commit 463cd7d0897bc359f73c847ac4bac02a854ac945
Author: Malte
Date: Sun Nov 10 20:15:43 2024 +0100
create static sites/users from pillar
diff --git a/pillar.example b/pillar.example
new file mode 100644
index 0000000..5f8eb72
--- /dev/null
+++ b/pillar.example
@@ -0,0 +1,9 @@
+static_pages:
+ - site: app1.example.com
+ - ssh_keys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZlJ1
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZlJ2
+ - site: app2.example.com
+ - ssh_keys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZlJ3
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZlJ4
diff --git a/static_pages/init.sls b/static_pages/init.sls
new file mode 100644
index 0000000..cdbb67b
--- /dev/null
+++ b/static_pages/init.sls
@@ -0,0 +1,50 @@
+sftp_only_group_present:
+ group.present:
+ - name: sftponly
+
+www-data_group_present:
+ group.present:
+ - name: www-data
+
+
+{% for page in salt['pillar.get']('static_pages', []) %}
+{{ page.site }} user present:
+ user.present:
+ - name: {{ page.site }}
+ - home: /opt/static_pages/{{ page.site }}
+ - groups:
+ - sftponly
+ - www-data
+ - shell: /bin/false
+
+set_homdirectory_perms_{{ page.site }}:
+ file.directory:
+ - name: /opt/static_pages/{{ page.site }}
+ - user: {{ page.site }}
+ - group: {{ page.site }}
+ - mode: 755
+
+
+{{ page.site }} ssh public key present:
+ ssh_auth.present:
+ - user: {{ page.site }}
+ - config: '%h/.ssh/authorized_keys'
+ - names: {{ page.ssh_keys }}
+
+{% endfor %}
+
+sftp_only_config_present:
+ file.managed:
+ - name: /etc/ssh/sshd_config.d/sftp_only.conf
+ - source: salt://static_pages/sftp.config
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+
+project dir for static_pages:
+ file.directory:
+ - name: /opt/static_pages
+ - user: root
+ - group: root
+ - mode: 755
diff --git a/static_pages/sftp.config b/static_pages/sftp.config
new file mode 100644
index 0000000..04819f0
--- /dev/null
+++ b/static_pages/sftp.config
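Review bot: The example pillar does not have the shape that static_pages/init.sls reads: `- site: app1.example.com` and `- ssh_keys:` are two separate list items (indentation was lost in this listing, but the leading dash on `ssh_keys` is unambiguous), so the loop sees one entry with a `site` and no `ssh_keys` and another with `ssh_keys` and no `site`, and `{{ page.site }}` / `{{ page.ssh_keys }}` come out empty for each of them (or raise, if strict undefined is enabled). Each site should be one mapping, `- site: app1.example.com` followed by `  ssh_keys:` with the key list indented beneath it, so both values belong to the same `page`. The shortened key bodies are fine as placeholders, but a comment such as `# placeholder: substitute the full public key of each site's deploy user` would make clear they are not meant to be deployed as-is.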
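Review bot: Every sftponly account lands in the same chroot (`ChrootDirectory /opt/static_pages` in sftp.config), and the per-site directories created by `set_homdirectory_perms_{{ page.site }}` are `mode: 755` owned by that site's user, so any tenant can list and read every other site's content after logging in; `-d /%u` only picks the start directory, it does not isolate tenants. Since each user is already added to www-data, the directory can be tightened to `- group: www-data` and `- mode: 750` so the web server keeps read access while other sftponly users are excluded (assumes the web server runs as www-data on these hosts; confirm). The root-owned `project dir for static_pages` state is declared after the loop, so declaring it first or adding `- require:` / `  - file: project dir for static_pages` to the per-site directory state keeps the parent present and root:root 755 before the homes are created, which is what sshd requires of every component of a chroot path. Nothing reloads sshd after `sftp_only_config_present` writes the Match block, so a `service.running` for sshd with `watch` on that file is needed for the change to take effect; and `- names: {{ page.ssh_keys }}` emits the pillar list as a Python repr, where `{{ page.ssh_keys | yaml }}` renders it as YAML.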
@@ -0,0 +1,6 @@
+Match group sftponly
+ ChrootDirectory /opt/static_pages
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ ForceCommand internal-sftp -d /%u
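Review bot: The Match block does not turn off password authentication or TTY allocation, so whatever the global sshd_config permits still applies to sftponly users even though these accounts are created with `shell: /bin/false` and are meant to authenticate only via authorized_keys; adding `PasswordAuthentication no` and `PermitTTY no` inside the block makes the key-only, non-interactive intent explicit. sshd also refuses the chroot unless /opt/static_pages and every parent directory are root-owned and not group- or world-writable, which the `project dir for static_pages` state in init.sls satisfies with root:root 755, so that state must not be loosened later. This drop-in only takes effect if the host's sshd_config includes /etc/ssh/sshd_config.d/*.conf and sshd is reloaded after the file is written; neither is shown here, so confirm both on the target.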