# store ssh authorized_keys snippets that roles on different hosts can then
# collect using ssh::authorized_key_collect

define ssh::authorized_key_add(
  String $target_user,
  String $command,
  String $key,
  String $collect_tag,
  Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
) {
  $from = $from_hosts.join(',')

  if (size(split($key, "\n")) > 1) {
    fail('More than one line in key for ssh::authorized_key')
  }
  if (size(split($command, '"')) > 1) {
    fail('command must not contain double quotes')
  }
  if (size(split($from, '"')) > 1) {
    fail('from_hosts must not contain double quotes')
  }

  $from_space = $from_hosts.join(' ')

  @@concat::fragment { "ssh::authorized_key::${name} ${target_user} ${from}":
    tag     => "ssh::authorized_key::fragment::${collect_tag}::${target_user}",
    target  => "/etc/ssh/userkeys/${target_user}",
    order   => '200',
    content => @("EOF"),
               command="${command}",from="${from}",restrict ${key}
               | EOF
  }

  @@ferm::rule { "ssh-${target_user}-${name}":
    tag         => "ssh::authorized_key::ferm::${collect_tag}::${target_user}",
    description => "allow ssh for ssh to ${target_user}",
    domain      => '(ip ip6)',
    chain       => 'ssh',
    rule        => "saddr (${from_space}) ACCEPT",
  }
}