Saltstack Official OpenSSH Formula


  1. {% from "openssh/map.jinja" import openssh with context %}
  2. include:
  3. - openssh
  4. {% if salt['pillar.get']('sshd_config', False) %}
  5. sshd_config:
  6. file.managed:
  7. - name: {{ openssh.sshd_config }}
  8. - source: {{ openssh.sshd_config_src }}
  9. - template: jinja
  10. - user: {{ openssh.sshd_config_user }}
  11. - group: {{ openssh.sshd_config_group }}
  12. - mode: {{ openssh.sshd_config_mode }}
  13. - check_cmd: {{ openssh.sshd_binary }} -t -f
  14. - watch_in:
  15. - service: {{ openssh.service }}
  16. {% endif %}
  17. {% if salt['pillar.get']('ssh_config', False) %}
  18. ssh_config:
  19. file.managed:
  20. - name: {{ openssh.ssh_config }}
  21. - source: {{ openssh.ssh_config_src }}
  22. - template: jinja
  23. - user: {{ openssh.ssh_config_user }}
  24. - group: {{ openssh.ssh_config_group }}
  25. - mode: {{ openssh.ssh_config_mode }}
  26. {% endif %}
  27. {%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
  28. {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
  29. {%- set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
  30. {%- if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}
  31. ssh_host_{{ keyType }}_key:
  32. file.managed:
  33. - name: {{ keyFile }}
  34. - contents_pillar: 'openssh:{{ keyType }}:private_key'
  35. - user: root
  36. - mode: 600
  37. - require_in:
  38. - file: sshd_config
  39. - watch_in:
  40. - service: {{ openssh.service }}
  41. ssh_host_{{ keyType }}_key.pub:
  42. file.managed:
  43. - name: {{ keyFile }}.pub
  44. - contents_pillar: 'openssh:{{ keyType }}:public_key'
  45. - user: root
  46. - mode: 600
  47. - require_in:
  48. - file: sshd_config
  49. - watch_in:
  50. - service: {{ openssh.service }}
  51. {%- elif salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}
  52. {%- if keySize and salt['pillar.get']('openssh:enforce_' ~ keyType ~ '_size', False) %}
  53. ssh_remove_short_{{ keyType }}_key:
  54. cmd.run:
  55. - name: "rm -f {{ keyFile }} {{ keyFile }}.pub"
  56. - onlyif: "test -f {{ keyFile }}.pub && test `ssh-keygen -l -f {{ keyFile }}.pub 2>/dev/null | awk '{print $1}'` -lt {{ keySize }}"
  57. - require_in:
  58. - cmd: ssh_generate_host_{{ keyType }}_key
  59. {%- endif %}
  60. ssh_generate_host_{{ keyType }}_key:
  61. cmd.run:
  62. {%- set keySizePart = "-b {}".format(keySize) if keySize else "" %}
  63. - name: "rm {{ keyFile }}*; ssh-keygen -t {{ keyType }} {{ keySizePart }} -N '' -f {{ keyFile }}"
  64. - unless: "test -s {{ keyFile }}"
  65. - runas: root
  66. - require_in:
  67. - file: sshd_config
  68. - watch_in:
  69. - service: {{ openssh.service }}
  70. ssh_host_{{ keyType }}_key: # set permissions
  71. file.managed:
  72. - name: {{ keyFile }}
  73. - replace: false
  74. - mode: 0600
  75. - require:
  76. - cmd: ssh_generate_host_{{ keyType }}_key
  77. - require_in:
  78. - file: sshd_config
  79. {%- elif salt['pillar.get']('openssh:absent_' ~ keyType ~ '_keys', False) %}
  80. ssh_host_{{ keyType }}_key:
  81. file.absent:
  82. - name: {{ keyFile }}
  83. - watch_in:
  84. - service: {{ openssh.service }}
  85. ssh_host_{{ keyType }}_key.pub:
  86. file.absent:
  87. - name: {{ keyFile }}.pub
  88. - watch_in:
  89. - service: {{ openssh.service }}
  90. {%- endif %}
  91. {%- endfor %}
  92. {%- if salt['pillar.get']('sshd_config:UsePrivilegeSeparation', '')|lower == 'yes' %}
  93. /var/run/sshd:
  94. file.directory:
  95. - user: root
  96. - mode: 755
  97. - require_in:
  98. - file: sshd_config
  99. - watch_in:
  100. - service: {{ openssh.service }}
  101. {% endif %}