From 68ff1a4dcffafdcf79a33486fc9a01530e4070d4 Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:00:37 -0500
Subject: [PATCH 01/11] add nacl formula
---
 formulas/class/nacl/prod.sls | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 formulas/class/nacl/prod.sls
diff --git a/formulas/class/nacl/prod.sls b/formulas/class/nacl/prod.sls
new file mode 100644
index 000000000..42c1d7e45
--- /dev/null
+++ b/formulas/class/nacl/prod.sls
@@ -0,0 +1,19 @@
+include:
+
+### Previously Executed States ###
+
+### Common States ###
+
+ - /states/system/timezone
+ - /states/system/rsyslog
+
+### Network Configuration States ###
+
+ - /apps/ipsec/install-atlas
+ - /apps/ipsec/configure-atlas
+
+### Disk Configuration States ###
+
+### Application States ###
+
+### Status Configuration Changes ###
-- 
GitLab
From 97f9e3737aa83a415237b2023b889ff9f88e4c43 Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:09:18 -0500
Subject: [PATCH 02/11] add nacl formula
---
 formulas/class/nacl/prod.sls | 68 +++++++++++++++++++++++++++---------
 1 file changed, 51 insertions(+), 17 deletions(-)
diff --git a/formulas/class/nacl/prod.sls b/formulas/class/nacl/prod.sls
index 42c1d7e45..f3a007cd2 100644
--- a/formulas/class/nacl/prod.sls
+++ b/formulas/class/nacl/prod.sls
@@ -1,19 +1,53 @@
 include:
-### Previously Executed States ###
-
-### Common States ###
-
- - /states/system/timezone
- - /states/system/rsyslog
-
-### Network Configuration States ###
-
- - /apps/ipsec/install-atlas
- - /apps/ipsec/configure-atlas
-
-### Disk Configuration States ###
-
-### Application States ###
-
-### Status Configuration Changes ###
+{% if grains['reboot_required'] == true %}
+
+ - /system/common/reboot
+
+{% else %}
+
+{% if (grains['status'] == 'preprov') or (grains['status'] == 'prov') or (grains['status'] == 'preprod') or (grains['status'] == 'prod') %}
+ - /formulas/common/cloud-prov
+{% endif %}
+
+{% if (grains['status'] == 'prov') or (grains['status'] == 'preprod') or (grains['status'] == 'prod') %}
+ - /apps/ipsec/install-nacl
+{% endif %}
+
+{% if (grains['status'] == 'preprod') or (grains['status'] == 'prod') %}
+ - /apps/ipsec/configure-nacl
+{% endif %}
+
+{% if grains['status'] == 'preprov' %}
+upgrade_status_to_prov:
+ grains.present:
+ - name: status
+ - value: prov
+ - force: true
+ - require:
+ - sls: /formulas/common/cloud-prov
+{% endif %}
+
+{% if grains['status'] == 'prov' %}
+upgrade_status_to_preprod:
+ grains.present:
+ - name: status
+ - value: preprod
+ - force: true
+ - require:
+ - sls: /formulas/common/cloud-prov
+ - sls: /apps/ipsec/install-nacl
+{% endif %}
+
+{% if (grains['status'] == 'preprod') or (grains['status'] == 'prod') %}
+upgrade_status_to_prod:
+ grains.present:
+ - name: status
+ - value: prod
+ - force: true
+ - require:
+ - sls: /formulas/common/cloud-prov
+ - sls: /apps/ipsec/install-nacl
+ - sls: /apps/ipsec/configure-nacl
+{% endif %}
+{% endif %}
-- 
GitLab
From f7b406b2f65f405f50a022ee179d6c520c365073 Mon Sep 17 00:00:00 2001
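Review bot: Every branch indexes the grains directly (`grains['reboot_required']`, `grains['status']`), so a minion that lacks either grain fails at render time and its highstate errors out instead of falling through to a no-op; `grains.get('reboot_required')` and `grains.get('status')` keep rendering predictable. The `upgrade_status_to_prod` state is also emitted while status is already `prod`, which with `- force: true` rewrites the grain on every run; if promotion is only meant to happen from preprod, the guard should read `{% if grains['status'] == 'preprod' %}`. Tying each promotion to `require:` on the states that must have succeeded is the right shape — the dependency lists need to be kept in step with the include list whenever states are added.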
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:24:11 -0500
Subject: [PATCH 03/11] add nacl ipsec configs
---
 apps/ipsec/files/nacl-ipsec.conf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 apps/ipsec/files/nacl-ipsec.conf
diff --git a/apps/ipsec/files/nacl-ipsec.conf b/apps/ipsec/files/nacl-ipsec.conf
new file mode 100644
index 000000000..2249487c9
--- /dev/null
+++ b/apps/ipsec/files/nacl-ipsec.conf
@@ -0,0 +1,22 @@
+config setup
+
+conn usacys-site-to-site
+ left=96.27.143.4
+ leftsubnet=10.10.0.0/22,10.10.4.0/22,192.168.240.0/22
+ leftid = cerberus.bbh.cyberschool.army.mil
+ right=cybbh.space
+ rightsubnet=192.168.200.248,192.168.200.248
+ rightid = nacl.cybbh.space
+ ike=aes256-sha256-modp4096!
+ esp=aes256gcm128-sha256,aes256gcm128-sha512,aes256gcm96-sha256,aes256gcm96-sha512,aes256gcm64-sha256,aes256gcm64-sha512!
+ keyingtries=0
+ ikelifetime=1h
+ lifetime=8h
+ dpddelay=30
+ dpdtimeout=120
+ dpdaction=clear
+ auto=start
+ leftauth = psk
+ rightauth = psk
+
+include /var/lib/strongswan/ipsec.conf.inc
-- 
GitLab
From bfefc5163a110892ad775f83c5331078eab1085f Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:25:05 -0500
Subject: [PATCH 04/11] update pillar nacl
---
 apps/ipsec/files/nacl-ipsec.secrets | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 apps/ipsec/files/nacl-ipsec.secrets
diff --git a/apps/ipsec/files/nacl-ipsec.secrets b/apps/ipsec/files/nacl-ipsec.secrets
new file mode 100644
index 000000000..de7dfc37a
--- /dev/null
+++ b/apps/ipsec/files/nacl-ipsec.secrets
@@ -0,0 +1,3 @@
+cerberus.bbh.cyberschool.army.mil nacl.cybbh.space : PSK '{{ nacl_ipsec_secret }}'
+
+include /var/lib/strongswan/ipsec.secrets.inc
-- 
GitLab
From a6699284491c3c60bf0baeaacd59278a990e60e8 Mon Sep 17 00:00:00 2001
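Review bot: `rightsubnet=192.168.200.248,192.168.200.248` lists the same host twice, which looks like a copy/paste slip — either a second address was intended or the duplicate should go. The `esp=` proposal pairs AEAD ciphers with integrity suffixes (`aes256gcm128-sha256`) and also offers the 64-bit ICV variants (`aes256gcm64-*`); GCM already carries its own integrity, so the suffixes add nothing (how the parser treats them varies by strongSwan version), and the short-tag variants weaken a set that the trailing `!` then makes strict — trimming to `esp=aes256gcm128!` is the safer baseline. With `auto=start` and `dpdaction=clear`, a DPD timeout tears the tunnel down and nothing brings it back up; `dpdaction=restart` is the usual choice for an always-on site-to-site link. `leftid = ...` and `leftauth = psk` use spaces around `=` while the other keys do not; worth confirming the installed parser accepts both forms rather than mixing them.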
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:25:32 -0500
Subject: [PATCH 05/11] add hash
---
 apps/ipsec/files/hash | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 apps/ipsec/files/hash
diff --git a/apps/ipsec/files/hash b/apps/ipsec/files/hash
new file mode 100644
index 000000000..d2fd44585
--- /dev/null
+++ b/apps/ipsec/files/hash
@@ -0,0 +1,2 @@
+0a7d86ada00ad5ee294927332fb196b38537e0815659a8b688f2562b356c4f690a2b27593e8f1114dc7929e42d09d6e44b5010243185e1b04c389e39d1f9bc23 *nacl-ipsec.conf
+5a81cab9e56ccdfb1ba4165bef9daee76fbd90fe55e3ad6aa491689f0c4b3e5f6af0b8032fe3a19fe74ec6731a87a04e259023d5ba617ec17e3730518174b5d0 *nacl-ipsec.secrets
-- 
GitLab
From fdf9bc04ccbbe03483ef737f620ed6204bbeab28 Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:26:17 -0500
Subject: [PATCH 06/11] add nacl install
---
 apps/ipsec/install-nacl | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 apps/ipsec/install-nacl
diff --git a/apps/ipsec/install-nacl b/apps/ipsec/install-nacl
new file mode 100644
index 000000000..619a330a0
--- /dev/null
+++ b/apps/ipsec/install-nacl
@@ -0,0 +1,3 @@
+install_strongswan:
+ pkg.installed:
+ - name: strongswan
-- 
GitLab
From c01aed9559fa21daef7066040dae3428b0b60f2c Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 11:26:51 -0500
Subject: [PATCH 07/11] add nacl configs
---
 apps/ipsec/configure-nacl | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 apps/ipsec/configure-nacl
diff --git a/apps/ipsec/configure-nacl b/apps/ipsec/configure-nacl
new file mode 100644
index 000000000..25e821de5
--- /dev/null
+++ b/apps/ipsec/configure-nacl
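Review bot: `apps/ipsec/files/hash` is a hand-maintained checksum list and goes stale the moment `nacl-ipsec.conf` or the secrets template is edited, at which point the `source_hash` lookups in configure-nacl fail the highstate rather than deploying the new config. Both sources are `salt://` URLs, for which the fileserver already supplies a verified hash, so as far as I recall `source_hash` is not needed for them at all. If the file is kept, a one-line comment recording how it was produced (the format looks like `sha512sum -b` output, run from `apps/ipsec/files/`) would let the next editor regenerate it correctly.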
@@ -0,0 +1,22 @@
+include:
+ - /apps/ipsec/install-nacl
+
+/etc/ipsec.secrets:
+ file.managed:
+ - source: salt://apps/ipsec/files/nacl-ipsec.secrets
+ - source_hash: salt://apps/ipsec/files/hash
+ - template: jinja
+ - defaults:
+ nacl_ipsec_secret: {{ pillar['nacl_ipsec_secret'] }}
+ - sls: /apps/ipsec/install-nacl
+
+/etc/ipsec.conf:
+ file.managed:
+ - source: salt://apps/ipsec/files/nacl-ipsec.conf
+ - source_hash: salt://apps/ipsec/files/hash
+
+strongswan:
+ service.running:
+ - watch:
+ - /etc/ipsec.conf
+ - /etc/ipsec.secrets
-- 
GitLab
From 81b6fdab49872320c37da3a55cf8e3e033d9913a Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 13:39:24 -0500
Subject: [PATCH 08/11] add saltstack extension
---
 apps/ipsec/configure-nacl.sls | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 apps/ipsec/configure-nacl.sls
diff --git a/apps/ipsec/configure-nacl.sls b/apps/ipsec/configure-nacl.sls
new file mode 100644
index 000000000..25e821de5
--- /dev/null
+++ b/apps/ipsec/configure-nacl.sls
@@ -0,0 +1,22 @@
+include:
+ - /apps/ipsec/install-nacl
+
+/etc/ipsec.secrets:
+ file.managed:
+ - source: salt://apps/ipsec/files/nacl-ipsec.secrets
+ - source_hash: salt://apps/ipsec/files/hash
+ - template: jinja
+ - defaults:
+ nacl_ipsec_secret: {{ pillar['nacl_ipsec_secret'] }}
+ - sls: /apps/ipsec/install-nacl
+
+/etc/ipsec.conf:
+ file.managed:
+ - source: salt://apps/ipsec/files/nacl-ipsec.conf
+ - source_hash: salt://apps/ipsec/files/hash
+
+strongswan:
+ service.running:
+ - watch:
+ - /etc/ipsec.conf
+ - /etc/ipsec.secrets
-- 
GitLab
From 51c1eb31f909682bf15bc44562c1e9c8c747686a Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 13:40:13 -0500
Subject: [PATCH 09/11] add saltstack extension
---
 apps/ipsec/install-nacl.sls | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 apps/ipsec/install-nacl.sls
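Review bot: `/etc/ipsec.secrets` is rendered with the pillar PSK, but the `file.managed` state sets no `user`, `group` or `mode`, so on a fresh minion the file is created with Salt's default (typically world-readable) permissions and the tunnel's pre-shared key is readable by every local account; add `user`/`group`/`mode` and `show_changes: False` so the secret also stays out of state output and the master's job cache. The `- sls: /apps/ipsec/install-nacl` line sits directly under `file.managed` instead of under `- require:`, so Salt treats it as an argument to the state function rather than as a requisite — presumably a misplaced `require`. Reading the key via `pillar['nacl_ipsec_secret']` rather than `pillar.get` is the right call here, since a missing pillar key then fails the render instead of writing an empty PSK. The same two issues are present verbatim in the `configure-nacl.sls` copy added by PATCH 08/11.
```yaml
/etc/ipsec.secrets:
  file.managed:
    # … unchanged: source, source_hash, template, defaults …
    - user: root
    - group: root
    - mode: '0600'
    - show_changes: False
    - require:
      - sls: /apps/ipsec/install-nacl
# … unchanged: /etc/ipsec.conf and strongswan states …
```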
diff --git a/apps/ipsec/install-nacl.sls b/apps/ipsec/install-nacl.sls
new file mode 100644
index 000000000..619a330a0
--- /dev/null
+++ b/apps/ipsec/install-nacl.sls
@@ -0,0 +1,3 @@
+install_strongswan:
+ pkg.installed:
+ - name: strongswan
-- 
GitLab
From 47428993ce6ca0d0a49c1dd7a8d8634a96620595 Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Thu, 22 Feb 2018 14:24:23 -0500
Subject: [PATCH 10/11] remove wrong file extensions
---
 apps/ipsec/configure-nacl | 22 ----------------------
 apps/ipsec/install-nacl | 3 ---
 2 files changed, 25 deletions(-)
 delete mode 100644 apps/ipsec/configure-nacl
 delete mode 100644 apps/ipsec/install-nacl
diff --git a/apps/ipsec/configure-nacl b/apps/ipsec/configure-nacl
deleted file mode 100644
index 25e821de5..000000000
--- a/apps/ipsec/configure-nacl
+++ /dev/null
@@ -1,22 +0,0 @@
-include:
- - /apps/ipsec/install-nacl
-
-/etc/ipsec.secrets:
- file.managed:
- - source: salt://apps/ipsec/files/nacl-ipsec.secrets
- - source_hash: salt://apps/ipsec/files/hash
- - template: jinja
- - defaults:
- nacl_ipsec_secret: {{ pillar['nacl_ipsec_secret'] }}
- - sls: /apps/ipsec/install-nacl
-
-/etc/ipsec.conf:
- file.managed:
- - source: salt://apps/ipsec/files/nacl-ipsec.conf
- - source_hash: salt://apps/ipsec/files/hash
-
-strongswan:
- service.running:
- - watch:
- - /etc/ipsec.conf
- - /etc/ipsec.secrets
diff --git a/apps/ipsec/install-nacl b/apps/ipsec/install-nacl
deleted file mode 100644
index 619a330a0..000000000
--- a/apps/ipsec/install-nacl
+++ /dev/null
@@ -1,3 +0,0 @@
-install_strongswan:
- pkg.installed:
- - name: strongswan
-- 
GitLab
From 8e9f82b5fe2dcaba7ac825112b1d2f1376ea1dec Mon Sep 17 00:00:00 2001
From: kjefferson <kyle.w.jefferson.ctr@mail.mil>
Date: Wed, 28 Feb 2018 09:34:58 -0500
Subject: [PATCH 11/11] add nacl to top file
---
 top.sls | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/top.sls b/top.sls
index 21e33bde1..7a17be256 100644
--- a/top.sls
+++ b/top.sls
@@ -9,7 +9,7 @@ base:
 '*cybbh.space':
 - formulas/common/cloud-preprov
-### Run all nodes in preprov status through the prov state; apply the prov status if and
+### Run all nodes in preprov status through the prov state; apply the prov status if and
 ### only if the prov state for the node class succeeds.
 ### Core Classes
@@ -109,3 +109,7 @@ base:
 'P@status:(preprov|prov|preprod|prod) and E@^(register)':
 - match: compound
 - formulas/class/public/register
+
+ 'P@status:(preprov|prov|preprod|prod) and E@^(nacl)':
+ - match: compound
+ - formulas/class/nacl/prod
-- 
GitLab
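Review bot: The new compound target `E@^(nacl)` in the second hunk matches any minion id that merely starts with `nacl` (`nacl-test`, `nacl2`, …), and every such minion receives the VPN gateway formula and, via configure-nacl, renders the pillar PSK to disk; unless the prefix match is deliberate, anchor the pattern to the intended id (for example `E@^nacl\.cybbh\.space$`, adjusted to the real minion id) or target a grain or nodegroup instead. The `register` entry above it has the same prefix-only shape, so this may be repository convention — worth confirming rather than assuming. Pillar scoping lives in the pillar top file, which this commit does not touch, so `nacl_ipsec_secret` should be targeted at least as tightly there. The first hunk is a whitespace-only comment change.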