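# Export an ssh authorized_keys snippet (plus the matching ferm rule) so that
# roles on other hosts can collect them with ssh::authorized_key_collect.
#
# Parameters:
#   $target_user  local account on the collecting host; the fragment goes
#                 into /etc/ssh/puppetkeys/<target_user>
#   $command      forced command written into the key's command="..." option
#   $collect_tag  one tag or a list of tags; each yields an export tag
#                 "ssh::authorized_key::fragment::<tag>::<target_user>"
#                 (and a ferm counterpart) for the collector to match on
#   $restrict     extra key options placed after from=; default 'restrict'
#   $key          the public key line (type, base64, comment); when undef or
#                 empty only a warning is emitted and nothing is exported
#   $from_hosts   addresses allowed to use the key (from= option) and to reach
#                 the ssh chain in ferm; defaults to this host's public
#                 addresses. Typed as IP addresses, so no wildcard patterns.
#
# Fails the catalog when a value would break the single-line authorized_keys
# syntax (multi-line key, a double quote in command/from/restrict) or when
# from_hosts is empty.
define ssh::authorized_key_add(
  String $target_user,
  String $command,
  Variant[Array[String], String] $collect_tag,
  String $restrict = 'restrict',
  Optional[String] $key,
  Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
) {
  # An empty address list would yield from="" (key never usable) and the
  # invalid ferm expression `saddr ()`; refuse to export that.
  if empty($from_hosts) {
    fail('from_hosts must not be empty for ssh::authorized_key')
  }

  $from       = $from_hosts.join(',')
  $from_space = $from_hosts.join(' ')

  # undef and '' both count as "no key yet".
  $have_key = $key =~ NotUndef and $key != ''

  # authorized_keys is line oriented: a second line would be parsed as a
  # separate, option-less key.
  if $have_key and size(split($key, "\n")) > 1 {
    fail('More than one line in key for ssh::authorized_key')
  }

  # A double quote terminates the command="..." / from="..." option early.
  # Match with a regex rather than counting split() parts: split() drops
  # trailing empty fields, so a trailing quote would slip through that check.
  if $command =~ /"/ {
    fail('command must not contain double quotes')
  }
  if $from =~ /"/ {
    fail('from_hosts must not contain double quotes')
  }
  # $restrict is interpolated verbatim into the options field as well.
  if $restrict =~ /["\n]/ {
    fail('restrict must not contain double quotes or newlines')
  }

  $raw_tags = $collect_tag ? {
    String  => [ $collect_tag ],
    default => $collect_tag,
  }

  $ssh_tags  = $raw_tags.map |$t| { "ssh::authorized_key::fragment::${t}::${target_user}" }
  # NOTE(review): $ferm_tags is computed but the ferm::rule below is exported
  # with $ssh_tags; check ssh::authorized_key_collect before switching it.
  $ferm_tags = $raw_tags.map |$t| { "ssh::authorized_key::ferm::${t}::${target_user}" }

  if $have_key {
    # The "# from" line inside the heredoc is authorized_keys content, not a
    # Puppet comment; it records which host exported the key.
    @@concat::fragment { "ssh::authorized_key::${name} ${target_user} from ${::hostname}":
      tag     => $ssh_tags,
      target  => "/etc/ssh/puppetkeys/${target_user}",
      order   => '200',
      content => @("EOF"),
        # from ${::fqdn}
        command="${command}",from="${from}",${restrict} ${key}
        | EOF
    }
  } else {
    notify { "Warning, ssh key for ${name}, ${target_user} not defined (yet?).":
      loglevel => warning,
    }
  }

  # Open the ssh chain for the same source addresses the key is restricted to.
  @@ferm::rule { "ssh-${raw_tags[0]}_${target_user}-${name}_from_${::hostname}":
    tag         => $ssh_tags,
    description => "allow ssh for ssh to ${target_user}",
    domain      => '(ip ip6)',
    chain       => 'ssh',
    rule        => "saddr (${from_space}) ACCEPT",
  }
}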