Add fileserver and ldapclient sls
This commit is contained in:
parent
1cf93b8f30
commit
b72b6c960d
8 changed files with 271 additions and 2 deletions
4
pillar/fileserver.sls
Normal file
4
pillar/fileserver.sls
Normal file
|
@ -0,0 +1,4 @@
|
|||
ldap_auth: True
|
||||
sftp_group: sftponly
|
||||
sftp_chroot: /srv/sftp
|
||||
ssh_customer_group: sshuser
|
2
pillar/ldapclient.sls
Normal file
2
pillar/ldapclient.sls
Normal file
|
@ -0,0 +1,2 @@
|
|||
ldap_base: dc=gva,dc=local
|
||||
ldap_uris: ldap://172.16.3.3/
|
|
@ -6,3 +6,8 @@ base:
|
|||
- match: grain
|
||||
- gnuviechadmin.{{ role }}
|
||||
{% endfor %}
|
||||
{% for role in ('fileserver', 'ldapclient') %}
|
||||
'roles:{{ role }}':
|
||||
- match: grain
|
||||
- {{ role }}
|
||||
{% endfor %}
|
||||
|
|
14
states/fileserver/exports
Normal file
14
states/fileserver/exports
Normal file
|
@ -0,0 +1,14 @@
|
|||
# /etc/exports: the access control list for filesystems which may be exported
|
||||
# to NFS clients. See exports(5).
|
||||
#
|
||||
# Example for NFSv2 and NFSv3:
|
||||
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
|
||||
#
|
||||
# Example for NFSv4:
|
||||
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
|
||||
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
|
||||
#
|
||||
|
||||
/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check)
|
||||
/srv/nfs4/web gvaweb.local(rw,async,no_root_squash,no_subtree_check)
|
||||
/srv/nfs4/mail gvamail.local(rw,async,no_subtree_check)
|
|
@ -0,0 +1,107 @@
|
|||
base-dirs:
|
||||
file.directory:
|
||||
- names:
|
||||
- /srv/nfs4
|
||||
- /srv/sftp
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0755
|
||||
|
||||
nfs4-dirs:
|
||||
file.directory:
|
||||
- names:
|
||||
- /srv/nfs4/web
|
||||
- /srv/nfs4/mail
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0751
|
||||
|
||||
/srv/nfs4/web:
|
||||
mount.mounted:
|
||||
- device: /home/www
|
||||
- fstype: none
|
||||
- opts:
|
||||
- bind
|
||||
- acl
|
||||
- persist: True
|
||||
- require:
|
||||
- file: nfs4-dirs
|
||||
|
||||
/srv/nfs4/mail:
|
||||
mount.mounted:
|
||||
- device: /home/mail
|
||||
- fstype: none
|
||||
- opts:
|
||||
- bind
|
||||
- acl
|
||||
- persist: True
|
||||
- require:
|
||||
- file: nfs4-dirs
|
||||
|
||||
/srv/sftp/home:
|
||||
file.directory:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0751
|
||||
mount.mounted:
|
||||
- device: /home/mail
|
||||
- fstype: none
|
||||
- opts:
|
||||
- bind
|
||||
- acl
|
||||
- persist: True
|
||||
- require:
|
||||
- file: /srv/sftp/home
|
||||
|
||||
fileserver-packages:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- nfs-kernel-server
|
||||
- rssh
|
||||
service.running:
|
||||
- name: nfs-kernel-server
|
||||
- require:
|
||||
- pkg: fileserver-packages
|
||||
- mount: /srv/nfs4/mail
|
||||
- mount: /srv/nfs4/web
|
||||
|
||||
/etc/exports:
|
||||
file.managed:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0644
|
||||
- source: salt://fileserver/exports
|
||||
- watch_in:
|
||||
- service: nfs-kernel-server
|
||||
|
||||
{% if 'sftp_group' in pillar %}
|
||||
/srv/sftp/authorized_keys:
|
||||
file.directory:
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0701
|
||||
{% endif %}
|
||||
|
||||
sshd:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- openssh-server
|
||||
- openssh-blacklist
|
||||
- openssh-blacklist-extra
|
||||
service.running:
|
||||
- name: ssh
|
||||
- require:
|
||||
- pkg: sshd
|
||||
{% if 'sftp_group' in pillar %}
|
||||
- file: /srv/sftp/authorized_keys
|
||||
{% endif %}
|
||||
- watch:
|
||||
- file: /etc/ssh/sshd_config
|
||||
|
||||
/etc/ssh/sshd_config:
|
||||
file.managed:
|
||||
- source: salt://fileserver/sshd_config
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0644
|
104
states/fileserver/sshd_config
Normal file
104
states/fileserver/sshd_config
Normal file
|
@ -0,0 +1,104 @@
|
|||
# sshd configuration generated by salt state
|
||||
# do not modify this file directly
|
||||
#
|
||||
# See the sshd_config(5) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
Port 22
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
#{% for sshd_interface in grains['fqdn_ip4'] -%}
|
||||
#ListenAddress {{ sshd_interface }}
|
||||
#{% endfor %}
|
||||
Protocol 2
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_dsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 1024
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin no
|
||||
StrictModes yes
|
||||
|
||||
RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts yes
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication no
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Change to no to disable tunnelled clear text passwords
|
||||
PasswordAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
X11Forwarding no
|
||||
X11DisplayOffset 10
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
#Banner /etc/issue.net
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
UseDNS no
|
||||
{%- if 'sftp_group' in pillar %}
|
||||
|
||||
Match Group {{ pillar['sftp_group'] }}
|
||||
ForceCommand internal-sftp
|
||||
ChrootDirectory {{ pillar['sftp_chroot'] }}%h
|
||||
AuthorizedKeysFile /srv/sftp/authorized_keys/%u/keys
|
||||
PasswordAuthentication yes
|
||||
{%- endif %}
|
||||
{%- if 'ssh_customer_group' in pillar %}
|
||||
|
||||
Match Group {{ pillar['ssh_customer_group'] }}
|
||||
PasswordAuthentication yes
|
||||
{%- endif %}
|
33
states/ldapclient/init.sls
Normal file
33
states/ldapclient/init.sls
Normal file
|
@ -0,0 +1,33 @@
|
|||
ldapclient:
|
||||
debconf.set:
|
||||
- name: nslcd
|
||||
- data:
|
||||
'nslcd/ldap-base': {'type': 'string', 'value': '{{ pillar.get("ldap_base") }}'}
|
||||
'nslcd/ldap-uris': {'type': 'string', 'value': '{{ pillar.get("ldap_uris") }}'}
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- ldap-utils
|
||||
- nslcd
|
||||
- libnss-ldapd
|
||||
{% if 'ldap_auth' in pillar %}
|
||||
- libpam-ldapd
|
||||
{% endif %}
|
||||
service.running:
|
||||
- name: nslcd
|
||||
- require:
|
||||
- pkg: ldapclient
|
||||
- debconf: nslcd
|
||||
|
||||
libnss-ldapd-reconfigure:
|
||||
cmd.wait:
|
||||
- name: dpkg-reconfigure --frontend=noninteractive libnss-ldapd
|
||||
- require:
|
||||
- pkg: ldapclient
|
||||
- watch:
|
||||
- debconf: libnss-ldapd-debconf
|
||||
|
||||
libnss-ldapd-debconf:
|
||||
debconf.set:
|
||||
- name: libnss-ldapd
|
||||
- data:
|
||||
'libnss-ldapd/nsswitch': {'type': 'multiselect', 'value': 'group, passwd'}
|
|
@ -2,7 +2,7 @@ ldapserver-packages:
|
|||
debconf.set:
|
||||
- name: slapd
|
||||
- data:
|
||||
'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' }
|
||||
'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}'}
|
||||
'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
|
||||
'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
|
||||
pkg.installed:
|
||||
|
|
Loading…
Reference in a new issue