ExternalMirrors
/
openssh-formula
mirror of https://github.com/saltstack-formulas/openssh-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 27 Wiki Activity
Saltstack Official OpenSSH Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
260 Commits
3 Branches
Tree: cf3b048230
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cf3b048230'
${ noResults }
openssh-formula/openssh/config.sls

127 lines
3.7KB
Raw Blame History 

  1. {% from "openssh/map.jinja" import openssh with context %}

  2. 

  3. {%- set manage_sshd_config = salt['pillar.get']('sshd_config', False) %}

  4. 

  5. include:

  6.   - openssh

  7. 

  8. {% if manage_sshd_config %}

  9. sshd_config:

  10.   file.managed:

  11.     - name: {{ openssh.sshd_config }}

  12.     - source: {{ openssh.sshd_config_src }}

  13.     - template: jinja

  14.     - user: {{ openssh.sshd_config_user }}

  15.     - group: {{ openssh.sshd_config_group }}

  16.     - mode: {{ openssh.sshd_config_mode }}

  17.     - check_cmd: {{ openssh.sshd_binary }} -t -f

  18.     {%- if openssh.sshd_config_backup  %}

  19.     - backup: minion

  20.     {%- endif %}

  21.     - watch_in:

  22.       - service: {{ openssh.service }}

  23. {% endif %}

  24. 

  25. {% if salt['pillar.get']('ssh_config', False) %}

  26. ssh_config:

  27.   file.managed:

  28.     - name: {{ openssh.ssh_config }}

  29.     - source: {{ openssh.ssh_config_src }}

  30.     - template: jinja

  31.     - user: {{ openssh.ssh_config_user }}

  32.     - group: {{ openssh.ssh_config_group }}

  33.     - mode: {{ openssh.ssh_config_mode }}

  34.     {%- if openssh.ssh_config_backup  %}

  35.     - backup: minion

  36.     {%- endif %}

  37. {% endif %}

  38. 

  39. {%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}

  40. {%-   set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}

  41. {%-   set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}

  42. {%-   if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}

  43. ssh_host_{{ keyType }}_key:

  44.   file.managed:

  45.     - name: {{ keyFile }}

  46.     - contents_pillar: 'openssh:{{ keyType }}:private_key'

  47.     - user: root

  48.     - mode: 600

  49.     {%- if manage_sshd_config %}

  50.     - require_in:

  51.       - file: sshd_config

  52.     {%- endif %}

  53.     - watch_in:

  54.       - service: {{ openssh.service }}

  55. 

  56. ssh_host_{{ keyType }}_key.pub:

  57.   file.managed:

  58.     - name: {{ keyFile }}.pub

  59.     - contents_pillar: 'openssh:{{ keyType }}:public_key'

  60.     - user: root

  61.     - mode: 600

  62.     {%- if manage_sshd_config %}

  63.     - require_in:

  64.       - file: sshd_config

  65.     {%- endif %}

  66.     - watch_in:

  67.       - service: {{ openssh.service }}

  68. {%-   elif salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}

  69. {%-     if keySize and salt['pillar.get']('openssh:enforce_' ~ keyType ~ '_size', False) %}

  70. ssh_remove_short_{{ keyType }}_key:

  71.   cmd.run:

  72.     - name: "rm -f {{ keyFile }} {{ keyFile }}.pub"

  73.     - onlyif: "test -f {{ keyFile }}.pub && test `ssh-keygen -l -f {{ keyFile }}.pub 2>/dev/null | awk '{print $1}'` -lt {{ keySize }}"

  74.     - require_in:

  75.         - cmd: ssh_generate_host_{{ keyType }}_key

  76. {%-     endif %}

  77. ssh_generate_host_{{ keyType }}_key:

  78.   cmd.run:

  79.     {%- set keySizePart = "-b {}".format(keySize) if keySize else "" %}

  80.     - name: "rm {{ keyFile }}*; ssh-keygen -t {{ keyType }} {{ keySizePart }} -N '' -f {{ keyFile }}"

  81.     - unless: "test -s {{ keyFile }}"

  82.     - runas: root

  83.     {%- if manage_sshd_config %}

  84.     - require_in:

  85.       - file: sshd_config

  86.     {%- endif %}

  87.     - watch_in:

  88.       - service: {{ openssh.service }}

  89. 

  90. ssh_host_{{ keyType }}_key:  # set permissions

  91.   file.managed:

  92.     - name: {{ keyFile }}

  93.     - replace: false

  94.     - mode: 0600

  95.     - require:

  96.       - cmd: ssh_generate_host_{{ keyType }}_key

  97.     {%- if manage_sshd_config %}

  98.     - require_in:

  99.       - file: sshd_config

  100.     {%- endif %}

  101. 

  102. {%-   elif salt['pillar.get']('openssh:absent_' ~ keyType ~ '_keys', False) %}

  103. ssh_host_{{ keyType }}_key:

  104.   file.absent:

  105.     - name: {{ keyFile }}

  106.     - watch_in:

  107.       - service: {{ openssh.service }}

  108. 

  109. ssh_host_{{ keyType }}_key.pub:

  110.   file.absent:

  111.     - name: {{ keyFile }}.pub

  112.     - watch_in:

  113.       - service: {{ openssh.service }}

  114. {%-   endif %}

  115. {%- endfor %}

  116. 

  117. {%- if salt['pillar.get']('sshd_config:UsePrivilegeSeparation', '')|lower == 'yes' %}

  118. /var/run/sshd:

  119.   file.directory:

  120.     - user: root

  121.     - mode: 755

  122.     - require_in:

  123.       - file: sshd_config

  124.     - watch_in:

  125.       - service: {{ openssh.service }}

  126. {% endif %}