From 031d6ce81f11371dfafeff32ad67ed528c0f79cd Mon Sep 17 00:00:00 2001
From: Alex Ciobica
Date: Fri, 1 May 2015 18:48:28 +0300
Subject: [PATCH] Add pulling keys from other pillar.

Example pillar:
ssh_keys:
id_rsa:
privkey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY
U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy
B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+
GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI
-----END RSA PRIVATE KEY-----
pubkey: |
ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
---
pillar.example | 6 ++++++
users/init.sls | 21 +++++++++++++++++++--
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/pillar.example b/pillar.example
index 9c88b56..1dc0c6c 100644
--- a/pillar.example
+++ b/pillar.example
@@ -23,9 +23,15 @@ users:
 groups:
 - users
 ssh_key_type: rsa
+ # You can inline the private keys ...
 ssh_keys:
 privkey: PRIVATEKEY
 pubkey: PUBLICKEY
+ # ... or you can pull them from a different pillar,
+ # for example one called "ssh_keys":
+ ssh_keys_pillar:
+ id_rsa: "ssh_keys"
+ another_key_pair: "ssh_keys"
 ssh_auth:
 - PUBLICKEY
 ssh_auth.absent:
diff --git a/users/init.sls b/users/init.sls
index 7fefed0..ec9915f 100644
--- a/users/init.sls
+++ b/users/init.sls
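Review bot: The new `ssh_keys_pillar` entry documents the indirection but not the shape the target pillar must have, so from pillar.example alone a reader cannot tell that `ssh_keys` has to contain `<key_name>: {privkey: ..., pubkey: ...}` blocks (that layout only appears in the commit message). Extend the comment above `ssh_keys_pillar`, e.g. `# The referenced pillar must contain <key_name>: {privkey: ..., pubkey: ...}`. It is also worth saying that the value is the name of a top-level pillar key, since `"ssh_keys"` here is easy to confuse with the inline `ssh_keys` mapping a few lines above.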
@@ -166,6 +166,23 @@ ssh_auth_{{ name }}_{{ loop.index0 }}:
 {% endfor %}
 {% endif %}
+{% if 'ssh_keys_pillar' in user %}
+{% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %}
+ssh_keys_files_{{ name }}_{{ key_name }}_pub:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
+ }}.pub
+ - contents: |
+ {{ pillar[pillar_name][key_name]['pubkey'] }}
+ssh_keys_files_{{ name }}_{{ key_name }}_priv:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
+ }}
+ - contents: |
+ {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
+{% endfor %}
+{% endif %}
+
 {% if 'ssh_auth_sources' in user %}
 {% for pubkey_file in user['ssh_auth_sources'] %}
 ssh_auth_source_{{ name }}_{{ loop.index0 }}:
@@ -196,7 +213,7 @@ sudoer-{{ name }}:
 file.managed:
 - name: {{ users.sudoers_dir }}/{{ name }}
 - user: root
- - group: {{ users.root_group }}
+ - group: {{ users.root_group }}
 - mode: '0440'
 {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
 {% if 'sudo_rules' in user %}
@@ -205,7 +222,7 @@ sudoer-{{ name }}:
 cmd.run:
 - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
 - stateful: True
- - shell: {{ users.visudo_shell }}
+ - shell: {{ users.visudo_shell }}
 - env:
 # Specify the rule via an env var to avoid shell quoting issues.
 - rule: "{{ name }} {{ rule }}"
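Review bot: The `_priv` file.managed state in this hunk writes a private key without `user`, `group` or `mode`, so the file is created with file.managed's defaults (root-owned and, on a typical minion, world-readable) — every local account can read the key and OpenSSH will refuse to use it until the permissions are fixed by hand; the `_pub` state has the same ownership gap. The key body will also be printed in the state diff and job return unless `show_diff: False` is set on the private-key state. I would set `user`/`group` to the account and quote the mode (`'0600'` for the private key, `'0644'` for the public one) in line with the `'0440'` already used in the sudoers state further down; the rewritten private-key state is below. Whether `~/.ssh` exists at this point depends on states outside the hunk, as does the per-user loop that binds `name` and `user`; if nothing creates the directory first, `makedirs: True` or a `require` is needed. `dict.iteritems()` on the `{% for %}` line is Python-2-only; `items()` behaves the same for this loop on both interpreters.
```jinja
ssh_keys_files_{{ name }}_{{ key_name }}_priv:
  file.managed:
    - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
      }}
    - user: {{ name }}
    - group: {{ name }}  {# assumes a per-user login group; adjust if the formula tracks a primary group elsewhere #}
    - mode: '0600'
    - show_diff: False
    - contents: |
        {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
{# … unchanged: the matching _pub state, with the same user/group and mode '0644' … #}
```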