From 5be2a914acaf1ba940411720d110ddfd34de5cc0 Mon Sep 17 00:00:00 2001
From: Keiran Snowden
Date: Mon, 27 Nov 2023 01:42:37 -0500
Subject: [PATCH] manage restic rsa
---
 TODO                              |  1 -
 restic/init.sls                   | 19 +++++++++++++---
 salt/files/minion.jinja           |  4 ++++
 top.sls                           |  5 ++---
 users/files/authorized_keys.jinja |  1 +
 users/files/bashrc.jinja          | 11 +++------
 users/files/ssh_hosts.jinja       | 13 +++++++++--
 users/init.sls                    | 37 ++++++++++++++++++++++---------
 8 files changed, 63 insertions(+), 28 deletions(-)
 delete mode 100644 TODO
diff --git a/TODO b/TODO
deleted file mode 100644
index 3bdac5c..0000000
--- a/TODO
+++ /dev/null
@@ -1 +0,0 @@
-restic rsa keys
diff --git a/restic/init.sls b/restic/init.sls
index 5f9ccc6..f4b4232 100644
--- a/restic/init.sls
+++ b/restic/init.sls
@@ -1,9 +1,22 @@
-{% for client in salt.pillar.get("restic:server:clients", []) %}
-restic-{{ client }}:
+{% for name, minion_id in salt.pillar.get("restic:server:clients", {}).items() %}
+restic-{{ name }}:
   user.present:
-    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ name }}
     - createhome: true
     - system: true
+
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh:
+  file.directory:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 700
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh/authorized_keys:
+  file.managed:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 400
+    # TODO: we don't ensure a root rsa key exists on the minion
+    - contents: {{ salt.mine.get(minion_id, 'root_id_rsa_pub').get(minion_id, "") | yaml_encode }}
 {% endfor %}
 {% if salt.pillar.get("restic:client", None) is not none %}
diff --git a/salt/files/minion.jinja b/salt/files/minion.jinja
index cde0e2d..c3ebcad 100644
--- a/salt/files/minion.jinja
+++ b/salt/files/minion.jinja
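Review bot: The key written into each `restic-{{ name }}` user's `authorized_keys` (the `contents:` line) carries no options, so whoever holds a client's root private key gets an unrestricted login on the backup server as that user rather than sftp access to its own repository; prefix the mine value with `restrict,command="internal-sftp" ` (or set a `ForceCommand` for these users in sshd_config) and give the `user.present` a non-login `shell`. Separately, `.get(minion_id, "")` silently manages an empty `authorized_keys` when the mine has no entry yet, which the `# TODO` line above it already admits is possible; failing the state or skipping the file would make the missing-key case visible instead of producing a backup that cannot connect. The unquoted `mode: 700` / `mode: 400` values are read as integers by YAML — quoting them (`'0700'`, `'0400'`) avoids any reinterpretation and matches how modes are written elsewhere in the repo.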
@@ -9,3 +9,7 @@ log_level: warning
 grains_cache: True
 pillar_merge_lists: True
 mysql.default_file: '/root/.my.cnf'
+mine_functions:
+  root_id_rsa_pub:
+    - mine_function: file.read
+    - /root/.ssh/id_rsa.pub
diff --git a/top.sls b/top.sls
index ace14ac..72f787d 100644
--- a/top.sls
+++ b/top.sls
@@ -1,16 +1,15 @@
 {{saltenv}}:
   '*':
-    - common
     - salt
+    - common
+    - users
 {% if salt.pillar.get('restic', None) is not none %}
     - restic
 {% endif %}
   '*.keiran.us':
-    - users
     - firewall
     - resolv
   'vps47492.inmotionhosting.com':
-    - users
     - gitea
   'kpi.keiran.us':
     - icinga2
diff --git a/users/files/authorized_keys.jinja b/users/files/authorized_keys.jinja
index 06c0f34..d6fdbc7 100644
--- a/users/files/authorized_keys.jinja
+++ b/users/files/authorized_keys.jinja
@@ -1,3 +1,4 @@
+# Managed by Saltstack
 {% for comment, key in salt.pillar.get('authorized_keys')[user].items() -%}
 {{ key }} {{ comment }}
 {% endfor -%}
diff --git a/users/files/bashrc.jinja b/users/files/bashrc.jinja
index 207483d..325e9c2 100644
--- a/users/files/bashrc.jinja
+++ b/users/files/bashrc.jinja
@@ -1,5 +1,7 @@
 # If not running interactively, don't do anything
+{# code: lang=jinja-shell -#}
+# vim: et:ai:ts=4:sw=4:ft=sh
 case $- in
     *i*) ;;
       *) return;;
@@ -25,19 +27,13 @@ shopt -s checkwinsize
 if [ -x /usr/bin/dircolors ]; then
     test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
     alias ls='ls --color=auto'
-    #alias dir='dir --color=auto'
-    #alias vdir='vdir --color=auto'
-    alias grep='grep --color=auto'
-    alias fgrep='fgrep --color=auto'
-    alias egrep='egrep --color=auto'
 fi
 # some more ls aliases
 alias ll='ls -alF'
 alias la='ls -A'
 alias l='ls -CF'
-alias vi='vim'
 export EDITOR='vim'
 export VISUAL='vim'
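Review bot: The new `root_id_rsa_pub` mine function reads `/root/.ssh/id_rsa.pub` unconditionally, yet nothing in this patch creates that key, and mine data is only published on the `mine_interval` schedule or an explicit `mine.update`, so the `authorized_keys` state in restic/init.sls that consumes it via `mine.get` will see nothing until a key exists and the mine has been refreshed. That ordering dependency deserves a comment next to the entry, e.g. `# consumed by restic/init.sls via mine.get; needs an existing root key and a mine.update after it is generated`. Mine data is readable by other minions unless `mine_get` ACLs are configured on the master, so it is important that this entry stays limited to the public half of the key, as it is here.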
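Review bot: Moving `- users` under `'*'` applies users/init.sls to every minion, but that state renders `salt.pillar.get('authorized_keys').keys()` and `salt.pillar.get('sys_groups')` with no defaults (both visible as context in the users/init.sls hunks), so a minion without those pillar keys will now fail to render its highstate with a `NoneType` error. Either give those lookups defaults — `salt.pillar.get('authorized_keys', {})`, `salt.pillar.get('sys_groups', [])` — or gate `- users` behind a pillar check the way the `restic` entry just below already does.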
@@ -64,8 +60,7 @@ PATH="${PATH}:${HOME}/.local/bin"
 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
 {%- if bashrc_user is defined %}
 {%- if bashrc_user == 'root' and salt.pillar.get('restic:client', None) is not none %}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:client:repo') }}
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') }}
+source /opt/restic/env.sh
 {%- endif %}
 {%- for alias, cmd_str in salt.pillar.get("bash_aliases:{}".format(bashrc_user), {}).items() %}
 alias {{ alias }}="{{ cmd_str }}"
diff --git a/users/files/ssh_hosts.jinja b/users/files/ssh_hosts.jinja
index 291b59e..5e90b2a 100644
--- a/users/files/ssh_hosts.jinja
+++ b/users/files/ssh_hosts.jinja
@@ -1,6 +1,15 @@
-{% for host, config in salt.pillar.get('ssh_hosts')[user].items() -%}
+# Managed by Saltstack
+{%- for host, config in salt.pillar.get('ssh_hosts', {}).get(user, {}).items() %}
 Host {{ host }}
-{%- for key, val in config %}
+{%- for key, val in config.items() %}
     {{ key }} {{ val }}
 {%- endfor %}
 {%- endfor %}
+{%- if salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
+{% set user=salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY').split(':')[1] %}
+Host {{ user }}
+    HostName kpi.keiran.us
+    User {{ user }}
+    Port 9022
+    IdentityFile /root/.ssh/id_rsa
+{%- endif %}
diff --git a/users/init.sls b/users/init.sls
index 5efc480..2cd3856 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -2,11 +2,14 @@
 {% for user in salt.pillar.get('authorized_keys').keys() %}
 {% set home = '' if user == 'root' else '/home' %}
+  {% if user != 'root' %}
+  # FIXME - both config and auth keys need this and this logic is dumb
 {{ home }}/{{ user }}/.ssh:
   file.directory:
     - user: {{ user }}
     - group: {{ user }}
     - mode: 700
+  {% endif %}
 {{ home }}/{{ user }}/.ssh/authorized_keys:
   file.managed:
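Review bot: `source /opt/restic/env.sh` runs unguarded in every interactive root shell, so when the file is absent — nothing in this patch creates it; it may be managed in the client half of restic/init.sls, which lies outside the shown hunk — bash prints an error on every login; use `[ -r /opt/restic/env.sh ] && source /opt/restic/env.sh`. Taking `RESTIC_PASSWORD` out of .bashrc is the right move, but it only helps if the state that writes `/opt/restic/env.sh` gives the file root-only permissions (`mode: '0600'`); that state is not visible here, so please confirm.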
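Review bot: The new `{% set user = ... %}` rebinds the `user` variable that users/init.sls passes in through `context`, so anything added to this template after the restic block would silently see the sftp user instead of the account being rendered; rename it, e.g. `{% set sftp_user = salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY').split(':')[1] %}` with `Host {{ sftp_user }}` and `User {{ sftp_user }}`. `HostName kpi.keiran.us` and `Port 9022` are hard-coded while the user is derived from the repository string; sourcing them from pillar keeps the client usable against another backup host. For an unattended backup job this `Host` block should also pin the server's host key (`StrictHostKeyChecking yes` plus a managed `UserKnownHostsFile`) rather than rely on whatever root's default known_hosts happens to contain — the patch does not manage that, so at least a comment stating the assumption would help.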
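Review bot: The `# FIXME` comment says the logic is dumb without saying why; from the surrounding lines it looks like the real reason is that `home` is `''` for root, so this loop would emit a `/root/.ssh` state ID colliding with the separate `/root/.ssh` state this commit adds further down the file, and the guard exists only to avoid that duplicate ID. Suggest replacing it with `# root's .ssh is declared as its own state below; skip it here to avoid a duplicate /root/.ssh state ID` so the next reader knows what the eventual cleanup is. The enclosing `{% for user %}` loop continues past the end of the hunk.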
@@ -34,15 +37,25 @@
       bashrc_user: root
 {% endif %}
-#/root/.ssh/config:
-#  file.managed:
-#    - source: 'salt://ssh/files/ssh_config.jinja'
-#    - template: jinja
-#    - user: root
-#    - group: root
-#    - mode: 400
-#    - require:
-#      - file: /root/.ssh
+/root/.ssh:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+{% if salt.pillar.get("ssh_hosts:root", None) is not none or salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
+/root/.ssh/config:
+  file.managed:
+    - source: 'salt://users/files/ssh_hosts.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 400
+    - context:
+        user: root
+    - require:
+      - file: /root/.ssh
+{% endif %}
 {% for group in salt.pillar.get('sys_groups') %}
 {{ group }}:
@@ -77,14 +90,16 @@
     - user: {{ user }}_user
 {% endif %}
-{% if 'ssh_config' in data %}
+{% if salt.pillar.get('ssh_hosts', {}).get(user, None) is not none %}
 /home/{{ user }}/.ssh/config:
   file.managed:
     - source: 'salt://users/files/ssh_hosts.jinja'
-    #- contents_pillar: users:{{ user }}:ssh_config
+    - template: jinja
     - user: {{ user }}
     - group: {{ user }}
     - mode: 0400
+    - context:
+        user: keiran
     - require:
       - file: /home/{{ user }}/.ssh
 {% endif %}
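Review bot: When the `{% if %}` guard around `/root/.ssh/config` later turns false (the `ssh_hosts:root` pillar or the sftp repository is removed), the previously managed file is left behind with stale `Host` entries and an `IdentityFile`, because there is no `{% else %}` branch; add `{% else %}` / `/root/.ssh/config:` / `  file.absent` or drop the guard altogether, since ssh_hosts.jinja already handles the no-pillar case through `.get(user, {})` and its own sftp check and would simply render a header-only file. The `mode: 400` here and `mode: 0400` in the next hunk are two spellings of the same thing; pick one and quote it (`'0400'`) so YAML never reads it as an integer.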
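Review bot: `user: keiran` in the new `context:` is hard-coded while the enclosing loop variable `user` drives the path, owner and the `{% if ... .get(user, None) %}` guard two lines above, so for any other account the config would be rendered from keiran's `ssh_hosts` entry; this should be `user: {{ user }}`. The `{% for %}` loop that defines `user` starts outside the hunk. Note also that ssh_hosts.jinja appends the restic sftp `Host` block whenever the client pillar is set, regardless of which user it is rendered for, so a non-root user's config would gain a block pointing at `/root/.ssh/id_rsa`; consider checking `user == 'root'` in the template or passing an explicit flag through `context`.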