# Export an ssh authorized_keys line of the form
#   command="<command>",from="<from_hosts>",<restrict> <key>
# (plus a matching ferm rule allowing ssh from those hosts) so that roles on
# other hosts can collect it using ssh::authorized_key_collect.
# The checks below reject multi-line keys and double quotes in command/from.
# NOTE(review): $restrict is interpolated as-is (no check visible here), and a
# $command ending in a backslash passes the quote check even though sshd may
# treat `\"` as an escaped quote, which would swallow the from= restriction -
# confirm and tighten if needed.
4 define ssh::authorized_key_add(
8 Variant[Array[String], String] $collect_tag,
9 String $restrict = 'restrict',
10 Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
12 $from = $from_hosts.join(',')
14 if (size(split($key, "\n")) > 1) {
15 fail('More than one line in key for ssh::authorized_key')
17 if (size(split($command, '"')) > 1) {
18 fail('command must not contain double quotes')
20 if (size(split($from, '"')) > 1) {
21 fail('from_hosts must not contain double quotes')
24 if $collect_tag =~ String {
25 $raw_tags = [ $collect_tag ]
27 $raw_tags = $collect_tag
29 $ssh_tags = $raw_tags.map |$t| { "ssh::authorized_key::fragment::${t}::${target_user}" }
30 $ferm_tags = $raw_tags.map |$t| { "ssh::authorized_key::ferm::${t}::${target_user}" }
32 $from_space = $from_hosts.join(' ')
35 @@concat::fragment { "ssh::authorized_key::${name} ${target_user} from ${::hostname}":
37 target => "/etc/ssh/puppetkeys/${target_user}",
41 command="${command}",from="${from}",${restrict} ${key}
45 notify { "Warning, ssh key for ${name}, ${target_user} not defined (yet?).":
50 @@ferm::rule { "ssh-${raw_tags[0]}_${target_user}-${name}_from_${::hostname}":
52 description => "allow ssh for ssh to ${target_user}",
55 rule => "saddr (${from_space}) ACCEPT",