From a07114ed85e5066a3846c0e82ab96e22fd27aa2e Mon Sep 17 00:00:00 2001 From: Terry Derks Date: Fri, 22 Dec 2023 18:57:01 -0500 Subject: [PATCH] redo users and ssh --- _grains/lsusb.py | 8 ++- salt/init.sls | 5 +- salt/modules.sls | 7 +++ screen/files/screenrc | 4 ++ screen/init.sls | 1 + ssh/files/authorized_keys.jinja | 5 ++ ssh/files/ssh_hosts.jinja | 8 +++ ssh/init.sls | 46 +++++++++++++++++ ssh/map.jinja | 20 ++++++++ top.sls | 3 +- users/files/authorized_keys.jinja | 4 -- users/files/ssh_hosts.jinja | 15 ------ users/init.sls | 82 +++---------------------------- 13 files changed, 109 insertions(+), 99 deletions(-) create mode 100644 salt/modules.sls create mode 100644 screen/files/screenrc create mode 100644 screen/init.sls create mode 100644 ssh/files/authorized_keys.jinja create mode 100644 ssh/files/ssh_hosts.jinja create mode 100644 ssh/init.sls create mode 100644 ssh/map.jinja delete mode 100644 users/files/authorized_keys.jinja delete mode 100644 users/files/ssh_hosts.jinja diff --git a/_grains/lsusb.py b/_grains/lsusb.py index 4578096..c3a90fb 100644 --- a/_grains/lsusb.py +++ b/_grains/lsusb.py @@ -1,9 +1,15 @@ import re from subprocess import check_output +log = logging.getLogger(__name__) + def main(): dev_re = re.compile(r"Bus\s+(\d+)\s+Device\s+(\d+):\s+ID\s(\w+:\w+)\s(.+)$") - lsusb = check_output("lsusb", encoding='UTF-8') + try: + lsusb = check_output("lsusb", encoding='UTF-8') + except OSError as exc: + log.error(exc) + return {} devices = [] corsair_aio = None for line in lsusb.splitlines(): diff --git a/salt/init.sls b/salt/init.sls index 71437ff..05ae7d9 100644 --- a/salt/init.sls +++ b/salt/init.sls @@ -9,7 +9,4 @@ include: {% else %} {{ raise("Unsupported grains.os") }} {% endif %} - -saltutil.sync_all: - saltutil.sync_all: - - refresh: True + - salt.modules diff --git a/salt/modules.sls b/salt/modules.sls new file mode 100644 index 0000000..02c718f --- /dev/null +++ b/salt/modules.sls 
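Review bot: `logging` is referenced by the added `log = logging.getLogger(__name__)` but the only imports visible in this hunk are `re` and `check_output`; unless an `import logging` exists outside the hunk, the grain module raises NameError when Salt loads it and every grain in the file is lost, so add `import logging` next to the other imports. The new `except OSError` handles a missing `lsusb` binary, but `check_output` reports a non-zero exit as `subprocess.CalledProcessError`, which is not an OSError and would still abort the grain; widen it to `except (OSError, CalledProcessError) as exc:` and import `CalledProcessError` alongside `check_output`. `main()` continues past the end of this hunk.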
@@ -0,0 +1,7 @@
+saltutil.sync_all:
+ saltutil.sync_all:
+ - refresh: True
+
+{# required for the lsusb grain #}
+usbutils:
+ pkg.installed: []
diff --git a/screen/files/screenrc b/screen/files/screenrc
new file mode 100644
index 0000000..c359dd9
--- /dev/null
+++ b/screen/files/screenrc
@@ -0,0 +1,4 @@
+vbell off
+termcapinfo xterm ti@:te@
+hardstatus alwayslastline
+hardstatus string '%{= kG}[ %{G}%H %{g} ][%= %{=kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B}%Y-%m-%d %{W}%c %{g}]'
diff --git a/screen/init.sls b/screen/init.sls
new file mode 100644
index 0000000..4640904
--- /dev/null
+++ b/screen/init.sls
@@ -0,0 +1 @@
+# TODO
diff --git a/ssh/files/authorized_keys.jinja b/ssh/files/authorized_keys.jinja
new file mode 100644
index 0000000..cdbb3f6
--- /dev/null
+++ b/ssh/files/authorized_keys.jinja
@@ -0,0 +1,5 @@
+# Managed by Saltstack
+{% from "ssh/map.jinja" import ssh_users with context -%}
+{% for comment, key in ssh_users[user]['authorized_keys'].items() -%}
+{{ key }} {{ comment }}
+{% endfor -%}
diff --git a/ssh/files/ssh_hosts.jinja b/ssh/files/ssh_hosts.jinja
new file mode 100644
index 0000000..75619f2
--- /dev/null
+++ b/ssh/files/ssh_hosts.jinja
@@ -0,0 +1,8 @@
+# Managed by Saltstack
+{%- from "ssh/map.jinja" import ssh_users with context %}
+{%- for host, config in ssh_users[user]['ssh_hosts'].items() %}
+Host {{ host }}
+{%- for key, val in config.items() %}
+ {{ key }} {{ val }}
+{%- endfor %}
+{%- endfor %}
diff --git a/ssh/init.sls b/ssh/init.sls
new file mode 100644
index 0000000..098995e
--- /dev/null
+++ b/ssh/init.sls
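Review bot: `saltutil.sync_all` with `refresh: True` is declared before `usbutils` with no requisite between them, so on a fresh minion the grains are synced and refreshed while `lsusb` is still absent and the lsusb grain reports nothing until the next run. Put `usbutils` first or add `- require:` / `  - pkg: usbutils` to the `saltutil.sync_all` state so the refresh happens after the package is installed. The same ordering applies to any other custom grain that shells out to a binary installed by this state.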
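Review bot: `{{ key }} {{ comment }}` writes the pillar value verbatim, so a value containing a newline, or a leading option such as `command=`/`from=`, lands in authorized_keys unchanged; pillar is trusted, but if several people edit it a render-time guard such as `{% if '\n' in key %}{{ raise('authorized key for ' ~ user ~ ' contains a newline') }}{% endif %}` catches the copy-paste case before sshd sees it. Because the mapping is keyed by comment, two keys that share a comment silently collapse to one. A comment at the top, `{# pillar shape: ssh:users:<user>:authorized_keys:<comment>: <key line>; comments must be unique per user #}`, would make both points visible to the next editor.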
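Review bot: ssh_config uses the first value obtained for each keyword, so the order in which `ssh_hosts` entries are rendered decides precedence, and a wildcard such as `Host *` placed early in the pillar mapping overrides every later block; the template emits blocks in mapping order without noting this. A comment above the outer loop, `{# ssh_config is first-match-wins: order ssh_hosts entries from most to least specific #}`, records the contract. Values are also emitted verbatim, so keywords like `ProxyCommand` come straight from pillar; that is fine while pillar is trusted and worth stating in the same comment.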
@@ -0,0 +1,46 @@
+{% from "ssh/map.jinja" import ssh_users with context %}
+
+{% for user, confs in ssh_users.items() %}
+ {% set homedir = salt.user.info(user).get('home', None) %}
+ {% if homedir is none %}
+
+{{ "~%s/.ssh" | format(user) }}:
+ test.fail_without_changes:
+ - name: {{ "No homedir for %s - if they were created in this run, run this state again" | format(user) }}
+
+ {% else %}
+
+{{ homedir }}/.ssh:
+ file.directory:
+ - user: {{ user }}
+ - group: {{ user }}
+ - mode: 700
+ {% if 'authorized_keys' in confs %}
+{{ homedir }}/.ssh/authorized_keys:
+ file.managed:
+ - template: jinja
+ - source: salt://ssh/files/authorized_keys.jinja
+ - user: {{ user }}
+ - group: {{ user }}
+ - mode: 400
+ - context:
+ user: {{ user }}
+ - require:
+ - file: {{ homedir }}/.ssh
+ {% endif %}
+ {% if 'ssh_hosts' in confs %}
+{{ homedir }}/.ssh/config:
+ file.managed:
+ - source: 'salt://ssh/files/ssh_hosts.jinja'
+ - template: jinja
+ - user: {{ user }}
+ - group: {{ user }}
+ - mode: 0400
+ - context:
+ user: {{ user }}
+ - require:
+ - file: {{ homedir }}/.ssh
+ {% endif %}
+
+ {% endif %}
+{% endfor %}
diff --git a/ssh/map.jinja b/ssh/map.jinja
new file mode 100644
index 0000000..c404e27
--- /dev/null
+++ b/ssh/map.jinja
@@ -0,0 +1,20 @@
+{% set restic_repo = salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '') %}
+
+{% if restic_repo.startswith('sftp:') %}
+ {% set default = {
+ "root": {
+ "ssh_hosts": {
+ restic_repo.split(':')[1]: {
+ 'HostName': 'kpi.keiran.us',
+ 'User': restic_repo.split(':')[1],
+ 'Port': 9022,
+ 'IdentityFile': '/root/.ssh/id_rsa',
+ }
+ }
+ }
+ } %}
+{% else %}
+ {% set default = {} %}
+{% endif %}
+
+{% set ssh_users = salt.pillar.get('ssh:users', default, merge=True) %}
diff --git a/top.sls b/top.sls
index f923428..97ac3bf 100644
--- a/top.sls
+++ b/top.sls
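Review bot: Removing a user from `ssh:users` leaves that user's existing `~/.ssh/authorized_keys` and `~/.ssh/config` untouched, because the state only manages files for users present in the mapping; revoking access therefore requires setting `authorized_keys: {}` rather than deleting the entry, and nothing in the hunk says so. Document it above the loop: `{# dropping a user from ssh:users does NOT remove their files; to revoke all keys set authorized_keys: {} #}`. `- group: {{ user }}` on the `.ssh` directory and both managed files also assumes a private group named after the user exists; if the `users` pillar assigns a different primary group, `file.directory` fails on that minion, and `salt.user.info(user).get('gid')` would follow the account's real primary group instead (worth confirming that the file states accept a numeric gid on your Salt version).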
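Review bot: The generated root entry pins `IdentityFile` but nothing here pins the host key of `kpi.keiran.us`, so the first restic backup over SFTP trusts whatever key the server presents unless known_hosts is managed elsewhere; an `ssh_known_hosts.present` state for that host, or `StrictHostKeyChecking yes` together with a managed known_hosts file, closes that gap for the backup channel. `restic_repo.split(':')[1]` also assumes the `sftp:<alias>:/path` form where the alias doubles as the remote user; restic's documented `sftp:user@host:/path` form would yield `user@host` as both `Host` alias and `User`, and a bare `sftp:` value raises IndexError at render time. A comment stating the expected format, `{# expects RESTIC_REPOSITORY = sftp:<user>:<path>; <user> is both the ssh alias and the remote login #}`, makes the assumption explicit.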
@@ -1,10 +1,11 @@ {{ saltenv }}: '*': - salt + - users + - ssh - cron - vim - packages - - users {% if salt.pillar.get('restic:client', None) is not none or salt.pillar.get('restic:server', None) is not none %} - restic diff --git a/users/files/authorized_keys.jinja b/users/files/authorized_keys.jinja deleted file mode 100644 index d6fdbc7..0000000 --- a/users/files/authorized_keys.jinja +++ /dev/null @@ -1,4 +0,0 @@ -# Managed by Saltstack -{% for comment, key in salt.pillar.get('authorized_keys')[user].items() -%} -{{ key }} {{ comment }} -{% endfor -%} diff --git a/users/files/ssh_hosts.jinja b/users/files/ssh_hosts.jinja deleted file mode 100644 index 5e90b2a..0000000 --- a/users/files/ssh_hosts.jinja +++ /dev/null @@ -1,15 +0,0 @@ -# Managed by Saltstack -{%- for host, config in salt.pillar.get('ssh_hosts', {}).get(user, {}).items() %} -Host {{ host }} -{%- for key, val in config.items() %} - {{ key }} {{ val }} -{%- endfor %} -{%- endfor %} -{%- if salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %} -{% set user=salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY').split(':')[1] %} -Host {{ user }} - HostName kpi.keiran.us - User {{ user }} - Port 9022 - IdentityFile /root/.ssh/id_rsa -{%- endif %} diff --git a/users/init.sls b/users/init.sls index ab7f96f..b272364 100644 --- a/users/init.sls +++ b/users/init.sls 
@@ -1,29 +1,4 @@ -{% for user in salt.pillar.get('authorized_keys').keys() %} - {% set home = '' if user == 'root' else '/home' %} - - {% if user != 'root' %} -{{ home }}/{{ user }}/.ssh: - file.directory: - - user: {{ user }} - - group: {{ user }} - - mode: 700 - {% endif %} - -{{ home }}/{{ user }}/.ssh/authorized_keys: - file.managed: - - template: jinja - - source: salt://users/files/authorized_keys.jinja - - user: {{ user }} - - group: {{ user }} - - mode: 400 - - context: - user: {{ user }} - - require: - - file: {{ home }}/{{ user }}/.ssh - -{% endfor %} - {% if salt.pillar.get('manage_root_bashrc', False) %} /root/.bashrc: file.managed: 
@@ -36,46 +11,19 @@ bashrc_user: root {% endif %} -/root/.ssh: - file.directory: - - user: root - - group: root - - mode: 700 - -{% if salt.pillar.get("ssh_hosts:root", None) is not none or salt.pillar.get('restic:client:environ:RESTIC_REPOSITORY', '').startswith('sftp:') %} -/root/.ssh/config: - file.managed: - - source: 'salt://users/files/ssh_hosts.jinja' - - template: jinja - - user: root - - group: root - - mode: 400 - - context: - user: root - - require: - - file: /root/.ssh -{% endif %} - -{% for group in salt.pillar.get('sys_groups') %} -{{ group }}: - group.present: - - system: True -{% endfor %} - -{% for user, data in salt.pillar.get('users', {}).items() %} +{% for user, config in salt.pillar.get('users', {}).items() %} {{ user }}_user: user.present: - name: {{ user }} - - shell: {{ data.get('shell', '/bin/bash')|yaml_encode }} -{% if 'groups' in data %} - - groups: -{% for group in data['groups'] %} - - {{ group|yaml_encode }} -{% endfor %} -{% endif %} + - shell: {{ config.get('shell', '/bin/bash') | yaml_encode }} + {% for key, val in config.items() %} + {% if key not in ('shell', 'manage_bashrc') %} + - {{ key }}: {{ val | tojson }} + {% endif %} + {% endfor %} -{% if data.get('manage_bashrc', False) %} +{% if config.get('manage_bashrc', False) %} /home/{{ user }}/.bashrc: file.managed: - source: 'salt://users/files/bashrc.jinja' @@ -89,19 +37,5 @@ - user: {{ user }}_user {% endif %} -{% if salt.pillar.get('ssh_hosts', {}).get(user, None) is not none %} -/home/{{ user }}/.ssh/config: - file.managed: - - source: 'salt://users/files/ssh_hosts.jinja' - - template: jinja - - user: {{ user }} - - group: {{ user }} - - mode: 0400 - - context: - user: keiran - - require: - - file: /home/{{ user }}/.ssh -{% endif %} - {% endfor %}
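Review bot: The generic passthrough `- {{ key }}: {{ val | tojson }}` forwards every pillar key except `shell` and `manage_bashrc` to `user.present`, so a misspelled key now fails the state at run time instead of being ignored, and a `groups` list depends on those groups already existing — the `sys_groups` `group.present` loop this hunk removes is not replaced here, so unless groups are created elsewhere, `user.present` fails for any group absent on the minion. Either restore a `group.present` loop driven by pillar or state the expectation above the loop: `{# every key except shell/manage_bashrc is passed straight to user.present; referenced groups must already exist #}`. Note that `user.present` removes the account from groups not listed by default (`remove_groups`), so a manually granted sudo/wheel membership is dropped on the next run; worth a line in the same comment. The enclosing `{% for user, config ... %}` loop ends outside this hunk.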