
diff --git a/map.jinja b/map.jinja
index 524c6ae..437fee6 100644
--- a/map.jinja
+++ b/map.jinja
@@ -1,144 +1,163 @@
{% set dirs = salt['grains.filter_by']({
'Debian': {
'etc': '/etc',
'bin': '/usr/bin',
'include': '/usr/include',
'lib': '/usr/lib',
'man': '/usr/share/man',
'sbin': '/usr/sbin',
},
'FreeBSD' : {
'etc': '/usr/local/etc',
'bin': '/usr/local/bin',
'include': '/usr/local/include',
'lib': '/usr/local/lib',
'man': '/usr/local/man',
'sbin': '/usr/local/sbin',
},
}, default='Debian') %}
{% set services = salt['grains.filter_by']({
'Debian': {
'manager': 'systemd',
},
'FreeBSD' : {
'manager': 'rc',
},
}, default='Debian') %}
{% set shells = salt['grains.filter_by']({
'Debian': {
'bash': '/bin/bash',
'fish': '/usr/bin/fish',
'tcsh': '/usr/bin/tcsh',
'zsh': '/bin/zsh',
},
'FreeBSD' : {
'bash': '/usr/local/bin/bash',
'fish': '/usr/local/bin/fish',
'tcsh': '/bin/tcsh',
'zsh': '/usr/local/bin/zsh',
},
}, default='Debian') %}
{% set paths = salt['grains.filter_by']({
'FreeBSD': {
'sftp': '/usr/libexec/sftp-server',
},
'Debian': {
'sftp': '/usr/lib/openssh/sftp-server',
},
'RedHat': {
'sftp': '/usr/libexec/openssh/sftp-server',
},
'Arch': {
'sftp': '/usr/lib/ssh/sftp-server',
},
}, default='FreeBSD') %}
{% set packages_prefixes = salt['grains.filter_by']({
'Debian': {
'php': 'php7.1-',
'python2': '',
'python3': 'python3-',
},
'RedHat': {
'python2': 'python2-',
'python3': 'python3-',
},
'FreeBSD' : {
'php': 'php71-',
'python2': 'py27-',
'python3': 'py36-',
'rubygem': 'rubygem-',
},
}, default='Debian') %}
{% set packages = salt['grains.filter_by']({
'Debian' : {
'ag': 'silversearcher-ag',
'aspell-fr': 'aspell-fr',
'aspell-en': 'aspell-en',
'certbot': 'certbot',
'composer': 'composer',
'cppunit': 'libcppunit-dev',
'emacs': 'emacs-nox',
'mariadb': 'mariadb-server',
'node': 'nodejs',
'pear': 'php-pear',
'phpcs': 'php-codesniffer',
'phpunit': 'phpunit',
'sphinx': 'python3-sphinx',
'tcltls': 'tcl-tls',
'tdom': 'tdom',
'varnish': 'varnish',
'verbiste': 'verbiste',
},
'RedHat': {
'ag': 'the_silver_searcher',
'aspell-fr': 'aspell-fr',
'certbot': 'python2-certbot',
'cppunit': 'cppunit-devel',
'emacs': 'emacs-nox',
'exiftool': 'perl-Image-ExifTool',
'mariadb': 'mariadb-server',
'node': 'nodejs',
'pear': 'php-pear',
'phpcs': 'php-pear-PHP-CodeSniffer',
'sphinx': 'python3-sphinx',
'tcltls': 'tcltls',
'varnish': 'varnish',
},
'Arch': {
'ag': 'the_silver_searcher',
'aspell-fr': 'aspell-fr',
'certbot': 'certbot',
'cppunit': 'cppunit',
'emacs': 'emacs-nox',
'mariadb': 'mariadb',
'sphinx': 'python-sphinx',
'tcltls': 'tcltls',
'varnish': 'varnish',
},
'FreeBSD' : {
'ag': 'the_silver_searcher',
'aspell-fr': 'fr-aspell',
'aspell-en': 'en-aspell',
'boost': 'boost-all',
'certbot': 'py27-certbot',
'composer': 'php-composer',
'cppunit': 'cppunit',
'emacs': 'emacs-nox11',
'exiftool': 'p5-Image-ExifTool-devel',
'mariadb': 'mariadb101-server',
'node': 'node',
'pear': 'pear',
'phpcs': 'pear-PHP_CodeSniffer',
'phpunit': 'phpunit6',
'sphinx': 'py36-sphinx',
'tcltls': 'tcltls',
'tdom': 'tDOM',
'varnish': 'varnish5',
'verbiste': 'fr-verbiste',
},
}, default='Debian') %}
+
+{# -------------------------------------------------------------
+ Capabilities of OS and distributions
+
+ :: MOTD-printed-at-login
+ Login mechanism, through PAM or dotfiles,
+ prints the MOTD when a session is opened.
+
+ When at False, OpenSSH will take care of it.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #}
+
+{% set capabilities = salt['grains.filter_by']({
+ 'Debian': {
+ 'MOTD-printed-at-login': True,
+ },
+ 'FreeBSD' : {
+ 'MOTD-printed-at-login': False,
+ },
+}, default='Debian') %}
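Review bot: The new `capabilities` map lists only `Debian` and `FreeBSD`, so with `default='Debian'` any other OS family silently gets `'MOTD-printed-at-login': True`, although `paths` and `packages` in this file also target `RedHat` and `Arch`. On those minions sshd would be rendered with `PrintMotd no` on the unverified assumption that their PAM or dotfile setup prints the MOTD; if it does not, users see no MOTD at all, which matters when the MOTD carries the access or usage notice. Either add explicit `'RedHat'` and `'Arch'` entries once their login behaviour has been checked, or record the assumption in the header comment, e.g. `Other OS families fall back to the Debian value; not verified.`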
diff --git a/roles/core/sshd/files/sshd_config b/roles/core/sshd/files/sshd_config
index d4e5dc3..62d1c5c 100644
--- a/roles/core/sshd/files/sshd_config
+++ b/roles/core/sshd/files/sshd_config
@@ -1,32 +1,32 @@
# -------------------------------------------------------------
# OpenSSH configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-02-28
# License: Trivial work, not eligible to copyright
# Source file: roles/core/sshd/files/sshd_config
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# Nasqueron servers authentication should only occur through SSH keys
# but PAM can offer extra capabilities if needed like OTP.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# Misc options
-PrintMotd no
+PrintMotd {{ "yes" if print_motd else "no" }}
AcceptEnv LANG LC_*
# SFTP
Subsystem sftp {{ sftp }}
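Review bot: The rendered `PrintMotd` line now differs per OS, but nothing in the deployed file says why, and the only comment above it is still `# Misc options`. Someone auditing `/etc/ssh/sshd_config` on a host sees `yes` on one machine and `no` on another with no hint that this is intentional. A plain `#` comment directly above the directive would survive rendering, for example `# MOTD: printed by sshd only where PAM or login dotfiles do not already print it`.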
diff --git a/roles/core/sshd/init.sls b/roles/core/sshd/init.sls
index b8cc88b..0009da2 100644
--- a/roles/core/sshd/init.sls
+++ b/roles/core/sshd/init.sls
@@ -1,35 +1,36 @@
# -------------------------------------------------------------
# Salt — OpenSSH configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-02-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-{% from "map.jinja" import paths with context %}
+{% from "map.jinja" import paths, capabilities with context %}
# -------------------------------------------------------------
# OpenSSH
# -------------------------------------------------------------
/etc/ssh/sshd_config:
file.managed:
- source: salt://roles/core/sshd/files/sshd_config
- template: jinja
- context:
sftp: {{ paths.sftp }}
+ print_motd: {{ not capabilities['MOTD-printed-at-login'] }}
# -------------------------------------------------------------
# PAM
# -------------------------------------------------------------
# T1194 - Debian offers a nologin pam module avoiding people
# to log in when /run/nologin exists. OS can pop this file,
# for example at shutdown time or when systemd boot hasn't
# finished.
pam_disable_nologin:
file.comment:
- name: /etc/pam.d/sshd
- regex: ^account.*pam_nologin\.so
- backup: None
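Review bot: The added `print_motd` context line inverts the capability and hands the result to YAML as the rendered text `True` or `False`, and neither step is explained. A short comment above it, such as `# sshd prints the MOTD itself only when login/PAM does not`, would make the negation deliberate rather than surprising. Serialising the value explicitly, e.g. `print_motd: {{ (not capabilities['MOTD-printed-at-login']) | json }}` with Salt's `json` filter, would also stop the state relying on Python's boolean repr happening to be a valid YAML boolean. The `file.managed` state this line belongs to begins in the hunk's context lines.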
