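dep 'passwordless ssh logins', :username, :key do
  # Adds `key` to `username`'s ~/.ssh/authorized_keys so that key can log in
  # without a password. `username` defaults to the invoking user; for any
  # other user the shell commands run under sudo (see sudo?).
  username.default(shell('whoami'))

  # The target user's ~/.ssh directory.
  def ssh_dir
    "~#{username}" / '.ssh'
  end

  # The authorized_keys file under ssh_dir. Used by both met? and meet so the
  # path is built in exactly one place.
  def authorized_keys_file
    ssh_dir / 'authorized_keys'
  end

  # Primary group of the target user, as reported by id(1).
  def group
    shell "id -gn #{username}"
  end

  # Whether the target user differs from the invoking user. The result is
  # cached with defined? rather than ||= so that a false answer is also
  # remembered; with ||= every call would re-run whoami.
  def sudo?
    @sudo = (username != shell('whoami')) unless defined?(@sudo)
    @sudo
  end

  # Met when the key is already present. fgrep matches a fixed substring, so a
  # key that is a prefix of an existing entry also counts as present, and a
  # key containing a single quote would break the quoting on this line.
  met? {
    shell? "fgrep '#{key}' '#{authorized_keys_file}'", :sudo => sudo?
  }

  meet {
    shell "mkdir -p -m 700 '#{ssh_dir}'", :sudo => sudo?
    # The key itself is passed on stdin, not on the command line.
    # NOTE(review): this path and the chmod below are unquoted while the
    # mkdir/chown paths are single-quoted; whether the tilde in ssh_dir is
    # expanded by the shell or by the path object decides which form is
    # correct -- confirm against Babushka's path helper before unifying.
    shell "cat >> #{authorized_keys_file}", :input => key, :sudo => sudo?
    sudo "chown -R #{username}:#{group} '#{ssh_dir}'" unless ssh_dir.owner == username
    sudo "chown -R #{username}:#{group} '#{authorized_keys_file}'" unless authorized_keys_file.owner == username
    shell "chmod 600 #{authorized_keys_file}", :sudo => sudo?
  }
end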
dep 'public key' do
  # Met once ~/.ssh/id_dsa.pub exists and contains an ssh-dss public key.
  # NOTE(review): OpenSSH 7.0 and later refuse ssh-dss keys by default, so a
  # key produced here may be rejected by current servers; an ed25519 or RSA
  # key would be the usual choice for new setups (changing that also changes
  # the file name this dep checks).
  met? do
    '~/.ssh/id_dsa.pub'.p.grep(/^ssh-dss/)
  end

  # Generates the DSA keypair with an empty passphrase (-N '') and logs
  # ssh-keygen's output.
  meet do
    output = shell("ssh-keygen -t dsa -f ~/.ssh/id_dsa -N ''")
    log output
  end
end
dep 'bad certificates removed' do
  # Removes root certificates that should no longer be trusted (DigiNotar)
  # from the Debian/Ubuntu certificate store.

  # Basenames (without .pem) of the certificates to drop from /etc/ssl/certs.
  def cert_names
    %w[DigiNotar_Root_CA]
  end

  # The subset of those certificates that is currently present on disk.
  def existing_certs
    cert_names.map {|name| "/etc/ssl/certs/#{name}.pem".p }.select(&:exists?)
  end

  # Only Debian-style hosts are known to keep their certificates in
  # /etc/ssl/certs; bail out early elsewhere rather than guess a path.
  setup {
    supported = [:debian, :ubuntu].include?(Babushka.host.flavour)
    unmeetable! "Not sure where to find certs on a #{Babushka.host.description} system." unless supported
  }

  met? { existing_certs.empty? }

  # NOTE(review): on Debian-style systems /etc/ssl/certs is typically managed
  # by update-ca-certificates, which may recreate a removed file on its next
  # run unless the certificate is also deselected in its configuration --
  # verify that deleting the file alone is durable.
  meet { existing_certs.each(&:rm) }
end