Add pillar and use it to configure the state #9
Conversation
Enable use of pillar in the state files that depend directly on the clients and vaults configuration. Note: the configuration of the SSH socket (SSH_VAULT_VM) currently limits the number of vault qubes to one. All the clients will be configured to use the vault that is defined first. The configuration file is identified as such and should be kept when the package is reinstalled.
Enable the use of those roles in the states that depend on them. At this point, the state is entirely defined by the configuration.
| split-ssh-role: | ||
| client-template: True |
There was a problem hiding this comment.
The split-ssh-role value must be a mapping to allow a qube to assume multiple roles. (For example, fedora-32 could be both the client-template and vault-template.)
When the value is not a mapping, the latter value overrides the earlier one when the different .sls files are merged by Salt. (I believe that is standard YAML behavior.)
| ## Load config | ||
| #{% load_yaml as config %} | ||
| #{% include 'split-ssh/config.yaml' %} | ||
| #{% endload %} | ||
| # |
There was a problem hiding this comment.
This template must yield valid YAML. A simple way to prevent the output of these Jinja statements and expressions from breaking the YAML is to comment them (#). These YAML comments do not affect the Jinja pre-processor.
| - split-ssh.vault-template | ||
| {% endif %} | ||
|
|
||
| {# The clients and vaults themselves won't be the same qubes (split-SSH) #} |
There was a problem hiding this comment.
These are Jinja comments because they wouldn't be of any use in the resulting YAML file.
| - split-ssh.clients | ||
| - split-ssh.vaults | ||
|
|
||
| {# Prevent duplicate keys error when client and vault templates are the same #} |
There was a problem hiding this comment.
Salt doesn't tolerate duplicate keys in mappings. That could happen if the list of vault templates were identical to the list of client templates (e.g. both share the same fedora-32 template, it is actually a common scenario). Conveniently, in that case both the vault-template and client-template roles can be assigned at once.
| @@ -25,6 +25,8 @@ make install DESTDIR=%{buildroot} | |||
| %files | |||
| %license LICENSE | |||
| %doc README.md | |||
| %config /srv/user_pillar/config.yaml | |||
There was a problem hiding this comment.
Allows the configuration file to be kept when the package is updated.
See http://ftp.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html
There was a problem hiding this comment.
For future reference: the correct path is /srv/user_pillar/split-ssh/config.yaml (oops 🙄) see f3ea644
| 'split-ssh-role:client-template': | ||
| - match: pillar |
There was a problem hiding this comment.
Assigning roles in the pillar allows to match qubes without relying on Salt grains.
| @@ -2,7 +2,7 @@ | |||
| # Ensure the SSH socket discoverability | |||
| # | |||
| # See /srv/salt/split-ssh in dom0 for details. | |||
| SSH_VAULT_VM="ssh-vault" | |||
| SSH_VAULT_VM="{{ pillar.split-ssh-vaults|first }}" | |||
There was a problem hiding this comment.
This is a current limitation: even if multiple vaults were defined in the configuration (/srv/user_pillar/config.yaml), all the clients would be configured to use the first vault in the list.
I didn't find any convenient way to specify which client should use which vault, and I am OK with this limitation until someone actually needs to use multiple vaults.
There was a problem hiding this comment.
For future reference: the correct syntax is (pillar.get('split-ssh-vaults') and the value must be made available in the clients for it to be accessible (in the top file: split-ssh/init.jinja). See f3ea644
| {% for vault in pillar.split-ssh-vault %} | ||
| {% for client in pillar.split-ssh-client %} | ||
| {{ client.name }} {{ vault.name }} ask | ||
| {% endfor %} | ||
| {% endfor %} |
There was a problem hiding this comment.
All clients can ask any of the vaults for SSH keys.
The default behavior (ask or allow) could be configured, but I don't see the need for now.
| @@ -5,4 +5,5 @@ | |||
| - mode: '0755' | |||
| - makedirs: True | |||
| - source: salt://split-ssh/policy/files/qubes.SSHAgent | |||
| - template: jinja | |||
There was a problem hiding this comment.
This is the default for file.managed, but I think being explicit makes it clearer.
Allows to define different names and settings for the vault or client(s) qubes.
This PR is a follow up on #8
See https://github.com/gonzalo-bulnes/qubes-mgmt-salt-user/discussions/2 and #5
ssh-clientssh-vaultMultiple custom vaults can be defined(out of scope)Closes #7
References