manage restic rsa

restic/init.sls

@@ -1,9 +1,22 @@
-{% for client in salt.pillar.get("restic:server:clients", []) %}
-restic-{{ client }}:
+{% for name, minion_id in salt.pillar.get("restic:server:clients", {}).items() %}
+restic-{{ name }}:
   user.present:
-    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ name }}
     - createhome: true
     - system: true
+
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh:
+  file.directory:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 700
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh/authorized_keys:
+  file.managed:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 400
+    # TODO: we don't ensure a root rsa key exists on the minion
+    - contents: {{ salt.mine.get(minion_id, 'root_id_rsa_pub').get(minion_id, "") | yaml_encode }}
 {% endfor %}
 
 {% if salt.pillar.get("restic:client", None) is not none %}