add new state for benchmark minion (#624)

JacobCoffee · web-flow · commit 52303b5fc28f · 2025-12-12T19:47:05.000-06:00
diff --git a/salt/benchmarks/configs/sshd-hardening.conf b/salt/benchmarks/configs/sshd-hardening.conf
@@ -0,0 +1,17 @@
+# Forbid any root SSH login
+PermitRootLogin no
+
+# Only allow public key auth for all users
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+
+# Restrict who can SSH in - allow PSF users and system admins
+AllowGroups psf-users sudo admin
+
+# Where to read user keys from
+AuthorizedKeysFile .ssh/authorized_keys
+
+# Keep PAM enabled for account/session modules (e.g., limits)
+UsePAM yes
diff --git a/salt/benchmarks/init.sls b/salt/benchmarks/init.sls
@@ -0,0 +1,13 @@
+/etc/ssh/sshd_config.d/99-hardening.conf:
+  file.managed:
+    - source: salt://benchmarks/configs/sshd-hardening.conf
+    - user: root
+    - group: root
+    - mode: "0644"
+
+ssh-reload-benchmarks:
+  service.running:
+    - name: ssh
+    - reload: True
+    - watch:
+      - file: /etc/ssh/sshd_config.d/99-hardening.conf
diff --git a/salt/top.sls b/salt/top.sls
@@ -36,6 +36,10 @@ base:
     - pgbouncer
     - buildbot
 
+  'benchmarks':
+    - match: nodegroup
+    - benchmarks
+
   'cdn-logs':
     - match: nodegroup
     - cdn-logs
