-rw-r--r--manifests/init.pp1
-rw-r--r--manifests/subsystems/ssh.pp101
2 files changed, 102 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 8eb4ff0..c17a739 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -108,6 +108,7 @@ import "subsystems/mount.pp"
import "subsystems/monitor.pp"
import "subsystems/fstab.pp"
import "subsystems/crypttab.pp"
+import "subsystems/ssh.pp"
import "subsystems/utils.pp"
import "subsystems/utils/debian.pp"
import "subsystems/utils/desktop.pp"
diff --git a/manifests/subsystems/ssh.pp b/manifests/subsystems/ssh.pp
new file mode 100644
index 0000000..f15931d
--- /dev/null
+++ b/manifests/subsystems/ssh.pp
@@ -0,0 +1,101 @@
+# Base class
+class ssh_folder {
+ if !defined(File["${home}/.ssh"]) {
+ file { "${home}/.ssh":
+ ensure => directory,
+ owner => $owner,
+ group => $group,
+ mode => 0700,
+ }
+ }
+}
+
+# Manage ssh config for a particular user
+define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ include ssh_folder
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+}
+
+# Manage known_hosts for a particular user
+define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ include ssh_folder
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # You can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
+
+define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') {
+ include ssh_folder
+
+ exec { "ssh-keygen-${owner}":
+ command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+ creates => "${home}/.ssh/${keyfile}",
+ user => $owner,
+ group => $group,
+ require => File["${home}/.ssh"],
+ }
+}
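Review bot: The ecdsa branch of `ssh_known_host` interpolates `${::sshedsakey}`, which is not the fact tested on the surrounding `if $::sshecdsakey != ''` guard, so the managed line becomes `localhost ecdsa-sha2-nistp256 ` with an empty key and the host entry never verifies; the line should read `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The same hunk has a second class of quoting defects: the `$home = '/home/$owner'` defaults in `ssh_config`, `ssh_known_host` and `ssh_create_key` and the `line { 'NoHostAuthenticationForLocalhost-${owner}': …}` / `'known_hosts-localhost-*-${owner}'` titles are single-quoted, so nothing interpolates — the default home is the literal path `/home/$owner`, and declaring these defines for a second user is a duplicate-resource error; use `$home = "/home/${owner}"` and double-quoted titles. `ssh_config`, `ssh_known_host` and class `ssh_folder` also read `$group` (and `$owner`/`$home` in the class) without declaring them as parameters, so the owner/group/0700 of `~/.ssh` depends on dynamic scope from whichever caller happens to include the class first; these should be explicit parameters, as `ssh_create_key` already does for `$group`. Finally, since `ssh-keygen -P ''` intentionally writes a passphrase-less private key and the `exec` command is assembled by interpolating `$home` and `$keyfile` into a shell string, a short comment stating that both values must come from trusted manifest data, plus an anchored validation of `$keyfile` before the `exec`, would document the trust boundary.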