Saltstack Official OpenSSH Formula

143 lines
4.3KB

  1. {%- set tplroot = tpldir.split('/')[0] %}
  2. {%- from tplroot ~ "/map.jinja" import mapdata with context %}
  3. {%- from tplroot ~ "/libtofs.jinja" import files_switch %}
  4. {%- set openssh = mapdata.openssh %}
  5. {%- set sshd_config = mapdata.sshd_config %}
  6. {%- set ssh_config = mapdata.ssh_config %}
  7. include:
  8. - openssh
  9. {%- if sshd_config %}
  10. sshd_config:
  11. file.managed:
  12. - name: {{ openssh.sshd_config }}
  13. {#- Preserve backward compatibility using the `if` below #}
  14. - source: {{ openssh.sshd_config_src if '://' in openssh.sshd_config_src
  15. else files_switch( [openssh.sshd_config_src],
  16. 'sshd_config'
  17. ) }}
  18. - template: jinja
  19. - context:
  20. sshd_config: {{ sshd_config | json }}
  21. - user: {{ openssh.sshd_config_user }}
  22. - group: {{ openssh.sshd_config_group }}
  23. - mode: {{ openssh.sshd_config_mode }}
  24. - check_cmd: {{ openssh.sshd_binary }} -t -f
  25. {%- if openssh.sshd_config_backup %}
  26. - backup: minion
  27. {%- endif %}
  28. - watch_in:
  29. - service: {{ openssh.service }}
  30. {%- endif %}
  31. {%- if ssh_config %}
  32. ssh_config:
  33. file.managed:
  34. - name: {{ openssh.ssh_config }}
  35. {#- Preserve backward compatibility using the `if` below #}
  36. - source: {{ openssh.ssh_config_src if '://' in openssh.ssh_config_src
  37. else files_switch( [openssh.ssh_config_src],
  38. 'ssh_config'
  39. ) }}
  40. - template: jinja
  41. - context:
  42. ssh_config: {{ ssh_config | json }}
  43. - user: {{ openssh.ssh_config_user }}
  44. - group: {{ openssh.ssh_config_group }}
  45. - mode: {{ openssh.ssh_config_mode }}
  46. {%- if openssh.ssh_config_backup %}
  47. - backup: minion
  48. {%- endif %}
  49. {%- endif %}
  50. {%- for keyType in openssh['host_key_algos'].split(',') %}
  51. {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
  52. {%- set keySize = openssh.get('generate_' ~ keyType ~ '_size', False) %}
  53. {%- if openssh.get('provide_' ~ keyType ~ '_keys', False) %}
  54. ssh_host_{{ keyType }}_key:
  55. file.managed:
  56. - name: {{ keyFile }}
  57. - contents_pillar: 'openssh:{{ keyType }}:private_key'
  58. - user: root
  59. - mode: 600
  60. {%- if sshd_config %}
  61. - require_in:
  62. - file: sshd_config
  63. {%- endif %}
  64. - watch_in:
  65. - service: {{ openssh.service }}
  66. ssh_host_{{ keyType }}_key.pub:
  67. file.managed:
  68. - name: {{ keyFile }}.pub
  69. - contents_pillar: 'openssh:{{ keyType }}:public_key'
  70. - user: root
  71. - mode: 600
  72. {%- if sshd_config %}
  73. - require_in:
  74. - file: sshd_config
  75. {%- endif %}
  76. - watch_in:
  77. - service: {{ openssh.service }}
  78. {%- elif openssh.get('generate_' ~ keyType ~ '_keys', False) %}
  79. {%- if keySize and openssh.get('enforce_' ~ keyType ~ '_size', False) %}
  80. ssh_remove_short_{{ keyType }}_key:
  81. cmd.run:
  82. - name: "rm -f {{ keyFile }} {{ keyFile }}.pub"
  83. - onlyif: "test -f {{ keyFile }}.pub && test `ssh-keygen -l -f {{ keyFile }}.pub 2>/dev/null | awk '{print $1}'` -lt {{ keySize }}"
  84. - require_in:
  85. - cmd: ssh_generate_host_{{ keyType }}_key
  86. {%- endif %}
  87. ssh_generate_host_{{ keyType }}_key:
  88. cmd.run:
  89. {%- set keySizePart = "-b {}".format(keySize) if keySize else "" %}
  90. - name: "rm {{ keyFile }}*; ssh-keygen -t {{ keyType }} {{ keySizePart }} -N '' -f {{ keyFile }}"
  91. - unless: "test -s {{ keyFile }}"
  92. - runas: root
  93. {%- if sshd_config %}
  94. - require_in:
  95. - file: sshd_config
  96. {%- endif %}
  97. - watch_in:
  98. - service: {{ openssh.service }}
  99. ssh_host_{{ keyType }}_key: # set permissions
  100. file.managed:
  101. - name: {{ keyFile }}
  102. - replace: false
  103. - mode: '0600'
  104. - require:
  105. - cmd: ssh_generate_host_{{ keyType }}_key
  106. {%- if sshd_config %}
  107. - require_in:
  108. - file: sshd_config
  109. {%- endif %}
  110. {%- elif openssh.get('absent_' ~ keyType ~ '_keys', False) %}
  111. ssh_host_{{ keyType }}_key:
  112. file.absent:
  113. - name: {{ keyFile }}
  114. - watch_in:
  115. - service: {{ openssh.service }}
  116. ssh_host_{{ keyType }}_key.pub:
  117. file.absent:
  118. - name: {{ keyFile }}.pub
  119. - watch_in:
  120. - service: {{ openssh.service }}
  121. {%- endif %}
  122. {%- endfor %}
  123. {%- if sshd_config.get('UsePrivilegeSeparation', '')|lower == 'yes' %}
  124. /var/run/sshd:
  125. file.directory:
  126. - user: root
  127. - mode: 755
  128. - require_in:
  129. - file: sshd_config
  130. - watch_in:
  131. - service: {{ openssh.service }}
  132. {%- endif %}