From 6c34c73f7e4c5203321547b699c6eaba9de8e2fe Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 27 Jun 2013 10:52:54 +0200
Subject: switch to own define for managing ssh keys

The problem with puppet's built-in ssh_authorized_key is that you can
purge unmanaged keys in a authorized_keys file. see
https://leap.se/code/issues/3010 for details.

Conflicts:
	puppet/modules/site_sshd/manifests/authorized_keys.pp

Change-Id: I640bf7ebc0f0f7fb19cc46feb4cb2702d6561a9b
---
 .../modules/site_sshd/manifests/authorized_keys.pp | 23 +++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'puppet/modules/site_sshd/manifests/authorized_keys.pp')

diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index 8e0c15ac..c18f691c 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,6 +1,19 @@
-class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) {
-  tag 'leap_authorized_keys'
-
-  create_resources(site_sshd::authorized_keys::key, $keys)
-
+define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
+  # This line allows default homedir based on $title variable.
+  # If $home is empty, the default is used.
+  $homedir = $home ? {'' => "/home/${title}", default => $home}
+  file {
+    "${homedir}/.ssh":
+      ensure  => 'directory',
+      owner   => $title,
+      group   => $title,
+      mode    => '0700';
+    "${homedir}/.ssh/authorized_keys":
+      ensure  => $ensure,
+      owner   => $ensure ? {'present' => $title, default => undef },
+      group   => $ensure ? {'present' => $title, default => undef },
+      mode    => '0600',
+      require => File["${homedir}/.ssh"],
+      content => template('site_sshd/authorized_keys.erb');
+  }
 }
-- 
cgit v1.2.3