Keith edited this page Jan 23, 2020 · 25 revisions

Goss provides a simple and efficient healthcheck. This installation adds a user but not a home directory.

(not tested)

```
# Add SSH key here (or substitute username)
GOSS_SSH_KEY=${SSH_keith_id_ed25519}
# ./goss_v0.2/pkg/scripts/install.sh is run under the user chosen here (goss).
# - installs a symlink to itself in the user's ~/bin
# The user can use goss according to their access rights
# The user can be given privileged but restricted ssh access
# In theory the user doesn't even need a home dir

storage.files[+]:
    path: /opt/inbox/trusted/root/goss_v0.2.tar.gz
    mode: 0644
    contents:
        source: https://github.com/keithy/portable_goss/archive/goss_v0.2-fedora31-x86_64.tar.gz
        verification:
            hash: sha512-92e20561ca0152cd44e2b03a5e13720eda38bec0597645db5625061b874b5f3490aa03de81e8b350fc3bc219484853895cdd87eff1013683b73b01b6268c20d5

storage.files[+]:
    path: /etc/ssh/sshd_config.d/extra_keys.conf
    mode: 0600
    contents:
        inline: |
            # Added from ignition
            Match User goss
                AuthorizedKeysFile /etc/ssh/sshd_config.d/authorized-keys_%u

storage.files[+]:
    path: /etc/ssh/sshd_config.d/authorized-keys_goss
    mode: 0644
    user:
        id: 111
    contents:
        inline: |
            command="sudo /usr/local/lib/goss/pkg/usr/local/bin/goss -g /etc/goss/goss.yaml validate $SSH_ORIGINAL_COMMAND" ${GOSS_SSH_KEY}

# Healthz Check User
passwd.users[+]:
    name: goss # health check
    uid: 111
    system: true
    no_create_home: true
    no_user_group: true
    groups:
    - sudo
```
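
The `authorized-keys_goss` entry above expands `$SSH_ORIGINAL_COMMAND` unquoted, so every word the SSH client sends becomes an extra argument to `goss validate` running under sudo. The following is an added example, not part of the original page or of portable_goss: a forced-command wrapper that accepts only an optional `--format <name>`. The wrapper path, the `--serve` switch and the format allowlist are assumptions; check the allowlist against `goss validate --help` for the installed version.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the goss health-check key.
# Hypothetical install path: /usr/local/bin/goss-validate-wrapper
# The key line in authorized-keys_goss would then become:
#   restrict,command="/usr/local/bin/goss-validate-wrapper --serve" <public key>

GOSS_BIN=/usr/local/lib/goss/pkg/usr/local/bin/goss  # path from the page
GOSS_FILE=/etc/goss/goss.yaml                        # path from the page

# Check the string the SSH client asked to run.
# Accepts nothing at all, or "--format <name>" / "-f <name>" with an
# allowlisted name. Prints the normalized arguments; returns 1 otherwise.
goss_client_args() {
    requested=$1
    set -f                 # no filename expansion while splitting into words
    set -- $requested
    set +f
    case $# in
        0) return 0 ;;     # plain "validate", no extra arguments
        2) ;;
        *) return 1 ;;
    esac
    case $1 in
        --format|-f) ;;
        *) return 1 ;;
    esac
    case $2 in
        documentation|json|junit|nagios|rspecish|tap|silent)
            printf '%s %s\n' --format "$2" ;;
        *) return 1 ;;
    esac
}

serve() {
    if args=$(goss_client_args "${SSH_ORIGINAL_COMMAND:-}"); then
        # $args is empty or one allowlisted pair, so splitting it is safe.
        exec sudo "$GOSS_BIN" -g "$GOSS_FILE" validate $args
    fi
    echo "rejected: only an optional --format <name> is accepted" >&2
    exit 2
}

# Only act when sshd invokes the wrapper with --serve (hypothetical switch).
if [ "${1:-}" = "--serve" ]; then serve; fi
```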
