Adding misc ssh definitions
authorSilvio Rhatto <rhatto@riseup.net>
Fri, 12 Apr 2013 00:55:00 +0000 (21:55 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Fri, 12 Apr 2013 00:55:00 +0000 (21:55 -0300)
manifests/init.pp
manifests/subsystems/ssh.pp [new file with mode: 0644]

index 8eb4ff03827ff7ef38ced851620f93b1e0e4b59e..c17a7399495c3dfc8b9bf9c498624861fefcb5d8 100644 (file)
@@ -108,6 +108,7 @@ import "subsystems/mount.pp"
 import "subsystems/monitor.pp"
 import "subsystems/fstab.pp"
 import "subsystems/crypttab.pp"
+import "subsystems/ssh.pp"
 import "subsystems/utils.pp"
 import "subsystems/utils/debian.pp"
 import "subsystems/utils/desktop.pp"
diff --git a/manifests/subsystems/ssh.pp b/manifests/subsystems/ssh.pp
new file mode 100644 (file)
index 0000000..f15931d
--- /dev/null
@@ -0,0 +1,101 @@
+# Base class
+class ssh_folder {
+  if !defined(File["${home}/.ssh"]) {
+    file { "${home}/.ssh":
+      ensure  => directory,
+      owner   => $owner,
+      group   => $group,
+      mode    => 0700,
+    }
+  }
+}
+
+# Manage ssh config for a particular user
+define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+  include ssh_folder
+
+  file { "${home}/.ssh/config":
+    ensure  => present,
+    owner   => $owner,
+    group   => $group,
+    mode    => 0600,
+    require => File["${home}/.ssh"],
+  }
+
+  # The NoHostAuthenticationForLocalhost ssh option might be useful
+  # for automated deployment environments so your ikiwiki user doesn't
+  # get stuck with the fingerprint confirmation prompt when pushing
+  # content via ssh in the first time it runs.
+  line { 'NoHostAuthenticationForLocalhost-${owner}':
+    file   => "${home}/.ssh/config",
+    line   => "NoHostAuthenticationForLocalhost yes",
+    ensure => $ssh_localhost_auth ? {
+      'auto'        => present,
+      'fingerprint' => absent,
+      default       => absent,
+    },
+  }
+}
+
+# Manage known_hosts for a particular user
+define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) {
+  include ssh_folder
+
+  file { "${home}/.ssh/known_hosts":
+    ensure  => present,
+    owner   => $owner,
+    group   => $group,
+    mode    => 0600,
+    require => File["${home}/.ssh"],
+  }
+
+  # You can choose to include the host's fingeprints
+  # directly into the known_hosts file.
+  if $::sshrsakey != '' {
+    line { 'known_hosts-localhost-rsa-${owner}':
+      file   => "${home}/.ssh/known_hosts",
+      line   => "localhost ssh-rsa ${::sshrsakey}",
+      ensure => $ssh_localhost_auth ? {
+        'fingerprint' => present,
+        'auto'        => undef,
+        default       => undef,
+      },
+    }
+  }
+
+  if $::sshdsakey != '' {
+    line { 'known_hosts-localhost-dsa-${owner}':
+      file   => "${home}/.ssh/known_hosts",
+      line   => "localhost ssh-dss ${::sshdsakey}",
+      ensure => $ssh_localhost_auth ? {
+        'fingerprint' => present,
+        'auto'        => undef,
+        default       => undef,
+      },
+    }
+  }
+
+  if $::sshecdsakey != '' {
+    line { 'known_hosts-localhost-ecdsa-${owner}':
+      file   => "${home}/.ssh/known_hosts",
+      line   => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+      ensure => $ssh_localhost_auth ? {
+        'fingerprint' => present,
+        'auto'        => undef,
+        default       => undef,
+      },
+    }
+  }
+}
+
+define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') {
+  include ssh_folder
+
+  exec { "ssh-keygen-${owner}":
+    command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+    creates => "${home}/.ssh/${keyfile}",
+    user    => $owner,
+    group   => $group,
+    require => File["${home}/.ssh"],
+  }
+}
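Review bot: The ecdsa known_hosts entry interpolates `${::sshedsakey}`, a typo for `$::sshecdsakey` (the fact the enclosing `if` actually tests), so the managed line would most likely be written as `localhost ecdsa-sha2-nistp256 ` with no key material; change it to `line   => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. Several strings that are meant to interpolate are single-quoted and therefore stay literal: the `$home = '/home/$owner'` defaults in ssh_config, ssh_known_host and ssh_create_key, and the `line` titles such as `'NoHostAuthenticationForLocalhost-${owner}'`, which gives every user the same resource title so the second declaration fails as a duplicate — use `"/home/${owner}"` and `"NoHostAuthenticationForLocalhost-${owner}"`. ssh_config and ssh_known_host also read `$group` without declaring it as a parameter the way ssh_create_key does, and the `ssh-keygen` exec has neither a fully qualified command nor a `path` attribute, so Puppet will refuse to run it. Because ssh_folder is a class that takes `$home`, `$owner` and `$group` from whichever define includes it first, only that first user's `.ssh` directory is managed; a define keyed on the user (or one that receives the path) would cover every caller. It would help readers to comment on ssh_config that `NoHostAuthenticationForLocalhost yes` turns off host-key verification for localhost connections, and on ssh_create_key that `-P ''` produces an unencrypted private key, so callers know what they are opting into.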