Browse Source

Changed expr_form to tgt_type for deprecation reasons. (#122)

master
Mario Fritschen 7 years ago
parent
commit
e665450ed4
3 changed files with 13 additions and 13 deletions
  1. +1
    -1
      README.rst
  2. +5
    -5
      openssh/files/ssh_known_hosts
  3. +7
    -7
      pillar.example

+ 1
- 1
README.rst View File

Manages the site-wide ssh_known_hosts file and fills it with the Manages the site-wide ssh_known_hosts file and fills it with the
public SSH host keys of all minions. You can restrict the set of minions public SSH host keys of all minions. You can restrict the set of minions
whose keys are listed by using the pillar data ``openssh:known_hosts:target`` whose keys are listed by using the pillar data ``openssh:known_hosts:target``
and ``openssh:known_hosts:expr_form`` (those fields map directly to the
and ``openssh:known_hosts:tgt_type`` (those fields map directly to the
corresponding attributes of the ``mine.get`` function). corresponding attributes of the ``mine.get`` function).


The Salt mine is used to share the public SSH host keys, you must thus The Salt mine is used to share the public SSH host keys, you must thus

+ 5
- 5
openssh/files/ssh_known_hosts View File

{#- Extract the hostname from the FQDN and add it to the names. #} {#- Extract the hostname from the FQDN and add it to the names. #}
{%- if use_hostnames is iterable -%} {%- if use_hostnames is iterable -%}
{%- for name in names | sort -%} {%- for name in names | sort -%}
{%- if salt["match.{}".format(hostnames_expr_form)](hostnames_target, minion_id=name) -%}
{%- if salt["match.{}".format(hostnames_tgt_type)](hostnames_target, minion_id=name) -%}
{%- set hostname = name.split('.')|first -%} {%- set hostname = name.split('.')|first -%}
{%- if hostname not in names -%} {%- if hostname not in names -%}
{%- do names.append(hostname) -%} {%- do names.append(hostname) -%}


{#- Pre-fetch pillar data #} {#- Pre-fetch pillar data #}
{%- set target = salt['pillar.get']('openssh:known_hosts:target', '*') -%} {%- set target = salt['pillar.get']('openssh:known_hosts:target', '*') -%}
{%- set expr_form = salt['pillar.get']('openssh:known_hosts:expr_form', 'glob') -%}
{%- set tgt_type = salt['pillar.get']('openssh:known_hosts:tgt_type', 'glob') -%}
{%- set keys_function = salt['pillar.get']('openssh:known_hosts:mine_keys_function', 'public_ssh_host_keys') -%} {%- set keys_function = salt['pillar.get']('openssh:known_hosts:mine_keys_function', 'public_ssh_host_keys') -%}
{%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%} {%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%}
{%- set use_hostnames = salt['pillar.get']('openssh:known_hosts:hostnames', False) -%} {%- set use_hostnames = salt['pillar.get']('openssh:known_hosts:hostnames', False) -%}
{%- set hostnames_target_default = '*' if grains['domain'] == '' else "*.{}".format(grains['domain']) -%} {%- set hostnames_target_default = '*' if grains['domain'] == '' else "*.{}".format(grains['domain']) -%}
{%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%} {%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
{%- set hostnames_expr_form = salt['pillar.get']('openssh:known_hosts:hostnames:expr_form', 'glob') -%}
{%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}


{#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
in the SSH known_hosts entry -#} in the SSH known_hosts entry -#}
{%- endfor -%} {%- endfor -%}


{#- Loop over targetted minions -#} {#- Loop over targetted minions -#}
{%- set host_keys = salt['mine.get'](target, keys_function, expr_form=expr_form) -%}
{%- set host_names = salt['mine.get'](target, hostname_function, expr_form=expr_form) -%}
{%- set host_keys = salt['mine.get'](target, keys_function, tgt_type=tgt_type) -%}
{%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%}
{%- for host, keys in host_keys|dictsort -%} {%- for host, keys in host_keys|dictsort -%}
{{ known_host_entry(host, host_names, keys) }} {{ known_host_entry(host, host_names, keys) }}
{%- endfor -%} {%- endfor -%}

+ 7
- 7
pillar.example View File

# set as string # set as string
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
# or set as list # or set as list
AllowUsers:
- vader@10.0.0.1
- maul@evil.com
- sidious
AllowUsers:
- vader@10.0.0.1
- maul@evil.com
- sidious
- luke - luke
# set as string
# set as string
DenyUsers: 'yoda chewbaca@112.10.21.1' DenyUsers: 'yoda chewbaca@112.10.21.1'
# or set as list # or set as list
DenyUsers: DenyUsers:
# The next 2 settings restrict the set of minions that will be added in # The next 2 settings restrict the set of minions that will be added in
# the generated ssh_known_hosts files (the default is to match all minions) # the generated ssh_known_hosts files (the default is to match all minions)
target: '*' target: '*'
expr_form: 'glob'
tgt_type: 'glob'
# Name of mining functions used to gather public keys and hostnames # Name of mining functions used to gather public keys and hostnames
# (the default values are shown here) # (the default values are shown here)
mine_keys_function: public_ssh_host_keys mine_keys_function: public_ssh_host_keys
# Restrict wich hosts you want to use via their hostname # Restrict wich hosts you want to use via their hostname
# (i.e. ssh user@host instead of ssh user@host.example.com) # (i.e. ssh user@host instead of ssh user@host.example.com)
# target: '*' # Defaults to "*.{}".format(grains['domain']) with a fallback to '*' # target: '*' # Defaults to "*.{}".format(grains['domain']) with a fallback to '*'
# expr_form: 'glob'
# tgt_type: 'glob'
# To activate the defaults you can just set an empty dict. # To activate the defaults you can just set an empty dict.
#hostnames: {} #hostnames: {}



Loading…
Cancel
Save