author | varac <varacanero@zeromail.org> | 2014-02-12 12:54:20 +0100 |
---|---|---|
committer | varac <varacanero@zeromail.org> | 2014-02-12 12:54:20 +0100 |
commit | 245ad19a443434196b897c9a2310e7507e925fcd (patch) | |
tree | cca6f9e0476dc7ad31a1c28a923d05f2d03e887e | |
parent | 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 (diff) | |
parent | 0b3e87cd6916d4ca4404fd2b375d21468d17f343 (diff) |
Merge remote-tracking branch 'elijah/feature/known_hosts' into 0.6
Conflicts:
provider_base/services/monitor.json
-rw-r--r-- | platform.rb | 10 | ||||
-rw-r--r-- | provider_base/common.json | 1 | ||||
-rw-r--r-- | provider_base/services/monitor.json | 9 | ||||
-rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 18 | ||||
-rw-r--r-- | puppet/modules/site_sshd/templates/ssh_config.erb | 23 | ||||
-rw-r--r-- | puppet/modules/site_sshd/templates/ssh_known_hosts.erb | 7 |
6 files changed, 64 insertions, 4 deletions
diff --git a/platform.rb b/platform.rb
index 60b0d9a5..54590f4b 100644
--- a/platform.rb
+++ b/platform.rb
@@ -3,8 +3,8 @@ #
 Leap::Platform.define do
- self.version = "0.2.4"
- self.compatible_cli = "1.2.4".."1.99"
+ self.version = "0.4.0"
+ self.compatible_cli = "1.4.0".."1.99"
 #
 # the facter facts that should be gathered
@@ -43,6 +43,8 @@ Leap::Platform.define do
 :user_pgp => 'users/#{arg}/#{arg}_pgp.pub',
 :known_hosts => 'files/ssh/known_hosts',
 :authorized_keys => 'files/ssh/authorized_keys',
+ :monitor_pub_key => 'files/ssh/monitor_ssh.pub',
+ :monitor_priv_key => 'files/ssh/monitor_ssh',
 :ca_key => 'files/ca/ca.key',
 :ca_cert => 'files/ca/ca.crt',
 :client_ca_key => 'files/ca/client_ca.key',
@@ -73,5 +75,9 @@ Leap::Platform.define do
 self.node_files = [
 :node_config, :hiera, :node_x509_cert, :node_x509_key, :node_ssh_pub_key
 ]
+
+ self.monitor_username = 'monitor'
+
+ self.reserved_usernames = ['monitor']
 end
diff --git a/provider_base/common.json b/provider_base/common.json
index 07a45972..07a58bba 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -16,7 +16,6 @@
 },
 "ssh": {
 "authorized_keys": "= authorized_keys",
- "known_hosts": "=> known_hosts_file",
 "port": 22,
 "mosh": {
 "ports": "60000:61000",
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 142a4b5e..5656fe80 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,7 +1,14 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ },
+ "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])",
+ "ssh": {
+ "monitor": {
+ "username": "= Leap::Platform.monitor_username",
+ "private_key": "= file(:monitor_priv_key)"
+ }
 },
 "x509": {
 "use": true,
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 90dd2d0e..2bcde603 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,5 +1,6 @@
 class site_sshd {
 $ssh = hiera_hash('ssh')
+ $hosts = hiera_hash('hosts')
 ##
 ## SETUP AUTHORIZED KEYS
@@ -12,6 +13,23 @@ class site_sshd {
 }
 ##
+ ## SETUP KNOWN HOSTS and SSH_CONFIG
+ ##
+
+ file {
+ '/etc/ssh/ssh_known_hosts':
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => template('site_sshd/ssh_known_hosts.erb');
+ '/etc/ssh/ssh_config':
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => template('site_sshd/ssh_config.erb');
+ }
+
+ ##
 ## OPTIONAL MOSH SUPPORT
 ##
diff --git a/puppet/modules/site_sshd/templates/ssh_config.erb b/puppet/modules/site_sshd/templates/ssh_config.erb
new file mode 100644
index 00000000..7e967413
--- /dev/null
+++ b/puppet/modules/site_sshd/templates/ssh_config.erb
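Review bot: The filter `nodes_like_me[:services => '!monitor']` on the new `"hosts"` line and on the nagios `"hosts"` line excludes every node that carries the monitor service, so a node running monitor alongside other services would drop out of both the nagios host list and the generated ssh_known_hosts, and the monitor node gets no entry for its own host key; unless monitor nodes are guaranteed to be dedicated, that filter is broader than the name suggests. The `"private_key": "= file(:monitor_priv_key)"` line places private key material into the node's hiera data, so whatever permissions the deployed hiera file has on the node — not set anywhere in this diff — are what bound its exposure; worth confirming that file is root-only and that the matching authorized_keys entries on the other nodes are limited to the monitoring user. The JSON object continues past the end of the hunk.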
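Review bot: `$hosts = hiera_hash('hosts')` in the first hunk has no default, and in this diff a `hosts` key is only defined by the monitor service (provider_base/services/monitor.json), so on Puppet 3 catalog compilation will fail for any node whose hiera data does not resolve that key — presumably every non-monitor node, since `site_sshd` looks like a class applied everywhere. Giving it a default, `$hosts = hiera_hash('hosts', {})`, lets `ssh_known_hosts.erb` render an empty file on those nodes instead. Since the same commit removes the `known_hosts` key from common.json, non-monitor nodes will then end up with no known_hosts entries at all, which may be intended but deserves a comment above the new `file { '/etc/ssh/ssh_known_hosts': ... }` resource stating that only monitor nodes receive pre-seeded host keys. The class body continues outside the second hunk.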
@@ -0,0 +1,23 @@
+# This file is generated by Puppet
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+Host *
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
+<% if scope.lookupvar('::site_config::params::environment') == 'local' -%>
+ #
+ # Vagrant nodes should have strict host key checking
+ # turned off. The problem is that the host key for a vagrant
+ # node is specific to the particular instance of the vagrant
+ # node you have running locally. For this reason, we can't
+ # track the host keys, or your host key for vpn1 would conflict
+ # with my host key for vpn1.
+ #
+ StrictHostKeyChecking no
+<% end -%>
+
diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb
new file mode 100644
index 00000000..002ab732
--- /dev/null
+++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb
@@ -0,0 +1,7 @@
+# This file is generated by Puppet
+
+<% @hosts.sort.each do |name, hash| -%>
+<% if hash['host_pub_key'] -%>
+<%= name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%>
+<% end -%>
+<% end -%>
|
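Review bot: `StrictHostKeyChecking no` is emitted inside the `Host *` block, so on a node whose environment resolves to `'local'` it disables host-key verification for every destination that node connects to, not only the vagrant peers the surrounding comment talks about; the comment should state that scope, e.g. append `# Note: this applies to all outgoing connections from a local node, not just other vagrant nodes.`. The branch is fail-safe in the sense that an unresolved `::site_config::params::environment` does not compare equal to `'local'` and strict checking stays on, which is also worth a one-line comment on the `<% if ... %>` line. `HashKnownHosts yes` only affects entries ssh itself appends, so the Puppet-generated `/etc/ssh/ssh_known_hosts` entries remain in plain form; fine, but a reader may expect otherwise.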
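Review bot: The entry line `<%= name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%>` does not guard against missing fields, so a host lacking e.g. `domain_internal` produces an empty pattern (`name,,1.2.3.4`) and a duplicate value appears twice; it also writes `host_pub_key` verbatim, so a trailing newline in the stored key would split the entry across lines and silently break matching for that host. A single replacement line handles both: `<%= [name, hash['domain_full'], hash['domain_internal'], hash['ip_address']].compact.uniq.join(',') %> <%= hash['host_pub_key'].to_s.strip %>`. The shape of the `@hosts` hash comes from `hosts_file(...)` in monitor.json, which is not visible here, so the field names above are taken as the template assumes them.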