From 4be9af9b63ef9abaa3bb835e8d271495f1c936bc Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 11 Apr 2013 17:51:27 -0300
Subject: Major cleanup
---
manifests/auth.pp | 70 ++++++++++++++++++++++++++++++++++
manifests/instance.pp | 99 +++++++++++------------------------------------
templates/deploy.sh.erb | 2 +-
templates/refresh.sh.erb | 6 +--
4 files changed, 96 insertions(+), 81 deletions(-)
create mode 100644 manifests/auth.pp
diff --git a/manifests/auth.pp b/manifests/auth.pp
new file mode 100644
index 0000000..6bbd65b
--- /dev/null
+++ b/manifests/auth.pp
@@ -0,0 +1,70 @@
+# This has probably to be removed from this module
+define ikiwiki::auth($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+
+ # Alternativelly, you can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
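Review bot: The ECDSA known_hosts entry interpolates `${::sshedsakey}` while the guard above it tests `$::sshecdsakey`, so in 'fingerprint' mode the line written would presumably be `localhost ecdsa-sha2-nistp256 ` with no key, leaving localhost unpinned for ECDSA; it should read `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. Two quoting problems sit in the same define: the default `$home = '/home/$owner'` and the `line` titles such as `'known_hosts-localhost-rsa-${owner}'` are single-quoted, so Puppet does not interpolate `$owner` and a second declaration of the define would presumably collide on the literal titles; double quotes fix both. `$group` is used by both `file` resources but is not a parameter of `ikiwiki::auth`, so it should be added to the signature rather than left to whatever the enclosing scope provides. The comment above the `NoHostAuthenticationForLocalhost` line could also say that 'auto' turns off host key checking for localhost and that 'fingerprint' is the mode that keeps verification.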
diff --git a/manifests/instance.pp b/manifests/instance.pp index 06f3cc8..8b4e13f 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp @@ -1,13 +1,26 @@ -define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false, - $adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki', - $account_creation_password = false, $add_plugins = false, $disable_plugins = false, - $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$owner", $ssh_localhost_auth = false) { +define ikiwiki::instance( + $ensure = 'present', + $base_url = $domain, + $description = false, + $adminuser = 'yourname', + $adminemail = 'me@example.org', + $account_creation_password = false, + $add_plugins = false, + $disable_plugins = false, + $protocol = 'https', + $owner = $name, + $group = $name, + $home = "/home/$owner" +) { $desc = $description ? { false => $title, default => $description, } + # This was previously a parameter + $instance = 'ikiwiki' + case $ensure { 'present': { file { "/etc/ikiwiki/$name.setup": @@ -16,16 +29,16 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description owner => root, group => $group, mode => 640, - notify => Exec["ikiwiki_refresh_${name}_${instance}"], + notify => Exec["ikiwiki_refresh_${name}"], } - exec { "ikiwiki_refresh_${name}_${instance}": - command => "/usr/local/sbin/ikiwiki-refresh $name $instance $owner $group", + exec { "ikiwiki_refresh_${name}": + command => "/usr/local/sbin/ikiwiki-refresh $name $owner $group", user => root, refreshonly => true, } - exec { "ssh-keygen-ikiwiki-${name}_${instance}": + exec { "ssh-keygen-ikiwiki-${owner}": command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/id_rsa", creates => "${home}/.ssh/id_rsa", user => $owner, 
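Review bot: With `$ssh_localhost_auth` dropped from the signature and nothing in the visible hunks of instance.pp declaring `ikiwiki::auth`, the per-user `.ssh/config` and `known_hosts` handling now depends on every caller declaring the new define themselves, and any existing declaration that still passes `ssh_localhost_auth` or `instance` will be rejected as an invalid parameter. A header comment on the define would make that explicit, for example `# SSH client settings for the wiki user moved to ikiwiki::auth; declare it separately.` Separately, the key-generation exec is now titled `"ssh-keygen-ikiwiki-${owner}"`, so two instances that share an `$owner` would declare the same Exec; if shared owners are meant to be supported, a guard like the `if !defined(...)` used for the sites folder later in this file would be needed. The define's body continues beyond this hunk.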
@@ -39,7 +52,7 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description owner => $owner, group => $group, recurse => true, - notify => Exec["ikiwiki_refresh_${name}_${instance}"], + notify => Exec["ikiwiki_refresh_${name}"], require => File["${ikiwiki::sites_folder}/${name}"], } } 
@@ -61,74 +74,6 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description group => $group, mode => 0700, } - - file { "${home}/.ssh/config": - ensure => present, - owner => $owner, - group => $group, - mode => 0600, - require => File["${home}/.ssh"], - } - - file { "${home}/.ssh/known_hosts": - ensure => present, - owner => $owner, - group => $group, - mode => 0600, - require => File["${home}/.ssh"], - } - - # The NoHostAuthenticationForLocalhost ssh option might be useful - # for automated deployment environments so your ikiwiki user doesn't - # get stuck with the fingerprint confirmation prompt when pushing - # content via ssh in the first time it runs. - line { 'NoHostAuthenticationForLocalhost-${owner}': - file => "${home}/.ssh/config", - line => "NoHostAuthenticationForLocalhost yes", - ensure => $ssh_localhost_auth ? { - 'auto' => present, - 'fingerprint' => absent, - default => absent, - }, - } - - # Alternativelly, you can choose to include the host's fingeprints - # directly into the known_hosts file. - if $::sshrsakey != '' { - line { 'known_hosts-localhost-rsa-${owner}': - file => "${home}/.ssh/known_hosts", - line => "localhost ssh-rsa ${::sshrsakey}", - ensure => $ssh_localhost_auth ? { - 'fingerprint' => present, - 'auto' => undef, - default => undef, - }, - } - } - - if $::sshdsakey != '' { - line { 'known_hosts-localhost-dsa-${owner}': - file => "${home}/.ssh/known_hosts", - line => "localhost ssh-dss ${::sshdsakey}", - ensure => $ssh_localhost_auth ? { - 'fingerprint' => present, - 'auto' => undef, - default => undef, - }, - } - } - - if $::sshecdsakey != '' { - line { 'known_hosts-localhost-ecdsa-${owner}': - file => "${home}/.ssh/known_hosts", - line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}", - ensure => $ssh_localhost_auth ? { - 'fingerprint' => present, - 'auto' => undef, - default => undef, - }, - } - } } if !defined(File["${ikiwiki::sites_folder}/${name}"]) { 
diff --git a/templates/deploy.sh.erb b/templates/deploy.sh.erb index 34064d7..61fd2d5 100644 --- a/templates/deploy.sh.erb +++ b/templates/deploy.sh.erb @@ -1,7 +1,7 @@ #!/bin/bash NAME="$1" -INSTANCE="$2" +INSTANCE="ikiwiki" BASE="<%= scope.lookupvar('ikiwiki::sites_folder') %>" SITE=$BASE/$NAME CONF="/etc/ikiwiki" diff --git a/templates/refresh.sh.erb b/templates/refresh.sh.erb index d7b7502..92c42ca 100644 --- a/templates/refresh.sh.erb +++ b/templates/refresh.sh.erb @@ -1,12 +1,12 @@ #!/bin/bash NAME="$1" -INSTANCE="$2" -WEB_OWNER="$3" -WEB_GROUP="$4" +WEB_OWNER="$2" +WEB_GROUP="$3" BASE="<%= scope.lookupvar('ikiwiki::sites_folder') %>" SITE="$BASE/$NAME" CONF="/etc/ikiwiki" +INSTANCE="ikiwiki" REPO_OWNER="<%= scope.lookupvar('ikiwiki::git_implementation') %>" REPO_GROUP="<%= scope.lookupvar('ikiwiki::git_implementation') %>" REPO="/var/git/repositories/$NAME.git" -- cgit v1.2.3
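Review bot: In refresh.sh.erb the positional arguments shift (`WEB_OWNER` moves from `$3` to `$2`, `WEB_GROUP` from `$4` to `$3`) with no check on the argument count, and this is presumably the script that the exec in instance.pp runs as root as `/usr/local/sbin/ikiwiki-refresh`. A caller still using the old four-argument form would silently get the instance name as owner and the old owner as group. A guard right after the shebang would turn that into an error, e.g. `[ "$#" -eq 3 ] || { echo "usage: $0 name owner group" >&2; exit 1; }`. The rest of the script is outside this hunk, so how `WEB_OWNER` and `WEB_GROUP` are used afterwards is not visible.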