From: Peter Palfrader
Date: Sat, 14 Sep 2019 10:57:26 +0000 (+0200)
Subject: Copy improved ssh::keygen from tor
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=428e8b8082b32e591bc8200d35eb5912c56a2e53;p=mirror%2Fdsa-puppet.git
Copy improved ssh::keygen from tor
This supports providing the name for the key (defaults to id_rsa). It also uses a more generic facter, one that doesn't require us manually listing every single role we care about.
---
diff --git a/modules/ssh/manifests/keygen.pp b/modules/ssh/manifests/keygen.pp
index 0af33418c..6bca7ff8b 100644
--- a/modules/ssh/manifests/keygen.pp
+++ b/modules/ssh/manifests/keygen.pp
@@ -1,23 +1,20 @@
 # create an ssh key for user
 define ssh::keygen(
 String $user = $name,
+ String $keyfile = 'id_rsa',
 ) {
- if $facts["${user}_user_exists"] == undef {
- notify { "We do not have facters for user ${user} existance and keys -- add it to modules/debian_org/lib/facter/roleaccounts.rb":
+ if ! $facts['ssh_keys_users'] {
+ notify { 'We do not have an ssh_keys_users fact!':
 loglevel => warning,
 }
- } elsif $facts["${user}_user_exists"] {
- if ! $facts["${user}_key"] {
- exec { "create-${user}-ssh-key":
- command => @("EOF"),
- /bin/su - ${user} -c 'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/id_rsa -q'
- | EOF
- onlyif => "/usr/bin/getent passwd ${user} > /dev/null && ! [ -e ~${user}/.ssh/id_rsa ]"
- }
- }
- } else {
- notify { "User ${user} does not exist on this host. Will not create ssh key":
- loglevel => warning,
+ } elsif ! $facts['ssh_keys_users'][$user] or ! $facts['ssh_keys_users'][$user]["${keyfile}.pub"] { # We use su - rather than user => so that our pam config creates the homedir # for the user if it does not yet exist. exec { "create-${user}-ssh-key-${keyfile}": command => @("EOF"), /bin/su - ${user} -c 'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/${keyfile} -q' | EOF onlyif => "/usr/bin/getent passwd '${user}' > /dev/null && ! [ -e ~${user}/'.ssh/${keyfile}' ]", } } }
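Review bot: The new `$keyfile` parameter changes only where the key is written, not what kind of key is generated: the `ssh-keygen` invocation on the new side still passes no `-t`, so `ssh::keygen { 'foo': keyfile => 'id_ed25519' }` would produce ssh-keygen's default key type (RSA on the OpenSSH versions I know) under a name that anyone reading `id_ed25519.pub` will take for Ed25519. I would pair the name with an explicit type, e.g. `Enum['rsa', 'ed25519'] $type = 'rsa',` in the parameter list and `ssh-keygen -t ${type} -C ... -f .ssh/${keyfile} -q` in the heredoc, or derive the type from the file name and fail on anything unrecognised. Both `$user` and `$keyfile` are also interpolated into a root-run `su -c '...'` command and into the `onlyif` shell string as bare `String`s; they come from manifests rather than untrusted input, but tightening them to `Pattern[/\A[a-z_][a-z0-9_-]*\z/] $user` and `Pattern[/\A[A-Za-z0-9._-]+\z/] $keyfile` costs one line each and rules out a quote or slash in a name breaking out of the single-quoted `-c` argument or escaping `.ssh/`. Separately, the `elsif` triggers on a missing `${keyfile}.pub` in the fact while the `onlyif` only tests the private file, so a host whose private key exists without its `.pub` is never repaired; if that is intended, a comment such as `# Only the private file gates the exec; a missing .pub is left for a human` would save the next reader the puzzle.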