feat(TOFS): ssh sshd configs known_host and banner

openssh/banner.sls

@@ -1,14 +1,20 @@
-{% from "openssh/map.jinja" import openssh with context %}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import openssh with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch %}
 
 include:
   - openssh
 
 sshd_banner:
   file.managed:
     - name: {{ openssh.banner }}
-    {% if openssh.banner_string is defined %}
+    {%- if openssh.banner_string is defined %}
     - contents: {{ openssh.banner_string | yaml }}
-    {% else %}
-    - source: {{ openssh.banner_src }}
+    {%- else %}
+    {#- Preserve backward compatibility using the `if` below #}
+    - source: {{ openssh.banner_src if '://' in openssh.banner_src
+                 else files_switch( [openssh.banner_src],
+                                    'sshd_banner'
+              ) }}
     - template: jinja
-    {% endif %}
+    {%- endif %}

openssh/config.sls

@@ -1,13 +1,20 @@
-{% from "openssh/map.jinja" import openssh, ssh_config, sshd_config with context %}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch %}
+
 
 include:
   - openssh
 
-{% if sshd_config %}
+{%- if sshd_config %}
 sshd_config:
   file.managed:
     - name: {{ openssh.sshd_config }}
-    - source: {{ openssh.sshd_config_src }}
+    {#- Preserve backward compatibility using the `if` below #}
+    - source: {{ openssh.sshd_config_src if '://' in openssh.sshd_config_src
+                 else files_switch( [openssh.sshd_config_src],
+                                    'sshd_config'
+              ) }}
     - template: jinja
     - user: {{ openssh.sshd_config_user }}
     - group: {{ openssh.sshd_config_group }}
@@ -18,21 +25,25 @@ sshd_config:
     {%- endif %}
     - watch_in:
       - service: {{ openssh.service }}
-{% endif %}
+{%- endif %}
 
-{% if ssh_config %}
+{%- if ssh_config %}
 ssh_config:
   file.managed:
     - name: {{ openssh.ssh_config }}
-    - source: {{ openssh.ssh_config_src }}
+    {#- Preserve backward compatibility using the `if` below #}
+    - source: {{ openssh.ssh_config_src if '://' in openssh.ssh_config_src
+                 else files_switch( [openssh.ssh_config_src],
+                                    'ssh_config'
+              ) }}
     - template: jinja
     - user: {{ openssh.ssh_config_user }}
     - group: {{ openssh.ssh_config_group }}
     - mode: {{ openssh.ssh_config_mode }}
     {%- if openssh.ssh_config_backup  %}
     - backup: minion
     {%- endif %}
-{% endif %}
+{%- endif %}
 
 {%- for keyType in openssh['host_key_algos'].split(',') %}
 {%-   set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
@@ -121,4 +132,4 @@ ssh_host_{{ keyType }}_key.pub:
       - file: sshd_config
     - watch_in:
       - service: {{ openssh.service }}
-{% endif %}
+{%- endif %}

openssh/defaults.yaml

@@ -3,20 +3,21 @@ default:
     sshd_enable: True
     sshd_binary: /usr/sbin/sshd
     sshd_config: /etc/ssh/sshd_config
-    sshd_config_src: salt://openssh/files/sshd_config
+    sshd_config_src: sshd_config # Default TOFS source filename
     sshd_config_user: root
     sshd_config_group: root
     sshd_config_mode: '644'
     sshd_config_backup: True
     ssh_config: /etc/ssh/ssh_config
-    ssh_config_src: salt://openssh/files/ssh_config
+    ssh_config_src: ssh_config # Default TOFS source filename
     ssh_config_user: root
     ssh_config_group: root
     ssh_config_mode: '644'
     ssh_config_backup: True
     banner: /etc/ssh/banner
-    banner_src: salt://openssh/files/banner
+    banner_src: banner # Default TOFS source filename
     ssh_known_hosts: /etc/ssh/ssh_known_hosts
+    ssh_known_hosts_src: ssh_known_hosts # Default TOFS source filename
     dig_pkg: dnsutils
     ssh_moduli: /etc/ssh/moduli
     root_group: root

openssh/known_hosts.sls

@@ -1,4 +1,6 @@
-{% from "openssh/map.jinja" import openssh with context %}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import openssh with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch %}
 
 ensure dig is available:
   pkg.installed:
@@ -8,7 +10,9 @@ ensure dig is available:
 manage ssh_known_hosts file:
   file.managed:
     - name: {{ openssh.ssh_known_hosts }}
-    - source: salt://openssh/files/ssh_known_hosts
+    - source: {{ files_switch( [openssh.ssh_known_hosts_src],
+                               'manage ssh_known_hosts file'
+              ) }}
     - template: jinja
     - user: root
     - group: {{ openssh.ssh_config_group }}

openssh/libtofs.jinja

@@ -0,0 +1,101 @@
+{%- macro files_switch(source_files,
+                       lookup=None,
+                       default_files_switch=['id', 'os_family'],
+                       indent_width=6,
+                       v1_path_prefix='') %}
+  {#-
+    Returns a valid value for the "source" parameter of a "file.managed"
+    state function. This makes easier the usage of the Template Override and
+    Files Switch (TOFS) pattern.
+
+    Params:
+      * source_files: ordered list of files to look for
+      * lookup: key under '<tplroot>:tofs:source_files' to override
+        list of source files
+      * default_files_switch: if there's no config (e.g. pillar)
+        '<tplroot>:tofs:files_switch' this is the ordered list of grains to
+        use as selector switch of the directories under
+        "<path_prefix>/files"
+      * indent_witdh: indentation of the result value to conform to YAML
+      * v1_path_prefix: (deprecated) only used for injecting a path prefix into
+        the source, to support older TOFS configs
+
+    Example (based on a `tplroot` of `xxx`):
+
+    If we have a state:
+
+      Deploy configuration:
+        file.managed:
+          - name: /etc/yyy/zzz.conf
+          - source: {{ files_switch(['/etc/yyy/zzz.conf', '/etc/yyy/zzz.conf.jinja'],
+                                    lookup='Deploy configuration'
+                    ) }}
+          - template: jinja
+
+    In a minion with id=theminion and os_family=RedHat, it's going to be
+    rendered as:
+
+      Deploy configuration:
+        file.managed:
+          - name: /etc/yyy/zzz.conf
+          - source:
+            - salt://xxx/files/theminion/etc/yyy/zzz.conf
+            - salt://xxx/files/theminion/etc/yyy/zzz.conf.jinja
+            - salt://xxx/files/RedHat/etc/yyy/zzz.conf
+            - salt://xxx/files/RedHat/etc/yyy/zzz.conf.jinja
+            - salt://xxx/files/default/etc/yyy/zzz.conf
+            - salt://xxx/files/default/etc/yyy/zzz.conf.jinja
+          - template: jinja
+  #}
+  {#- Get the `tplroot` from `tpldir` #}
+  {%- set tplroot = tpldir.split('/')[0] %}
+  {%- set path_prefix = salt['config.get'](tplroot ~ ':tofs:path_prefix', tplroot) %}
+  {%- set files_dir = salt['config.get'](tplroot ~ ':tofs:dirs:files', 'files') %}
+  {%- set files_switch_list = salt['config.get'](
+      tplroot ~ ':tofs:files_switch',
+      default_files_switch
+  ) %}
+  {#- Lookup source_files (v2), files (v1), or fallback to source_files parameter #}
+  {%- set src_files = salt['config.get'](
+      tplroot ~ ':tofs:source_files:' ~ lookup,
+      salt['config.get'](
+          tplroot ~ ':tofs:files:' ~ lookup,
+          source_files
+      )
+  ) %}
+  {#- Only add to [''] when supporting older TOFS implementations #}
+  {%- set path_prefix_exts = [''] %}
+  {%- if v1_path_prefix != '' %}
+    {%- do path_prefix_exts.append(v1_path_prefix) %}
+  {%- endif %}
+  {%- for path_prefix_ext in path_prefix_exts %}
+    {%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %}
+    {#- For older TOFS implementation, use `files_switch` from the config #}
+    {#- Use the default, new method otherwise #}
+    {%- set fsl = salt['config.get'](
+        tplroot ~ path_prefix_ext|replace('/', ':') ~ ':files_switch',
+        files_switch_list
+    ) %}
+    {#- Append an empty value to evaluate as `default` in the loop below #}
+    {%- if '' not in fsl %}
+      {%- do fsl.append('') %}
+    {%- endif %}
+    {%- for fs in fsl %}
+      {%- for src_file in src_files %}
+        {%- if fs %}
+          {%- set fs_dir = salt['config.get'](fs, fs) %}
+        {%- else %}
+          {%- set fs_dir = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %}
+        {%- endif %}
+        {%- set url = [
+            '- salt:/',
+            path_prefix_inc_ext.strip('/'),
+            files_dir.strip('/'),
+            fs_dir.strip('/'),
+            src_file.strip('/'),
+        ] | select | join('/') %}
+{{ url | indent(indent_width, true) }}
+      {%- endfor %}
+    {%- endfor %}
+  {%- endfor %}
+{%- endmacro %}

pillar.example

@@ -355,3 +355,32 @@ mine_functions:
   public_ssh_hostname:
     mine_function: grains.get
     key: id
+
+  tofs:
+    # The files_switch key serves as a selector for alternative
+    # directories under the formula files directory. See TOFS pattern
+    # doc for more info.
+    # Note: Any value not evaluated by `config.get` will be used literally.
+    # This can be used to set custom paths, as many levels deep as required.
+    # files_switch:
+    #   - any/path/can/be/used/here
+    #   - id
+    #   - role
+    #   - osfinger
+    #   - os
+    #   - os_family
+    # All aspects of path/file resolution are customisable using the options below.
+    # This is unnecessary in most cases; there are sensible defaults.
+    # path_prefix: template_alt
+    # dirs:
+    #   files: files_alt
+    #   default: default_alt
+    source_files:
+      manage ssh_known_hosts file:
+        - alt_ssh_known_hosts
+      sshd_config:
+        - alt_sshd_config
+      ssh_config:
+        - alt_ssh_config
+      sshd_banner:
+        - fire_banner