Add fileserver and ldapclient sls

pillar/fileserver.sls

@@ -0,0 +1,4 @@
+ldap_auth: True
+sftp_group: sftponly
+sftp_chroot: /srv/sftp
+ssh_customer_group: sshuser

pillar/ldapclient.sls

@@ -0,0 +1,2 @@
+ldap_base: dc=gva,dc=local
+ldap_uris: ldap://172.16.3.3/

pillar/top.sls

@@ -5,4 +5,9 @@ base:
   'roles:gnuviechadmin.{{ role }}':
     - match: grain
     - gnuviechadmin.{{ role }}
-{% endfor %}
+{% endfor %}
+{% for role in ('fileserver', 'ldapclient') %}
+  'roles:{{ role }}':
+    - match: grain
+    - {{ role }}
+{% endfor %}

states/fileserver/exports

@@ -0,0 +1,14 @@
+# /etc/exports: the access control list for filesystems which may be exported
+#		to NFS clients.  See exports(5).
+#
+# Example for NFSv2 and NFSv3:
+# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
+#
+# Example for NFSv4:
+# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
+#
+
+/srv/nfs4       *(rw,async,fsid=root,crossmnt,no_subtree_check)
+/srv/nfs4/web   gvaweb.local(rw,async,no_root_squash,no_subtree_check)
+/srv/nfs4/mail  gvamail.local(rw,async,no_subtree_check)

states/fileserver/init.sls

@@ -0,0 +1,107 @@
+base-dirs:
+  file.directory:
+    - names:
+      - /srv/nfs4
+      - /srv/sftp
+    - user: root
+    - group: root
+    - mode: 0755
+
+nfs4-dirs:
+  file.directory:
+    - names:
+      - /srv/nfs4/web
+      - /srv/nfs4/mail
+    - user: root
+    - group: root
+    - mode: 0751
+
+/srv/nfs4/web:
+  mount.mounted:
+    - device: /home/www
+    - fstype: none
+    - opts:
+      - bind
+      - acl
+    - persist: True
+    - require:
+      - file: nfs4-dirs
+
+/srv/nfs4/mail:
+  mount.mounted:
+    - device: /home/mail
+    - fstype: none
+    - opts:
+      - bind
+      - acl
+    - persist: True
+    - require:
+      - file: nfs4-dirs
+
+/srv/sftp/home:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0751
+  mount.mounted:
+    - device: /home/mail
+    - fstype: none
+    - opts:
+      - bind
+      - acl
+    - persist: True
+    - require:
+      - file: /srv/sftp/home
+
+fileserver-packages:
+  pkg.installed:
+    - pkgs:
+      - nfs-kernel-server
+      - rssh
+  service.running:
+    - name: nfs-kernel-server
+    - require:
+      - pkg: fileserver-packages
+      - mount: /srv/nfs4/mail
+      - mount: /srv/nfs4/web
+
+/etc/exports:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://fileserver/exports
+    - watch_in:
+      - service: nfs-kernel-server
+
+{% if 'sftp_group' in pillar %}
+/srv/sftp/authorized_keys:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0701
+{% endif %}
+
+sshd:
+  pkg.installed:
+    - pkgs:
+      - openssh-server
+      - openssh-blacklist
+      - openssh-blacklist-extra
+  service.running:
+    - name: ssh
+    - require:
+      - pkg: sshd
+{% if 'sftp_group' in pillar %}
+      - file: /srv/sftp/authorized_keys
+{% endif %}
+    - watch:
+      - file: /etc/ssh/sshd_config
+
+/etc/ssh/sshd_config:
+  file.managed:
+    - source: salt://fileserver/sshd_config
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 0644

states/fileserver/sshd_config

@@ -0,0 +1,104 @@
+# sshd configuration generated by salt state
+# do not modify this file directly
+#
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#{% for sshd_interface in grains['fqdn_ip4'] -%}
+#ListenAddress {{ sshd_interface }}
+#{% endfor %}
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+UseDNS no
+{%- if 'sftp_group' in pillar %}
+
+Match Group {{ pillar['sftp_group'] }}
+    ForceCommand internal-sftp
+    ChrootDirectory {{ pillar['sftp_chroot'] }}%h
+    AuthorizedKeysFile /srv/sftp/authorized_keys/%u/keys
+    PasswordAuthentication yes
+{%- endif %}
+{%- if 'ssh_customer_group' in pillar %}
+
+Match Group {{ pillar['ssh_customer_group'] }}
+    PasswordAuthentication yes
+{%- endif %}

states/ldapclient/init.sls

@@ -0,0 +1,33 @@
+ldapclient:
+  debconf.set:
+    - name: nslcd
+    - data:
+        'nslcd/ldap-base': {'type': 'string', 'value': '{{ pillar.get("ldap_base") }}'}
+        'nslcd/ldap-uris': {'type': 'string', 'value': '{{ pillar.get("ldap_uris") }}'}
+  pkg.installed:
+    - pkgs:
+      - ldap-utils
+      - nslcd
+      - libnss-ldapd
+{% if 'ldap_auth' in pillar %}
+      - libpam-ldapd
+{% endif %}
+  service.running:
+    - name: nslcd
+    - require:
+      - pkg: ldapclient
+      - debconf: nslcd
+
+libnss-ldapd-reconfigure:
+  cmd.wait:
+    - name: dpkg-reconfigure --frontend=noninteractive libnss-ldapd
+    - require:
+      - pkg: ldapclient
+    - watch:
+      - debconf: libnss-ldapd-debconf
+
+libnss-ldapd-debconf:
+  debconf.set:
+    - name: libnss-ldapd
+    - data:
+        'libnss-ldapd/nsswitch': {'type': 'multiselect', 'value': 'group, passwd'}

states/ldapserver/init.sls

@@ -2,7 +2,7 @@ ldapserver-packages:
   debconf.set:
     - name: slapd
     - data:
-        'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' }
+        'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}'}
         'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
         'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
   pkg.installed: