Open KervyN opened 7 years ago
jschaeff
commented
7 years ago Yes it's possible. The documentation of this module explains how te declare the accounts and the ssh_keys via hiera.
For your uid management, I suggest you put a node level hierarchy (nodes/%{trusted['certname']}.yaml) and you can override configurations from common.yaml
My advices : read the hiera merging strategy documentation, test a hierarchy and play with the puppet lookup command
KervyN
commented
7 years ago Hi, thank you. Is it also possible to have groups of ssh keys? Like @admins(admin1, admin2, admin3) @team-project1(dev1,dev2,admin3,pm2) ?
jschaeff
commented
7 years ago To do this, I use a hack:
accounts::user{'project1':
authorized_keys => ['@keys_for_project1']
}Maybe I need to find some other idea to realise this. We have ~300 hosts, which are exclusive for single projects, every host got its own users based on the project, with multiple devs accessing this particular user.
Wouldn't be practical to have this in my manifest. Thats why I wanted to have this kind of stuff in hiera and have the module just create/manage the user(s)
common.yaml:
accounts::user:
root:
authorized_keys:
- @admins
host1.example.com.yaml
accounts::user:
project1:
authorized_keys:
- @team-project1
- DBAdude
host2.example.com.yaml
accounts::user:
root:
authorized_keys:
- @admins
- dbadude
project2:
authorized_keys:
- frank-the-tank
- jenkins-deployment-keySo with your solution I would need to make something like (correct me if I am wrong):
if fqdn == host2.example.com
accounts::user{'project2':
authorized_keys => ['@keys_for_project1']
}
elsif fqdn == host1.example.com
....
endYou could put your Unix users project* in a accounts::group, let's say "projects" then in your manifests you realize accounts::user{'@projects': ....}
Nice ?
2017-09-06 17:30 GMT+02:00 Boris Behrens notifications@github.com:
Maybe I need to find some other idea to realise this. We have ~300 hosts, which are exclusive for single projects, every host got its own users based on the project, with multiple devs accessing this particular user.
Wouldn't be practical to have this in my manifest. Thats why I wanted to have this kind of stuff in hiera and have the module just create/manage the user(s)
common.yaml: accounts::user: root: authorized_keys:
- @admins
host1.example.com.yaml accounts::user: project1: authorized_keys:
- @team-project1
- DBAdude
host2.example.com.yaml accounts::user: root: authorized_keys:
- @admins
- dbadude project2: authorized_keys:
- frank-the-tank
- jenkins-deployment-key
So with your solution I would need to make something like (correct me if I am wrong):
if fqdn == host2.example.com accounts::user{'project2': authorized_keys => ['@keys_for_project1'] } elsif fqdn == host1.example.com .... end
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/camptocamp/puppet-accounts/issues/54#issuecomment-327521586, or mute the thread https://github.com/notifications/unsubscribe-auth/ABGDY2mcwmegcV977STpTh_6C_TdNCpbks5sfrqXgaJpZM4O9hUA .
KervyN
commented
7 years ago But this would enroll all the project accounts on all servers, wouldn't it? Or maybe I am just to stupid to understand correctly.
jschaeff
commented
7 years ago Or it's a bit complicated to explain.
Say in your common.yaml you set
accounts::usergroups:
projects:
authorized_keys_for_project:Without any user in those groups
If you realise
if lookup('accounts::usergroups')['projects'] {
accounts::user{'@projects':
authorized_keys => ['@keys_for_project1']
}
}Then a host without specific usergroup defined in hiera will not realize anything.
Hi, sorry for that, maybe dump, question, but is it possible to manage the ssh authorized_keys and accounts via hiera?
I would like to roll out a basic set of keys for root (all the senior uber duper admins) and on some hosts a couple more (maybe db admins, or admins in training). Additional to that question: We have a seperate user with a seperate uid on each host (host1.example.com -> host1(uid 12345), host2.example.com -> someotheruser(uid 54324) and so on). I would like to define them in the hiera config so I have one single point of truth where which accounts are generated.
Currently everything is done manual, and the puppet configuration is more than obscure. I try to refactor everything to the current state of the art with hiera, r10k, modules and roles.