
  1. {#
  2. # vi:syntax=jinja
  3. #}
  4. {#- Generates one known_hosts entry per given key #}
  5. {%- macro known_host_entry(host, host_names, keys, include_localhost) %}
  6. {#- Get IPv4 and IPv6 addresses from the DNS #}
  7. {%- set ip4 = salt['dig.A'](host) -%}
  8. {%- set ip6 = salt['dig.AAAA'](host) -%}
  9. {#- The host names to use are to be found within the dict 'host_names'. #}
  10. {#- If there are none, the host is used directly. #}
  11. {%- set names = host_names.get(host, host) -%}
  12. {%- set names = [names] if names is string else names %}
  13. {%- if include_localhost and host == grains['id'] %}
  14. {%- do names.append('localhost') %}
  15. {%- do names.append('127.0.0.1') %}
  16. {%- do names.append('::1') %}
  17. {%- endif -%}
  18. {#- Extract the hostname from the FQDN and add it to the names. #}
  19. {%- if use_hostnames is iterable -%}
  20. {%- for name in names | sort -%}
  21. {%- if salt["match.{}".format(hostnames_tgt_type)](hostnames_target, minion_id=name) -%}
  22. {%- set hostname = name.split('.')|first -%}
  23. {%- if hostname not in names -%}
  24. {%- do names.append(hostname) -%}
  25. {%- endif -%}
  26. {%- endif -%}
  27. {%- endfor -%}
  28. {%- endif -%}
  29. {#- Append IP addresses and aliases (if they are not already present) #}
  30. {%- for ip in (ip4 + ip6)|sort -%}
  31. {%- do names.append(ip) -%}
  32. {%- for alias in aliases_ips.get(ip, []) -%}
  33. {%- if alias not in names -%}
  34. {%- do names.append(alias) -%}
  35. {%- endif -%}
  36. {%- endfor -%}
  37. {%- endfor -%}
  38. {#- Write one line per key; join the names together #}
  39. {%- for line in keys.split('\n') -%}
  40. {%- if line -%}
  41. {{ ','.join(names) }} {{ line }}
  42. {% endif -%}
  43. {%- endfor -%}
  44. {%- endmacro -%}
  45. {#- Pre-fetch pillar data #}
  46. {%- set target = salt['pillar.get']('openssh:known_hosts:target', "*.{}".format(grains['domain'])) -%}
  47. {%- set tgt_type = salt['pillar.get']('openssh:known_hosts:tgt_type', 'glob') -%}
  48. {%- set keys_function = salt['pillar.get']('openssh:known_hosts:mine_keys_function', 'public_ssh_host_keys') -%}
  49. {%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%}
  50. {%- set use_hostnames = salt['pillar.get']('openssh:known_hosts:hostnames', False) -%}
  51. {%- set hostnames_target_default = '*' if grains['domain'] == '' else "*.{}".format(grains['domain']) -%}
  52. {%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
  53. {%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
  54. {%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}
  55. {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
  56. in the SSH known_hosts entry -#}
  57. {%- set aliases = salt['pillar.get']('openssh:known_hosts:aliases', []) -%}
  58. {%- set aliases_ips = {} -%}
  59. {%- for alias in aliases -%}
  60. {%- for ip in salt['dig.A'](alias) + salt['dig.AAAA'](alias) -%}
  61. {%- do aliases_ips.setdefault(ip, []).append(alias) -%}
  62. {%- endfor -%}
  63. {%- endfor -%}
  64. {#- Salt Mine #}
  65. {%- set host_keys = salt['mine.get'](target, keys_function, tgt_type=tgt_type) -%}
  66. {%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%}
  67. {#- Salt SSH (if any) #}
  68. {%- for minion_id, minion_host_keys in salt['pillar.get'](
  69. 'openssh:known_hosts:salt_ssh:public_ssh_host_keys',
  70. {}
  71. ).items() -%}
  72. {%- if salt["match.{}".format(tgt_type)](target, minion_id=minion_id) -%}
  73. {% do host_keys.update({minion_id: minion_host_keys}) %}
  74. {%- endif -%}
  75. {%- endfor -%}
  76. {%- for minion_id, minion_host_names in salt['pillar.get'](
  77. 'openssh:known_hosts:salt_ssh:public_ssh_host_names',
  78. {}
  79. ).items() -%}
  80. {%- if salt["match.{}".format(tgt_type)](target, minion_id=minion_id) -%}
  81. {% do host_names.update({minion_id: minion_host_names}) %}
  82. {%- endif -%}
  83. {%- endfor %}
  84. {#- Static Pillar data #}
  85. {%- do host_keys.update(salt['pillar.get']('openssh:known_hosts:static',
  86. {}).items()) -%}
  87. {#- Loop over targetted minions -#}
  88. {%- for host, keys in host_keys| dictsort -%}
  89. {{ known_host_entry(host, host_names, keys, include_localhost) }}
  90. {%- endfor -%}