Keith edited this page Jan 25, 2020 · 13 revisions

Goss provides a simple and efficient healthcheck. This installation adds a user but not a home directory.

(not tested)

# Add SSH key here (or substitute username)
GOSS_SSH_KEY=${SSH_keith_id_ed25519}
# ./goss_v0.2/pkg/scripts/install.sh is run under the user chosen here (goss).
# - installs a symlink to itself in the user's ~/bin
# The user can use goss according to their access rights
# The user can be given privileged but restricted ssh access
# In theory the user doesn't even need a home dir

storage.files[+]:
    path: /opt/inbox/trusted/root/goss_v0.2.tar.gz
    mode: 0644
    contents:
        source: https://github.com/keithy/portable_goss/archive/goss_v0.2-fedora31-x86_64.tar.gz
        verification:
            hash: sha512-1dd464fd0f0ef80b6daa8caa24f93cbb660b746e338471f4163c6b9defe4eacfa6bd046676be6829a4485f6a06b3234a093399f87eb192478b61d18cc9a8b0e9

storage.files[+]:
    path: /etc/ssh/sshd_config.d/extra_keys.conf
    mode: 0600
    contents:
        inline: |
            # Added from ignition
            Match User goss
                AuthorizedKeysFile /etc/ssh/sshd_config.d/authorized-keys_%u

storage.files[+]:
    path: /etc/ssh/sshd_config.d/authorized-keys_goss
    mode: 0644
    user:
        id: 111
    contents:
        inline: |
            command="sudo /usr/local/lib/goss/pkg/usr/local/bin/goss -g /etc/goss/goss.yaml validate $SSH_ORIGINAL_COMMAND" ${GOSS_SSH_KEY}

# Healthz Check User
passwd.users[+]:
    name: goss # health check
    uid: 111
    system: true
    no_create_home: true
    no_user_group: true
    groups:
    - sudo
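
The forced command in authorized-keys_goss expands $SSH_ORIGINAL_COMMAND unquoted, so any text the client sends is word-split into extra arguments of the sudo goss call. The wrapper below is an added example, not part of the original page: it maps the client's request to a fixed set of output formats before goss runs. The script name, its --serve argument and the format allowlist are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the goss health-check key.
# Assumed install path: /usr/local/bin/goss-ssh (hypothetical), referenced as
#   command="/usr/local/bin/goss-ssh --serve" <key>
# in /etc/ssh/sshd_config.d/authorized-keys_goss.

GOSS_BIN=/usr/local/lib/goss/pkg/usr/local/bin/goss  # path from the page
GOSS_FILE=/etc/goss/goss.yaml                        # path from the page

# Map the text the SSH client sent to one fixed goss output format.
# Prints the format and returns 0 when accepted, returns 1 for anything else.
# The allowlist is an assumption; trim it to what the monitoring side needs.
goss_format_for() {
    case "$1" in
        "")            echo rspecish ;;   # no request: goss default format
        json)          echo json ;;
        tap)           echo tap ;;
        nagios)        echo nagios ;;
        documentation) echo documentation ;;
        *)             return 1 ;;        # extra flags, paths, metacharacters
    esac
}

# Validate the request, then run goss with arguments built only from constants.
run_forced_command() {
    fmt=$(goss_format_for "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "goss-ssh: request not allowed" >&2
        return 2
    }
    exec sudo "$GOSS_BIN" -g "$GOSS_FILE" validate --format "$fmt"
}

# Only act when sshd invokes the wrapper with --serve.
if [ "${1:-}" = "--serve" ]; then
    run_forced_command
    exit $?
fi
```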
