Saltstack Official OpenSSH Formula


  {#- Manages the OpenSSH client/server configuration files and the server
      host keys. `openssh`, `ssh_config` and `sshd_config` are the merged
      settings from map.jinja; `files_switch` (libtofs.jinja) resolves the
      source path of a managed file. #}
  {%- set tplroot = tpldir.split('/')[0] %}
  {%- from tplroot ~ "/libtofs.jinja" import files_switch %}
  {%- from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %}

  include:
    - openssh
  {%- if sshd_config %}
  {#- A fully qualified URL (anything containing '://') is used verbatim so
      older pillar data keeps working; otherwise files_switch picks the file. #}
  {%-   if '://' in openssh.sshd_config_src %}
  {%-     set sshd_src = openssh.sshd_config_src %}
  {%-   else %}
  {%-     set sshd_src = files_switch([openssh.sshd_config_src], 'sshd_config') %}
  {%-   endif %}
  sshd_config:
    file.managed:
      - name: {{ openssh.sshd_config }}
      - source: {{ sshd_src }}
      - template: jinja
      - user: {{ openssh.sshd_config_user }}
      - group: {{ openssh.sshd_config_group }}
      - mode: {{ openssh.sshd_config_mode }}
      {#- check_cmd runs `sshd -t -f <candidate>` on the rendered file before
          Salt writes it, so a config that sshd rejects never replaces the
          live one. #}
      - check_cmd: {{ openssh.sshd_binary }} -t -f
      {%- if openssh.sshd_config_backup %}
      - backup: minion
      {%- endif %}
      - watch_in:
        - service: {{ openssh.service }}
  {%- endif %}
  {%- if ssh_config %}
  {#- Same source resolution as for sshd_config: a value containing '://' is
      taken as-is for backward compatibility, anything else goes through
      files_switch. #}
  {%-   if '://' in openssh.ssh_config_src %}
  {%-     set ssh_src = openssh.ssh_config_src %}
  {%-   else %}
  {%-     set ssh_src = files_switch([openssh.ssh_config_src], 'ssh_config') %}
  {%-   endif %}
  ssh_config:
    file.managed:
      - name: {{ openssh.ssh_config }}
      - source: {{ ssh_src }}
      - template: jinja
      - user: {{ openssh.ssh_config_user }}
      - group: {{ openssh.ssh_config_group }}
      - mode: {{ openssh.ssh_config_mode }}
      {#- no check_cmd here: unlike sshd_config the client config is written
          without a syntax check, and no service is restarted for it #}
      {%- if openssh.ssh_config_backup %}
      - backup: minion
      {%- endif %}
  {%- endif %}
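  {#- Host key handling, one pass per algorithm in host_key_algos (comma
      separated; the pieces are used verbatim, so stray whitespace would end
      up in the file name). For each algorithm at most one branch renders,
      checked in this order: provide_<t>_keys (install the pair from pillar),
      generate_<t>_keys (create it on the minion), absent_<t>_keys (remove
      it). The state IDs are shared between the branches; because the
      branches are mutually exclusive no duplicate IDs are produced. #}
  {%- for keyType in openssh['host_key_algos'].split(',') %}
  {%-   set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
  {%-   set keySize = openssh.get('generate_' ~ keyType ~ '_size', False) %}
  {%-   if openssh.get('provide_' ~ keyType ~ '_keys', False) %}
  {#-   The pair comes from pillar openssh:<type>:{private_key,public_key}.
        show_changes is off for the private key so its diff is not placed in
        the state return (and with it the job cache and master log). #}
  ssh_host_{{ keyType }}_key:
    file.managed:
      - name: {{ keyFile }}
      - contents_pillar: 'openssh:{{ keyType }}:private_key'
      - user: root
      - mode: '0600'
      - show_changes: false
      {%- if sshd_config %}
      {#- ordered before sshd_config, presumably so its check_cmd sees the key #}
      - require_in:
        - file: sshd_config
      {%- endif %}
      - watch_in:
        - service: {{ openssh.service }}
  ssh_host_{{ keyType }}_key.pub:
    file.managed:
      - name: {{ keyFile }}.pub
      - contents_pillar: 'openssh:{{ keyType }}:public_key'
      - user: root
      - mode: '0600'
      {%- if sshd_config %}
      - require_in:
        - file: sshd_config
      {%- endif %}
      - watch_in:
        - service: {{ openssh.service }}
  {%-   elif openssh.get('generate_' ~ keyType ~ '_keys', False) %}
  {%-     if keySize and openssh.get('enforce_' ~ keyType ~ '_size', False) %}
  {#-   `ssh-keygen -l` prints the bit length first; a pair shorter than the
        configured size is deleted so that the generate state below recreates
        it (hence the require_in). Only active when a size is configured and
        enforce_<t>_size is set. #}
  ssh_remove_short_{{ keyType }}_key:
    cmd.run:
      - name: "rm -f {{ keyFile }} {{ keyFile }}.pub"
      - onlyif: "test -f {{ keyFile }}.pub && test `ssh-keygen -l -f {{ keyFile }}.pub 2>/dev/null | awk '{print $1}'` -lt {{ keySize }}"
      - require_in:
        - cmd: ssh_generate_host_{{ keyType }}_key
  {%-     endif %}
  {%-     set keySizePart = "-b {}".format(keySize) if keySize else "" %}
  {#-   Runs only while the private key is missing or empty (unless). Note the
        glob in `rm`: it also removes any other file starting with the key
        name (e.g. a host certificate stored next to it). The key is created
        without a passphrase, as sshd requires. #}
  ssh_generate_host_{{ keyType }}_key:
    cmd.run:
      - name: "rm {{ keyFile }}*; ssh-keygen -t {{ keyType }} {{ keySizePart }} -N '' -f {{ keyFile }}"
      - unless: "test -s {{ keyFile }}"
      - runas: root
      {%- if sshd_config %}
      - require_in:
        - file: sshd_config
      {%- endif %}
      - watch_in:
        - service: {{ openssh.service }}
  {#-   Permissions only: replace is off, so this state never rewrites the
        generated key. #}
  ssh_host_{{ keyType }}_key:
    file.managed:
      - name: {{ keyFile }}
      - replace: false
      - mode: '0600'
      - require:
        - cmd: ssh_generate_host_{{ keyType }}_key
      {%- if sshd_config %}
      - require_in:
        - file: sshd_config
      {%- endif %}
  {%-   elif openssh.get('absent_' ~ keyType ~ '_keys', False) %}
  ssh_host_{{ keyType }}_key:
    file.absent:
      - name: {{ keyFile }}
      - watch_in:
        - service: {{ openssh.service }}
  ssh_host_{{ keyType }}_key.pub:
    file.absent:
      - name: {{ keyFile }}.pub
      - watch_in:
        - service: {{ openssh.service }}
  {%-   endif %}
  {%- endfor %}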
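  {#- Presumably the directory sshd uses for privilege separation (the option
      name in the condition); it is only created when the managed sshd_config
      sets UsePrivilegeSeparation to yes. That condition also implies
      sshd_config is non-empty, so the sshd_config state referenced in
      require_in exists. #}
  {%- if sshd_config.get('UsePrivilegeSeparation', '')|lower == 'yes' %}
  /var/run/sshd:
    file.directory:
      - user: root
      - mode: '0755'
      - require_in:
        - file: sshd_config
      - watch_in:
        - service: {{ openssh.service }}
  {%- endif %}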