diff --git a/apt/init.sls b/apt/init.sls
index fdb5228e..1aad0a7a 100644
--- a/apt/init.sls
+++ b/apt/init.sls
@@ -2,7 +2,12 @@
 # APT
 #
 {% set site_slug = salt['pillar.get']("netbox:site:slug") %}
+
+{% if grains.os == 'Ubuntu' and grains.osmajorrelease >= 24 %}
+/etc/apt/sources.list.d/ubuntu.sources:
+{% else %}
 /etc/apt/sources.list:
+{% endif %}
 file.managed:
 - source:
 - salt://apt/sources.list.{{ grains.os }}.{{ grains.oscodename }}.{{ site_slug }}
diff --git a/docker/init.sls b/docker/init.sls
index c81a59f9..3fee8f78 100644
--- a/docker/init.sls
+++ b/docker/init.sls
@@ -26,6 +26,7 @@ docker-pkgs:
 - docker-ce
 - docker-ce-cli
 - containerd.io
+ - docker-compose-plugin
 - require:
 - pkgrepo: docker-repo
@@ -52,8 +53,5 @@ docker-pkgs:
 }
 /usr/local/bin/docker-compose:
- file.managed:
- - source: https://github.com/docker/compose/releases/download/v2.5.0/docker-compose-linux-x86_64
- - source_hash: 6296d17268c77a7159f57f04ed26dd2989f909c58cca4d44d1865f28bd27dd67
- - mode: "0755"
+ file.absent
 {% endif %}
diff --git a/ff_base/init.sls b/ff_base/init.sls
index b45dd75f..3bdeda96 100644
--- a/ff_base/init.sls
+++ b/ff_base/init.sls
@@ -17,7 +17,7 @@ ffmuc_packages:
 - ethtool
 - mtr-tiny
 - lldpd
- - mlocate
+ - plocate
 - sysstat
 - dnsutils
 - curl
diff --git a/influxdb/init.sls b/influxdb/init.sls
index edabe109..5f158a63 100644
--- a/influxdb/init.sls
+++ b/influxdb/init.sls
@@ -8,7 +8,7 @@ influx-db-repo-key:
 influx-db-repo:
 pkgrepo.managed:
- - name: deb [signed-by=/usr/share/keyrings/influxdb-keyring.gpg] https://repos.influxdata.com/{{ grains.lsb_distrib_id | lower }} {{ grains.oscodename }} stable
+ - name: deb [signed-by=/usr/share/keyrings/influxdb-keyring.gpg] https://repos.influxdata.com/{{ grains.lsb_distrib_id | lower }} stable main
 - file: /etc/apt/sources.list.d/influxdb.list
 - clean_file: True
 - require:
diff --git a/ssh/init.sls b/ssh/init.sls
index c8b7e1cd..c6510b59 100644
--- a/ssh/init.sls
+++ b/ssh/init.sls
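Review bot: On Ubuntu 24 and later the managed target becomes the deb822 file `/etc/apt/sources.list.d/ubuntu.sources`, but the `source:` line after the new `{% endif %}` still resolves to the same `salt://apt/sources.list.{{ grains.os }}.{{ grains.oscodename }}.{{ site_slug }}` naming, so the per-site files for that release must be written as deb822 stanzas rather than one-line `deb` entries, and nothing in the hunk makes that requirement visible. A comment above the `{% if %}` would keep the next site file from being added in the wrong format: `# Ubuntu >= 24.04 reads deb822 sources; the matching salt://apt/sources.list.Ubuntu.<codename>.<site> file must use deb822 stanzas`. The legacy `/etc/apt/sources.list` is no longer managed on those hosts; if a host was upgraded in place after this state had filled it, apt would presumably read both files, which may deserve a `file.absent` depending on how hosts are provisioned. The `file.managed` body of this state continues past the hunk.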
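Review bot: In the second docker/init.sls hunk `/usr/local/bin/docker-compose` is removed with `file.absent`, while the first hunk only adds `docker-compose-plugin`, which provides the `docker compose` subcommand and no `docker-compose` executable, so any unit file or script on these hosts that still invokes the v1 name stops working after this highstate. If such callers exist they need a follow-up (updating them or shipping a small wrapper); either way the absent state deserves a comment so it is not mistaken for cleanup of an unused file: `# docker-compose v1 standalone binary replaced by docker-compose-plugin ('docker compose')`. The `docker-pkgs` state and the surrounding `{% if %}` begin outside the hunk.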
@@ -18,11 +18,11 @@ ssh:
 /etc/ssh/sshd_config:
 file.managed:
 - source:
- - salt://ssh/sshd_config.{{ grains.os }}.{{ grains.oscodename }}
 - salt://ssh/sshd_config
 - user: root
 - group: root
 - mode: "0644"
+ - template: jinja
 - watch_in:
 - service: ssh
diff --git a/ssh/sshd_config b/ssh/sshd_config
index ad733bef..6912016c 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -1,9 +1,7 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -39,7 +37,7 @@ PermitRootLogin prohibit-password
 PubkeyAuthentication yes
 # Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
 #AuthorizedPrincipalsFile none
@@ -60,7 +58,11 @@ PasswordAuthentication no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
+{%- if grains.os == 'Ubuntu' and grains.osmajorrelease >= 24 %}
+KbdInteractiveAuthentication no
+{%- else %}
 ChallengeResponseAuthentication no
+{%- endif %}
 # Kerberos options
 #KerberosAuthentication no
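Review bot: With `- template: jinja` the sshd_config written to the host is now a rendered artifact, and a template or grains mistake on one OS branch is only noticed once the file is in place and `ssh` has been restarted through `watch_in`, which can cost remote access to the box. `file.managed` can validate the rendered result before it replaces the live file: `- check_cmd: /usr/sbin/sshd -t -f` (Salt appends the path of the temporary file holding the new contents and keeps the old config when the command fails). Since the `source` list now has a single entry, `- source: salt://ssh/sshd_config` would also read more plainly. The `/etc/ssh/sshd_config` state is complete within the hunk.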
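Review bot: The Jinja branch around the new `KbdInteractiveAuthentication no` line in the third sshd_config hunk looks unnecessary: `KbdInteractiveAuthentication` has been a valid sshd_config keyword for many releases, and since OpenSSH 8.7 `ChallengeResponseAuthentication` is only a deprecated alias for it, so the releases the `{%- else %}` branch targets should accept the new name as well. Dropping the `{%- if %}`/`{%- else %}`/`{%- endif %}` and keeping just `KbdInteractiveAuthentication no` removes the only grains dependency in this file and keeps the later comment hunk, which already speaks solely of KbdInteractiveAuthentication, accurate on every host. If the conditional stays, a comment naming the OpenSSH version boundary it encodes would help the next editor.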
@@ -76,13 +78,13 @@ ChallengeResponseAuthentication no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 AllowAgentForwarding no
@@ -100,7 +102,7 @@ PermitUserEnvironment yes
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
@@ -113,11 +115,11 @@ PermitUserEnvironment yes
 AcceptEnv LANG LC_*
 # override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/systemd-networkd/init.sls b/systemd-networkd/init.sls
index ad040949..596a5f1a 100644
--- a/systemd-networkd/init.sls
+++ b/systemd-networkd/init.sls
@@ -84,9 +84,15 @@ vxlan-fdb-fill.service:
 {% endif %}{# 'nextgen-gateway' in role #}
 disable_netplan:
- file.managed:
- - name: /etc/netplan/01-netcfg.yaml
- - source: salt://systemd-networkd/files/netplan.conf
+ file.managed:
+ - name: /etc/netplan/01-netcfg.yaml
+ - source: salt://systemd-networkd/files/netplan.conf
+
+disable_netplan_generator:
+ file.symlink:
+ - name: /usr/lib/systemd/system-generators/netplan
+ - target: /dev/null
+ - force: True
 systemd-networkd:
 service.running:
diff --git a/telegraf/files/in_gateway-modules.conf b/telegraf/files/in_gateway-modules.conf
index b709b031..651b0ae4 100644
--- a/telegraf/files/in_gateway-modules.conf
+++ b/telegraf/files/in_gateway-modules.conf
@@ -28,8 +28,8 @@ dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"]
 "meet.ffmuc.net",
 "docker04.ov.ffmuc.net",
 "docker07.ov.ffmuc.net",
- "guardian-muc01.ffmuc.net",
- "guardian-vie01.ffmuc.net",
+ "guardian-muc01.ext.ffmuc.net",
+ "guardian-vie01.ext.ffmuc.net",
 "webfrontend03.ext.ffmuc.net",
 "webfrontend04.ext.ffmuc.net",
 "webfrontend05.ext.ffmuc.net",
diff --git a/telegraf/init.sls b/telegraf/init.sls
index 9ae3c0ee..1335e73c 100644
--- a/telegraf/init.sls
+++ b/telegraf/init.sls
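Review bot: `disable_netplan_generator` masks the generator by overwriting the package-owned file `/usr/lib/systemd/system-generators/netplan` with a symlink, which dpkg will restore on the next netplan.io upgrade, leaving netplan active again until the following highstate re-masks it. systemd.generator(7) resolves generators by name across `/etc/systemd/system-generators`, `/run/systemd/system-generators` and `/usr/lib/systemd/system-generators` in that priority order, and a `/dev/null` symlink in the `/etc` directory masks the `/usr/lib` one without touching the package file: `- name: /etc/systemd/system-generators/netplan` together with `- makedirs: True` (the `force: True` is then not needed). The `systemd-networkd` state's `service.running` body continues past the hunk's last line.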
@@ -8,23 +8,22 @@
 {# There is data available so we think telegraf should be installed #}
 {% set role = salt['pillar.get']('netbox:role:name') %}
-influxdb-repo-key:
+influx-db-repo-key:
 cmd.run:
 - name: "curl https://repos.influxdata.com/influxdata-archive_compat.key | gpg --batch --yes --dearmor -o /usr/share/keyrings/influxdb-keyring.gpg"
-influxdb-repo:
+influx-db-repo:
 pkgrepo.managed:
- - humanname: Jitsi Repo
- - name: deb [signed-by=/usr/share/keyrings/influxdb-keyring.gpg] https://repos.influxdata.com/{{ grains.lsb_distrib_id | lower }} {{ grains.oscodename }} stable
+ - name: deb [signed-by=/usr/share/keyrings/influxdb-keyring.gpg] https://repos.influxdata.com/{{ grains.lsb_distrib_id | lower }} stable main
 - file: /etc/apt/sources.list.d/influxdb.list
 - clean_file: True
 - require:
- - cmd: influxdb-repo-key
+ - cmd: influx-db-repo-key
 telegraf:
 pkg.installed:
 - require:
- - pkgrepo: influxdb-repo
+ - pkgrepo: influx-db-repo
 service.running:
 - enable: True
 - running: True
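Review bot: Renaming the state IDs to `influx-db-repo-key` and `influx-db-repo` makes them identical to the IDs in influxdb/init.sls (its hunk is anchored on `influx-db-repo-key:` and contains `influx-db-repo:`), and Salt refuses to compile a highstate that carries the same ID in two SLS files ("Detected conflicting IDs, SLS IDs need to be globally unique"). Any minion that applies both the influxdb and the telegraf state — an InfluxDB host that is itself monitored by telegraf would be the obvious case — would then fail to render; if that combination exists, either keep a telegraf-specific prefix on these IDs or move the key fetch and `pkgrepo.managed` into one shared SLS that both files `include`. The `pkgrepo.managed` line is now a verbatim copy of the one in influxdb/init.sls, which is a second argument for the shared state. The `telegraf` state is complete within the hunk.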