Add users keys as authorized keys for yumrepostage

theforeman · Oct 3, 2023 · 2046338 · 2046338
1 parent a416fb2
commit 2046338
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 13 deletions.
diff --git a/puppet/modules/secure_ssh/manifests/receiver_setup.pp b/puppet/modules/secure_ssh/manifests/receiver_setup.pp
@@ -37,6 +37,7 @@
   Optional[String] $foreman_search = undef,
   Array[Stdlib::IP::Address] $allowed_ips = [],
   String $ssh_key_name = "${name}_key",
+  Array[String] $authorized_keys = [],
 ) {
   # Disable password, we want this to be keys only
   user { $user:

diff --git a/puppet/modules/secure_ssh/manifests/rsync/receiver_setup.pp b/puppet/modules/secure_ssh/manifests/rsync/receiver_setup.pp
@@ -33,16 +33,18 @@
   Optional[String] $foreman_search = undef,
   Array[Stdlib::IP::Address] $allowed_ips = [],
   String $script_content = "# Permit transfer\n\$SSH_ORIGINAL_COMMAND\n",
+  Array[String] $authorized_keys = [],
 ) {
   secure_ssh::receiver_setup { $name:
-    user           => $user,
-    groups         => $groups,
-    homedir        => $homedir,
-    homedir_mode   => $homedir_mode,
-    foreman_search => $foreman_search,
-    allowed_ips    => $allowed_ips,
-    ssh_key_name   => "rsync_${name}_key",
-    script_content => template('secure_ssh/script_rsync.erb'),
+    user            => $user,
+    groups          => $groups,
+    homedir         => $homedir,
+    homedir_mode    => $homedir_mode,
+    foreman_search  => $foreman_search,
+    allowed_ips     => $allowed_ips,
+    ssh_key_name    => "rsync_${name}_key",
+    script_content  => template('secure_ssh/script_rsync.erb'),
+    authorized_keys => $authorized_keys,
   }
 
   file { "${homedir}/rsync_cache":

diff --git a/puppet/modules/secure_ssh/templates/auth_keys.erb b/puppet/modules/secure_ssh/templates/auth_keys.erb
@@ -6,7 +6,11 @@
     # Facts hash from Foreman
     array = @ip_data['results'].values.map{|a| a.values_at('external_ip4', 'external_ip6') }.flatten.compact
   end
+  users = @authorized_keys
 -%>
 <% array.sort.each do |ip| -%>
 from="<%= ip %>",command="<%= @homedir %>/bin/secure_<%= @name %>" ssh-rsa <%= @pub_key %> <%= ip %>_secure_<%= @name %>
 <% end -%>
+<% users.sort.each do |user_key| -%>
+command="<%= @homedir %>/bin/secure_<%= @name %>" <%= user_key %>
+<% end -%>
diff --git a/puppet/modules/web/manifests/vhost/stagingyum.pp b/puppet/modules/web/manifests/vhost/stagingyum.pp
@@ -28,12 +28,17 @@
     },
   ]
 
+  $authorized_keys = flatten(['ehelms', 'evgeni', 'ekohl'].map |$name| {
+      split(file("users/${name}-authorized_keys"), "\n")
+  })
+
   secure_ssh::rsync::receiver_setup { $user:
-    user           => $user,
-    homedir        => $home,
-    homedir_mode   => '0750',
-    foreman_search => 'host ~ node*.jenkins.*.theforeman.org and (name = external_ip4 or name = external_ip6)',
-    script_content => template('web/deploy-stagingyum.sh.erb'),
+    user            => $user,
+    homedir         => $home,
+    homedir_mode    => '0750',
+    foreman_search  => 'host ~ node*.jenkins.*.theforeman.org and (name = external_ip4 or name = external_ip6)',
+    script_content  => template('web/deploy-stagingyum.sh.erb'),
+    authorized_keys => $authorized_keys,
   }
 
   web::vhost { 'stagingyum':