From 3d68e5cac9725d5cbbe920f3ce3d88f9c07cd8e2 Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Sun, 27 Oct 2024 02:53:37 +0200
Subject: [PATCH] initial commit
---
docker/init.sls | 19 +++++++
minion/init.sls | 17 ++++++
ssh/files/sshd_config | 121 ++++++++++++++++++++++++++++++++++++++++++
ssh/init.sls | 17 ++++++
sudo/init.sls | 37 +++++++++++++
top.sls | 7 +++
users/init.sls | 66 +++++++++++++++++++++++
7 files changed, 284 insertions(+)
create mode 100644 docker/init.sls
create mode 100644 minion/init.sls
create mode 100644 ssh/files/sshd_config
create mode 100644 ssh/init.sls
create mode 100644 sudo/init.sls
create mode 100644 top.sls
create mode 100644 users/init.sls
diff --git a/docker/init.sls b/docker/init.sls
new file mode 100644
index 0000000..65be33a
--- /dev/null
+++ b/docker/init.sls
@@ -0,0 +1,19 @@
+# /srv/salt/docker/init.sls
+
+docker_packages:
+ pkg.installed:
+ - pkgs:
+ - docker
+ - docker-openrc
+ - docker-cli-compose
+
+docker_service:
+ service.running:
+ - name: docker
+ - enable: True
+ - require:
+ - pkg: docker_packages
+
+docker_group:
+ group.present:
+ - name: docker
diff --git a/minion/init.sls b/minion/init.sls
new file mode 100644
index 0000000..e062097
--- /dev/null
+++ b/minion/init.sls
@@ -0,0 +1,17 @@
+# Manage minion configuration
+/etc/salt/minion.d/id.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 644
+ - contents: |
+ # Managed by Salt
+ id: {{ grains['nodename'] }}
+
+# Ensure salt-minion service is enabled
+salt-minion:
+ service.running:
+ - enable: True
+ - watch:
+ - file: /etc/salt/minion.d/id.conf
+
diff --git a/ssh/files/sshd_config b/ssh/files/sshd_config
new file mode 100644
index 0000000..3eeab02
--- /dev/null
+++ b/ssh/files/sshd_config
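Review bot: `docker_group` creates the `docker` group without any comment on what membership means, and users/init.sls in this same commit adds `menno` to it; access to the Docker daemon socket is generally treated as root-equivalent on the host, so this group is effectively a second admin group alongside `sudo`. A one-line comment above the state would make that explicit for the next maintainer, e.g. `# Membership grants control of the Docker daemon, which is root-equivalent on the host; treat like the sudo group.` The state also has no `require` on `pkg: docker_packages`, which is probably fine since `group.present` is idempotent, but ordering it after the package would match `docker_service`.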
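Review bot: The `file.managed` state for `/etc/salt/minion.d/id.conf` has no `makedirs: True` and no requisite on a salt-minion package, so on a host where `/etc/salt/minion.d` does not exist yet the state fails outright; adding `- makedirs: True` makes it self-sufficient. It is also worth a comment that because `salt-minion` watches this file, changing the `id` derived from `grains['nodename']` restarts the minion mid-run and the master then sees it under a new id whose key must be re-accepted.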
@@ -0,0 +1,121 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# Include configuration snippets before processing this file to allow the
+# snippets to override directives set in this file.
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp internal-sftp
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/ssh/init.sls b/ssh/init.sls
new file mode 100644
index 0000000..3c5134d
--- /dev/null
+++ b/ssh/init.sls
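Review bot: `PasswordAuthentication yes` keeps password logins enabled even though users/init.sls in this commit provisions an authorized key for both `menno` and root, so the key-only setup the rest of the change builds is not enforced for non-root accounts; with the keys deployed, `PasswordAuthentication no` and an explicit `KbdInteractiveAuthentication no` (currently commented out with a default of yes) would close that gap, while `PermitRootLogin prohibit-password` already limits root to keys. The `Include /etc/ssh/sshd_config.d/*.conf` at the top means any drop-in file wins over every directive below it, since sshd takes the first value it sees for a keyword; a short comment noting that the drop-in directory must be kept empty or managed by the `ssh` state would document that assumption. If the intent is to keep passwords until a password is set for `menno`, a comment saying so next to the directive would stop a later reader from treating it as an oversight.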
@@ -0,0 +1,17 @@
+
+# Manage SSH daemon configuration
+sshd_config:
+ file.managed:
+ - name: /etc/ssh/sshd_config
+ - source: salt://ssh/files/sshd_config
+ - mode: 600
+ - user: root
+ - group: root
+
+# Ensure SSH service is running and restarts if config changes
+sshd_service:
+ service.running:
+ - name: sshd
+ - enable: True
+ - watch:
+ - file: sshd_config
diff --git a/sudo/init.sls b/sudo/init.sls
new file mode 100644
index 0000000..3066753
--- /dev/null
+++ b/sudo/init.sls
@@ -0,0 +1,37 @@
+# /srv/salt/sudo/init.sls
+
+# Ensure sudo package is installed (required for Alpine)
+sudo_pkg:
+ pkg.installed:
+ - name: sudo
+
+# Create the sudo group
+sudo_group:
+ group.present:
+ - name: sudo
+ - require:
+ - pkg: sudo_pkg
+
+# Configure sudoers to allow sudo group
+/etc/sudoers.d/sudo-group:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 440
+ - contents: |
+ # Allow members of group sudo to execute any command
+ %sudo ALL=(ALL:ALL) ALL
+ - check_cmd: /usr/sbin/visudo -c -f
+ - require:
+ - pkg: sudo_pkg
+
+# Ensure sudoers.d is included
+ensure_sudoers_includedir:
+ file.replace:
+ - name: /etc/sudoers
+ - pattern: '^#@includedir /etc/sudoers.d$'
+ - repl: '@includedir /etc/sudoers.d'
+ - append_if_not_found: True
+ - require:
+ - pkg: sudo_pkg
+
diff --git a/top.sls b/top.sls
new file mode 100644
index 0000000..6e31cb7
--- /dev/null
+++ b/top.sls
@@ -0,0 +1,7 @@
+base:
+ '*':
+ - users
+ - ssh
+ - sudo
+ - docker
+
diff --git a/users/init.sls b/users/init.sls
new file mode 100644
index 0000000..6a35340
--- /dev/null
+++ b/users/init.sls
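Review bot: `sshd_config` replaces `/etc/ssh/sshd_config` without validating the new file, so a typo in `ssh/files/sshd_config` is written out, `sshd_service` then fails to restart on the `watch`, and remote access to the host can be lost until someone fixes it locally. sudo/init.sls in this same commit already guards its sudoers drop-in with `check_cmd`, so the same pattern fits here: `- check_cmd: /usr/sbin/sshd -t -f`, which Salt runs against the temporary copy of the new file and refuses the change if it exits non-zero. A comment on the state such as `# check_cmd validates the candidate file before it replaces the live one; a bad config must never reach sshd` would record why the guard is there.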
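Review bot: The pattern `'^#@includedir /etc/sudoers.d$'` in `ensure_sudoers_includedir` only matches the commented `@includedir` spelling; if the shipped `/etc/sudoers` instead carries the older `#includedir /etc/sudoers.d` directive (still honored by sudo as a directive, not a comment), the pattern never matches and `append_if_not_found` adds a second include line on every first run instead of leaving the file alone, which is probably harmless to sudo but is not what the state name promises. A pattern such as `'^#@?includedir /etc/sudoers.d$'` covers both spellings. Unlike the `/etc/sudoers.d/sudo-group` state above, this edit of `/etc/sudoers` has no `visudo -c` check and `file.replace` offers no `check_cmd`; a follow-up `cmd.run` of `/usr/sbin/visudo -c` with `onchanges` on this state would at least surface a broken sudoers in the highstate output rather than at the next sudo invocation.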
@@ -0,0 +1,66 @@
+# /srv/salt/users/init.sls
+
+{% set ssh_public_key = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+sKpcREOUjwMMSzEWAso6830wbOi8kUxqpuXWw5gHr' %}
+
+menno_user:
+ user.present:
+ - name: menno
+ - shell: /bin/bash
+ - home: /home/menno
+ - createhome: True
+ - groups:
+ - sudo
+ - docker
+ - require:
+ - sls: sudo
+ - sls: docker
+
+menno_ssh_dir:
+ file.directory:
+ - name: /home/menno/.ssh
+ - user: menno
+ - group: menno
+ - mode: 700
+ - makedirs: True
+ - require:
+ - user: menno_user
+
+root_ssh_dir:
+ file.directory:
+ - name: /root/.ssh
+ - user: root
+ - group: root
+ - mode: 700
+ - makedirs: True
+
+menno_authorized_keys:
+ file.managed:
+ - name: /home/menno/.ssh/authorized_keys
+ - user: menno
+ - group: menno
+ - mode: 600
+ - require:
+ - file: menno_ssh_dir
+
+root_authorized_keys:
+ file.managed:
+ - name: /root/.ssh/authorized
+ - user: root
+ - group: root
+ - mode: 600
+ - require:
+ - file: root_ssh_dir
+
+add_ssh_key:
+ file.append:
+ - name: /home/menno/.ssh/authorized_keys
+ - text: {{ ssh_public_key }}
+ - require:
+ - file: menno_authorized_keys
+
+add_ssh_key_to_root:
+ file.append:
+ - name: /root/.ssh/authorized_keys
+ - text: {{ ssh_public_key }}
+ - require:
+ - file: menno_authorized_keys
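Review bot: `root_authorized_keys` manages `/root/.ssh/authorized` (the `_keys` suffix is missing), while `add_ssh_key_to_root` appends to `/root/.ssh/authorized_keys` and requires `file: menno_authorized_keys` rather than `root_authorized_keys`; the result is a stray empty `/root/.ssh/authorized` file, and the real root `authorized_keys` is created by `file.append` alone, so the `mode: 600` and root ownership the managed state intends most likely never apply to it. The two lines to change are `- name: /root/.ssh/authorized_keys` in `root_authorized_keys` and `- file: root_authorized_keys` in `add_ssh_key_to_root`. Since the same key is installed for root and the sshd_config in this commit sets `PermitRootLogin prohibit-password`, the key holder can log in directly as root rather than only via `menno` and sudo; a comment above `add_ssh_key_to_root` stating that this is deliberate (or dropping the root copy if it is not) would make the intended access path clear.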