diff --git a/debian/changelog b/debian/changelog
index 3cdaaa8..11d52e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ propellor (1.3.0) UNRELEASED; urgency=medium
 * Added support for DNSSEC.
 * sshPubKey is renamed to Ssh.pubKey, and has an added SshKeyType parameter. (API change)
+ * Ssh.hostKey and Ssh.hostKeys no longer install public keys from
+ the privdata. Instead, the public keys of a host should be set using
+ Ssh.pubKey.
 * Ssh.hostKeys now also installs any available SshEd25519 keys.
 * Fix build with process 1.2.1.0.
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 301c628..8642d99 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -95,21 +95,25 @@ hostKeys :: IsContext c => c -> Property
 hostKeys ctx = propertyList "known ssh host keys" $ map (flip hostKey ctx) [minBound..maxBound]
--- | Installs a single ssh host key.
+-- | Installs a single ssh host key of a particular type.
 --
--- The private key comes from the privdata.
---
--- The public key is set using 'pubKey'.
+-- The private key comes from the privdata;
+-- the public key is set using 'pubKey'.
 hostKey :: IsContext c => SshKeyType -> c -> Property
 hostKey keytype context = combineProperties desc
- [ installkey (keysrc ".pub" (SshPubKey keytype "")) (install writeFile ".pub")
- , installkey (keysrc "" (SshPrivKey keytype "")) (install writeFileProtected "")
+ [ property desc $ do
+ v <- M.lookup keytype <$> getPubKey
+ case v of
+ Just k -> install writeFile ".pub" k
+ Nothing -> do
+ warningMessage $ "Missing ssh pubKey " ++ show keytype
+ return FailedChange
+ , withPrivData (keysrc "" (SshPrivKey keytype "")) context $ \getkey ->
+ property desc $ getkey $ install writeFileProtected ""
 ] `onChange` restarted
 where
 desc = "known ssh host key (" ++ fromKeyType keytype ++ ")"
- installkey p a = withPrivData p context $ \getkey ->
- property desc $ getkey a
 install writer ext key = do
 let f = "/etc/ssh/ssh_host_" ++ fromKeyType keytype ++ "_key" ++ ext
 s <- liftIO $ readFileStrict f
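Review bot: Nothing in the new `hostKey` verifies that the public key obtained from `getPubKey` corresponds to the private key obtained from the privdata, even though the two are now sourced independently (`install writeFile ".pub" k` versus `getkey $ install writeFileProtected ""`). A stale or mistyped `pubKey` would be written to `/etc/ssh/ssh_host_<type>_key.pub` and, presumably, published wherever `pubKey` is consumed (known_hosts or SSHFP records), while sshd presents the key derived from the private file, so clients would see a host-key mismatch with no warning from propellor. I would append a third property to the `combineProperties` list that derives the public key from the installed private key with `ssh-keygen -y -f`, compares the type and base64 fields with `k`, and returns `FailedChange` with a warning on mismatch, as sketched below (assuming a `readProcess`-style helper is already in scope in this module). The `Nothing` branch also deserves a one-line comment such as `-- a missing pubKey deliberately blocks the private key install` if `combineProperties` stops at the first failure, which I cannot confirm from this hunk. The `install` helper continues outside the hunk.

```haskell
hostKey keytype context = combineProperties desc
	-- … unchanged: pubKey and privdata properties …
	, property desc $ do
		pub <- M.lookup keytype <$> getPubKey
		-- the .pub file is configured independently of the private key;
		-- make sure sshd will actually present the key we publish
		derived <- liftIO $ readProcess "ssh-keygen" ["-y", "-f", privfile] ""
		case pub of
			Just k | take 2 (words k) == take 2 (words derived) -> return NoChange
			_ -> do
				warningMessage $ "ssh pubKey does not match private key " ++ show keytype
				return FailedChange
	] `onChange` restarted
  where
	privfile = "/etc/ssh/ssh_host_" ++ fromKeyType keytype ++ "_key"
	-- … unchanged: desc, install …
```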