manage restic rsa

users/init.sls

@@ -2,11 +2,14 @@
 {% for user in salt.pillar.get('authorized_keys').keys() %}
   {% set home = '' if user == 'root' else '/home' %}
 
+  {% if user != 'root' %}
+  # FIXME - both config and auth keys need this and this logic is dumb
 {{ home }}/{{ user }}/.ssh:
   file.directory:
     - user: {{ user }}
     - group: {{ user }}
     - mode: 700
+  {% endif %}
 
 {{ home }}/{{ user }}/.ssh/authorized_keys:
   file.managed:
@@ -34,15 +37,25 @@
       bashrc_user: root
 {% endif %}
 
-#/root/.ssh/config:
-#  file.managed:
-#    - source: 'salt://ssh/files/ssh_config.jinja'
-#    - template: jinja
-#    - user: root
-#    - group: root
-#    - mode: 400
-#    - require:
-#      - file: /root/.ssh
+/root/.ssh:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+{% if salt.pillar.get("ssh_hosts:root", None) is not none or salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
+/root/.ssh/config:
+  file.managed:
+    - source: 'salt://users/files/ssh_hosts.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 400
+    - context:
+      user: root
+    - require:
+      - file: /root/.ssh
+{% endif %}
 
 {% for group in salt.pillar.get('sys_groups') %}
 {{ group }}:
@@ -77,14 +90,16 @@
       - user: {{ user }}_user
 {% endif %}
 
-{% if 'ssh_config' in data %}
+{% if salt.pillar.get('ssh_hosts', {}).get(user, None) is not none %}
 /home/{{ user }}/.ssh/config:
   file.managed:
     - source: 'salt://users/files/ssh_hosts.jinja'
-    #- contents_pillar: users:{{ user }}:ssh_config
+    - template: jinja
     - user: {{ user }}
     - group: {{ user }}
     - mode: 0400
+    - context:
+      user: keiran
     - require:
       - file: /home/{{ user }}/.ssh
 {% endif %}