-rw-r--r-- | files/debian/default | 5 | ||||
-rw-r--r-- | manifests/base.pp | 7 | ||||
-rw-r--r-- | manifests/egd/debian.pp | 27 | ||||
-rw-r--r-- | manifests/egd/nagios.pp | 5 | ||||
-rw-r--r-- | manifests/host/debian.pp | 18 | ||||
-rw-r--r-- | manifests/nagios.pp | 5 | ||||
-rw-r--r-- | manifests/tunnel.pp | 92 | ||||
-rw-r--r-- | templates/ekeyd-egd-linux.default.erb | 24 |
8 files changed, 183 insertions, 0 deletions
diff --git a/files/debian/default b/files/debian/default
new file mode 100644
index 0000000..8ce76c3
--- /dev/null
+++ b/files/debian/default
@@ -0,0 +1,5 @@
+# THIS FILE MANAGED BY PUPPET
+
+# Change to NO to prevent ekeyd starting on boot
+START_EKEYD=YES
+
diff --git a/manifests/base.pp b/manifests/base.pp
index 10961a3..2826d33 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,6 +4,13 @@ class ekeyd::base {
 ensure => installed,
 }
+ # TODO (from riseup code)
+ # * eventually it would be cool if we could have two classes: one for
+ # SetOutputToKernel and one for EGDTCPSocket. But for now we're just going
+ # to have puppet deliver the ekeyd.conf file.
+ # * ekeyd will be setup to feed output to whatever is configured in the
+ # variables: $ekeyd_address and $ekeyd_port with the defaults being
+ # 127.0.0.1 and 8888
 file{'/etc/entropykey/ekeyd.conf':
 content => $operatingsystem ? {
 'debian' => template("ekeyd/ekeyd.conf_${lsbdistcodename}.erb"),
diff --git a/manifests/egd/debian.pp b/manifests/egd/debian.pp
new file mode 100644
index 0000000..1c2c37d
--- /dev/null
+++ b/manifests/egd/debian.pp
@@ -0,0 +1,27 @@
+class egd::debian inherits ekeyd::egd {
+ if ( $virtual == "vserver" ) {
+ fail("This class shouldn't be included on vservers")
+ }
+
+ Package["ekeyd-egd-linux"] {
+ ensure => $lsbdistcodename ? {
+ "lenny" => "1.1.3-3~bpo50+1",
+ default => 'installed'
+ }
+ }
+
+ Service["egd-linux"] {
+ ensure => running,
+ hasrestart => true,
+ pattern => '/usr/sbin/ekeyd-egd-linux',
+ subscribe => File["/etc/default/ekeyd-egd-linux"];
+ }
+
+ file { "/etc/default/ekeyd-egd-linux":
+ content => template("ekeyd/ekeyd-egd-linux.default"),
+ mode => 644,
+ owner => root,
+ group => root,
+ require => Package["ekeyd-egd-linux"];
+ }
+}
diff --git a/manifests/egd/nagios.pp b/manifests/egd/nagios.pp
new file mode 100644
index 0000000..7798508
--- /dev/null
+++ b/manifests/egd/nagios.pp
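Review bot: The `content => template("ekeyd/ekeyd-egd-linux.default")` line in egd/debian.pp names the template without its `.erb` suffix, while the file this commit adds is `templates/ekeyd-egd-linux.default.erb` and base.pp in the same commit references `ekeyd.conf_${lsbdistcodename}.erb`; unless a second, suffix-less template exists outside this diff, the `template()` lookup will fail at catalog compile time and `/etc/default/ekeyd-egd-linux` is never written. Changing it to `content => template("ekeyd/ekeyd-egd-linux.default.erb"),` matches the rest of the module. While there, `mode => 644` is an unquoted bare number; quoting it as `mode => '0644',` avoids the octal/decimal ambiguity that later Puppet releases warn about. The trailing `;` after the `subscribe` attribute inside the `Service["egd-linux"]` override is worth checking against the parser in use, since override bodies take comma-separated attributes; the `;` at the end of the `file` resource body below is the ordinary resource-instance terminator and is fine.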
@@ -0,0 +1,5 @@
+class ekeyd::egd::nagios {
+ nagios::service { "ekeyd-egd-linux":
+ check_command => "nagios-stat-proc!/usr/sbin/ekeyd-egd-linux!1!1!proc",
+ }
+}
diff --git a/manifests/host/debian.pp b/manifests/host/debian.pp
index a457ae7..773d84d 100644
--- a/manifests/host/debian.pp
+++ b/manifests/host/debian.pp
@@ -1,3 +1,21 @@
 class ekeyd::host::debian inherits ekeyd::host::base {
 package { "usbutils": ensure => installed }
+
+ if ( $virtual == "vserver" ) or ( $virtual == "xenu" ) {
+ fail("This class shouldn't be included on vservers or xen domUs")
+ }
+
+ file { "/etc/default/ekeyd":
+ source => "puppet:///modules/ekeyd/debian/ekeyd.default",
+ mode => 644,
+ owner => root,
+ group => root,
+ require => File["/etc/entropykey/ekeyd.conf"];
+ }
+
+ Service["ekeyd"] {
+ subscribe => [ File["/etc/default/ekeyd"], File["/etc/entropykey/ekeyd.conf"] ];
+ pattern => '/usr/sbin/ekeyd',
+ hasrestart => true,
+ }
 }
diff --git a/manifests/nagios.pp b/manifests/nagios.pp
new file mode 100644
index 0000000..5f045d7
--- /dev/null
+++ b/manifests/nagios.pp
@@ -0,0 +1,5 @@
+class ekeyd::nagios {
+ nagios::service { "ekeyd":
+ check_command => "nagios-stat-proc!/usr/sbin/ekeyd!1!1!proc";
+ }
+}
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
new file mode 100644
index 0000000..ccb3ecd
--- /dev/null
+++ b/manifests/tunnel.pp
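Review bot: The `source => "puppet:///modules/ekeyd/debian/ekeyd.default"` line in host/debian.pp points at a file this commit does not add: the new file is `files/debian/default`, which the module file server exposes as `puppet:///modules/ekeyd/debian/default`. Unless an `ekeyd.default` already exists in the module's files directory, the `file { "/etc/default/ekeyd": ... }` resource will fail on every run and the `Service["ekeyd"]` override that subscribes to it will never be notified; either rename the shipped file or use `source => "puppet:///modules/ekeyd/debian/default",`. In the `Service["ekeyd"]` override the `subscribe` attribute ends with `;` while the following two end with `,`; override bodies are comma-separated, so `subscribe => [ File["/etc/default/ekeyd"], File["/etc/entropykey/ekeyd.conf"] ],` is the safer form. As in egd/debian.pp, `mode => 644` should be quoted as `mode => '0644',`.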
@@ -0,0 +1,92 @@
+class ekeyd-tunnel {
+
+ include site-stunnel
+
+ # set the ekeyd bind address/port that the actual ekeyd will use and this
+ # tunnel will connect to
+ $ekeyd_address = '127.0.0.1'
+ $ekeyd_port = '8889'
+
+ # the ekeyd class ensures that we're not on a vserver or xen domU
+ # so we're either on a vhost, a xen dom0, or a plain old machine, all of
+ # which might be places we'd want to run this class
+ include ekeyd
+
+ # stunnel service that listens on pn 8888/SSL and sends to localhost
+ # 8889/nonSSL
+ stunnel::service {
+ "ekeyd":
+ accept => "${ekeyd_tunnel_address}:8888",
+ connect => "127.0.0.1:8889",
+ client => false,
+ chroot => false,
+ pid => "/var/run/stunnel4/ekeyd.pid",
+ cafile => "/etc/certs/roots/${domain}.pem",
+ cert => "/etc/certs/stunnel/certs/${fqdn}/${fqdn}_server.crt",
+ key => "/etc/certs/stunnel/keys/${fqdn}/${fqdn}_server.key",
+ verify => "2",
+ rndfile => "/var/lib/stunnel4/.rnd",
+ debuglevel => "4";
+ }
+
+}
+
+class egd-tunnel {
+
+ include site-stunnel
+
+ # set the ekeyd bind address that egd will connect to, which is stunnel on
+ # localhost, then the tunnel will connect to the tunnel on the ekeyd server
+ $ekeyd_address = '127.0.0.1'
+
+ # the egd class ensures that we're not on a vserver, so we're either
+ # on a vhost, a xen dom0, a xen domU, or a plain old machine, all of
+ # which might be places we'd want to run this class
+ include egd
+
+ # stunnel service that listens on localhost 8888/nonSSL and sends to
+ # pn 8888/SSL on the ekeyd server
+ stunnel::service {
+ "egd":
+ accept => "127.0.0.1:8888",
+ connect => "${ekeyd_tunnel_address}:8888",
+ client => true,
+ chroot => false,
+ pid => "/var/run/stunnel4/egd.pid",
+ cafile => "/etc/certs/roots/${domain}.pem",
+ cert => "/etc/certs/stunnel/certs/${fqdn}/${fqdn}_client.crt",
+ key => "/etc/certs/stunnel/keys/${fqdn}/${fqdn}_client.key",
+ verify => "2",
+ rndfile => "/var/lib/stunnel4/.rnd",
+ debuglevel => "4";
+ }
+
+ # egd needs stunnel to be up, 
but by default egd starts before stunnel
+ # (both are started at rc2.d/s20). So we need to adjust egd.
+ # See #576387
+
+ # On machines where we use loop-aes, we need to move egd to
+ # runlevel 3 (since stunnel starts there too since it needs the certs
+ # in /crypt). Unfortunately we don't have a variable to tell us
+ # if a machine is running loop-aes. But since all of our machines
+ # use either dmcrypt or loop-aes and we have a way to know if they
+ # are using the former, then we can just do all machines NOT using
+ # dmcrypt. If someone ends up using this on machines without
+ # encryption, this will break.
+ if ( ! $root_is_encrypted ) {
+ # We're on a loop-aes machine
+ exec {
+ "fix_egd_priority":
+ command => "/bin/sh -c 'update-rc.d -f ekeyd-egd-linux remove && update-rc.d ekeyd-egd-linux start 21 3 . stop 21 0 1 2 4 5 6 .'",
+ onlyif => '/usr/bin/test -L /etc/rc3.d/S20ekeyd-egd-linux';
+ }
+ }
+ else {
+ # We're on a dmcrypt machine
+ exec {
+ "fix_egd_priority":
+ command => "/bin/sh -c 'update-rc.d -f ekeyd-egd-linux remove && update-rc.d ekeyd-egd-linux defaults 21'",
+ onlyif => '/usr/bin/test -L /etc/rc3.d/S20ekeyd-egd-linux';
+ }
+ }
+}
diff --git a/templates/ekeyd-egd-linux.default.erb b/templates/ekeyd-egd-linux.default.erb
new file mode 100644
index 0000000..33f1a7b
--- /dev/null
+++ b/templates/ekeyd-egd-linux.default.erb
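Review bot: Both `stunnel::service` resources in tunnel.pp interpolate `$ekeyd_tunnel_address`, which nothing in this file sets or checks; if it is unset on a node, the Puppet of this era most likely interpolates an empty string, so the server side would get `accept => ":8888"` — plausibly a listener on every interface rather than the one address intended — and the client side a connect string with no host. A guard at the top of each class, e.g. `if ! $ekeyd_tunnel_address { fail("ekeyd_tunnel_address must be set") }`, turns that into a compile-time error instead of a silently wider bind. `ekeyd-tunnel` also assigns `$ekeyd_address`/`$ekeyd_port` and then hardcodes the same values again in `connect => "127.0.0.1:8889"`; `connect => "${ekeyd_address}:${ekeyd_port}",` keeps the two from drifting, and `egd-tunnel` would likewise read more clearly with an explicit `$ekeyd_port = '8888'` rather than relying on the template's commented-out `#PORT=8888` default. The class names `ekeyd-tunnel` and `egd-tunnel` contain hyphens, which the module's other classes avoid (`ekeyd::nagios`, `ekeyd::egd::nagios`) and which later Puppet parsers reject outright.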
@@ -0,0 +1,24 @@
+# THIS FILE MANAGED BY PUPPET
+
+# Change to YES to allow ekeyd-egd-linux to start. Ensure the below are
+# correctly configured first though.
+START_EKEYD_EGD_LINUX=YES
+
+# Change this if you want it to be something other than the default
+HOST=<%= has_variable?("ekeyd_address") ? ekeyd_address : '127.0.0.1' %>
+<%= has_variable?("ekeyd_port") ? 'PORT=' + ekeyd_port : '#PORT=8888' %>
+
+# Number of bits minimum in the pool, below which the daemon will kick in
+# and transfer data from the EGD to the pool (providing it's available)
+WATERMARK=1024
+
+# Number of 1024 bit (128 byte) blocks to transfer to the kernel each
+# time it dips below the low water mark.
+# BLOCKS=3
+
+# How many shannons-per-byte to claim for data pushed to the pool
+# SHANNONS=7
+
+# by default egd exits if it dies, instead we want to try to reconnect
+RETRYTIME=20
+
|