manage restic rsa

2023-11-27 01:42:37 -05:00
parent c1a5c8d95b
commit 5be2a914ac
8 changed files with 63 additions and 28 deletions
--- a/1
+++ b/1
@@ -1 +0,0 @@
-restic rsa keys
--- a/restic/init.sls
+++ b/restic/init.sls
@@ -1,9 +1,22 @@
-{% for client in salt.pillar.get("restic:server:clients", []) %}
-restic-{{ client }}:
+{% for name, minion_id in salt.pillar.get("restic:server:clients", {}).items() %}
+restic-{{ name }}:
  user.present:
-    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ name }}
    - createhome: true
    - system: true
+
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh:
+  file.directory:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 700
+{{ salt.pillar.get("restic:server:mount") }}/{{ name }}/.ssh/authorized_keys:
+  file.managed:
+    - user: restic-{{ name }}
+    - group: restic-{{ name }}
+    - mode: 400
+    # TODO: we don't ensure a root rsa key exists on the minion
+    - contents: {{ salt.mine.get(minion_id, 'root_id_rsa_pub').get(minion_id, "") | yaml_encode }}
 {% endfor %}

 {% if salt.pillar.get("restic:client", None) is not none %}
--- a/salt/files/minion.jinja
+++ b/salt/files/minion.jinja
@@ -9,3 +9,7 @@ log_level: warning
 grains_cache: True
 pillar_merge_lists: True
 mysql.default_file: '/root/.my.cnf'
+mine_functions:
+  root_id_rsa_pub:
+    - mine_function: file.read
+    - /root/.ssh/id_rsa.pub
--- a/top.sls
+++ b/top.sls
@@ -1,16 +1,15 @@
 {{saltenv}}:
  '*':
-    - common
    - salt
+    - common
+    - users
 {% if salt.pillar.get('restic', None) is not none %}
    - restic
 {% endif %}
  '*.keiran.us':
-    - users
    - firewall
    - resolv
  'vps47492.inmotionhosting.com':
-    - users
    - gitea
  'kpi.keiran.us':
    - icinga2
--- a/users/files/authorized_keys.jinja
+++ b/users/files/authorized_keys.jinja
@@ -1,3 +1,4 @@
+# Managed by Saltstack
 {% for comment, key in salt.pillar.get('authorized_keys')[user].items() -%}
 {{ key }} {{ comment }}
 {% endfor -%}
--- a/users/files/bashrc.jinja
+++ b/users/files/bashrc.jinja
@@ -1,5 +1,7 @@

 # If not running interactively, don't do anything
+{# code: lang=jinja-shell -#}
+# vim: et:ai:ts=4:sw=4:ft=sh
 case $- in
    *i*) ;;
      *) return;;
@@ -25,19 +27,13 @@ shopt -s checkwinsize
 if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
-    #alias dir='dir --color=auto'
-    #alias vdir='vdir --color=auto'
-
    alias grep='grep --color=auto'
-    alias fgrep='fgrep --color=auto'
-    alias egrep='egrep --color=auto'
 fi

 # some more ls aliases
 alias ll='ls -alF'
 alias la='ls -A'
 alias l='ls -CF'
-alias vi='vim'

 export EDITOR='vim'
 export VISUAL='vim'
@@ -64,8 +60,7 @@ PATH="${PATH}:${HOME}/.local/bin"
 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
 {%- if bashrc_user is defined %}
 {%-   if bashrc_user == 'root' and salt.pillar.get('restic:client', None) is not none %}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:client:repo') }}
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') }}
+source /opt/restic/env.sh
 {%-   endif %}
 {%-   for alias, cmd_str in salt.pillar.get("bash_aliases:{}".format(bashrc_user), {}).items() %}
 alias {{ alias }}="{{ cmd_str }}"
--- a/users/files/ssh_hosts.jinja
+++ b/users/files/ssh_hosts.jinja
@@ -1,6 +1,15 @@
-{% for host, config in salt.pillar.get('ssh_hosts')[user].items() -%}
+# Managed by Saltstack
+{%- for host, config in salt.pillar.get('ssh_hosts', {}).get(user, {}).items() %}
 Host {{ host }}
-{%-   for key, val in config %}
+{%-   for key, val in config.items() %}
  {{ key }} {{ val }}
 {%-   endfor %}
 {%- endfor %}
+{%- if salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
+{% set user=salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY').split(':')[1] %}
+Host {{ user }}
+  HostName kpi.keiran.us
+  User {{ user }}
+  Port 9022
+  IdentityFile /root/.ssh/id_rsa
+{%- endif %}
--- a/users/init.sls
+++ b/users/init.sls
@@ -2,11 +2,14 @@
 {% for user in salt.pillar.get('authorized_keys').keys() %}
  {% set home = '' if user == 'root' else '/home' %}

+  {% if user != 'root' %}
+  # FIXME - both config and auth keys need this and this logic is dumb
 {{ home }}/{{ user }}/.ssh:
  file.directory:
    - user: {{ user }}
    - group: {{ user }}
    - mode: 700
+  {% endif %}

 {{ home }}/{{ user }}/.ssh/authorized_keys:
  file.managed:
@@ -34,15 +37,25 @@
      bashrc_user: root
 {% endif %}

-#/root/.ssh/config:
-#  file.managed:
-#    - source: 'salt://ssh/files/ssh_config.jinja'
-#    - template: jinja
-#    - user: root
-#    - group: root
-#    - mode: 400
-#    - require:
-#      - file: /root/.ssh
+/root/.ssh:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+{% if salt.pillar.get("ssh_hosts:root", None) is not none or salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %}
+/root/.ssh/config:
+  file.managed:
+    - source: 'salt://users/files/ssh_hosts.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 400
+    - context:
+      user: root
+    - require:
+      - file: /root/.ssh
+{% endif %}

 {% for group in salt.pillar.get('sys_groups') %}
 {{ group }}:
@@ -77,14 +90,16 @@
      - user: {{ user }}_user
 {% endif %}

-{% if 'ssh_config' in data %}
+{% if salt.pillar.get('ssh_hosts', {}).get(user, None) is not none %}
 /home/{{ user }}/.ssh/config:
  file.managed:
    - source: 'salt://users/files/ssh_hosts.jinja'
-    #- contents_pillar: users:{{ user }}:ssh_config
+    - template: jinja
    - user: {{ user }}
    - group: {{ user }}
    - mode: 0400
+    - context:
+      user: keiran
    - require:
      - file: /home/{{ user }}/.ssh
 {% endif %}