From e500c425ec810aa2253201c444a487533f7c32fe Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 15 May 2020 19:49:32 -0400
Subject: [PATCH] add restic env, firewall
---
 firewall/defaults.yaml | 2 ++
 firewall/files/iptables.jinja | 22 ++++++++++++++++++++++
 firewall/init.sls | 20 ++++++++++++++++++++
 firewall/map.jinja | 14 ++++++++++++++
 icinga2/init.sls | 1 +
 {net => resolv}/files/hosts.jinja | 0
 {net => resolv}/init.sls | 2 +-
 top.sls | 3 ++-
 users/files/{bashrc => bashrc.jinja} | 9 ++++++++-
 users/init.sls | 18 ++++++++++++++----
 10 files changed, 84 insertions(+), 7 deletions(-)
 create mode 100644 firewall/defaults.yaml
 create mode 100644 firewall/files/iptables.jinja
 create mode 100644 firewall/init.sls
 create mode 100644 firewall/map.jinja
 rename {net => resolv}/files/hosts.jinja (100%)
 rename {net => resolv}/init.sls (68%)
 rename users/files/{bashrc => bashrc.jinja} (88%)
diff --git a/firewall/defaults.yaml b/firewall/defaults.yaml
new file mode 100644
index 0000000..39f6614
--- /dev/null
+++ b/firewall/defaults.yaml
@@ -0,0 +1,2 @@
+ig_tcp:
+ 22: 'ssh'
diff --git a/firewall/files/iptables.jinja b/firewall/files/iptables.jinja
new file mode 100644
index 0000000..4574fe9
--- /dev/null
+++ b/firewall/files/iptables.jinja
@@ -0,0 +1,22 @@
+{% import_yaml 'firewall/defaults.yaml' as defaults -%}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
+{% endfor -%}
+{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
+{% for tcp_port in ig_tcp_hosts.keys() -%}
+{% for host, comment in ig_tcp_hosts[tcp_port].items() -%}
+-A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j DROP
+-A FORWARD -j DROP
+COMMIT
diff --git a/firewall/init.sls b/firewall/init.sls
new file mode 100644
index 0000000..c3a097b
--- /dev/null
+++ b/firewall/init.sls
@@ -0,0 +1,20 @@
+{% from "firewall/map.jinja" import firewall %}
+
+iptables:
+ pkg.installed:
+ - pkgs:
+ - {{ firewall['pkg'] }}
+ file.managed:
+ - name: {{ firewall['cfg'] }}
+ - source: 'salt://firewall/files/iptables.jinja'
+ - template: jinja
+ service.running:
+ - name: {{ firewall['svc'] }}
+ - enable: True
+ - watch:
+ - file: iptables
+
+{% if firewall['remove'] is not none %}
+{{ firewall['remove'] }}:
+ pkg.removed: []
+{% endif %}
diff --git a/firewall/map.jinja b/firewall/map.jinja
new file mode 100644
index 0000000..2b6a5bf
--- /dev/null
+++ b/firewall/map.jinja
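Review bot: The final `-A INPUT -j DROP` and `-A FORWARD -j DROP` rules are unreachable, because the `-j REJECT --reject-with icmp-host-prohibited` rules immediately above them already terminate every packet left in those chains; keep one terminal rule per chain so the file states the policy actually in force. The pillar values are interpolated unescaped: a `"` inside a `comment` value, or whitespace in a `host` or `tcp_port` value, produces a line that iptables-restore rejects, and the service then fails with the host left on whatever rules were loaded before, so a guard such as `{{ comment | replace('"', '') }}` plus a format check on `host` and `tcp_port` before they are emitted would turn a mistyped pillar entry into a visible state failure rather than a missing ruleset. `ig_tcp_hosts` is keyed port→host→comment, which is not obvious from the loop; a one-line comment above the `{% set ig_tcp_hosts` line describing that shape would help the next pillar author.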
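Review bot: The `file.managed` state for `{{ firewall['cfg'] }}` sets no `user`, `group` or `mode`, so the rules file — which lists the source hosts allowed in — is written with Salt's defaults; adding `- user: root`, `- group: root` and `- mode: 0600` under the `- template: jinja` line is cheap and matches what the distributions ship. On RedHat the `firewalld` removal is declared after the `iptables` service state with no requisite between them, so on the first run the order in which the two firewall managers touch the netfilter tables depends only on declaration order; a `require` on the service pointing at `pkg: {{ firewall['remove'] }}`, wrapped in the same `is not none` test, makes the intent explicit (whether package removal alone stops a running firewalld I cannot confirm from this file). A header comment on the file saying that the ruleset is rendered from `firewall:ig_tcp` / `firewall:ig_tcp_hosts` pillar keys would also save a reader a trip into the template.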
@@ -0,0 +1,14 @@
+{% set firewall = salt.grains.filter_by({
+ 'Debian': {
+ 'pkg': 'iptables-persistent',
+ 'cfg': '/etc/iptables/rules.v4',
+ 'svc': 'netfilter-persistent',
+ 'remove': None,
+ },
+ 'RedHat': {
+ 'pkg': 'iptables-services',
+ 'cfg': '/etc/sysconfig/iptables',
+ 'svc': 'iptables',
+ 'remove': 'firewalld',
+ }
+}) %}
diff --git a/icinga2/init.sls b/icinga2/init.sls
index 798c107..0c91e2e 100644
--- a/icinga2/init.sls
+++ b/icinga2/init.sls
@@ -2,6 +2,7 @@ icinga_packages:
 pkg.installed:
 - pkgs:
+ - vim-icinga2
 - icinga2
 - icingaweb2
 - icinga2-ido-mysql
diff --git a/net/files/hosts.jinja b/resolv/files/hosts.jinja
similarity index 100%
rename from net/files/hosts.jinja
rename to resolv/files/hosts.jinja
diff --git a/net/init.sls b/resolv/init.sls
similarity index 68%
rename from net/init.sls
rename to resolv/init.sls
index 38dc56c..33ea969 100644
--- a/net/init.sls
+++ b/resolv/init.sls
@@ -1,7 +1,7 @@
 /etc/hosts:
 file.managed:
- - source: 'salt://net/files/hosts.jinja'
+ - source: 'salt://resolv/files/hosts.jinja'
 - template: jinja
 - user: root
 - group: root
diff --git a/top.sls b/top.sls
index 813004b..cb17463 100644
--- a/top.sls
+++ b/top.sls
@@ -7,7 +7,8 @@
 - restic.client
 {% endif %}
 '*.keiran.us':
- - net
+ - firewall
+ - resolv
 'vps47492.inmotionhosting.com':
 - gitea
 'kpi.keiran.us':
diff --git a/users/files/bashrc b/users/files/bashrc.jinja
similarity index 88%
rename from users/files/bashrc
rename to users/files/bashrc.jinja
index fb4ff37..16dabd0 100644
--- a/users/files/bashrc
+++ b/users/files/bashrc.jinja
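Review bot: Only the IPv4 ruleset is covered: `cfg` is `/etc/iptables/rules.v4` on Debian and `/etc/sysconfig/iptables` on RedHat, so the catch-all REJECT rendered from iptables.jinja never applies to IPv6, and a service bound to `::` stays reachable over v6 on any host with a global v6 address. Adding a `cfg6` entry per family (`/etc/iptables/rules.v6` and `/etc/sysconfig/ip6tables` are the paths those packages read) and a second managed file would close that, or at minimum a comment at the top of this map should state that the state is v4-only so nobody assumes otherwise. A short comment on the `'remove'` key explaining that it names the competing firewall manager to uninstall (hence `None` on Debian) would also make the map self-explanatory.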
@@ -73,7 +73,14 @@ if [ $(id -u) -gt 0 ]; then
 alias fab='sudo fab'
 fi
+if test -d ~/.local/bin; then
+ PATH="${PATH}:~/.local/bin"
+fi
+
 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
-# https://git.keiran.us/config-mgmt/puppet/raw/commit/09158fc579f5ee2c00f395971d8c986e3ec08788/modules/keir/files/bash/bashrc
+{% if bashrc_user is defined and bashrc_user == 'root' and 'restic' in pillar %}
+export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
+export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
+{% endif %}
diff --git a/users/init.sls b/users/init.sls
index 3fbe698..386696e 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -19,10 +19,13 @@
 {% if salt.pillar.get('manage_root_bashrc', False) %}
 /root/.bashrc:
 file.managed:
- - source: 'salt://users/files/bashrc'
+ - source: 'salt://users/files/bashrc.jinja'
+ - template: jinja
 - user: root
 - group: root
- - mode: 0644
+ - mode: 0640
+ - context:
+ bashrc_user: root
 {% endif %}
 #/root/.ssh/config:
@@ -35,6 +38,12 @@
 # - require:
 # - file: /root/.ssh
+{% for group in salt.pillar.get('sys_groups') %}
+{{ group }}:
+ group.present:
+ - system: True
+{% endfor %}
+
 {% for user, data in salt.pillar.get('users', {}).items() %}
 {{ user }}_user:
@@ -51,10 +60,11 @@
 {% if data.get('manage_bashrc', False) %}
 /home/{{ user }}/.bashrc:
 file.managed:
- - source: 'salt://users/files/bashrc'
+ - source: 'salt://users/files/bashrc.jinja'
+ - template: jinja
 - user: {{ user }}
 - group: {{ user }}
- - mode: 0644
+ - mode: 0640
 - require:
 - user: {{ user }}_user
 {% endif %}
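Review bot: `export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}` writes the backup repository password in clear into /root/.bashrc and exports it into every interactive root shell, where each child process inherits it and it is visible through that process's environment; restic reads `RESTIC_PASSWORD_FILE`, so a root-owned 0600 file managed with `contents_pillar: restic:pass` plus `export RESTIC_PASSWORD_FILE=<path-of-that-managed-file>` keeps the secret out of both the environment and the (now 0640) rc file. Independently, both `export` lines are unquoted, so a repository string or password containing whitespace, `$`, `;` or `#` is mangled or partly interpreted by bash when the file is sourced; at least write `export RESTIC_REPOSITORY='{{ salt.pillar.get('restic:repo') }}'`, accepting that a `'` in the value still breaks it. In the new PATH block, `~` inside double quotes is not tilde-expanded, so the appended entry is the literal string `~/.local/bin`; use `PATH="${PATH}:${HOME}/.local/bin"`. The enclosing `if [ $(id -u) -gt 0 ]` block begins before the hunk.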
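Review bot: `{% for group in salt.pillar.get('sys_groups') %}` has no default, so on any minion whose pillar lacks `sys_groups` the lookup returns None, the Jinja loop raises while rendering, and the whole users state — including the root bashrc block above it — fails to apply; use `{% for group in salt.pillar.get('sys_groups', []) %}`. A one-line comment above the loop stating that `sys_groups` is a list of group names created as system groups before any users are handled would document the new pillar key for whoever writes the pillar.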