-rw-r--r-- | manifests/instance.pp | 71 |
1 files changed, 69 insertions, 2 deletions
diff --git a/manifests/instance.pp b/manifests/instance.pp
index ac8618a..a8d3e4e 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -1,7 +1,7 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false, $adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki', $account_creation_password = false, $add_plugins = false, $disable_plugins = false,
- $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$name") {
+ $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$name", $ssh_localhost_auth = false) {
 $desc = $description ? { false => $title,
@@ -25,7 +25,6 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 refreshonly => true, }
- # TODO: shall we add NoHostAuthenticationForLocalhost in the user ssh config?
 exec { "ssh-keygen-ikiwiki-${name}_${instance}": command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/id_rsa", creates => "${home}/.ssh/id_rsa",
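Review bot: The new parameter's default `false` matches none of the arms of the selectors that consume it in the later hunk (`'auto'`, `'fingerprint'`, `'default'`), and as far as I can tell a quoted `'default'` in a Puppet selector is an ordinary string rather than the catch-all keyword, so compiling an instance that leaves `$ssh_localhost_auth` unset should fail with a "No matching value for selector" error. Either write the catch-all arms in that hunk as bare `default => absent` / `default => undef`, or default the parameter to `'default'` here. The accepted values are also undocumented at the signature; a comment above the define such as `# $ssh_localhost_auth: 'auto' sets NoHostAuthenticationForLocalhost in ~/.ssh/config, 'fingerprint' pins this host's own keys in ~/.ssh/known_hosts, anything else leaves both mechanisms off` would make the contract visible once the catch-all is fixed.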
@@ -62,6 +61,74 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 group => $group, mode => 0700, }
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ 'default' => absent,
+ },
+ }
+
+ # Alternativelly, you can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
 } if !defined(File["${ikiwiki::sites_folder}/${name}"]) { |
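Review bot: The ECDSA known_hosts entry interpolates `${::sshedsakey}`, which is not the fact the enclosing `if $::sshecdsakey != ''` tests, so in 'fingerprint' mode the written line is `localhost ecdsa-sha2-nistp256 ` with an empty key (or a compile error where unknown variables are fatal) and the host's ECDSA key is never actually pinned; it should read `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The four `line` resource titles are single-quoted (`'NoHostAuthenticationForLocalhost-${owner}'`, `'known_hosts-localhost-rsa-${owner}'` and the dsa/ecdsa ones), so `${owner}` stays literal and a second ikiwiki::instance on the same node would fail with a duplicate declaration; double-quote them. The `'auto' => undef` arms hand the known_hosts entries to whatever default `ensure` the `line` define has, which is outside this diff — if that default is present, 'auto' mode pins the keys in addition to disabling localhost host authentication, so `absent` looks like the intended value. The comment also has two typos, "Alternativelly" and "fingeprints".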