init
afde75508f
5 changed files with 82 additions and 0 deletions
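--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+# Basics Formula
+
+Salt formula that sets up some basics, like firewall and ssh.
+
+This is heavily WIP and missing some important things.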
33
basics/firewall.sls
Normal file
33
basics/firewall.sls
Normal file
|
@ -0,0 +1,33 @@
|
|||
ufw not installed:
|
||||
pkg.removed:
|
||||
- name: ufw
|
||||
|
||||
firewalld installed:
|
||||
pkg.installed:
|
||||
- name: firewalld
|
||||
|
||||
firewalld service running:
|
||||
service.running:
|
||||
- name: firewalld
|
||||
|
||||
fail2ban installed:
|
||||
pkg.installed:
|
||||
- name: fail2ban
|
||||
|
||||
fail2ban service running:
|
||||
service.running:
|
||||
- name: fail2ban
|
||||
|
||||
firewalld public zone setup:
|
||||
firewalld.present:
|
||||
- name: public
|
||||
- block_icmp:
|
||||
- echo-reply
|
||||
- echo-request
|
||||
- default: True
|
||||
- masquerade: True
|
||||
- ports:
|
||||
{% for port, protocol in salt['pillar.get']('basics:firewall:ports').items() %}
|
||||
- {{ port }}/{{ protocol }}
|
||||
{% endfor %}
|
||||
|
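Review bot: `salt['pillar.get']('basics:firewall:ports')` in the `- ports:` loop has no default, so when that key is absent the lookup returns an empty string and `.items()` fails at render time instead of producing an empty port list; pass a default mapping, `{% for port, protocol in salt['pillar.get']('basics:firewall:ports', {}).items() %}`. `firewalld public zone setup` relies on file order rather than a requisite to run after the daemon is up; add `- require:` / `- service: firewalld service running`. `masquerade: True` on the public zone makes the host NAT forwarded traffic, which is more than a basic host firewall needs — a comment explaining why it is wanted, or dropping it, would help. Nothing guarantees that the sshd port chosen via `basics:ssh:port` in the ssh state is in this ports list; document that the two pillar keys must agree or a run can lock out remote management. fail2ban is installed with no jail configuration, and on Debian-derived hosts its default ban action appears to drive iptables directly rather than firewalld, which may conflict with the firewalld-managed ruleset — worth confirming and documenting.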
13
basics/init.sls
Normal file
13
basics/init.sls
Normal file
|
@ -0,0 +1,13 @@
|
|||
include:
|
||||
{% if pillar.basics.firewall is defined %}
|
||||
- .firewall
|
||||
{% endif %}
|
||||
{% if pillar.basics.ssh is defined %}
|
||||
- .ssh
|
||||
{% endif %}
|
||||
|
||||
Make sure all packages are up to date:
|
||||
pkg.uptodate:
|
||||
- refresh: True
|
||||
|
||||
|
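Review bot: `{% if pillar.basics.firewall is defined %}` performs an attribute lookup on `pillar.basics`, so on a minion that has no `basics` pillar at all the render raises an undefined error rather than skipping the include; the `ssh` test a few lines below has the same problem. Test membership on a defaulted lookup instead, `{% if 'firewall' in salt['pillar.get']('basics', {}) %}` and `{% if 'ssh' in salt['pillar.get']('basics', {}) %}`. `Make sure all packages are up to date` upgrades every package with a repository refresh on every highstate and has no ordering relationship to the included states; a short comment stating that this is intentional (and whether it should run before or after the firewall and ssh states) would make the behaviour explicit.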
16
basics/ssh/init.sls
Normal file
16
basics/ssh/init.sls
Normal file
|
@ -0,0 +1,16 @@
|
|||
ssh server installed:
|
||||
pkg.installed:
|
||||
- name: openssh-server
|
||||
|
||||
sshd config file is present:
|
||||
file.managed:
|
||||
- name: /etc/ssh/sshd_config
|
||||
- source: salt://basics/ssh/sshd_config.jinja
|
||||
- template: jinja
|
||||
|
||||
restart sshd service on config file change:
|
||||
module.run:
|
||||
- service.restart:
|
||||
- name: sshd
|
||||
- onchanges:
|
||||
- file: /etc/ssh/sshd_config
|
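Review bot: `sshd config file is present` writes the templated `/etc/ssh/sshd_config` without validating it, so a bad pillar value (a typo in `permit_root_login`, a non-numeric port) is installed and `restart sshd service on config file change` then restarts sshd into a failing state, cutting off remote access; `- check_cmd: /usr/sbin/sshd -t -f` syntax-checks the rendered file before it replaces the live one. The same state should `require` `pkg: ssh server installed` so it cannot run before the package (and the `/etc/ssh` directory it ships) exists. The `module.run` restart only fires on change and nothing ensures sshd is enabled and running, so a `service.running` state with `watch` on the file covers both the restart and a stopped daemon.

```yaml
sshd config file is present:
  file.managed:
    # … unchanged: name, source, template …
    - check_cmd: /usr/sbin/sshd -t -f
    - require:
      - pkg: ssh server installed

sshd service running:
  service.running:
    - name: sshd
    - enable: True
    - watch:
      - file: /etc/ssh/sshd_config
```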
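--- a/basics/ssh/sshd_config.jinja
+++ b/basics/ssh/sshd_config.jinja
@@ -0,0 +1,15 @@
+Port {{ salt['pillar.get']('basics:ssh:port', 22) }}
+PermitRootLogin {{ salt['pillar.get']('basics:ssh:permit_root_login', 'yes') }}
+MaxSessions 1
+PubkeyAuthentication {{ salt['pillar.get']('basics:ssh:pubkey_authentication', 'yes') }}
+HostbasedAuthentication no
+IgnoreRhosts yes
+PasswordAuthentication {{ salt['pillar.get']('basics:ssh:password_authentication', 'no') }}
+ChallengeResponseAuthentication no
+UsePAM yes
+AllowTcpForwarding {{ salt['pillar.get']('basics:ssh:allow_tcp_forwarding', 'no') }}
+X11Forwarding {{ salt['pillar.get']('basics:ssh:x11_forwarding', 'no') }}
+PrintMotd no
+MaxStartups 5:50:30
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server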
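Review bot: `PermitRootLogin` falls back to `yes` when `basics:ssh:permit_root_login` is unset, so a minion with no pillar override gets full root login over SSH enabled by default; `prohibit-password` (key-only root) is the safer default and costs nothing here because `PasswordAuthentication` already defaults to `no`: `PermitRootLogin {{ salt['pillar.get']('basics:ssh:permit_root_login', 'prohibit-password') }}`. The pillar values are interpolated verbatim with no check against the small set of tokens sshd accepts, so an unexpected value yields a file sshd rejects; at minimum a comment at the top of the template should list the accepted values for each pillar key. `ChallengeResponseAuthentication` is the deprecated spelling of `KbdInteractiveAuthentication` in current OpenSSH releases, so the template should state which OpenSSH versions it targets.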