Ubuntu 20.04 support

salt/core/apt/files/99-connection-timeouts

@@ -0,0 +1,4 @@
+# Resolves timeouts to security.ubuntu.com
+# Tries 15 times, each for 1 minute.
+Acquire::http::Timeout "60";
+Acquire::Retries "15";

salt/core/apt.sls → salt/core/apt/init.sls

@@ -3,3 +3,7 @@
   file.replace:
     - pattern: "Prompt=lts"
     - repl: "Prompt=never"
+
+/etc/apt/apt.conf.d/99-connection-timeouts:
+  file.managed:
+    - source: salt://core/apt/files/99-connection-timeouts

salt/core/journald.sls

@@ -1,6 +1,6 @@
 /etc/systemd/journald.conf.d/customization.conf:
   file.managed:
-    - contents: | 
+    - contents: |
         [Journal]
         SystemMaxUse=1024M
     - user: root

salt/core/sshd/files/customization.conf

@@ -0,0 +1,3 @@
+PasswordAuthentication no
+PermitRootLogin without-password
+X11Forwarding no

salt/core/sshd.sls → salt/core/sshd/init.sls

@@ -1,9 +1,19 @@
 # We'll only be using SSH key authentication.
+{% if grains['osrelease'] >= '20.04' %}
+/etc/ssh/sshd_config.d/customization.conf:
+  file.managed:
+    - source: salt://core/sshd/files/customization.conf
+    - watch_in:
+      - service: ssh_service
+
+{% else %}
 disable password authentication:
   file.replace:
     - name: /etc/ssh/sshd_config
     - pattern: "^#?PasswordAuthentication .*"
     - repl: "PasswordAuthentication no"
+    - watch_in:
+      - service: ssh_service
 
 # The above "PasswordAuthentication no" technically disables root logins with passwords but we are explicitly setting "PermitRootLogin" as well for two reasons:
 # Firstly it adds an extra layer to the security if PasswordAuthentication is toggled back on.
@@ -13,21 +23,24 @@ force root ssh keys:
     - name: /etc/ssh/sshd_config
     - pattern: "^#?PermitRootLogin.*"
     - repl: "PermitRootLogin without-password"
+    - watch_in:
+      - service: ssh_service
 
 disable x11forwarding:
   file.replace:
     - name: /etc/ssh/sshd_config
     - pattern: "^#?X11Forwarding yes"
     - repl: "X11Forwarding no"
+    - watch_in:
+      - service: ssh_service
+{% endif %}
 
 # Restart the SSH service if the config changes.
 ssh_service:
   service.running:
     - name: ssh
     - enable: True
     - reload: True
-    - listen:
-      - file: /etc/ssh/sshd_config
 
 # Manage authorized keys for users with root access to all servers.
 root_authorized_keys:

salt/core/swap.sls

@@ -1,5 +1,5 @@
 {% if grains.mem_total > 32768 %}
-  {% set swap_size = grains.mem_total // 4 %}
+  {% set swap_size = [grains.mem_total // 4, 16384] | max %}
 {% elif grains.mem_total > 2048 %}
   {% set swap_size = grains.mem_total // 2 %}
 {% else %}
@@ -14,9 +14,11 @@
   {% set vm_swappiness = 40 %}
 {% endif %}
 
-{% set swap_path = "/swapfile" %}
+{% set swap_path = '/swapfile' %}
 
-# Create swap file and mount.
+# Some systems will have swap configured already, if it is sufficent then don't configure more.
+{% if swap_size > grains['swap_total'] %}
+# Create swap file and mount. Only runs if `swap_path` has not been created.
 {{ swap_path }}:
   cmd.run:
     - name: |
@@ -26,6 +28,7 @@
     - creates: {{ swap_path }}
   mount.swap:
     - persist: True
+{% endif %}
 
 # Set swappiness so that it is only used when memory is full.
 vm.swappiness:

salt/core/systemd/files/logind.conf

@@ -0,0 +1,2 @@
+[Login]
+RemoveIPC=no

salt/core/systemd/files/timesyncd.conf

@@ -0,0 +1,2 @@
+[Time]
+NTP=0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org

salt/core/systemd/logind.sls

@@ -0,0 +1,11 @@
+# Stop RemoveIPC killing all processes by a user when they log out.
+/etc/systemd/logind.conf.d/customization.conf:
+  file.managed:
+    - source: salt://core/systemd/files/logind.conf
+    - makedirs: True
+    - watch_in:
+      - service: systemd-logind
+
+systemd-logind:
+  service.running:
+    - name: systemd-logind

salt/core/systemd/ntp.sls

@@ -0,0 +1,37 @@
+# Configure an NTP service
+systemd-timesyncd:
+  {% if grains['osrelease'] >= '20.04' %}
+  # timesyncd is built into systemd on older Ubuntu releases.
+  pkg.installed:
+    - name: systemd-timesyncd
+  {% endif %}
+  service.running:
+    - name: systemd-timesyncd
+    - enable: True
+    {% if grains['osrelease'] >= '20.04' %}
+    - require:
+      - pkg: systemd-timesyncd
+    {% endif %}
+
+/etc/systemd/timesyncd.conf.d/customization.conf:
+  file.managed:
+    - source: salt://core/systemd/files/timesyncd.conf
+    - makedirs: True
+    - watch_in:
+      - service: systemd-timesyncd
+
+/etc/systemd/timesyncd.conf:
+  file.comment:
+    - regex: "^NTP="
+    - backup: False
+    - watch_in:
+      - service: systemd-timesyncd
+
+# Catch instances where ntp has been installed protecting against two NTP services running at once.
+ntp:
+  service.dead:
+    - enable: False
+
+# Set timezone to UTC.
+UTC:
+  timezone.system

salt/top.sls

@@ -12,11 +12,11 @@ base:
     - core.logrotate
     - core.mail
     - core.motd
-    - core.ntp
     - core.rsyslog
     - core.sshd
     - core.swap
-    - core.systemd
+    - core.systemd.logind
+    - core.systemd.ntp
 
   'cove-*':
     - cove

salt/yarn/init.sls

@@ -2,7 +2,7 @@
 yarn:
   pkgrepo.managed:
     - humanname: Yarn Official Repository
-    - name: deb https://dl.yarnpkg.com/debian/ stable main
+    - name: deb https://dl.yarnpkg.com/debian stable main
     - file: /etc/apt/sources.list.d/yarn.list
     - key_url: https://dl.yarnpkg.com/debian/pubkey.gpg
   pkg.installed: