diff --git a/pillar/fileserver.sls b/pillar/fileserver.sls new file mode 100644 index 0000000..8466ac5 --- /dev/null +++ b/pillar/fileserver.sls @@ -0,0 +1,4 @@ +ldap_auth: True +sftp_group: sftponly +sftp_chroot: /srv/sftp +ssh_customer_group: sshuser diff --git a/pillar/ldapclient.sls b/pillar/ldapclient.sls new file mode 100644 index 0000000..17693fc --- /dev/null +++ b/pillar/ldapclient.sls @@ -0,0 +1,2 @@ +ldap_base: dc=gva,dc=local +ldap_uris: ldap://172.16.3.3/ diff --git a/pillar/top.sls b/pillar/top.sls index 7159918..5182dfa 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -5,4 +5,9 @@ base: 'roles:gnuviechadmin.{{ role }}': - match: grain - gnuviechadmin.{{ role }} -{% endfor %} \ No newline at end of file +{% endfor %} +{% for role in ('fileserver', 'ldapclient') %} + 'roles:{{ role }}': + - match: grain + - {{ role }} +{% endfor %} diff --git a/states/fileserver/exports b/states/fileserver/exports new file mode 100644 index 0000000..8370fa3 --- /dev/null +++ b/states/fileserver/exports @@ -0,0 +1,14 @@ +# /etc/exports: the access control list for filesystems which may be exported +# to NFS clients. See exports(5). +# +# Example for NFSv2 and NFSv3: +# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) +# +# Example for NFSv4: +# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) +# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) +# + +/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check) +/srv/nfs4/web gvaweb.local(rw,async,no_root_squash,no_subtree_check) +/srv/nfs4/mail gvamail.local(rw,async,no_subtree_check) diff --git a/states/fileserver/init.sls b/states/fileserver/init.sls index e69de29..3728d3d 100644 --- a/states/fileserver/init.sls +++ b/states/fileserver/init.sls 
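Review bot: The pseudo-root export `/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check)` is read-write for every client address, and as I read exports(5) the `crossmnt` flag makes the bind-mounted web and mail trees reachable through that root entry for any client that does not match an explicit child line, so the per-host restrictions on `/srv/nfs4/web` and `/srv/nfs4/mail` do not by themselves keep other hosts out. Limit the pseudo-root to the same two clients and make it read-only, e.g. `/srv/nfs4 gvaweb.local(ro,sync,fsid=root,crossmnt,no_subtree_check) gvamail.local(ro,sync,fsid=root,crossmnt,no_subtree_check)`. `no_root_squash` on the web line lets root on gvaweb.local act as root over /home/www on this server; if the web host needs that it deserves a comment saying why, otherwise drop it. All three lines use plain AUTH_SYS (client-asserted UIDs, hosts identified by reverse DNS), unlike the `gss/krb5i` example left in the header comment, so access control rests entirely on the network; a one-line comment such as `# sec=sys: trust boundary is the LAN, not the client` would make that explicit.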
@@ -0,0 +1,107 @@
+base-dirs:
+ file.directory:
+ - names:
+ - /srv/nfs4
+ - /srv/sftp
+ - user: root
+ - group: root
+ - mode: 0755
+
+nfs4-dirs:
+ file.directory:
+ - names:
+ - /srv/nfs4/web
+ - /srv/nfs4/mail
+ - user: root
+ - group: root
+ - mode: 0751
+
+/srv/nfs4/web:
+ mount.mounted:
+ - device: /home/www
+ - fstype: none
+ - opts:
+ - bind
+ - acl
+ - persist: True
+ - require:
+ - file: nfs4-dirs
+
+/srv/nfs4/mail:
+ mount.mounted:
+ - device: /home/mail
+ - fstype: none
+ - opts:
+ - bind
+ - acl
+ - persist: True
+ - require:
+ - file: nfs4-dirs
+
+/srv/sftp/home:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0751
+ mount.mounted:
+ - device: /home/mail
+ - fstype: none
+ - opts:
+ - bind
+ - acl
+ - persist: True
+ - require:
+ - file: /srv/sftp/home
+
+fileserver-packages:
+ pkg.installed:
+ - pkgs:
+ - nfs-kernel-server
+ - rssh
+ service.running:
+ - name: nfs-kernel-server
+ - require:
+ - pkg: fileserver-packages
+ - mount: /srv/nfs4/mail
+ - mount: /srv/nfs4/web
+
+/etc/exports:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0644
+ - source: salt://fileserver/exports
+ - watch_in:
+ - service: nfs-kernel-server
+
+{% if 'sftp_group' in pillar %}
+/srv/sftp/authorized_keys:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0701
+{% endif %}
+
+sshd:
+ pkg.installed:
+ - pkgs:
+ - openssh-server
+ - openssh-blacklist
+ - openssh-blacklist-extra
+ service.running:
+ - name: ssh
+ - require:
+ - pkg: sshd
+{% if 'sftp_group' in pillar %}
+ - file: /srv/sftp/authorized_keys
+{% endif %}
+ - watch:
+ - file: /etc/ssh/sshd_config
+
+/etc/ssh/sshd_config:
+ file.managed:
+ - source: salt://fileserver/sshd_config
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 0644
diff --git a/states/fileserver/sshd_config b/states/fileserver/sshd_config
new file mode 100644
index 0000000..1b230f9
--- /dev/null
+++ b/states/fileserver/sshd_config
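Review bot: The `/srv/sftp/home` mount uses `device: /home/mail`, the same source as the `/srv/nfs4/mail` mount just above it, which reads like a copy-paste of that block; since the sshd_config in this commit chroots SFTP users to `/srv/sftp%h`, this bind decides whose homes become SFTP chroots, so if it is intentional it needs a comment, e.g. `# SFTP chroot is /srv/sftp%h, so sftp users' homes must live under /home/mail -- TODO confirm`, and if not, the device should be whatever tree actually holds those homes. The `rssh` package is installed but nothing in the diff uses it (the SFTP restriction is done with `ForceCommand internal-sftp`), and as far as I recall it ships a setuid-root chroot helper, so it is extra attack surface for no benefit; drop it from `pkgs` unless a later state needs it. The `openssh-blacklist` packages only provide the old Debian weak-key blacklist and are harmless, but a short comment on why they are pulled in would save the next reader a lookup.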
@@ -0,0 +1,104 @@
+# sshd configuration generated by salt state
+# do not modify this file directly
+#
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#{% for sshd_interface in grains['fqdn_ip4'] -%}
+#ListenAddress {{ sshd_interface }}
+#{% endfor %}
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to
pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+UseDNS no
+{%- if 'sftp_group' in pillar %}
+
+Match Group {{ pillar['sftp_group'] }}
+ ForceCommand internal-sftp
+ ChrootDirectory {{ pillar['sftp_chroot'] }}%h
+ AuthorizedKeysFile /srv/sftp/authorized_keys/%u/keys
+ PasswordAuthentication yes
+{%- endif %}
+{%- if 'ssh_customer_group' in pillar %}
+
+Match Group {{ pillar['ssh_customer_group'] }}
+ PasswordAuthentication yes
+{%- endif %}
diff --git a/states/ldapclient/init.sls b/states/ldapclient/init.sls
new file mode 100644
index 0000000..7d49bdd
--- /dev/null
+++ b/states/ldapclient/init.sls
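Review bot: `ChrootDirectory {{ pillar['sftp_chroot'] }}%h` expands to `/srv/sftp/home/<user>` with the pillar in this commit, and sshd refuses the session unless that directory and every component above it are owned by root and not group- or world-writable, so users cannot write at the top of their own chroot and need a root-owned home with a writable subdirectory underneath; nothing in the diff creates that layout or says so. Add a comment above the Match block such as `# chroot root must be root-owned and non-writable; give users a writable subdir (e.g. %h/files)`, and note that `/srv/sftp/authorized_keys/%u` must likewise not be user-writable because `StrictModes yes` applies to the per-user key path. The template reads `pillar['sftp_chroot']` while only guarding on `sftp_group`, so a pillar that sets the group but not the chroot would fail to render; `{{ pillar.get('sftp_chroot', '/srv/sftp') }}` or a guard on both keys avoids that. Both Match blocks turn `PasswordAuthentication yes` back on under `UsePAM yes`, which together with the ldapclient state means these passwords are checked via nslcd against the `ldap_uris` in the pillar; a comment naming that dependency (and that the LDAP transport must then be encrypted) would help whoever tunes either side later.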
@@ -0,0 +1,33 @@ +ldapclient: + debconf.set: + - name: nslcd + - data: + 'nslcd/ldap-base': {'type': 'string', 'value': '{{ pillar.get("ldap_base") }}'} + 'nslcd/ldap-uris': {'type': 'string', 'value': '{{ pillar.get("ldap_uris") }}'} + pkg.installed: + - pkgs: + - ldap-utils + - nslcd + - libnss-ldapd +{% if 'ldap_auth' in pillar %} + - libpam-ldapd +{% endif %} + service.running: + - name: nslcd + - require: + - pkg: ldapclient + - debconf: nslcd + +libnss-ldapd-reconfigure: + cmd.wait: + - name: dpkg-reconfigure --frontend=noninteractive libnss-ldapd + - require: + - pkg: ldapclient + - watch: + - debconf: libnss-ldapd-debconf + +libnss-ldapd-debconf: + debconf.set: + - name: libnss-ldapd + - data: + 'libnss-ldapd/nsswitch': {'type': 'multiselect', 'value': 'group, passwd'} diff --git a/states/ldapserver/init.sls b/states/ldapserver/init.sls index 2a59f3e..94c1832 100644 --- a/states/ldapserver/init.sls +++ b/states/ldapserver/init.sls @@ -2,7 +2,7 @@ ldapserver-packages: debconf.set: - name: slapd - data: - 'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' } + 'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}'} 'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'} 'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'} pkg.installed:
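Review bot: `{% if 'ldap_auth' in pillar %}` tests for the key's presence, not its value, so a host with `ldap_auth: False` still gets `libpam-ldapd` installed and LDAP password authentication switched on; `{% if pillar.get('ldap_auth') %}` is what the pillar's `ldap_auth: True` suggests was meant. The debconf block hands nslcd only `ldap-base` and `ldap-uris`, and the pillar in this commit sets `ldap_uris: ldap://172.16.3.3/`, so when libpam-ldapd is active user passwords would be bound over unencrypted LDAP unless TLS is configured somewhere not shown here; if I recall the nslcd templates correctly, `'nslcd/ldap-starttls': {'type': 'boolean', 'value': True}` and `'nslcd/ldap-reqcert': {'type': 'select', 'value': 'demand'}` can be added to the same `data` map, or the pillar URI changed to `ldaps://`. `pillar.get("ldap_base")` and `pillar.get("ldap_uris")` have no default, so a minion that lacks the ldapclient pillar would write the literal string `None` into debconf rather than fail; either use `pillar['ldap_base']` so the state errors loudly, or add a comment stating both keys are mandatory.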