-rw-r--r-- | manifests/init.pp | 1 | ||||
-rw-r--r-- | manifests/subsystems/ssh.pp | 101 |
2 files changed, 102 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 8eb4ff0..c17a739 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -108,6 +108,7 @@ import "subsystems/mount.pp"
 import "subsystems/monitor.pp"
 import "subsystems/fstab.pp"
 import "subsystems/crypttab.pp"
+import "subsystems/ssh.pp"
 import "subsystems/utils.pp"
 import "subsystems/utils/debian.pp"
 import "subsystems/utils/desktop.pp"
diff --git a/manifests/subsystems/ssh.pp b/manifests/subsystems/ssh.pp
new file mode 100644
index 0000000..f15931d
--- /dev/null
+++ b/manifests/subsystems/ssh.pp
@@ -0,0 +1,101 @@
+# Base class
+class ssh_folder {
+ if !defined(File["${home}/.ssh"]) {
+ file { "${home}/.ssh":
+ ensure => directory,
+ owner => $owner,
+ group => $group,
+ mode => 0700,
+ }
+ }
+}
+
+# Manage ssh config for a particular user
+define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ include ssh_folder
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+}
+
+# Manage known_hosts for a particular user
+define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+ include ssh_folder
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # You can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
+
+define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') {
+ include ssh_folder
+
+ exec { "ssh-keygen-${owner}":
+ command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+ creates => "${home}/.ssh/${keyfile}",
+ user => $owner,
+ group => $group,
+ require => File["${home}/.ssh"],
+ }
+}
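Review bot: The `$home` defaults on `ssh_config`, `ssh_known_host` and `ssh_create_key` are single-quoted, so `$owner` is not interpolated and every per-user path becomes the literal `/home/$owner`; they should read `$home = "/home/${owner}"`. The same quoting problem affects the `line` resource titles (`'NoHostAuthenticationForLocalhost-${owner}'`, `'known_hosts-localhost-*-${owner}'`), which therefore collide as duplicate declarations the second time a define is used for another user. The ecdsa entry interpolates `${::sshedsakey}` instead of `${::sshecdsakey}`, leaving a `localhost ecdsa-sha2-nistp256 ` line with no key in known_hosts. `ssh_config` and `ssh_known_host` also pass `$group` to their `file` resources without declaring it as a parameter, and `ssh_folder` reads `$home`/`$owner`/`$group` from the including scope while being included only once, so it looks like only the first caller's `.ssh` directory would be managed — worth confirming against the Puppet version in use.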