puppet: Rename and limit production key distribution.

puppet/zulip_ops/manifests/profile/base.pp

@@ -62,12 +62,12 @@ class zulip_ops::profile::base {
   user { 'root': }
   zulip_ops::user_dotfiles { 'root':
     home            => '/root',
-    keys            => 'common',
+    keys            => 'internal-read-only-deploy-key',
     authorized_keys => 'common',
   }
 
   zulip_ops::user_dotfiles { 'zulip':
-    keys            => 'common',
+    keys            => 'internal-read-only-deploy-key',
     authorized_keys => 'common',
   }
 

puppet/zulip_ops/manifests/profile/chat_zulip_org.pp

@@ -10,4 +10,11 @@ class zulip_ops::profile::chat_zulip_org inherits zulip_ops::profile::base {
   zulip_ops::firewall_allow { 'http': }
   zulip_ops::firewall_allow { 'https': }
   zulip_ops::firewall_allow { 'smtp': }
+
+  Zulip_Ops::User_Dotfiles['root'] {
+    keys => false,
+  }
+  Zulip_Ops::User_Dotfiles['zulip'] {
+    keys => false,
+  }
 }

puppet/zulip_ops/manifests/profile/prod_app_frontend.pp

@@ -2,6 +2,13 @@ class zulip_ops::profile::prod_app_frontend inherits zulip_ops::profile::base {
   include zulip_ops::app_frontend
   include zulip::hooks::zulip_notify
 
+  Zulip_Ops::User_Dotfiles['root'] {
+    keys => 'internal-limited-write-deploy-key',
+  }
+  Zulip_Ops::User_Dotfiles['zulip'] {
+    keys => 'internal-limited-write-deploy-key',
+  }
+
   $conntrack_max = zulipconf('application_server', 'conntrack_max', 262144)
   zulip::sysctl { 'conntrack':
     content => template('zulip_ops/sysctl.d/40-conntrack.conf.erb'),