authorSilvio Rhatto <rhatto@riseup.net>2013-04-11 16:06:29 -0300
committerSilvio Rhatto <rhatto@riseup.net>2013-04-11 16:06:29 -0300
commit6f7a28d95e447f7368459de4f998d9d1d8c4f961 (patch)
treebf27b07f50097b1737f900a4d7ce17150cd42278
parentdf2965f98da233fdefa44b23bb8c90ab1bb6098f (diff)
Adding code to manage ssh host identification, but not enabled by default
-rw-r--r--manifests/instance.pp71
1 files changed, 69 insertions, 2 deletions
diff --git a/manifests/instance.pp b/manifests/instance.pp
index ac8618a..a8d3e4e 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -1,7 +1,7 @@
define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false,
$adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki',
$account_creation_password = false, $add_plugins = false, $disable_plugins = false,
- $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$name") {
+ $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$name", $ssh_localhost_auth = false) {
$desc = $description ? {
false => $title,
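Review bot: `$ssh_localhost_auth` is added to the define's signature without saying what it accepts; the selectors further down in this file match the strings 'auto' and 'fingerprint', which a caller cannot guess from the default `false`, and the commit message only says the feature is off by default. I would add a header comment above the `define` such as `# $ssh_localhost_auth: false (leave host-key checking untouched), 'auto' (set NoHostAuthenticationForLocalhost in the user's ssh config), 'fingerprint' (pin this node's own host keys in the user's known_hosts)`. The define's body continues outside this hunk.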
@@ -25,7 +25,6 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
refreshonly => true,
}
- # TODO: shall we add NoHostAuthenticationForLocalhost in the user ssh config?
exec { "ssh-keygen-ikiwiki-${name}_${instance}":
command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/id_rsa",
creates => "${home}/.ssh/id_rsa",
@@ -62,6 +61,74 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
group => $group,
mode => 0700,
}
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ 'default' => absent,
+ },
+ }
+
+ # Alternativelly, you can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
}
if !defined(File["${ikiwiki::sites_folder}/${name}"]) {
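Review bot: The ECDSA entry, `line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}"`, interpolates `$::sshedsakey`, a typo for the `$::sshecdsakey` fact that the enclosing `if` tests, so in 'fingerprint' mode it writes a known_hosts line with no key material and the host-key check still fails for ECDSA (the fixed `ecdsa-sha2-nistp256` type also assumes a P-256 host key, which the fact does not guarantee). Two further problems affect every `line` resource in the block: the titles are single-quoted (`'known_hosts-localhost-rsa-${owner}'`), which Puppet does not interpolate, so a second instance with a different owner on the same node is a duplicate resource declaration; and `'default'` in the selectors is a string literal rather than the bare `default` keyword, so the shipped default `$ssh_localhost_auth = false` matches no case and, as far as I can tell, fails catalog compilation with "No matching value for selector param" instead of being "not enabled by default". The `ensure => undef` on the known_hosts entries also hands control to the `line` define's own default, which in the usual common-module implementation is present, so fingerprints are probably written even in 'auto' mode; confirm that, and use `absent` if removal is what you want. Since `NoHostAuthenticationForLocalhost yes` switches off host-key verification for loopback connections entirely, I would extend the comment above it with `# Security: 'auto' skips host-key checks for localhost; prefer 'fingerprint', which pins this node's own keys from facter.`
```puppet
  line { "NoHostAuthenticationForLocalhost-${owner}":
    file   => "${home}/.ssh/config",
    line   => "NoHostAuthenticationForLocalhost yes",
    ensure => $ssh_localhost_auth ? {
      'auto'  => present,
      default => absent,
    },
  }

  # … unchanged: rsa and dsa known_hosts entries, with double-quoted titles and a bare `default` case as below …

  if $::sshecdsakey != '' {
    line { "known_hosts-localhost-ecdsa-${owner}":
      file   => "${home}/.ssh/known_hosts",
      line   => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",
      ensure => $ssh_localhost_auth ? {
        'fingerprint' => present,
        default       => undef,
      },
    }
  }
```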