aboutsummaryrefslogtreecommitdiff
path: root/manifests/subsystem/ssh
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2015-09-11 21:16:42 -0300
committerSilvio Rhatto <rhatto@riseup.net>2015-09-11 21:16:42 -0300
commit76ec4642be1a8bc64380c077a5890c4d0f4243e0 (patch)
treee31930271b7eefb3c3d693264e012e8ff45832ae /manifests/subsystem/ssh
parent6509060a791daeeee13c40f9367489ac5e00880e (diff)
downloadpuppet-nodo-76ec4642be1a8bc64380c077a5890c4d0f4243e0.tar.gz
puppet-nodo-76ec4642be1a8bc64380c077a5890c4d0f4243e0.tar.bz2
Autoload definitions
Diffstat (limited to 'manifests/subsystem/ssh')
-rw-r--r--manifests/subsystem/ssh/config.pp35
-rw-r--r--manifests/subsystem/ssh/create_key.pp20
-rw-r--r--manifests/subsystem/ssh/folder.pp16
-rw-r--r--manifests/subsystem/ssh/known_hosts.pp58
-rw-r--r--manifests/subsystem/ssh/local_key.pp43
5 files changed, 172 insertions, 0 deletions
diff --git a/manifests/subsystem/ssh/config.pp b/manifests/subsystem/ssh/config.pp
new file mode 100644
index 0000000..6c9fbc3
--- /dev/null
+++ b/manifests/subsystem/ssh/config.pp
@@ -0,0 +1,35 @@
+# Manage ssh config for a particular user
+define nodo::subsystem::ssh::config(
+ $owner,
+ $group,
+ $home = '/home/$owner',
+ $ssh_localhost_auth = false
+) {
+ nodo::subsystem::ssh::folder { "ssh-config-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+}
diff --git a/manifests/subsystem/ssh/create_key.pp b/manifests/subsystem/ssh/create_key.pp
new file mode 100644
index 0000000..881ddda
--- /dev/null
+++ b/manifests/subsystem/ssh/create_key.pp
@@ -0,0 +1,20 @@
+define nodo::subsystem::ssh::create_key(
+ $owner,
+ $group,
+ $keyfile = 'id_rsa',
+ $home = '/home/$owner'
+) {
+ nodo::subsystem::ssh::folder { "ssh_create_key-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ exec { "ssh-keygen-${owner}":
+ command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+ creates => "${home}/.ssh/${keyfile}",
+ user => $owner,
+ group => $group,
+ require => File["${home}/.ssh"],
+ }
+}
diff --git a/manifests/subsystem/ssh/folder.pp b/manifests/subsystem/ssh/folder.pp
new file mode 100644
index 0000000..462f8fb
--- /dev/null
+++ b/manifests/subsystem/ssh/folder.pp
@@ -0,0 +1,16 @@
+# Manage a ssh folder
+define nodo:subsystem::ssh::folder(
+ $home,
+ $owner,
+ $group,
+ $ensure = 'directory',
+) {
+ if !defined(File["${home}/.ssh"]) {
+ file { "${home}/.ssh":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0700,
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh/known_hosts.pp b/manifests/subsystem/ssh/known_hosts.pp
new file mode 100644
index 0000000..c20b973
--- /dev/null
+++ b/manifests/subsystem/ssh/known_hosts.pp
@@ -0,0 +1,58 @@
+# Manage known_hosts for a particular user
+define nodo::subsystem::ssh::known_host(
+ $owner,
+ $home = '/home/$owner',
+ $ssh_localhost_auth = false
+) {
+ nodo::subsystem::ssh::folder { "ssh_known_host-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # You can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh/local_key.pp b/manifests/subsystem/ssh/local_key.pp
new file mode 100644
index 0000000..f311ea3
--- /dev/null
+++ b/manifests/subsystem/ssh/local_key.pp
@@ -0,0 +1,43 @@
+# Manage local ssh keys
+define nodo::subsystem::ssh::local_key(
+ $owner = $name,
+ $group = $name,
+ $home = "/home/${owner}",
+ $source = "puppet:///ssh/${name}_id_rsa",
+ $dest = 'id_rsa',
+ $ensure = 'present',
+) {
+ nodo::subsystem::ssh::folder { "ssh_local_key-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ ensure => $ensure ? {
+ 'present' => 'directory',
+ default => 'absent',
+ },
+ }
+
+ file { "${home}/.ssh/${dest}":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0400,
+ source => $ensure ? {
+ 'present' => $source,
+ default => undef,
+ },
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/${dest}.pub":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0400,
+ source => $ensure ? {
+ 'present' => "${source}.pub",
+ default => undef,
+ },
+ require => File["${home}/.ssh"],
+ }
+}