puppet: Pull authorized_keys from AWS secretsmanager.

2025-10-23 04:52:12 +00:00 · 2024-01-31 13:25:39 -05:00
parent ff00c01538
commit 795621771f
5 changed files with 69 additions and 31 deletions
--- a/puppet/zulip_ops/files/install-ssh-authorized-keys
+++ b/puppet/zulip_ops/files/install-ssh-authorized-keys
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -eu
+
+username="$1"
+ssh_secret_name="$2"
+
+homedir="$(getent passwd "$username" | cut -d: -f6)"
+sshdir="$homedir/.ssh"
+
+workfile=$(mktemp)
+cleanup() { rm "$workfile"; }
+trap cleanup EXIT
+
+/srv/zulip-aws-tools/bin/aws --output text \
+    secretsmanager get-secret-value \
+    --secret-id "$ssh_secret_name" \
+    --query SecretString \
+    | jq -r 'keys[] as $k | "\(.[$k]) \($k)"' \
+        >"$workfile"
+
+chmod 644 "$workfile"
+chown "$username:$username" "$workfile"
+
+if [ "$#" -gt 2 ]; then
+    diff -N "$workfile" "$sshdir/authorized_keys"
+    exit 0
+fi
+
+rsync -v "$workfile" "$sshdir/authorized_keys"
--- a/puppet/zulip_ops/manifests/aws_tools.pp
+++ b/puppet/zulip_ops/manifests/aws_tools.pp
@@ -69,7 +69,7 @@ class zulip_ops::aws_tools {
    content => template('zulip_ops/dotfiles/aws_config.erb'),
  }

-  # Pull keys from AWS secretsmanager
+  # Pull keys and authorized_keys from AWS secretsmanager
  file { '/usr/local/bin/install-ssh-keys':
    ensure  => file,
    require => File['/root/.aws/config'],
@@ -78,4 +78,12 @@ class zulip_ops::aws_tools {
    group   => 'root',
    source  => 'puppet:///modules/zulip_ops/install-ssh-keys',
  }
+  file { '/usr/local/bin/install-ssh-authorized-keys':
+    ensure  => file,
+    require => File['/root/.aws/config'],
+    mode    => '0755',
+    owner   => 'root',
+    group   => 'root',
+    source  => 'puppet:///modules/zulip_ops/install-ssh-authorized-keys',
+  }
 }
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@@ -62,12 +62,14 @@ class zulip_ops::profile::base {

  user { 'root': }
  zulip_ops::user_dotfiles { 'root':
-    home => '/root',
-    keys => 'common',
+    home            => '/root',
+    keys            => 'common',
+    authorized_keys => 'common',
  }

  zulip_ops::user_dotfiles { 'zulip':
-    keys => 'common',
+    keys            => 'common',
+    authorized_keys => 'common',
  }

  file { '/etc/pam.d/common-session':
@@ -97,32 +99,6 @@ class zulip_ops::profile::base {
  include zulip_ops::aws_tools

  if $is_ec2 {
-    # Non-EC2 (e.g. CZO) don't have the private commit that adds these
-    # zulip_ops files.
-    file { '/root/.ssh/authorized_keys':
-      ensure => file,
-      mode   => '0600',
-      owner  => 'root',
-      group  => 'root',
-      source => 'puppet:///modules/zulip_ops/root_authorized_keys',
-    }
-    file { '/home/zulip/.ssh/authorized_keys':
-      ensure  => file,
-      require => File['/home/zulip/.ssh'],
-      mode    => '0600',
-      owner   => 'zulip',
-      group   => 'zulip',
-      source  => 'puppet:///modules/zulip_ops/authorized_keys',
-    }
-    file { '/var/lib/nagios/.ssh/authorized_keys':
-      ensure  => file,
-      require => File['/var/lib/nagios/.ssh'],
-      mode    => '0600',
-      owner   => 'nagios',
-      group   => 'nagios',
-      source  => 'puppet:///modules/zulip_ops/nagios_authorized_keys',
-    }
-
    # EC2 hosts can use the in-VPC timeserver
    file { '/etc/chrony/chrony.conf':
      ensure  => file,
@@ -152,7 +128,10 @@ class zulip_ops::profile::base {
    group   => 'nagios',
    mode    => '0700',
  }
-  zulip_ops::user_dotfiles { 'nagios': home => '/var/lib/nagios' }
+  zulip_ops::user_dotfiles { 'nagios':
+    home            => '/var/lib/nagios',
+    authorized_keys => true,
+  }
  file { '/home/nagios':
    ensure  => absent,
    force   => true,
--- a/puppet/zulip_ops/manifests/ssh_authorized_keys.pp
+++ b/puppet/zulip_ops/manifests/ssh_authorized_keys.pp
@@ -0,0 +1,15 @@
+define zulip_ops::ssh_authorized_keys(
+  $keys = true,
+) {
+  $user = $name
+  if $keys == true {
+    $keypath = "prod/ssh/authorized_keys/${user}"
+  } else {
+    $keypath = "prod/ssh/authorized_keys/${keys}"
+  }
+  exec { "ssh_authorized_keys ${user}":
+    require => File['/usr/local/bin/install-ssh-authorized-keys'],
+    command => "/usr/local/bin/install-ssh-authorized-keys ${user} ${keypath}",
+    unless  => "[ -f /usr/local/bin/install-ssh-authorized-keys ] && /usr/local/bin/install-ssh-authorized-keys ${user} ${keypath} check",
+  }
+}
--- a/puppet/zulip_ops/manifests/user_dotfiles.pp
+++ b/puppet/zulip_ops/manifests/user_dotfiles.pp
@@ -1,6 +1,7 @@
 define zulip_ops::user_dotfiles (
  $home = '',
  $keys = false,
+  $authorized_keys = false,
 ) {
  $user = $name

@@ -45,4 +46,10 @@ define zulip_ops::user_dotfiles (
      require => File["${homedir}/.ssh"],
    }
  }
+  if $authorized_keys != false {
+    zulip_ops::ssh_authorized_keys{ $user:
+      keys    => $authorized_keys,
+      require => File["${homedir}/.ssh"],
+    }
+  }
 }