--- /dev/null
+# store ssh authorized_keys snippets that roles on different hosts can then
+# collect using ssh::authorized_key_collect
+
+define ssh::authorized_key_add(
+ String $target_user,
+ String $command,
+ String $key,
+ String $collect_tag,
+ Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
+) {
+ $from = $from_hosts.join(',')
+
+ if (size(split($key, "\n")) > 1) {
+ fail('More than one line in key for ssh::authorized_key')
+ }
+ if (size(split($command, '"')) > 1) {
+ fail('command must not contain double quotes')
+ }
+ if (size(split($from, '"')) > 1) {
+ fail('from_hosts must not contain double quotes')
+ }
+
+ $from_space = $from_hosts.join(' ')
+
+ @@concat::fragment { "ssh::authorized_key::${name} ${target_user} ${from}":
+ tag => "ssh::authorized_key::fragment::${collect_tag}::${target_user}",
+ target => "/etc/ssh/userkeys/${target_user}",
+ order => '200',
+ content => @("EOF"),
+ command="${command}",from="${from}",restrict ${key}
+ | EOF
+ }
+
+ @@ferm::rule { "ssh-${target_user}-${name}":
+ tag => "ssh::authorized_key::ferm::${collect_tag}::${target_user}",
+ description => "allow ssh for ssh to ${target_user}",
+ domain => '(ip ip6)',
+ chain => 'ssh',
+ rule => "saddr (${from_space}) ACCEPT",
+ }
+}
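Review bot: The checks at lines 14–22 test `size(split(...)) > 1`, which misses a forbidden character at the very end of the string because Puppet's `split` (like Ruby's) appears to drop trailing empty fields, so a `$command` ending in `"` or a `$key` ending in a newline passes; and `$command` is never checked for newlines at all, so a newline in it terminates the option list of the generated line at line 31 and the text after it is parsed by sshd as a separate authorized_keys entry. Match the forbidden characters directly instead: `if $command =~ /["\n]/ { fail('command must not contain double quotes or newlines') }` and `if $key =~ /\n/ { fail('More than one line in key for ssh::authorized_key') }`. An empty `$from_hosts` also gets through, producing `from=""` in the key line and `saddr () ACCEPT` in the ferm rule at line 40; adding `if empty($from_hosts) { fail('from_hosts must not be empty') }` before the exports would surface that at compile time instead of in sshd or ferm.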
--- /dev/null
+# collect authorized_keys stored using authorized_key_add
+
+define ssh::authorized_key_collect(
+ String $target_user,
+ String $collect_tag,
+) {
+ concat { "/etc/ssh/userkeys/${target_user}": }
+ concat::fragment { "/etc/ssh/userkeys/${target_user}-header":
+ target => "/etc/ssh/userkeys/${target_user}",
+ order => '000',
+ content => "# This file is maintained with puppet\n",
+ }
+ Concat::Fragment <<| tag == "ssh::authorized_key::fragment::${collect_tag}::${target_user}" |>>
+
+ Ferm::Rule <<| tag == "ssh::authorized_key::ferm::${collect_tag}::${target_user}" |>>
+}
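Review bot: Declaring `ssh::authorized_key_collect` twice for the same `$target_user` with different `$collect_tag` values is a duplicate declaration of `Concat["/etc/ssh/userkeys/${target_user}"]` and of its header fragment at lines 50–55, since both are titled by user alone while the define's own identity includes the tag. If collecting several tags into one user's file is intended, wrap both in `ensure_resource('concat', "/etc/ssh/userkeys/${target_user}", {})` and the matching call for the header fragment; otherwise state the one-collector-per-user constraint in the header comment at line 44. The concat resource also leaves owner, group and mode to the module defaults; because sshd under StrictModes rejects a keys file that is group- or world-writable, stating `owner => 'root', group => 'root', mode => '0644'` explicitly would make that requirement visible in the manifest rather than depending on defaults that may change with the module version.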