manage restic rsa

TODO

@@ -1 +0,0 @@
-restic rsa keys

restic/init.sls

@@ -1,9 +1,22 @@
-{% for client in salt.pillar.get("restic:server:clients", []) %}
+{% for name, minion_id in salt.pillar.get("restic:server:clients", {}).items() %}
-restic-{{ client }}:
+restic-{{ name }}:
   user.present:
-    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ name }}
     - createhome: true
     - system: true
+
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh:
+  file.directory:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 700
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh/authorized_keys:
+  file.managed:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 400
+    # TODO: we don't ensure a root rsa key exists on the minion
+    - contents: {{ salt.mine.get(minion_id, 'root_id_rsa_pub').get(minion_id, "") | yaml_encode }}
 {% endfor %}
 
 {% if salt.pillar.get("restic:client", None) is not none %}

salt/files/minion.jinja

@@ -9,3 +9,7 @@ log_level: warning
 grains_cache: True
 pillar_merge_lists: True
 mysql.default_file: '/root/.my.cnf'
+mine_functions:
+  root_id_rsa_pub:
+    - mine_function: file.read
+    - /root/.ssh/id_rsa.pub

top.sls

@@ -1,16 +1,15 @@
 {{saltenv}}:
   '*':
-    - common
     - salt
+    - common
+    - users
 {% if salt.pillar.get('restic', None) is not none %}
     - restic
 {% endif %}
   '*.keiran.us':
-    - users
     - firewall
     - resolv
   'vps47492.inmotionhosting.com':
-    - users
     - gitea
   'kpi.keiran.us':
     - icinga2

users/files/authorized_keys.jinja

@@ -1,3 +1,4 @@
+# Managed by Saltstack
 {% for comment, key in salt.pillar.get('authorized_keys')[user].items() -%}
 {{ key }} {{ comment }}
 {% endfor -%}

users/files/bashrc.jinja

@@ -1,5 +1,7 @@
 
 # If not running interactively, don't do anything
+{# code: lang=jinja-shell -#}
+# vim: et:ai:ts=4:sw=4:ft=sh
 case $- in
     *i*) ;;
       *) return;;
@@ -25,19 +27,13 @@ shopt -s checkwinsize
 if [ -x /usr/bin/dircolors ]; then
     test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
     alias ls='ls --color=auto'
-    #alias dir='dir --color=auto'
-    #alias vdir='vdir --color=auto'
-
     alias grep='grep --color=auto'
-    alias fgrep='fgrep --color=auto'
-    alias egrep='egrep --color=auto'
 fi
 
 # some more ls aliases
 alias ll='ls -alF'
 alias la='ls -A'
 alias l='ls -CF'
-alias vi='vim'
 
 export EDITOR='vim'
 export VISUAL='vim'
@@ -64,8 +60,7 @@ PATH="${PATH}:${HOME}/.local/bin"
 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
 {%- if bashrc_user is defined %}
 {%-   if bashrc_user == 'root' and salt.pillar.get('restic:client', None) is not none %}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:client:repo') }}
+source /opt/restic/env.sh
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') }}
 {%-   endif %}
 {%-   for alias, cmd_str in salt.pillar.get("bash_aliases:{}".format(bashrc_user), {}).items() %}
 alias {{ alias }}="{{ cmd_str }}"

users/files/ssh_hosts.jinja

@@ -1,6 +1,15 @@
-{% for host, config in salt.pillar.get('ssh_hosts')[user].items() -%}
+# Managed by Saltstack
+{%- for host, config in salt.pillar.get('ssh_hosts', {}).get(user, {}).items() %}
 Host {{ host }}
-{%-   for key, val in config %}
+{%-   for key, val in config.items() %}
   {{ key }} {{ val }}
 {%-   endfor %}
 {%- endfor %}
+{%- if salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
+{% set user=salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY').split(':')[1] %}
+Host {{ user }}
+  HostName kpi.keiran.us
+  User {{ user }}
+  Port 9022
+  IdentityFile /root/.ssh/id_rsa
+{%- endif %}

users/init.sls

@@ -2,11 +2,14 @@
 {% for user in salt.pillar.get('authorized_keys').keys() %}
   {% set home = '' if user == 'root' else '/home' %}
 
+  {% if user != 'root' %}
+  # FIXME - both config and auth keys need this and this logic is dumb
 {{ home }}/{{ user }}/.ssh:
   file.directory:
     - user: {{ user }}
     - group: {{ user }}
     - mode: 700
+  {% endif %}
 
 {{ home }}/{{ user }}/.ssh/authorized_keys:
   file.managed:
@@ -34,15 +37,25 @@
       bashrc_user: root
 {% endif %}
 
-#/root/.ssh/config:
+/root/.ssh:
-#  file.managed:
+  file.directory:
-#    - source: 'salt://ssh/files/ssh_config.jinja'
+    - user: root
-#    - template: jinja
+    - group: root
-#    - user: root
+    - mode: 700
-#    - group: root
+
-#    - mode: 400
+{% if salt.pillar.get("ssh_hosts:root", None) is not none or salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
-#    - require:
+/root/.ssh/config:
-#      - file: /root/.ssh
+  file.managed:
+    - source: 'salt://users/files/ssh_hosts.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 400
+    - context:
+      user: root
+    - require:
+      - file: /root/.ssh
+{% endif %}
 
 {% for group in salt.pillar.get('sys_groups') %}
 {{ group }}:
@@ -77,14 +90,16 @@
       - user: {{ user }}_user
 {% endif %}
 
-{% if 'ssh_config' in data %}
+{% if salt.pillar.get('ssh_hosts', {}).get(user, None) is not none %}
 /home/{{ user }}/.ssh/config:
   file.managed:
     - source: 'salt://users/files/ssh_hosts.jinja'
-    #- contents_pillar: users:{{ user }}:ssh_config
+    - template: jinja
     - user: {{ user }}
     - group: {{ user }}
     - mode: 0400
+    - context:
+      user: keiran
     - require:
       - file: /home/{{ user }}/.ssh
 {% endif %}