Add pulling keys from other pillar.
Example pillar:
ssh_keys:
id_rsa:
privkey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY
U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy
B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+
GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI
-----END RSA PRIVATE KEY-----
pubkey: |
ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
This commit is contained in:
Alex Ciobica
parent
fffad7d07a
commit
031d6ce81f
@ -23,9 +23,15 @@ users:
|
|||||||
groups:
|
groups:
|
||||||
- users
|
- users
|
||||||
ssh_key_type: rsa
|
ssh_key_type: rsa
|
||||||
|
# You can inline the private keys ...
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
privkey: PRIVATEKEY
|
privkey: PRIVATEKEY
|
||||||
pubkey: PUBLICKEY
|
pubkey: PUBLICKEY
|
||||||
|
# ... or you can pull them from a different pillar,
|
||||||
|
# for example one called "ssh_keys":
|
||||||
|
ssh_keys_pillar:
|
||||||
|
id_rsa: "ssh_keys"
|
||||||
|
another_key_pair: "ssh_keys"
|
||||||
ssh_auth:
|
ssh_auth:
|
||||||
- PUBLICKEY
|
- PUBLICKEY
|
||||||
ssh_auth.absent:
|
ssh_auth.absent:
|
||||||
|
|||||||
@ -166,6 +166,23 @@ ssh_auth_{{ name }}_{{ loop.index0 }}:
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if 'ssh_keys_pillar' in user %}
|
||||||
|
{% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %}
|
||||||
|
ssh_keys_files_{{ name }}_{{ key_name }}_pub:
|
||||||
|
file.managed:
|
||||||
|
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
|
||||||
|
}}.pub
|
||||||
|
- contents: |
|
||||||
|
{{ pillar[pillar_name][key_name]['pubkey'] }}
|
||||||
|
ssh_keys_files_{{ name }}_{{ key_name }}_priv:
|
||||||
|
file.managed:
|
||||||
|
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
|
||||||
|
}}
|
||||||
|
- contents: |
|
||||||
|
{{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if 'ssh_auth_sources' in user %}
|
{% if 'ssh_auth_sources' in user %}
|
||||||
{% for pubkey_file in user['ssh_auth_sources'] %}
|
{% for pubkey_file in user['ssh_auth_sources'] %}
|
||||||
ssh_auth_source_{{ name }}_{{ loop.index0 }}:
|
ssh_auth_source_{{ name }}_{{ loop.index0 }}:
|
||||||
@ -196,7 +213,7 @@ sudoer-{{ name }}:
|
|||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||||
- user: root
|
- user: root
|
||||||
- group: {{ users.root_group }}
|
- group: {{ users.root_group }}
|
||||||
- mode: '0440'
|
- mode: '0440'
|
||||||
{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
|
{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
|
||||||
{% if 'sudo_rules' in user %}
|
{% if 'sudo_rules' in user %}
|
||||||
@ -205,7 +222,7 @@ sudoer-{{ name }}:
|
|||||||
cmd.run:
|
cmd.run:
|
||||||
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
|
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
|
||||||
- stateful: True
|
- stateful: True
|
||||||
- shell: {{ users.visudo_shell }}
|
- shell: {{ users.visudo_shell }}
|
||||||
- env:
|
- env:
|
||||||
# Specify the rule via an env var to avoid shell quoting issues.
|
# Specify the rule via an env var to avoid shell quoting issues.
|
||||||
- rule: "{{ name }} {{ rule }}"
|
- rule: "{{ name }} {{ rule }}"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user