From a6b1f44da9947a04c20ba87fd1ea01b22941eb3f Mon Sep 17 00:00:00 2001
From: Simon Murray
Date: Fri, 19 Sep 2014 09:54:19 +0100
Subject: [PATCH] Initial commit
---
README.md | 36 +++++++++++++++++++++
manifests/init.pp | 79 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 115 insertions(+)
create mode 100644 README.md
create mode 100644 manifests/init.pp
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..021d366
--- /dev/null
+++ b/README.md
@@ -0,0 +1,36 @@
+#datacentred-passwordless_ssh
+
+#### Table of Contents
+
+1. [Overview](#overview)
+2. [Module Description - What the module does and why it is useful](#module-description)
+3. [Usage - Configuration options and additional functionality](#usage)
+
+## Overview
+
+Sets up passwordless ssh for a given user with optional privilege escalation
+
+## Module Description
+
+Provided an existing user account this module will create the necessary directories, key files and authorize remote logins. Unfortunately due to the nature of ssh we also need to disable strict host checking for this user at present.
+
+Optionally this module allows the creation of sudo access for the remote user with full control over which accounts and applications can be accessed.
+
+## Usage
+
+To allows simple remote ssh access:
+
+ passwordless_ssh { 'cephdeploy':
+ ssh_private_key => '-----BEGIN RSA PRIVATE KEY----- ...',
+ ssh_public_key => 'AAAAB3NzaC1yc2EAAA ...',
+ }
+
+To allow remote access with sudo rights:
+
+ passwordless_ssh { 'dhcp_sync_agent':
+ ssh_private_key => '-----BEGIN RSA PRIVATE KEY----- ...',
+ ssh_public_key => 'AAAAB3NzaC1yc2EAAA ...',
+ sudo => 'true',
+ sudo_users => 'root',
+ sudo_applications => '/etc/init.d/isc-dhcp-server',
+ }
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..5e9f861
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,79 @@
+# == Define: passwordless_ssh
+#
+# Common pattern to define passwordless ssh access for a
+# particular user. Additionally allows sudo access for
+# said user if required
+#
+# === Parameters
+#
+# [*title*]
+# User account to generate the passwordless access for [Mandatory]
+#
+# [*ssh_private_key*]
+# Full private key file contents [Mandatory]
+#
+# [*ssh_public_key*]
+# Public key portion of the public key file [Mandatory]
+#
+# [*sudo*]
+# Whether the remote client needs sudo rights [Optional]
+#
+# [*sudo_host*]
+# Hosts or IPs allowed sudo access [Optional]
+#
+# [*sudo_users*]
+# User accounts that sudo allows to be accessed [Optional]
+#
+# [*sudo_applications*]
+# Applications sudo is allowed to execute [Optional]
+#
+define passwordless_ssh (
+ $ssh_private_key,
+ $ssh_public_key,
+ $sudo = false,
+ $sudo_host = 'ALL',
+ $sudo_users = 'ALL',
+ $sudo_applications = 'ALL',
+) {
+
+ File {
+ owner => $title,
+ group => $ssh_group,
+ }
+
+ file { "/home/${title}/.ssh":
+ ensure => directory,
+ mode => '0755',
+ } ->
+
+ file { "/home/${title}/.ssh/id_rsa":
+ ensure => file,
+ mode => '0400',
+ content => $ssh_private_key,
+ } ->
+
+ file { "/home/${title}/.ssh/id_rsa.pub":
+ ensure => file,
+ mode => '0644',
+ content => inline_template("ssh-rsa ${ssh_public_key} ${title}@${::fqdn}"),
+ } ->
+
+ ssh_authorized_key { "${title}@${::fqdn}":
+ user => $title,
+ type => 'ssh-rsa',
+ key => $ssh_public_key,
+ }
+
+ if $sudo {
+
+ file { "/etc/sudoers.d/${title}":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ content => inline_template("${title} ${sudo_host}=(${sudo_users}) NOPASSWD:${sudo_applications}"),
+ }
+
+ }
+
+}
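Review bot: Both `inline_template` calls (the `id_rsa.pub` content and the `/etc/sudoers.d/${title}` content) wrap strings Puppet has already interpolated, so any `<%= … %>` sequence arriving in `$ssh_public_key`, `$title`, `$sudo_users` or `$sudo_applications` (e.g. via Hiera or an ENC) is evaluated as Ruby on the master at compile time; plain double-quoted strings produce the same bytes without that exposure. `$ssh_group` in the `File { … }` resource default is never declared as a parameter or local, so the `.ssh` directory and `id_rsa` get an undefined group (and fail outright under strict variables); declare it, e.g. `$ssh_group = $title`, or drop the default. With the parameter defaults, `sudo => true` writes `user ALL=(ALL) NOPASSWD:ALL`, i.e. unrestricted passwordless root, which is worth stating in the header comment or guarding by requiring `sudo_applications` when `sudo` is set. A malformed sudoers fragment disables sudo host-wide and some sudo releases reject a fragment with no trailing newline, so end the content with `\n` and, where the Puppet version supports it, add `validate_cmd => '/usr/sbin/visudo -c -f %'`; `$title` also lands unescaped in `/home/${title}` and `/etc/sudoers.d/${title}` (sudo silently skips files whose name contains `.` or ends in `~`), so validate it against a username pattern before use.
```puppet
define passwordless_ssh (
  $ssh_private_key,
  $ssh_public_key,
  $ssh_group         = $title,  # was referenced but never declared
  $sudo              = false,
  $sudo_host         = 'ALL',
  $sudo_users        = 'ALL',
  $sudo_applications = 'ALL',
) {
  # … unchanged: File defaults, .ssh directory, id_rsa …

  file { "/home/${title}/.ssh/id_rsa.pub":
    ensure  => file,
    mode    => '0644',
    # plain string: no ERB pass over caller-supplied data
    content => "ssh-rsa ${ssh_public_key} ${title}@${::fqdn}\n",
  } ->

  # … unchanged: ssh_authorized_key …

  if $sudo {
    file { "/etc/sudoers.d/${title}":
      ensure       => file,
      owner        => 'root',
      group        => 'root',
      mode         => '0440',
      content      => "${title} ${sudo_host}=(${sudo_users}) NOPASSWD:${sudo_applications}\n",
      # reject a fragment that would break sudo before it is installed
      validate_cmd => '/usr/sbin/visudo -c -f %',
    }
  }
```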