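# Generate and distribute the ssh keypair the check-mk server uses to reach
# this agent:
#
#   * the keypair is created on the puppetmaster by ssh_keygen(), one pair
#     per $hostname under $ssh_key_basepath,
#   * the public half is installed into authorized_keys on this agent,
#     restricted so the key can do nothing but run the agent, and
#   * the private half is exported as a file resource tagged $check_mk_tag
#     for the check-mk server to collect.
#
# NOTE(review): $hostname defaults to the $::fqdn fact, which is reported by
# the agent itself and therefore under the node's control.  Because it is
# interpolated into file paths on both the puppetmaster and the check-mk
# server, it is validated below so a spoofed fact cannot become a path
# traversal.
define check_mk::agent::generate_sshkey (
  # dir on the check-mk-server where the collected key pairs are stored
  $keydir,
  # user/group the key should be owned by on the check-mk-server
  $keyuser          = 'nagios',
  $keygroup         = 'nagios',
  # dir on the check-mk-agent where the authorized_keys file is stored
  # (only takes effect together with $authfile)
  $authdir,
  # name of the authorized_keys file
  $authfile         = undef,
  # dir on the puppetmaster where keys are stored
  # FIXME: need a way to ensure this dir is setup on the puppetmaster correctly
  #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys",
  #  for now use a dir we know works
  $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys',
  # user on the client the check_mk server will ssh to, to run the agent
  $sshuser          = 'root',
  $hostname         = $::fqdn,
  $check_mk_tag     = 'check_mk_sshkey'
){

  # $hostname names files under $ssh_key_basepath and $keydir; refuse anything
  # that is not a plain host/domain name (no '/', no leading '.', not empty).
  if $hostname !~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/ {
    fail("check_mk::agent::generate_sshkey: refusing hostname '${hostname}': must be a plain host name")
  }

  # generate the check-mk ssh keypair, stored on the puppetmaster.
  # ssh_keygen() returns [private key, public key line]; the public line is
  # "<type> <base64 key> <comment>", so split it on spaces.
  $ssh_key_name = "${hostname}_id_rsa"
  $ssh_keys     = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
  $secret_key   = $ssh_keys[0]
  $public       = split($ssh_keys[1], ' ')
  $public_type  = $public[0]
  $public_key   = $public[1]

  # the agent normally runs as root; when the server logs in as somebody else
  # go through sudo (the matching sudoers entry is not managed here)
  $command = $sshuser ? {
    'root'  => '/usr/bin/check_mk_agent',
    default => 'sudo /usr/bin/check_mk_agent',
  }

  # Restrict the key to running only the agent.  A forced command on its own
  # does not stop the key holder from opening port forwards, forwarding an
  # agent or getting a pty, so those are denied as well.
  # TODO: add from="<check-mk server address>" once that address is
  # available to this define.
  # Two spellings of the same option list: the built-in ssh_authorized_key
  # type wants an array (a single comma-joined string is re-parsed into
  # several options and reported as changed on every run), while the
  # override path writes the authorized_keys line itself and gets a string,
  # as the original code passed it.  NOTE(review): assumes the wrapper hands
  # the non-override options through to the built-in type unchanged -
  # confirm against sshd::ssh_authorized_key.
  $key_options_array  = [
    'no-port-forwarding',
    'no-X11-forwarding',
    'no-agent-forwarding',
    'no-pty',
    "command=\"${command}\""
  ]
  $key_options_string = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command=\"${command}\""

  # setup the public half of the key in authorized_keys on the agent.
  # $public_type is taken from the generated key rather than hard-coded so
  # the authorized_keys entry always matches what ssh_keygen() produced.
  if $authdir and $authfile {
    # both parts given: override the authorized_keys path and file, and also
    # bypass the built-in ssh_authorized_key type since it may not be able
    # to write to $authdir
    sshd::ssh_authorized_key { $ssh_key_name:
        type             => $public_type,
        key              => $public_key,
        user             => $sshuser,
        target           => "${authdir}/${authfile}",
        override_builtin => true,
        options          => $key_options_string;
    }
  } elsif $authdir or $authfile {
    # only one half of the pair would give a target like "${authdir}/" or
    # "/${authfile}"; refuse rather than install a key somewhere surprising
    fail("check_mk::agent::generate_sshkey: authdir and authfile must be set together (authdir='${authdir}', authfile='${authfile}')")
  } else {
    # otherwise use the defaults
    sshd::ssh_authorized_key { $ssh_key_name:
        type    => $public_type,
        key     => $public_key,
        user    => $sshuser,
        options => $key_options_array;
    }
  }

  # export the private half for the check-mk server, where the user running
  # check-mk needs to read it (hence $keyuser/$keygroup and mode 0600).
  # Note that the key material travels inside the compiled catalog and sits
  # in the exported-resource store (storeconfigs / PuppetDB); that store
  # needs to be protected like the key itself.
  @@file { "${keydir}/${ssh_key_name}":
    content => $secret_key,
    owner   => $keyuser,
    group   => $keygroup,
    mode    => '0600',
    tag     => $check_mk_tag;
  }
}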