diff --git a/pillar.example b/pillar.example
index c697889..022b3f7 100644
--- a/pillar.example
+++ b/pillar.example
@@ -51,6 +51,9 @@ users:
 # with the given keys
 ssh_auth_file:
 - PUBLICKEY
+ # ... or you can pull them from a different pillar similar to ssh_keys_pillar
+ ssh_auth_pillar:
+ id_rsa: "ssh_keys"
 # If you prefer to keep public keys as files rather
 # than inline in pillar, this works.
 ssh_auth_sources:
diff --git a/users/init.sls b/users/init.sls
index 34e7bcf..97a2d8e 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -159,17 +159,24 @@ users_user_{{ name }}_public_key:
 {% endfor %}
 {% endif %}
-{% if 'ssh_auth_file' in user %}
+{% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
 users_authorized_keys_{{ name }}:
 file.managed:
 - name: {{ home }}/.ssh/authorized_keys
 - user: {{ name }}
 - group: {{ name }}
 - mode: 600
+{% if 'ssh_auth_file' in user %}
 - contents: |
 {% for auth in user.ssh_auth_file -%}
 {{ auth }}
 {% endfor -%}
+{% else %}
+ - contents: |
+ {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
+ {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
+ {%- endfor %}
+{% endif %}
 {% endif %}
 {% if 'ssh_auth' in user %}
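Review bot: In the new `{% else %}` branch of users/init.sls, `salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '')` falls back to an empty string, so a misspelled or missing pillar entry renders a blank line and `file.managed` then overwrites `authorized_keys` with no usable key and no render error. Because this state owns the whole file, an empty lookup should be treated as a failure or at least skipped: fetch the value first with `{%- set pubkey = salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey') %}`, emit it only under `{%- if pubkey %}`, and avoid writing the file when nothing resolved. The `if`/`else` also means a user who sets both `ssh_auth_file` and `ssh_auth_pillar` silently gets only the inline keys, which the pillar.example comment does not say; either render both lists under one `contents` or document the precedence. `name`, `home` and `user` come from a loop that starts outside this hunk, so any upstream validation of `ssh_auth_pillar` is not visible here.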