diff options
author | varac <varacanero@zeromail.org> | 2013-06-27 10:52:54 +0200 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2013-06-30 12:51:35 -0400 |
commit | 6c34c73f7e4c5203321547b699c6eaba9de8e2fe (patch) | |
tree | 96ca00bde1b03468508301e3a28565035f49fd58 | |
parent | 3b6f11a60778d5cb3ae265980e4e4870bf065de2 (diff) |
switch to own define for managing ssh keys
The problem with puppet's built-in ssh_authorized_key is that you can
purge unmanaged keys in a authorized_keys file. see
https://leap.se/code/issues/3010 for details.
Conflicts:
puppet/modules/site_sshd/manifests/authorized_keys.pp
Change-Id: I640bf7ebc0f0f7fb19cc46feb4cb2702d6561a9b
5 files changed, 34 insertions, 14 deletions
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index 8e0c15ac..c18f691c 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,6 +1,19 @@ -class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) { - tag 'leap_authorized_keys' - - create_resources(site_sshd::authorized_keys::key, $keys) - +define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { + # This line allows default homedir based on $title variable. + # If $home is empty, the default is used. + $homedir = $home ? {'' => "/home/${title}", default => $home} + file { + "${homedir}/.ssh": + ensure => 'directory', + owner => $title, + group => $title, + mode => '0700'; + "${homedir}/.ssh/authorized_keys": + ensure => $ensure, + owner => $ensure ? {'present' => $title, default => undef }, + group => $ensure ? {'present' => $title, default => undef }, + mode => '0600', + require => File["${homedir}/.ssh"], + content => template('site_sshd/authorized_keys.erb'); + } } diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp deleted file mode 100644 index 56271cdc..00000000 --- a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp +++ /dev/null @@ -1,8 +0,0 @@ -define site_sshd::authorized_keys::key ($key, $type) { - ssh_authorized_key { - $name: - type => $type, - user => 'root', - key => $key - } -} diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp new file mode 100644 index 00000000..97ca058f --- /dev/null +++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp @@ -0,0 +1,9 @@ +class site_sshd::deploy_authorized_keys ( $keys ) { + tag 'leap_authorized_keys' + + site_sshd::authorized_keys {'root': + keys => $keys, + home => '/root' + } + +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 905d5c9b..90dd2d0e 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -7,7 +7,7 @@ class site_sshd { $authorized_keys = $ssh['authorized_keys'] - class { 'site_sshd::authorized_keys': + class { 'site_sshd::deploy_authorized_keys': keys => $authorized_keys } diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb new file mode 100644 index 00000000..3c65e8ab --- /dev/null +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -0,0 +1,6 @@ +# NOTICE: This file is autogenerated by Puppet +# all manually added keys will be overridden + +<% keys.sort.each do |user, hash| -%> +<%=hash['type']-%> <%=hash['key']%> <%=user%> +<% end -%> |