feat(TOFS): ssh sshd configs known_host and banner

Author: nb

openssh/banner.sls

@@ -1,14 +1,21 @@
-{% from "openssh/map.jinja" import openssh with context %}
+{% set tplroot = tpldir.split('/')[0] %}
+{% from tplroot ~ "/map.jinja" import openssh with context %}
+{% from tplroot ~ "/libtofs.jinja" import files_switch %}
 
 include:
   - openssh
 
 sshd_banner:
   file.managed:
     - name: {{ openssh.banner }}
-    {% if openssh.banner_string is defined %}
+{% if openssh.banner_string is defined %}
     - contents: {{ openssh.banner_string | yaml }}
-    {% else %}
-    - source: {{ openssh.banner_src }}
+{% else %}
+    # Preserve backward compatibility
+    - source: {{ openssh.banner_src
+                 if '://' in openssh.banner_src
+                 else files_switch( [openssh.banner_src],
+                                    'sshd_banner_file_managed'
+              ) }}
     - template: jinja
-    {% endif %}
+{% endif %}

openssh/config.sls

@@ -1,4 +1,7 @@
-{% from "openssh/map.jinja" import openssh, ssh_config, sshd_config with context %}
+{% set tplroot = tpldir.split('/')[0] %}
+{% from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %}
+{% from tplroot ~ "/libtofs.jinja" import files_switch %}
+
 
 include:
   - openssh
@@ -7,7 +10,12 @@ include:
 sshd_config:
   file.managed:
     - name: {{ openssh.sshd_config }}
-    - source: {{ openssh.sshd_config_src }}
+                  # Preserve backward compatibility
+    - source: {{ openssh.sshd_config_src
+                 if '://' in openssh.sshd_config_src
+                 else files_switch( [openssh.sshd_config_src],
+                                    'sshd_config_file_managed'
+              ) }}
     - template: jinja
     - user: {{ openssh.sshd_config_user }}
     - group: {{ openssh.sshd_config_group }}
@@ -24,7 +32,12 @@ sshd_config:
 ssh_config:
   file.managed:
     - name: {{ openssh.ssh_config }}
-    - source: {{ openssh.ssh_config_src }}
+              # Preserve backward compatibility
+    - source: {{ openssh.ssh_config_src
+                 if '://' in openssh.ssh_config_src
+                 else files_switch( [openssh.ssh_config_src],
+                                    'ssh_config_file_managed'
+              ) }}
     - template: jinja
     - user: {{ openssh.ssh_config_user }}
     - group: {{ openssh.ssh_config_group }}

openssh/defaults.yaml

@@ -3,19 +3,19 @@ default:
     sshd_enable: True
     sshd_binary: /usr/sbin/sshd
     sshd_config: /etc/ssh/sshd_config
-    sshd_config_src: salt://openssh/files/sshd_config
+    sshd_config_src: sshd_config # Default TOFS source filename
     sshd_config_user: root
     sshd_config_group: root
     sshd_config_mode: '644'
     sshd_config_backup: True
     ssh_config: /etc/ssh/ssh_config
-    ssh_config_src: salt://openssh/files/ssh_config
+    ssh_config_src: ssh_config # Default TOFS source filename
     ssh_config_user: root
     ssh_config_group: root
     ssh_config_mode: '644'
     ssh_config_backup: True
     banner: /etc/ssh/banner
-    banner_src: salt://openssh/files/banner
+    banner_src: banner # Default TOFS source filename
     ssh_known_hosts: /etc/ssh/ssh_known_hosts
     dig_pkg: dnsutils
     ssh_moduli: /etc/ssh/moduli

openssh/files/banner renamed to openssh/files/default/banner

@@ -1,4 +1,6 @@
-{% from "openssh/map.jinja" import openssh with context %}
+{% set tplroot = tpldir.split('/')[0] %}
+{% from tplroot ~ "/map.jinja" import openssh with context %}
+{% from tplroot ~ "/libtofs.jinja" import files_switch %}
 
 ensure dig is available:
   pkg.installed:
@@ -8,7 +10,9 @@ ensure dig is available:
 manage ssh_known_hosts file:
   file.managed:
     - name: {{ openssh.ssh_known_hosts }}
-    - source: salt://openssh/files/ssh_known_hosts
+    - source: {{ files_switch( ['ssh_known_hosts'],
+                               'ssh_known_hosts_file_managed'
+              ) }}
     - template: jinja
     - user: root
     - group: {{ openssh.ssh_config_group }}

openssh/files/fire_banner renamed to openssh/files/default/fire_banner

@@ -0,0 +1,101 @@
+{%- macro files_switch(source_files,
+                       lookup=None,
+                       default_files_switch=['id', 'os_family'],
+                       indent_width=6,
+                       v1_path_prefix='') %}
+  {#-
+    Returns a valid value for the "source" parameter of a "file.managed"
+    state function. This makes easier the usage of the Template Override and
+    Files Switch (TOFS) pattern.
+
+    Params:
+      * source_files: ordered list of files to look for
+      * lookup: key under '<tplroot>:tofs:source_files' to override
+        list of source files
+      * default_files_switch: if there's no config (e.g. pillar)
+        '<tplroot>:tofs:files_switch' this is the ordered list of grains to
+        use as selector switch of the directories under
+        "<path_prefix>/files"
+      * indent_witdh: indentation of the result value to conform to YAML
+      * v1_path_prefix: (deprecated) only used for injecting a path prefix into
+        the source, to support older TOFS configs
+
+    Example (based on a `tplroot` of `xxx`):
+
+    If we have a state:
+
+      Deploy configuration:
+        file.managed:
+          - name: /etc/yyy/zzz.conf
+          - source: {{ files_switch(['/etc/yyy/zzz.conf', '/etc/yyy/zzz.conf.jinja'],
+                                    lookup='Deploy configuration'
+                    ) }}
+          - template: jinja
+
+    In a minion with id=theminion and os_family=RedHat, it's going to be
+    rendered as:
+
+      Deploy configuration:
+        file.managed:
+          - name: /etc/yyy/zzz.conf
+          - source:
+            - salt://xxx/files/theminion/etc/yyy/zzz.conf
+            - salt://xxx/files/theminion/etc/yyy/zzz.conf.jinja
+            - salt://xxx/files/RedHat/etc/yyy/zzz.conf
+            - salt://xxx/files/RedHat/etc/yyy/zzz.conf.jinja
+            - salt://xxx/files/default/etc/yyy/zzz.conf
+            - salt://xxx/files/default/etc/yyy/zzz.conf.jinja
+          - template: jinja
+  #}
+  {#- Get the `tplroot` from `tpldir` #}
+  {%- set tplroot = tpldir.split('/')[0] %}
+  {%- set path_prefix = salt['config.get'](tplroot ~ ':tofs:path_prefix', tplroot) %}
+  {%- set files_dir = salt['config.get'](tplroot ~ ':tofs:dirs:files', 'files') %}
+  {%- set files_switch_list = salt['config.get'](
+      tplroot ~ ':tofs:files_switch',
+      default_files_switch
+  ) %}
+  {#- Lookup source_files (v2), files (v1), or fallback to source_files parameter #}
+  {%- set src_files = salt['config.get'](
+      tplroot ~ ':tofs:source_files:' ~ lookup,
+      salt['config.get'](
+          tplroot ~ ':tofs:files:' ~ lookup,
+          source_files
+      )
+  ) %}
+  {#- Only add to [''] when supporting older TOFS implementations #}
+  {%- set path_prefix_exts = [''] %}
+  {%- if v1_path_prefix != '' %}
+    {%- do path_prefix_exts.append(v1_path_prefix) %}
+  {%- endif %}
+  {%- for path_prefix_ext in path_prefix_exts %}
+    {%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %}
+    {#- For older TOFS implementation, use `files_switch` from the config #}
+    {#- Use the default, new method otherwise #}
+    {%- set fsl = salt['config.get'](
+        tplroot ~ path_prefix_ext|replace('/', ':') ~ ':files_switch',
+        files_switch_list
+    ) %}
+    {#- Append an empty value to evaluate as `default` in the loop below #}
+    {%- if '' not in fsl %}
+      {%- do fsl.append('') %}
+    {%- endif %}
+    {%- for fs in fsl %}
+      {%- for src_file in src_files %}
+        {%- if fs %}
+          {%- set fs_dir = salt['config.get'](fs, fs) %}
+        {%- else %}
+          {%- set fs_dir = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %}
+        {%- endif %}
+        {%- set url = [
+            '- salt:/',
+            path_prefix_inc_ext.strip('/'),
+            files_dir.strip('/'),
+            fs_dir.strip('/'),
+            src_file.strip('/'),
+        ] | select | join('/') %}
+{{ url | indent(indent_width, true) }}
+      {%- endfor %}
+    {%- endfor %}
+  {%- endfor %}
+{%- endmacro %}