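#!/bin/bash
#
# Compile configuration.
#
# Builds $HYDRA_FOLDER/puppet/config/compiled.yaml from three inputs:
#   - the node list reported by `hydra $HYDRA nodes`,
#   - each node's SSH public key kept encrypted in the keyring
#     (ssh_authorized_key entries),
#   - the SSH host keys recorded in each node's facts file
#     (sshkeys / known_hosts entries).
#
# The result is assembled in a temporary file and only copied over the
# real compiled.yaml once every step succeeded, so a failed run never
# leaves a half-written configuration behind.
#
# Required environment: APP_BASE (hydra installation) and HYDRA (the
# hydra instance name); HYDRA_FOLDER is expected to be provided by
# hydra_config_load.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <https://www.gnu.org/licenses/>.

#######################################
# Print a message on stderr and abort.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Escape a scalar for use inside a YAML single-quoted string: a literal
# single quote is doubled, nothing else is touched.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
hydractl_yaml_squote() {
  local value="$1"
  local quote="'"
  printf '%s' "${value//$quote/$quote$quote}"
}

#######################################
# Print the SSH host public key of one type recorded in a facts file.
# Globals:   APP_BASE (read)
# Arguments:
#   $1 - facts YAML file of the node
#   $2 - key type: rsa, ed25519 or ecdsa
# Outputs:   the key material on stdout; nothing when the facts file
#            carries no key of that type
# Returns:   0 normally; 1 when the shyaml helper needed for new-style
#            facts is not installed (message on stderr)
#######################################
hydractl_get_yaml_ssh_key() {
  local file="$1"
  local type="$2"
  local key

  # Old facter layout: a flat "ssh<type>key: <value>" line.
  key="$(grep -- "ssh${type}key:" "$file" | cut -d ':' -f 2 | sed -e 's/ //g' -e 's/"//g')"
  if [ -n "$key" ]; then
    printf '%s\n' "$key"
    return 0
  fi

  # New facter layout: nested ssh.<type>.key, read with shyaml.
  # The error goes to stderr and is reported through the return status:
  # callers capture stdout, so printing it there would turn the message
  # into a "key", and an exit inside a command substitution would not
  # stop the script.
  if [ ! -e "$APP_BASE/vendor/shyaml/shyaml" ]; then
    printf '%s\n' "error: missing $APP_BASE/vendor/shyaml installation" >&2
    return 1
  fi
  # A facts file without this key type is not an error: print nothing.
  "$APP_BASE/vendor/shyaml/shyaml" get-value "ssh.${type}.key" < "$file" 2> /dev/null || true
}

#######################################
# Append one Puppet sshkey resource in hiera form.
# Arguments:
#   $1 - file to append to
#   $2 - resource title
#   $3 - key type (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256)
#   $4 - key material
#   $5 - host_aliases flow-sequence body; empty omits the line
#######################################
hydractl_emit_sshkey() {
  local out="$1"
  local title="$2"
  local type="$3"
  local key="$4"
  local aliases="$5"

  {
    printf '  %s:\n' "$title"
    printf "    ensure: 'present'\n"
    printf "    type: '%s'\n" "$type"
    printf "    key: '%s'\n" "$(hydractl_yaml_squote "$key")"
    if [ -n "$aliases" ]; then
      printf '    host_aliases: [ %s ]\n' "$aliases"
    fi
  } >> "$out"
}

#######################################
# Append the ssh_authorized_key entry of every node whose public key is
# kept encrypted in the keyring.
# Globals:   NODES, KEYS, HYDRA (read)
# Arguments: $1 - file to append to
#######################################
hydractl_compile_authorized_keys() {
  local out="$1"
  local node value

  # Word-splitting of $NODES is intended: one node name per word.
  for node in $NODES; do
    if [ -e "$KEYS/$node/ssh/id_rsa.pub.asc" ]; then
      echo "Adding SSH public key for $node..."
      # The second space-separated field of a .pub line is the key material.
      value="$(keyringer "$HYDRA" decrypt "nodes/$node/ssh/id_rsa.pub" 2> /dev/null | cut -d ' ' -f 2)"
      # An empty value means decryption failed; refuse to publish an empty
      # authorized key instead of silently writing one.
      if [ -z "$value" ]; then
        die "error: could not decrypt SSH public key for $node"
      fi
      printf "ssh_authorized_key::%s: '%s'\n" "$node" "$(hydractl_yaml_squote "$value")" >> "$out"
    fi
  done
}

#######################################
# Append the sshkeys (known_hosts) entries built from each node's facts
# file, one Puppet sshkey resource per key type found.
# Globals:   NODES, FACTS (read)
# Arguments: $1 - file to append to
#######################################
hydractl_compile_known_hosts() {
  local out="$1"
  local node facts rsakey ed25519key ecdsakey ports port host_aliases alt_aliases

  echo "sshkeys:" >> "$out"
  # Word-splitting of $NODES is intended: one node name per word.
  for node in $NODES; do
    facts="$FACTS/${node}.yaml"
    [ -e "$facts" ] || continue
    echo "Processing $node..."

    # A non-zero status here only means the shyaml helper is missing.
    rsakey="$(hydractl_get_yaml_ssh_key "$facts" rsa)" || exit 1
    ed25519key="$(hydractl_get_yaml_ssh_key "$facts" ed25519)" || exit 1
    ecdsakey="$(hydractl_get_yaml_ssh_key "$facts" ecdsa)" || exit 1

    # SSH ports: the hiera value looks like "[22, 2222]" ("nil" when
    # unset).  Brackets and commas are replaced by spaces, not removed,
    # so "[22,2222]" also splits into two ports instead of one number.
    host_aliases=""
    ports="$(hydra_hiera_query "$node" sshd::ports)"
    if [ "$ports" != "nil" ] && [ -n "$ports" ]; then
      ports="$(printf '%s' "$ports" | sed -e 's/[][,]/ /g')"
      for port in $ports; do
        if [ -z "$host_aliases" ]; then
          host_aliases="'[${node}]:${port}'"
        else
          host_aliases="$host_aliases, '[${node}]:${port}'"
        fi
      done
    fi

    if [ -n "$rsakey" ]; then
      hydractl_emit_sshkey "$out" "$node" 'ssh-rsa' "$rsakey" "$host_aliases"
    fi

    # The ed25519 and ecdsa keys get their own resource title and list the
    # node itself among the aliases.  In the past that was not possible
    # due to the following issue:
    # [PUP-6589] Resource Type sshkey doesn't allow the declaration of
    # multiple SSH host keys for one host
    # https://tickets.puppetlabs.com/browse/PUP-6589
    # https://puppet.com/docs/puppet/5.5/types/sshkey.html
    if [ -n "$host_aliases" ]; then
      alt_aliases="$node, $host_aliases"
    else
      alt_aliases="$node"
    fi
    if [ -n "$ed25519key" ]; then
      hydractl_emit_sshkey "$out" "sshed25519key-${node}" 'ssh-ed25519' "$ed25519key" "$alt_aliases"
    fi
    if [ -n "$ecdsakey" ]; then
      hydractl_emit_sshkey "$out" "sshecdsakey-${node}" 'ecdsa-sha2-nistp256' "$ecdsakey" "$alt_aliases"
    fi
  done
}

# Load
: "${APP_BASE:?APP_BASE must point to the hydra installation}"
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load
: "${HYDRA_FOLDER:?HYDRA_FOLDER is not set; is the hydra config loaded?}"
: "${HYDRA:?HYDRA (the hydra instance name) must be set}"

# Config
CONFIG="$HYDRA_FOLDER/puppet/config/compiled.yaml"
# An unavailable node list must not silently compile an empty config.
NODES="$(hydra "$HYDRA" nodes)" || die "error: could not list nodes for $HYDRA"
FACTS="$HYDRA_FOLDER/puppet/config/facts"
KEYS="$HYDRA_FOLDER/keyring/keys/nodes"

echo "Starting a fresh compiled config..."
mkdir -p "$(dirname "$CONFIG")" || die "error: cannot create $(dirname "$CONFIG")"

# Assemble everything in a temporary file next to the target; the trap
# removes it on any exit path, including the die/exit calls above.
TMP_CONFIG="$(mktemp "$CONFIG.XXXXXX")" || die "error: cannot create temporary file for $CONFIG"
trap 'rm -f -- "$TMP_CONFIG"' EXIT

{
  echo "---"
  echo "#"
  echo "# Compiled configuration."
  echo "# Do not edit this file. Use 'hydra $HYDRA compile' instead."
  echo "#"
} > "$TMP_CONFIG"

# Per-node configuration
hydractl_compile_authorized_keys "$TMP_CONFIG"

echo "Compiling data from collected facts..."

# SSH known_hosts
hydractl_compile_known_hosts "$TMP_CONFIG"

# Publish through a plain redirection so a pre-existing compiled.yaml
# keeps its mode and a new one is created under the umask, exactly as
# the previous incremental writes did (mktemp's file is mode 0600).
cat -- "$TMP_CONFIG" > "$CONFIG" || die "error: cannot write $CONFIG"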