config-mgmt/salt-states
0
0
Fork 0
Code Releases Activity

add restic env, firewall

Browse Source
This commit is contained in:
root
2020-05-15 19:49:32 -04:00
parent d41cfa1ac0
commit e500c425ec
10 changed files with 84 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
firewall/defaults.yaml Normal file
View File

@@ -0,0 +1,2 @@
ig_tcp:
22: 'ssh'

22
firewall/files/iptables.jinja Normal file
View File

@@ -0,0 +1,22 @@
{% import_yaml 'firewall/defaults.yaml' as defaults -%}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
{% endfor -%}
{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
{% for tcp_port in ig_tcp_hosts.keys() -%}
{% for host, comment in ig_tcp_hosts[tcp_port].items() -%}
-A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
{% endfor -%}
{% endfor -%}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

20
firewall/init.sls Normal file
View File

@@ -0,0 +1,20 @@
{% from "firewall/map.jinja" import firewall %}
iptables:
pkg.installed:
- pkgs:
- {{ firewall['pkg'] }}
file.managed:
- name: {{ firewall['cfg'] }}
- source: 'salt://firewall/files/iptables.jinja'
- template: jinja
service.running:
- name: {{ firewall['svc'] }}
- enable: True
- watch:
- file: iptables
{% if firewall['remove'] is not none %}
{{ firewall['remove'] }}:
pkg.removed: []
{% endif %}

14
firewall/map.jinja Normal file
View File

@@ -0,0 +1,14 @@
{% set firewall = salt.grains.filter_by({
'Debian': {
'pkg': 'iptables-persistent',
'cfg': '/etc/iptables/rules.v4',
'svc': 'netfilter-persistent',
'remove': None,
},
'RedHat': {
'pkg': 'iptables-services',
'cfg': '/etc/sysconfig/iptables',
'svc': 'iptables',
'remove': 'firewalld',
}
}) %}

1
icinga2/init.sls
View File

@@ -2,6 +2,7 @@
icinga_packages: icinga_packages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
- vim-icinga2
- icinga2 - icinga2
- icingaweb2 - icingaweb2
- icinga2-ido-mysql - icinga2-ido-mysql

0
net/files/hosts.jinja → resolv/files/hosts.jinja
View File

2
net/init.sls → resolv/init.sls
View File

@@ -1,7 +1,7 @@
/etc/hosts: /etc/hosts:
file.managed: file.managed:
- source: 'salt://net/files/hosts.jinja' - source: 'salt://resolv/files/hosts.jinja'
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root

3
top.sls
View File

@@ -7,7 +7,8 @@
- restic.client - restic.client
{% endif %} {% endif %}
'*.keiran.us': '*.keiran.us':
- net - firewall
- resolv
'vps47492.inmotionhosting.com': 'vps47492.inmotionhosting.com':
- gitea - gitea
'kpi.keiran.us': 'kpi.keiran.us':

9
users/files/bashrc → users/files/bashrc.jinja
View File

@@ -73,7 +73,14 @@ if [ $(id -u) -gt 0 ]; then
alias fab='sudo fab' alias fab='sudo fab'
fi fi
if test -d ~/.local/bin; then
PATH="${PATH}:~/.local/bin"
fi
alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo' alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
# https://git.keiran.us/config-mgmt/puppet/raw/commit/09158fc579f5ee2c00f395971d8c986e3ec08788/modules/keir/files/bash/bashrc {% if bashrc_user is defined and bashrc_user == 'root' and 'restic' in pillar %}
export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
{% endif %}

18
users/init.sls
View File

@@ -19,10 +19,13 @@
{% if salt.pillar.get('manage_root_bashrc', False) %} {% if salt.pillar.get('manage_root_bashrc', False) %}
/root/.bashrc: /root/.bashrc:
file.managed: file.managed:
- source: 'salt://users/files/bashrc' - source: 'salt://users/files/bashrc.jinja'
- template: jinja
- user: root - user: root
- group: root - group: root
- mode: 0644 - mode: 0640
- context:
bashrc_user: root
{% endif %} {% endif %}
#/root/.ssh/config: #/root/.ssh/config:
@@ -35,6 +38,12 @@
# - require: # - require:
# - file: /root/.ssh # - file: /root/.ssh
{% for group in salt.pillar.get('sys_groups') %}
{{ group }}:
group.present:
- system: True
{% endfor %}
{% for user, data in salt.pillar.get('users', {}).items() %} {% for user, data in salt.pillar.get('users', {}).items() %}
{{ user }}_user: {{ user }}_user:
@@ -51,10 +60,11 @@
{% if data.get('manage_bashrc', False) %} {% if data.get('manage_bashrc', False) %}
/home/{{ user }}/.bashrc: /home/{{ user }}/.bashrc:
file.managed: file.managed:
- source: 'salt://users/files/bashrc' - source: 'salt://users/files/bashrc.jinja'
- template: jinja
- user: {{ user }} - user: {{ user }}
- group: {{ user }} - group: {{ user }}
- mode: 0644 - mode: 0640
- require: - require:
- user: {{ user }}_user - user: {{ user }}_user
{% endif %} {% endif %}