Split bastion host code into a few distinct profiles

mlibrary · Aug 23, 2024 · a15c1f1 · a15c1f1
1 parent cd7335c
commit a15c1f1
Show file tree

Hide file tree

Showing 6 changed files with 106 additions and 40 deletions.
diff --git a/manifests/profile/bolt.pp b/manifests/profile/bolt.pp
@@ -1,8 +1,10 @@
-# Copyright (c) 2022 The Regents of the University of Michigan.
+# Copyright (c) 2024 The Regents of the University of Michigan.
 # All Rights Reserved. Licensed according to the terms of the Revised
 # BSD License. See LICENSE.txt for details.
 
 class nebula::profile::bolt {
+  include nebula::profile::managed_known_hosts
+  include nebula::profile::github_pull_account
   include nebula::virtual::users
   package { 'puppet-bolt': }
 
@@ -26,42 +28,6 @@
     }
   }
 
-  concat { '/etc/ssh/ssh_known_hosts': }
-  Concat_fragment <<| tag == 'known_host_public_keys' |>>
-
-  user { "git":
-    ensure     => "present",
-    home       => "/var/lib/autogit",
-    gid        => 100,
-    managehome => true,
-  }
-
-  file { "/var/lib/autogit/.ssh":
-    ensure  => "directory",
-    owner   => "git",
-    group   => 100,
-    mode    => "0700",
-    require => User["git"],
-  }
-
-  exec { "create /var/lib/autogit/.ssh/id_ecdsa":
-    creates => "/var/lib/autogit/.ssh/id_ecdsa",
-    user    => "git",
-    command => "/usr/bin/ssh-keygen -t ecdsa -N '' -C '${::hostname}' -f /var/lib/autogit/.ssh/id_ecdsa",
-    require => File["/var/lib/autogit/.ssh"],
-  }
-
-  exec { "create /var/local/github_ssh_keys":
-    creates => "/var/local/github_ssh_keys",
-    command => "/usr/bin/ssh-keyscan github.com > /var/local/github_ssh_keys",
-  }
-
-  concat_fragment { "github ssh keys":
-    target  => "/etc/ssh/ssh_known_hosts",
-    source  => "/var/local/github_ssh_keys",
-    require => Exec["create /var/local/github_ssh_keys"],
-  }
-
   file { "/opt/bolt":
     ensure => "directory",
     owner  => "git",
@@ -75,9 +41,8 @@
     source   => "ssh://[email protected]/mlibrary/bolt.git",
     user     => "git",
     require  => [
-      Exec["create /var/local/github_ssh_keys"],
+      Class["nebula::profile::github_pull_account"],
       File["/opt/bolt"],
-      Concat_fragment["github ssh keys"],
     ]
   }
 }
diff --git a/manifests/profile/github_pull_account.pp b/manifests/profile/github_pull_account.pp
@@ -0,0 +1,48 @@
+# Copyright (c) 2024 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+
+class nebula::profile::github_pull_account (
+  String $git_username = "git",
+  Integer $git_gid = 100,
+  String $git_homedir = "/var/lib/autogit",
+) {
+  user { $git_username:
+    ensure     => "present",
+    home       => $git_homedir,
+    gid        => $git_gid,
+    managehome => true,
+  }
+
+  file { "${git_homedir}/.ssh":
+    ensure  => "directory",
+    owner   => $git_username,
+    group   => $git_gid,
+    mode    => "0700",
+    require => User[$git_username],
+  }
+
+  # Once this exists, you have to add the id_ecdsa.pub to any private
+  # github repos you want to pull.
+  exec { "create ${git_homedir}/.ssh/id_ecdsa":
+    creates => "${git_homedir}/.ssh/id_ecdsa",
+    user    => $git_username,
+    command => "/usr/bin/ssh-keygen -t ecdsa -N '' -C '${::hostname}' -f ${git_homedir}/.ssh/id_ecdsa",
+    require => File["${git_homedir}/.ssh"],
+  }
+
+  exec { "create /var/local/github_ssh_keys":
+    creates => "/var/local/github_ssh_keys",
+    command => "/usr/bin/ssh-keyscan github.com > /var/local/github_ssh_keys",
+  }
+
+  include nebula::profile::managed_known_hosts
+
+  # Without this, the git user will not be able to pull from private
+  # repos using ssh.
+  concat_fragment { "github ssh keys":
+    target  => "/etc/ssh/ssh_known_hosts",
+    source  => "/var/local/github_ssh_keys",
+    require => Exec["create /var/local/github_ssh_keys"],
+  }
+}
diff --git a/manifests/profile/managed_known_hosts.pp b/manifests/profile/managed_known_hosts.pp
@@ -0,0 +1,10 @@
+# Copyright (c) 2024 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+
+class nebula::profile::managed_known_hosts {
+  concat { '/etc/ssh/ssh_known_hosts': }
+
+  # See nebula::profile::known_host_public_keys
+  Concat_fragment <<| tag == 'known_host_public_keys' |>>
+}
diff --git a/spec/classes/profile/bolt_spec.rb b/spec/classes/profile/bolt_spec.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-# Copyright (c) 2022 The Regents of the University of Michigan.
+# Copyright (c) 2022, 2024 The Regents of the University of Michigan.
 # All Rights Reserved. Licensed according to the terms of the Revised
 # BSD License. See LICENSE.txt for details.
 require 'spec_helper'
@@ -12,6 +12,8 @@
 
       it { is_expected.to compile }
       it { is_expected.to contain_package('puppet-bolt') }
+      it { is_expected.to contain_file('/opt/bolt').with_ensure('directory') }
+      it { is_expected.to contain_vcsrepo('/opt/bolt').with_ensure('latest') }
     end
   end
 end
diff --git a/spec/classes/profile/github_pull_account_spec.rb b/spec/classes/profile/github_pull_account_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Copyright (c) 2024 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+require 'spec_helper'
+
+describe 'nebula::profile::github_pull_account' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      it { is_expected.to compile }
+      it { is_expected.to contain_user('git').with_home('/var/lib/autogit') }
+      it { is_expected.to contain_user('git').with_gid(100) }
+      it { is_expected.to contain_user('git').with_managehome(true) }
+      it { is_expected.to contain_file('/var/lib/autogit/.ssh').with_ensure('directory') }
+      it { is_expected.to contain_file('/var/lib/autogit/.ssh').with_mode('0700') }
+      it { is_expected.to contain_exec('create /var/lib/autogit/.ssh/id_ecdsa') }
+      it { is_expected.to contain_exec('create /var/local/github_ssh_keys') }
+      it { is_expected.to contain_concat_fragment('github ssh keys').with_target('/etc/ssh/ssh_known_hosts') }
+    end
+  end
+end
diff --git a/spec/classes/profile/managed_known_hosts_spec.rb b/spec/classes/profile/managed_known_hosts_spec.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Copyright (c) 2024 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+require 'spec_helper'
+
+describe 'nebula::profile::managed_known_hosts' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      it { is_expected.to compile }
+      it { is_expected.to contain_concat('/etc/ssh/ssh_known_hosts') }
+    end
+  end
+end