From a7a199e577e5c124705fa86047de66e9212a0bf9 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Fri, 12 Dec 2025 18:14:55 -0600
Subject: [PATCH 1/2] add new state for benchmark minion
---
salt/benchmarks/init.sls | 13 +++++++++++++
salt/top.sls | 4 ++++
2 files changed, 17 insertions(+)
create mode 100644 salt/benchmarks/init.sls
diff --git a/salt/benchmarks/init.sls b/salt/benchmarks/init.sls
new file mode 100644
index 00000000..504a6337
--- /dev/null
+++ b/salt/benchmarks/init.sls
@@ -0,0 +1,13 @@
+/etc/ssh/sshd_config.d/99-hardening.conf:
+ file.managed:
+ - source: salt://benchmarks/configs/sshd-hardening.conf
+ - user: root
+ - group: root
+ - mode: "0644"
+
+ssh-reload-benchmarks:
+ service.running:
+ - name: ssh
+ - reload: True
+ - watch:
+ - file: /etc/ssh/sshd_config.d/99-hardening.conf
diff --git a/salt/top.sls b/salt/top.sls
index ab5dd716..611b84b0 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -36,6 +36,10 @@ base: - pgbouncer - buildbot + 'benchmarks': + - match: nodegroup + - benchmarks + 'cdn-logs': - match: nodegroup - cdn-logs
From 4b821f5754f66b8ad1f915be2ea3ebdf0c6b0e40 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Fri, 12 Dec 2025 18:15:09 -0600
Subject: [PATCH 2/2] source the hardening conf + add psf-users to AllowGrops
---
salt/benchmarks/configs/sshd-hardening.conf | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 salt/benchmarks/configs/sshd-hardening.conf
diff --git a/salt/benchmarks/configs/sshd-hardening.conf b/salt/benchmarks/configs/sshd-hardening.conf
new file mode 100644
index 00000000..853f9315
--- /dev/null
+++ b/salt/benchmarks/configs/sshd-hardening.conf
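Review bot: The state drops the fragment into `/etc/ssh/sshd_config.d/` but never confirms that the host's `/etc/ssh/sshd_config` actually carries an `Include /etc/ssh/sshd_config.d/*.conf` line, so on a host whose main config lacks it (older OpenSSH, or a hand-edited file) the hardening is silently never read while the state still reports success. sshd keeps the first value it reads for each keyword and processes included files in lexical order, so the `99-` prefix gives this file the lowest precedence among fragments — any earlier fragment (for example one dropped in by cloud-init) that sets `PasswordAuthentication` or `PermitRootLogin` wins; a lower prefix such as `00-hardening.conf` would make these settings authoritative, which appears to be the intent. It is also worth adding `- check_cmd: /usr/sbin/sshd -t -f` to the `file.managed` so a malformed fragment is rejected before the `watch` triggers the reload, keeping in mind that this validates the fragment on its own rather than the merged configuration.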
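Review bot: The new `benchmarks` entry uses `match: nodegroup`, but nothing in this patch defines a `benchmarks` nodegroup; unless it already exists in the master's `nodegroups` setting the entry matches no minion and the hardening state is never applied, and as far as I can tell Salt only logs the undefined nodegroup rather than failing the highstate. Consider pairing this change with the nodegroup definition, or stating in the commit message where it is provisioned.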
@@ -0,0 +1,17 @@
+# Forbid any root SSH login
+PermitRootLogin no
+
+# Only allow public key auth for all users
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+
+# Restrict who can SSH in - allow PSF users and system admins
+AllowGroups psf-users sudo admin
+
+# Where to read user keys from
+AuthorizedKeysFile .ssh/authorized_keys
+
+# Keep PAM enabled for account/session modules (e.g., limits)
+UsePAM yes
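Review bot: `AllowGroups psf-users sudo admin` locks out every account that is not a member of one of those groups the moment sshd reloads, and nothing in this patch creates `psf-users` or puts the operators' accounts (or whatever account Salt itself uses, if it reaches these hosts over SSH) into it; the group membership should be managed by the same state, or the commit message should say where it is provisioned, so the reload cannot strand the box. `admin` is a legacy group that current Debian/Ubuntu releases do not create by default, so it may be dead weight — either drop it or annotate it with `# 'admin' kept for legacy hosts; current images only use 'sudo'`. `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH; keeping both is harmless, but a comment such as `# legacy alias of KbdInteractiveAuthentication, kept for older sshd` would save the next reader a lookup.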