} | |||
{#- Use the default, new method otherwise #} | |||
@@ -83,18 +87,25 @@ | |||
{%- for fs in fsl %} | |||
{%- for src_file in src_files %} | |||
{%- if fs %} | |||
{%- set fs_dir = salt['config.get'](fs, fs) %} | |||
{%- set fs_dirs = salt['config.get'](fs, fs) %} | |||
{%- else %} | |||
{%- set fs_dir = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %} | |||
{%- set fs_dirs = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %} | |||
{%- endif %} | |||
{#- Force the `config.get` lookup result as a list where necessary #} | |||
{#- since we need to also handle grains that are lists #} | |||
{%- if fs_dirs is string %} | |||
{%- set fs_dirs = [fs_dirs] %} | |||
{%- endif %} | |||
{%- set url = [ | |||
'- salt:/', | |||
path_prefix_inc_ext.strip('/'), | |||
files_dir.strip('/'), | |||
fs_dir.strip('/'), | |||
src_file.strip('/'), | |||
] | select | join('/') %} | |||
{%- for fs_dir in fs_dirs %} | |||
{%- set url = [ | |||
'- salt:/', | |||
path_prefix_inc_ext.strip('/'), | |||
files_dir.strip('/'), | |||
fs_dir.strip('/'), | |||
src_file.strip('/'), | |||
] | select | join('/') %} | |||
{{ url | indent(indent_width, true) }} | |||
{%- endfor %} | |||
{%- endfor %} | |||
{%- endfor %} | |||
{%- endfor %} |
@@ -1,3 +1,6 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
Arch: | |||
openssh: | |||
server: openssh |
@@ -1,3 +1,6 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
Ubuntu-18.04: {} | |||
CentOS-6: | |||
openssh: |
@@ -1 +1,4 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
FreeBSD: {} |
@@ -1,3 +1,6 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
sshd_config: | |||
# This keyword is totally optional | |||
ConfigBanner: | | |||
@@ -41,7 +44,7 @@ sshd_config: | |||
UsePAM: 'yes' | |||
UseDNS: 'yes' | |||
# set as string | |||
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' | |||
# AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' | |||
# or set as list | |||
AllowUsers: | |||
- vader@10.0.0.1 | |||
@@ -49,20 +52,20 @@ sshd_config: | |||
- sidious | |||
- luke | |||
# set as string | |||
DenyUsers: 'yoda chewbaca@112.10.21.1' | |||
# DenyUsers: 'yoda chewbaca@112.10.21.1' | |||
# or set as list | |||
DenyUsers: | |||
- yoda | |||
- chewbaca@112.10.21.1 | |||
# set as string | |||
AllowGroups: 'wheel staff imperial' | |||
# AllowGroups: 'wheel staff imperial' | |||
# or set as list | |||
AllowGroups: | |||
- wheel | |||
- staff | |||
- imperial | |||
# set as string | |||
DenyGroups: 'rebel' | |||
# DenyGroups: 'rebel' | |||
# or set as list | |||
DenyGroups: | |||
- rebel | |||
@@ -73,8 +76,8 @@ sshd_config: | |||
Group: sftpusers | |||
options: | |||
ChrootDirectory: /sftp-chroot/%u | |||
X11Forwarding: no | |||
AllowTcpForwarding: no | |||
X11Forwarding: 'no' | |||
AllowTcpForwarding: 'no' | |||
ForceCommand: internal-sftp | |||
# Supports complex compound matches in Match criteria. For example, be able | |||
# to match against multiple Users for a given Match, or be able to match | |||
@@ -108,13 +111,15 @@ sshd_config: | |||
options: | |||
ChrootDirectory: /ex/%u | |||
# yamllint disable rule:line-length | |||
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. | |||
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list. | |||
# The configuration given in the example below is based on: | |||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html | |||
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' | |||
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |||
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |||
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' | |||
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |||
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |||
# yamllint enable rule:line-length | |||
KexAlgorithms: | |||
- 'curve25519-sha256@libssh.org' | |||
- 'diffie-hellman-group-exchange-sha256' | |||
@@ -141,15 +146,15 @@ sshd_config: | |||
ssh_config: | |||
Hosts: | |||
'*': | |||
StrictHostKeyChecking: no | |||
ForwardAgent: no | |||
ForwardX11: no | |||
RhostsRSAAuthentication: no | |||
RSAAuthentication: yes | |||
PasswordAuthentication: yes | |||
HostbasedAuthentication: no | |||
GSSAPIAuthentication: no | |||
GSSAPIDelegateCredentials: no | |||
StrictHostKeyChecking: 'no' | |||
ForwardAgent: 'no' | |||
ForwardX11: 'no' | |||
RhostsRSAAuthentication: 'no' | |||
RSAAuthentication: 'yes' | |||
PasswordAuthentication: 'yes' | |||
HostbasedAuthentication: 'no' | |||
GSSAPIAuthentication: 'no' | |||
GSSAPIDelegateCredentials: 'no' | |||
BatchMode: 'yes' | |||
CheckHostIP: 'yes' | |||
AddressFamily: 'any' | |||
@@ -162,6 +167,7 @@ ssh_config: | |||
TunnelDevice: 'any:any' | |||
PermitLocalCommand: 'no' | |||
VisualHostKey: 'no' | |||
# yamllint disable rule:line-length | |||
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first. | |||
# WARNING! Please make sure you understand the implications of the below | |||
# settings. The examples provided below might break your connection to older / | |||
@@ -169,9 +175,10 @@ ssh_config: | |||
# The configuration given in the example below is based on: | |||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html | |||
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list. | |||
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' | |||
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |||
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |||
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' | |||
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |||
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |||
# yamllint enable rule:line-length | |||
KexAlgorithms: | |||
- 'curve25519-sha256@libssh.org' | |||
- 'diffie-hellman-group-exchange-sha256' | |||
@@ -207,19 +214,19 @@ openssh: | |||
auth: | |||
joe-valid-ssh-key-desktop: | |||
- user: joe | |||
present: True | |||
present: true | |||
enc: ssh-rsa | |||
comment: main key - desktop | |||
source: salt://ssh_keys/joe.desktop.pub | |||
joe-valid-ssh-key-notebook: | |||
- user: joe | |||
present: True | |||
present: true | |||
enc: ssh-rsa | |||
comment: main key - notebook | |||
source: salt://ssh_keys/joe.netbook.pub | |||
joe-non-valid-ssh-key: | |||
- user: joe | |||
present: False | |||
present: false | |||
enc: ssh-rsa | |||
comment: obsolete key - removed | |||
source: salt://ssh_keys/joe.no-valid.pub | |||
@@ -235,11 +242,11 @@ openssh: | |||
joe.netbook: | |||
options: [] # see salt.states.ssh_auth.present | |||
joe.no-valid: | |||
present: False | |||
present: false | |||
generate_dsa_keys: False | |||
absent_dsa_keys: False | |||
provide_dsa_keys: False | |||
generate_dsa_keys: false | |||
absent_dsa_keys: false | |||
provide_dsa_keys: false | |||
dsa: | |||
private_key: | | |||
-----BEGIN DSA PRIVATE KEY----- | |||
@@ -248,9 +255,9 @@ openssh: | |||
public_key: | | |||
ssh-dss NOT_DEFINED | |||
generate_ecdsa_keys: False | |||
absent_ecdsa_keys: False | |||
provide_ecdsa_keys: False | |||
generate_ecdsa_keys: false | |||
absent_ecdsa_keys: false | |||
provide_ecdsa_keys: false | |||
ecdsa: | |||
private_key: | | |||
-----BEGIN EC PRIVATE KEY----- | |||
@@ -259,12 +266,12 @@ openssh: | |||
public_key: | | |||
ecdsa-sha2-nistp256 NOT_DEFINED | |||
generate_rsa_keys: False | |||
generate_rsa_keys: false | |||
generate_rsa_size: 4096 | |||
# Will remove the old key if it is to short and generate a new one. | |||
enforce_rsa_size: False | |||
absent_rsa_keys: False | |||
provide_rsa_keys: False | |||
enforce_rsa_size: false | |||
absent_rsa_keys: false | |||
provide_rsa_keys: false | |||
rsa: | |||
private_key: | | |||
-----BEGIN RSA PRIVATE KEY----- | |||
@@ -273,9 +280,9 @@ openssh: | |||
public_key: | | |||
ssh-rsa NOT_DEFINED | |||
generate_ed25519_keys: False | |||
absent_ed25519_keys: False | |||
provide_ed25519_keys: False | |||
generate_ed25519_keys: false | |||
absent_ed25519_keys: false | |||
provide_ed25519_keys: false | |||
ed25519: | |||
private_key: | | |||
-----BEGIN OPENSSH PRIVATE KEY----- | |||
@@ -301,16 +308,16 @@ openssh: | |||
# Includes short hostnames derived from the FQDN | |||
# (host.example.test -> host) | |||
# (Deactivated by default, because there can be collisions!) | |||
hostnames: False | |||
#hostnames: | |||
hostnames: false | |||
# hostnames: | |||
# Restrict wich hosts you want to use via their hostname | |||
# (i.e. ssh user@host instead of ssh user@host.example.com) | |||
# target: '*' # Defaults to "*.{{ grains['domain']}}" | |||
# tgt_type: 'glob' | |||
# To activate the defaults you can just set an empty dict. | |||
#hostnames: {} | |||
# Include localhost, 127.0.0.1 and ::1 (default: False) | |||
include_localhost: False | |||
# hostnames: {} | |||
# Include localhost, 127.0.0.1 and ::1 (default: false) | |||
include_localhost: false | |||
# Host keys fetched via salt-ssh | |||
salt_ssh: | |||
# The salt-ssh user | |||
@@ -330,6 +337,7 @@ openssh: | |||
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' | |||
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' | |||
# yamllint disable rule:line-length | |||
# specify DH parameters (see /etc/ssh/moduli) | |||
moduli: | | |||
# Time Type Tests Tries Size Generator Modulus | |||
@@ -337,9 +345,10 @@ openssh: | |||
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB | |||
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 | |||
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F | |||
# yamllint enable rule:line-length | |||
# ALTERNATIVELY, specify the location of the moduli file. Examples: | |||
#moduli_source: http://some.server.somewhere/salt/moduli | |||
#moduli_source: salt://files/ssh/moduli | |||
# moduli_source: http://some.server.somewhere/salt/moduli | |||
# moduli_source: salt://files/ssh/moduli | |||
# If moduli is specified, moduli_source will be ignored. | |||
# Also, a proper hash file *must* be included in the same path. E.g.: | |||
# http://some.server.somewhere/salt/moduli.hash | |||
@@ -351,7 +360,7 @@ mine_functions: | |||
public_ssh_host_keys: | |||
mine_function: cmd.run | |||
cmd: cat /etc/ssh/ssh_host_*_key.pub | |||
python_shell: True | |||
python_shell: true | |||
public_ssh_hostname: | |||
mine_function: grains.get | |||
key: id |
@@ -0,0 +1,30 @@ | |||
#!/bin/sh | |||
############################################################################### | |||
# (A) Update `FORMULA` with `${nextRelease.version}` | |||
############################################################################### | |||
sed -i -e "s_^\(version:\).*_\1 ${1}_" FORMULA | |||
############################################################################### | |||
# (B) Use `m2r` to convert automatically produced `.md` docs to `.rst` | |||
############################################################################### | |||
# Install `m2r` | |||
sudo -H pip install m2r | |||
# Copy and then convert the `.md` docs | |||
cp *.md docs/ | |||
cd docs/ | |||
m2r --overwrite *.md | |||
# Change excess `H1` headings to `H2` in converted `CHANGELOG.rst` | |||
sed -i -e '/^=.*$/s/=/-/g' CHANGELOG.rst | |||
sed -i -e '1,4s/-/=/g' CHANGELOG.rst | |||
# Use for debugging output, when required | |||
# cat AUTHORS.rst | |||
# cat CHANGELOG.rst | |||
# Return back to the main directory | |||
cd .. |
@@ -0,0 +1,18 @@ | |||
// No release is triggered for the types commented out below. | |||
// Commits using these types will be incorporated into the next release. | |||
// | |||
// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`. | |||
module.exports = [ | |||
{breaking: true, release: 'major'}, | |||
// {type: 'build', release: 'patch'}, | |||
// {type: 'chore', release: 'patch'}, | |||
// {type: 'ci', release: 'patch'}, | |||
{type: 'docs', release: 'patch'}, | |||
{type: 'feat', release: 'minor'}, | |||
{type: 'fix', release: 'patch'}, | |||
{type: 'perf', release: 'patch'}, | |||
{type: 'refactor', release: 'patch'}, | |||
{type: 'revert', release: 'patch'}, | |||
{type: 'style', release: 'patch'}, | |||
{type: 'test', release: 'patch'}, | |||
]; |
@@ -0,0 +1,106 @@ | |||
module.exports = { | |||
branch: 'master', | |||
plugins: [ | |||
['@semantic-release/commit-analyzer', { | |||
preset: 'angular', | |||
releaseRules: './release-rules.js', | |||
}], | |||
'@semantic-release/release-notes-generator', | |||
['@semantic-release/changelog', { | |||
changelogFile: 'CHANGELOG.md', | |||
changelogTitle: '# Changelog', | |||
}], | |||
['@semantic-release/exec', { | |||
prepareCmd: 'sh ./pre-commit_semantic-release.sh ${nextRelease.version}', | |||
}], | |||
['@semantic-release/git', { | |||
assets: ['*.md', 'docs/*.rst', 'FORMULA'], | |||
}], | |||
'@semantic-release/github', | |||
], | |||
generateNotes: { | |||
preset: 'angular', | |||
writerOpts: { | |||
// Required due to upstream bug preventing all types being displayed. | |||
// Bug: https://github.com/conventional-changelog/conventional-changelog/issues/317 | |||
// Fix: https://github.com/conventional-changelog/conventional-changelog/pull/410 | |||
transform: (commit, context) => { | |||
const issues = [] | |||
commit.notes.forEach(note => { | |||
note.title = `BREAKING CHANGES` | |||
}) | |||
// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`. | |||
if (commit.type === `feat`) { | |||
commit.type = `Features` | |||
} else if (commit.type === `fix`) { | |||
commit.type = `Bug Fixes` | |||
} else if (commit.type === `perf`) { | |||
commit.type = `Performance Improvements` | |||
} else if (commit.type === `revert`) { | |||
commit.type = `Reverts` | |||
} else if (commit.type === `docs`) { | |||
commit.type = `Documentation` | |||
} else if (commit.type === `style`) { | |||
commit.type = `Styles` | |||
} else if (commit.type === `refactor`) { | |||
commit.type = `Code Refactoring` | |||
} else if (commit.type === `test`) { | |||
commit.type = `Tests` | |||
} else if (commit.type === `build`) { | |||
commit.type = `Build System` | |||
// } else if (commit.type === `chore`) { | |||
// commit.type = `Maintenance` | |||
} else if (commit.type === `ci`) { | |||
commit.type = `Continuous Integration` | |||
} else { | |||
return | |||
} | |||
if (commit.scope === `*`) { | |||
commit.scope = `` | |||
} | |||
if (typeof commit.hash === `string`) { | |||
commit.hash = commit.hash.substring(0, 7) | |||
} | |||
if (typeof commit.subject === `string`) { | |||
let url = context.repository | |||
? `${context.host}/${context.owner}/${context.repository}` | |||
: context.repoUrl | |||
if (url) { | |||
url = `${url}/issues/` | |||
// Issue URLs. | |||
commit.subject = commit.subject.replace(/#([0-9]+)/g, (_, issue) => { | |||
issues.push(issue) | |||
return `[#${issue}](${url}${issue})` | |||
}) | |||
} | |||
if (context.host) { | |||
// User URLs. | |||
commit.subject = commit.subject.replace(/\B@([a-z0-9](?:-?[a-z0-9/]){0,38})/g, (_, username) => { | |||
if (username.includes('/')) { | |||
return `@${username}` | |||
} | |||
return `[@${username}](${context.host}/${username})` | |||
}) | |||
} | |||
} | |||
// remove references that already appear in the subject | |||
commit.references = commit.references.filter(reference => { | |||
if (issues.indexOf(reference.issue) === -1) { | |||
return true | |||
} | |||
return false | |||
}) | |||
return commit | |||
}, | |||
}, | |||
}, | |||
}; |
@@ -0,0 +1,50 @@ | |||
# InSpec Profile: `default` | |||
This shows the implementation of the `default` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md). | |||
## Verify a profile | |||
InSpec ships with built-in features to verify a profile structure. | |||
```bash | |||
$ inspec check default | |||
Summary | |||
------- | |||
Location: default | |||
Profile: profile | |||
Controls: 4 | |||
Timestamp: 2019-06-24T23:09:01+00:00 | |||
Valid: true | |||
Errors | |||
------ | |||
Warnings | |||
-------- | |||
``` | |||
## Execute a profile | |||
To run all **supported** controls on a local machine use `inspec exec /path/to/profile`. | |||
```bash | |||
$ inspec exec default | |||
.. | |||
Finished in 0.0025 seconds (files took 0.12449 seconds to load) | |||
8 examples, 0 failures | |||
``` | |||
## Execute a specific control from a profile | |||
To run one control from the profile use `inspec exec /path/to/profile --controls name`. | |||
```bash | |||
$ inspec exec default --controls package | |||
. | |||
Finished in 0.0025 seconds (files took 0.12449 seconds to load) | |||
1 examples, 0 failures | |||
``` | |||
See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb). |
@@ -0,0 +1,17 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
name: default | |||
title: openssh formula | |||
maintainer: SaltStack Formulas | |||
license: Apache-2.0 | |||
summary: Verify that the openssh formula is setup and configured correctly | |||
supports: | |||
- platform-name: debian | |||
- platform-name: ubuntu | |||
- platform-name: centos | |||
- platform-name: fedora | |||
- platform-name: opensuse | |||
- platform-name: suse | |||
- platform-name: freebsd | |||
- platform-name: amazon |
@@ -0,0 +1,395 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
sshd_config: | |||
# This keyword is totally optional | |||
ConfigBanner: | | |||
# Alternative banner for the config file | |||
# (Indented) hash signs lose their special meaning here | |||
# and the lines will be written as-is. | |||
Port: 22 | |||
Protocol: 2 | |||
HostKey: | |||
- /etc/ssh/ssh_host_rsa_key | |||
- /etc/ssh/ssh_host_dsa_key | |||
- /etc/ssh/ssh_host_ecdsa_key | |||
- /etc/ssh/ssh_host_ed25519_key | |||
UsePrivilegeSeparation: 'sandbox' | |||
SyslogFacility: AUTH | |||
LogLevel: INFO | |||
ClientAliveInterval: 0 | |||
ClientAliveCountMax: 3 | |||
LoginGraceTime: 120 | |||
PermitRootLogin: 'yes' | |||
PasswordAuthentication: 'no' | |||
StrictModes: 'yes' | |||
MaxAuthTries: 6 | |||
MaxSessions: 10 | |||
PubkeyAuthentication: 'yes' | |||
AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys' | |||
AuthorizedKeysCommandUser: 'nobody' | |||
IgnoreRhosts: 'yes' | |||
HostbasedAuthentication: 'no' | |||
PermitEmptyPasswords: 'no' | |||
ChallengeResponseAuthentication: 'no' | |||
AuthenticationMethods: 'publickey,keyboard-interactive' | |||
AuthorizedKeysFile: '%h/.ssh/authorized_keys' | |||
X11Forwarding: 'no' | |||
X11DisplayOffset: 10 | |||
PrintMotd: 'yes' | |||
PrintLastLog: 'yes' | |||
TCPKeepAlive: 'yes' | |||
AcceptEnv: "LANG LC_*" | |||
Subsystem: "sftp /usr/lib/openssh/sftp-server" | |||
UsePAM: 'yes' | |||
UseDNS: 'yes' | |||
# set as string | |||
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' | |||
# # or set as list | |||
# AllowUsers: | |||
# - vader@10.0.0.1 | |||
# - maul@evil.com | |||
# - sidious | |||
# - luke | |||
# # set as string | |||
# DenyUsers: 'yoda chewbaca@112.10.21.1' | |||
# or set as list | |||
DenyUsers: | |||
- yoda | |||
- chewbaca@112.10.21.1 | |||
# # set as string | |||
# AllowGroups: 'wheel staff imperial' | |||
# or set as list | |||
AllowGroups: | |||
- wheel | |||
- staff | |||
- imperial | |||
# set as string | |||
DenyGroups: 'rebel' | |||
# # or set as list | |||
# DenyGroups: | |||
# - rebel | |||
# - badcompany | |||
matches: | |||
sftp_chroot: | |||
type: | |||
Group: sftpusers | |||
options: | |||
ChrootDirectory: /sftp-chroot/%u | |||
X11Forwarding: 'no' | |||
AllowTcpForwarding: 'no' | |||
ForceCommand: internal-sftp | |||
# Supports complex compound matches in Match criteria. For example, be able | |||
# to match against multiple Users for a given Match, or be able to match | |||
# against address ranges. Or Groups. Or any combination thereof. | |||
# | |||
# Support for matching users can take one of several different appearances | |||
# in pillar data: | |||
match_1: | |||
type: | |||
User: one_user | |||
options: | |||
ChrootDirectory: /ex/%u | |||
match_2: | |||
type: | |||
User: | |||
- jim | |||
- bob | |||
- sally | |||
options: | |||
ChrootDirectory: /ex/%u | |||
# Note the syntax of match_3. By using empty dicts for each user, we can | |||
# leverage Salt's pillar mergine. If we use simple lists, we cannot do | |||
# this; Salt can't merge simple lists, because it doesn't know what order | |||
# they ought to be in. | |||
match_3: | |||
type: | |||
User: | |||
jim: ~ | |||
bob: ~ | |||
sally: ~ | |||
options: | |||
ChrootDirectory: /ex/%u | |||
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. | |||
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list. | |||
# The configuration given in the example below is based on: | |||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html | |||
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' | |||
# yamllint disable rule:line-length | |||
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |||
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |||
# yamllint enable rule:line-length | |||
KexAlgorithms: | |||
- 'curve25519-sha256@libssh.org' | |||
- 'diffie-hellman-group-exchange-sha256' | |||
Ciphers: | |||
- 'chacha20-poly1305@openssh.com' | |||
- 'aes256-gcm@openssh.com' | |||
- 'aes128-gcm@openssh.com' | |||
- 'aes256-ctr' | |||
- 'aes192-ctr' | |||
- 'aes128-ctr' | |||
MACs: | |||
- 'hmac-sha2-512-etm@openssh.com' | |||
- 'hmac-sha2-256-etm@openssh.com' | |||
- 'umac-128-etm@openssh.com' | |||
- 'hmac-sha2-512' | |||
- 'hmac-sha2-256' | |||
- 'umac-128@openssh.com' | |||
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config | |||
# pillar will overwrite the defaults of your distribution's SSH client. This | |||
# will also force the default configuration for all the SSH clients on the | |||
# machine. This can break SSH connections with servers using older versions of | |||
# openssh. Please make sure you understand the implication of different settings | |||
ssh_config: | |||
Hosts: | |||
'*': | |||
StrictHostKeyChecking: 'no' | |||
ForwardAgent: 'no' | |||
ForwardX11: 'no' | |||
RhostsRSAAuthentication: 'no' | |||
RSAAuthentication: 'yes' | |||
PasswordAuthentication: 'yes' | |||
HostbasedAuthentication: 'no' | |||
GSSAPIAuthentication: 'no' | |||
GSSAPIDelegateCredentials: 'no' | |||
BatchMode: 'yes' | |||
CheckHostIP: 'yes' | |||
AddressFamily: 'any' | |||
ConnectTimeout: 0 | |||
IdentityFile: '~/.ssh/id_rsa' | |||
Port: 22 | |||
Protocol: 2 | |||
Cipher: '3des' | |||
Tunnel: 'no' | |||
TunnelDevice: 'any:any' | |||
PermitLocalCommand: 'no' | |||
VisualHostKey: 'no' | |||
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first. | |||
# WARNING! Please make sure you understand the implications of the below | |||
# settings. The examples provided below might break your connection to older / | |||
# legacy openssh servers. | |||
# The configuration given in the example below is based on: | |||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html | |||
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list. | |||
# yamllint disable rule:line-length | |||
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' | |||
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |||
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |||
# yamllint enable rule:line-length | |||
KexAlgorithms: | |||
- 'curve25519-sha256@libssh.org' | |||
- 'diffie-hellman-group-exchange-sha256' | |||
- 'diffie-hellman-group-exchange-sha1' | |||
- 'diffie-hellman-group14-sha1' | |||
Ciphers: | |||
- 'chacha20-poly1305@openssh.com' | |||
- 'aes256-gcm@openssh.com' | |||
- 'aes128-gcm@openssh.com' | |||
- 'aes256-ctr' | |||
- 'aes192-ctr' | |||
- 'aes128-ctr' | |||
MACs: | |||
- 'hmac-sha2-512-etm@openssh.com' | |||
- 'hmac-sha2-256-etm@openssh.com' | |||
- 'umac-128-etm@openssh.com' | |||
- 'hmac-sha2-512' | |||
- 'hmac-sha2-256' | |||
- 'umac-128@openssh.com' | |||
openssh: | |||
# Instead of adding a custom banner file you can set it in pillar | |||
banner_string: | | |||
Welcome to {{ grains['id'] }}! | |||
# Set installed package version | |||
server_version: latest | |||
client_version: latest | |||
# Controls if SSHD should be enabled/started | |||
sshd_enable: true | |||
auth: | |||
joe-valid-ssh-key-desktop: | |||
- user: joe | |||
present: true | |||
enc: ssh-rsa | |||
comment: main key - desktop | |||
source: salt://ssh_keys/joe.desktop.pub | |||
joe-valid-ssh-key-notebook: | |||
- user: joe | |||
present: true | |||
enc: ssh-rsa | |||
comment: main key - notebook | |||
source: salt://ssh_keys/joe.netbook.pub | |||
joe-non-valid-ssh-key: | |||
- user: joe | |||
present: false | |||
enc: ssh-rsa | |||
comment: obsolete key - removed | |||
source: salt://ssh_keys/joe.no-valid.pub | |||
# Maps users to source files | |||
# Designed to play nice with ext_pillar | |||
# salt.states.ssh_auth: If source is set, comment and enc will be ignored | |||
auth_map: | |||
personal_keys: # store name | |||
source: salt://ssh_keys | |||
users: | |||
joe: | |||
joe.desktop: {} | |||
joe.netbook: | |||
options: [] # see salt.states.ssh_auth.present | |||
joe.no-valid: | |||
present: false | |||
generate_dsa_keys: false | |||
absent_dsa_keys: false | |||
provide_dsa_keys: false | |||
dsa: | |||
private_key: | | |||
-----BEGIN DSA PRIVATE KEY----- | |||
NOT_DEFINED | |||
-----END DSA PRIVATE KEY----- | |||
public_key: | | |||
ssh-dss NOT_DEFINED | |||
generate_ecdsa_keys: false | |||
absent_ecdsa_keys: false | |||
provide_ecdsa_keys: false | |||
ecdsa: | |||
private_key: | | |||
-----BEGIN EC PRIVATE KEY----- | |||
NOT_DEFINED | |||
-----END EC PRIVATE KEY----- | |||
public_key: | | |||
ecdsa-sha2-nistp256 NOT_DEFINED | |||
generate_rsa_keys: false | |||
generate_rsa_size: 4096 | |||
# Will remove the old key if it is to short and generate a new one. | |||
enforce_rsa_size: false | |||
absent_rsa_keys: false | |||
provide_rsa_keys: false | |||
rsa: | |||
private_key: | | |||
-----BEGIN RSA PRIVATE KEY----- | |||
NOT_DEFINED | |||
-----END RSA PRIVATE KEY----- | |||
public_key: | | |||
ssh-rsa NOT_DEFINED | |||
generate_ed25519_keys: false | |||
absent_ed25519_keys: false | |||
provide_ed25519_keys: false | |||
ed25519: | |||
private_key: | | |||
-----BEGIN OPENSSH PRIVATE KEY----- | |||
NOT_DEFINED | |||
-----END OPENSSH PRIVATE KEY----- | |||
public_key: | | |||
ssh-ed25519 NOT_DEFINED | |||
known_hosts: | |||
# The next 2 settings restrict the set of minions that will be added in | |||
# the generated ssh_known_hosts files (the default is to match all minions) | |||
target: '*' | |||
tgt_type: 'glob' | |||
# Name of mining functions used to gather public keys and hostnames | |||
# (the default values are shown here) | |||
mine_keys_function: public_ssh_host_keys | |||
mine_hostname_function: public_ssh_hostname | |||
# List of DNS entries also pointing to our managed machines and that we want | |||
# to inject in our generated ssh_known_hosts file | |||
aliases: | |||
- cname-to-minion.example.org | |||
- alias.example.org | |||
# Includes short hostnames derived from the FQDN | |||
# (host.example.test -> host) | |||
# (Deactivated by default, because there can be collisions!) | |||
hostnames: false | |||
# hostnames: | |||
# Restrict wich hosts you want to use via their hostname | |||
# (i.e. ssh user@host instead of ssh user@host.example.com) | |||
# target: '*' # Defaults to "*.{{ grains['domain']}}" | |||
# tgt_type: 'glob' | |||
# To activate the defaults you can just set an empty dict. | |||
# hostnames: {} | |||
# Include localhost, 127.0.0.1 and ::1 (default: false) | |||
include_localhost: false | |||
# Host keys fetched via salt-ssh | |||
salt_ssh: | |||
# The salt-ssh user | |||
user: salt-master | |||
# specify public host names of a minion | |||
public_ssh_host_names: | |||
minion.id: | |||
- minion.id | |||
- alias.of.minion.id | |||
# specify public host keys of a minion | |||
public_ssh_host_keys: | |||
minion.id: | | |||
ssh-rsa [...] | |||
ssh-ed25519 [...] | |||
# Here you can list keys for hosts which are not among your minions: | |||
static: | |||
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' | |||
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' | |||
# specify DH parameters (see /etc/ssh/moduli) | |||
# yamllint disable rule:line-length | |||
moduli: | | |||
# Time Type Tests Tries Size Generator Modulus | |||
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63 | |||
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB | |||
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 | |||
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F | |||
# yamllint enable rule:line-length | |||
# ALTERNATIVELY, specify the location of the moduli file. Examples: | |||
# moduli_source: http://some.server.somewhere/salt/moduli | |||
# moduli_source: salt://files/ssh/moduli | |||
# If moduli is specified, moduli_source will be ignored. | |||
# Also, a proper hash file *must* be included in the same path. E.g.: | |||
# http://some.server.somewhere/salt/moduli.hash | |||
# salt://files/ssh/moduli.hash | |||
# These will be automatically referenced to by the ssh_moduli state. | |||
# Required for openssh.known_hosts | |||
mine_functions: | |||
public_ssh_host_keys: | |||
mine_function: cmd.run | |||
cmd: cat /etc/ssh/ssh_host_*_key.pub | |||
python_shell: true | |||
public_ssh_hostname: | |||
mine_function: grains.get | |||
key: id | |||
tofs: | |||
# The files_switch key serves as a selector for alternative | |||
# directories under the formula files directory. See TOFS pattern | |||
# doc for more info. | |||
# Note: Any value not evaluated by `config.get` will be used literally. | |||
# This can be used to set custom paths, as many levels deep as required. | |||
# files_switch: | |||
# - any/path/can/be/used/here | |||
# - id | |||
# - role | |||
# - osfinger | |||
# - os | |||
# - os_family | |||
# All aspects of path/file resolution are customisable using the options below. | |||
# This is unnecessary in most cases; there are sensible defaults. | |||
# path_prefix: template_alt | |||
# dirs: | |||
# files: files_alt | |||
# default: default_alt | |||
source_files: | |||
manage ssh_known_hosts file: | |||
- alt_ssh_known_hosts | |||
sshd_config: | |||
- alt_sshd_config | |||
ssh_config: | |||
- alt_ssh_config | |||
sshd_banner: | |||
- fire_banner |