Add fileserver and ldapclient sls

This commit is contained in:
Jan Dittberner 2016-09-24 21:51:59 +02:00
parent 1cf93b8f30
commit b72b6c960d
8 changed files with 271 additions and 2 deletions

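--- a/pillar/fileserver.sls
+++ b/pillar/fileserver.sls
@@ -0,0 +1,4 @@
+ldap_auth: True
+sftp_group: sftponly
+sftp_chroot: /srv/sftp
+ssh_customer_group: sshuser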

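--- a/pillar/ldapclient.sls
+++ b/pillar/ldapclient.sls
@@ -0,0 +1,2 @@
+ldap_base: dc=gva,dc=local
+ldap_uris: ldap://172.16.3.3/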


@ -6,3 +6,8 @@ base:
- match: grain
- gnuviechadmin.{{ role }}
{% endfor %}
{% for role in ('fileserver', 'ldapclient') %}
'roles:{{ role }}':
- match: grain
- {{ role }}
{% endfor %}
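Review bot: The new `'roles:{{ role }}'` entries select minions with `match: grain`, and grains are reported by the minion itself, so a minion that sets a `roles` grain of `fileserver` or `ldapclient` is handed everything this target assigns; if this is the pillar top, that includes the LDAP and sftp pillar values added in this commit. Where the fileserver and ldapclient minions are known by ID, a `match: compound` target that also pins the minion ID (or a `match: nodegroup` entry) limits that, and a comment such as `# roles grain is set by the minion; do not rely on it alone to gate sensitive pillar` records the trust assumption for the next reader. The enclosing `base:` mapping begins outside the hunk, so the existing `gnuviechadmin.{{ role }}` targets above it are not reviewed here.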

states/fileserver/exports Normal file

@ -0,0 +1,14 @@
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check)
/srv/nfs4/web gvaweb.local(rw,async,no_root_squash,no_subtree_check)
/srv/nfs4/mail gvamail.local(rw,async,no_subtree_check)
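Review bot: `/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check)` exports the NFSv4 pseudo-root read-write to every host (`*`), while the two child exports below are restricted to `gvaweb.local` and `gvamail.local`; the pseudo-root appears to hold only the bind-mount directories created by the fileserver state, so `ro` with the same host list, e.g. `/srv/nfs4 gvaweb.local(ro,sync,fsid=root,crossmnt,no_subtree_check) gvamail.local(ro,sync,fsid=root,crossmnt,no_subtree_check)`, gives clients the same navigation without an anonymous writable export. `no_root_squash` on `/srv/nfs4/web` lets root on gvaweb.local act as root on that tree, which deserves a comment stating why it is required, and the hostname-based restrictions only hold if the server resolves those names reliably. `async` is a durability trade-off rather than a security one, but a one-line comment marking it as deliberate would save the next reader from reverting it.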


@ -0,0 +1,107 @@
base-dirs:
file.directory:
- names:
- /srv/nfs4
- /srv/sftp
- user: root
- group: root
- mode: 0755
nfs4-dirs:
file.directory:
- names:
- /srv/nfs4/web
- /srv/nfs4/mail
- user: root
- group: root
- mode: 0751
/srv/nfs4/web:
mount.mounted:
- device: /home/www
- fstype: none
- opts:
- bind
- acl
- persist: True
- require:
- file: nfs4-dirs
/srv/nfs4/mail:
mount.mounted:
- device: /home/mail
- fstype: none
- opts:
- bind
- acl
- persist: True
- require:
- file: nfs4-dirs
/srv/sftp/home:
file.directory:
- user: root
- group: root
- mode: 0751
mount.mounted:
- device: /home/mail
- fstype: none
- opts:
- bind
- acl
- persist: True
- require:
- file: /srv/sftp/home
fileserver-packages:
pkg.installed:
- pkgs:
- nfs-kernel-server
- rssh
service.running:
- name: nfs-kernel-server
- require:
- pkg: fileserver-packages
- mount: /srv/nfs4/mail
- mount: /srv/nfs4/web
/etc/exports:
file.managed:
- user: root
- group: root
- mode: 0644
- source: salt://fileserver/exports
- watch_in:
- service: nfs-kernel-server
{% if 'sftp_group' in pillar %}
/srv/sftp/authorized_keys:
file.directory:
- user: root
- group: root
- mode: 0701
{% endif %}
sshd:
pkg.installed:
- pkgs:
- openssh-server
- openssh-blacklist
- openssh-blacklist-extra
service.running:
- name: ssh
- require:
- pkg: sshd
{% if 'sftp_group' in pillar %}
- file: /srv/sftp/authorized_keys
{% endif %}
- watch:
- file: /etc/ssh/sshd_config
/etc/ssh/sshd_config:
file.managed:
- source: salt://fileserver/sshd_config
- template: jinja
- user: root
- group: root
- mode: 0644
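Review bot: The `/srv/sftp/home` stanza bind-mounts `- device: /home/mail`, the same device as the `/srv/nfs4/mail` mount above, which looks like a copy-and-paste slip: the `sshd_config` added in this commit sets `ChrootDirectory {{ pillar['sftp_chroot'] }}%h`, so whatever is mounted at `/srv/sftp/home` becomes the chroot tree for every sftp user, and the mail home tree there would expose other users' data to sftp logins. If the intent is to chroot users into their own homes the device is presumably `/home` (or the web home used by the `/srv/nfs4/web` mount) — please confirm and fix, or add a comment explaining why the mail tree is mounted there. `ChrootDirectory` also requires every component of the chroot path to be root-owned and not group/world-writable; the root-owned 0751 `/srv/sftp/home` satisfies that for the mount point, but the `%h` subtree under it is not covered by this state, so a comment stating where that is guaranteed would help. The file header is not shown in this view; the path is inferred from `salt://fileserver/exports`.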


@ -0,0 +1,104 @@
# sshd configuration generated by salt state
# do not modify this file directly
#
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#{% for sshd_interface in grains['fqdn_ip4'] -%}
#ListenAddress {{ sshd_interface }}
#{% endfor %}
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no
{%- if 'sftp_group' in pillar %}
Match Group {{ pillar['sftp_group'] }}
ForceCommand internal-sftp
ChrootDirectory {{ pillar['sftp_chroot'] }}%h
AuthorizedKeysFile /srv/sftp/authorized_keys/%u/keys
PasswordAuthentication yes
{%- endif %}
{%- if 'ssh_customer_group' in pillar %}
Match Group {{ pillar['ssh_customer_group'] }}
PasswordAuthentication yes
{%- endif %}
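Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` keeps a DSA host key in the offer; DSA host keys are limited to 1024 bits and OpenSSH has disabled ssh-dss by default since 7.0, so that line should be dropped, leaving the RSA and ECDSA keys (and an Ed25519 key if the target's OpenSSH provides one — TODO confirm the installed version). `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication` and `RhostsRSAAuthentication` are protocol-1 settings that are dead under `Protocol 2` and can go with it. The two `Match Group` blocks re-enable `PasswordAuthentication yes` for the sftp and customer groups, which together with `UsePAM yes` and the libpam-ldapd package from the ldapclient state means LDAP passwords are accepted for those groups despite the global `PasswordAuthentication no`; a comment above each block such as `# password logins are intentionally allowed for this group only` would document the policy rather than leaving it to look like an oversight.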


@ -0,0 +1,33 @@
ldapclient:
debconf.set:
- name: nslcd
- data:
'nslcd/ldap-base': {'type': 'string', 'value': '{{ pillar.get("ldap_base") }}'}
'nslcd/ldap-uris': {'type': 'string', 'value': '{{ pillar.get("ldap_uris") }}'}
pkg.installed:
- pkgs:
- ldap-utils
- nslcd
- libnss-ldapd
{% if 'ldap_auth' in pillar %}
- libpam-ldapd
{% endif %}
service.running:
- name: nslcd
- require:
- pkg: ldapclient
- debconf: nslcd
libnss-ldapd-reconfigure:
cmd.wait:
- name: dpkg-reconfigure --frontend=noninteractive libnss-ldapd
- require:
- pkg: ldapclient
- watch:
- debconf: libnss-ldapd-debconf
libnss-ldapd-debconf:
debconf.set:
- name: libnss-ldapd
- data:
'libnss-ldapd/nsswitch': {'type': 'multiselect', 'value': 'group, passwd'}
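Review bot: `{% if 'ldap_auth' in pillar %}` tests only whether the key exists, so a pillar of `ldap_auth: False` still installs `libpam-ldapd` and turns on LDAP password authentication; `{% if pillar.get('ldap_auth') %}` tests the value instead. The debconf data sets only `nslcd/ldap-base` and `nslcd/ldap-uris`, and the `ldap_uris` value added in `pillar/ldapclient.sls` is a plain `ldap://172.16.3.3/` URI, so with libpam-ldapd the simple binds carrying user passwords would cross the network unencrypted unless nslcd is also configured for TLS (`ssl start_tls` with `tls_reqcert` in nslcd.conf, or an `ldaps://` URI); nothing in this commit sets that, so either add it or record in a comment that the network between these hosts is considered trusted. The quoted `'{{ pillar.get("ldap_base") }}'` and `'{{ pillar.get("ldap_uris") }}'` values render as the string `None` when the pillar key is missing, which would be written into debconf silently; a default such as `pillar.get("ldap_base", "")` or a hard failure makes a missing pillar visible. The file header is not shown in this view.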


@ -2,7 +2,7 @@ ldapserver-packages:
debconf.set:
- name: slapd
- data:
'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' }
'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}'}
'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
pkg.installed: