P:puppet::server: Deploy sync SSH keys to other hosts

supertassu · supertassu · commit 7837a5c334da · 2024-06-09T02:25:41.000+03:00
diff --git a/modules/profile/manifests/puppet/server.pp b/modules/profile/manifests/puppet/server.pp
@@ -7,6 +7,9 @@
 ) {
   include profile::puppet::common
 
+  $primary_host = $profile::puppet::agent::ca_server
+  $is_primary = $primary_host == $facts['networking']['fqdn']
+
   $termini_package = debian::codename() ? {
     'bullseye' => 'puppetdb-termini',
     default    => 'puppet-terminus-puppetdb',
@@ -249,6 +252,19 @@
 
   ssh::client::user_key { 'puppet-sync': }
 
+  if $facts['ssh_local_keys'] and $facts['ssh_local_keys']['puppet-sync'] {
+    $key = $facts['ssh_local_keys']['puppet-sync']
+    @@ssh_authorized_key { "puppet-sync-${facts['networking']['fqdn']}":
+      user    => 'root',
+      type    => $key.split(' ')[0],
+      key     => $key.split(' ')[1],
+      options => ['restrict'],
+      tag     => 'profile::puppet::server::puppet_sync',
+    }
+  }
+
+  Ssh_authorized_key <<| tag == 'profile::puppet::server::puppet_sync' |>>
+
   # Expose SSH keys so users can verify them
   file { '/srv/www':
     ensure => directory,
