diff --git a/pillar.example b/pillar.example index 9c88b56..1dc0c6c 100644 --- a/pillar.example +++ b/pillar.example @@ -23,9 +23,15 @@ users: groups: - users ssh_key_type: rsa + # You can inline the private keys ... ssh_keys: privkey: PRIVATEKEY pubkey: PUBLICKEY + # ... or you can pull them from a different pillar, + # for example one called "ssh_keys": + ssh_keys_pillar: + id_rsa: "ssh_keys" + another_key_pair: "ssh_keys" ssh_auth: - PUBLICKEY ssh_auth.absent: diff --git a/users/init.sls b/users/init.sls index 7fefed0..ec9915f 100644 --- a/users/init.sls +++ b/users/init.sls @@ -166,6 +166,23 @@ ssh_auth_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} +{% if 'ssh_keys_pillar' in user %} +{% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %} +ssh_keys_files_{{ name }}_{{ key_name }}_pub: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name + }}.pub + - contents: | + {{ pillar[pillar_name][key_name]['pubkey'] }} +ssh_keys_files_{{ name }}_{{ key_name }}_priv: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name + }} + - contents: | + {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }} +{% endfor %} +{% endif %} + {% if 'ssh_auth_sources' in user %} {% for pubkey_file in user['ssh_auth_sources'] %} ssh_auth_source_{{ name }}_{{ loop.index0 }}: @@ -196,7 +213,7 @@ sudoer-{{ name }}: file.managed: - name: {{ users.sudoers_dir }}/{{ name }} - user: root - - group: {{ users.root_group }} + - group: {{ users.root_group }} - mode: '0440' {% if 'sudo_rules' in user or 'sudo_defaults' in user %} {% if 'sudo_rules' in user %} @@ -205,7 +222,7 @@ sudoer-{{ name }}: cmd.run: - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' - stateful: True - - shell: {{ users.visudo_shell }} + - shell: {{ users.visudo_shell }} - env: # Specify the rule via an env var to avoid shell quoting issues. - rule: "{{ name }} {{ rule }}"