From 1f1962afc2839da75c6d77c228c6b74a178c06a5 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 30 Jun 2011 16:29:37 -0300
Subject: Managing ekeyd.conf as a template
---
 files/ekeyd.conf | 89 ----------------------------------------
 manifests/base.pp | 5 ++-
 templates/ekeyd.conf_lenny.erb | 88 ++++++++++++++++++++++++++++++++++++++++
 templates/ekeyd.conf_squeeze.erb | 89 ++++++++++++++++++++++++++++++++++++++++
 templates/ekeyd_default.conf | 89 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 270 insertions(+), 90 deletions(-)
 delete mode 100644 files/ekeyd.conf
 create mode 100644 templates/ekeyd.conf_lenny.erb
 create mode 100644 templates/ekeyd.conf_squeeze.erb
 create mode 100644 templates/ekeyd_default.conf
diff --git a/files/ekeyd.conf b/files/ekeyd.conf
deleted file mode 100644
index 76a36f1..0000000
--- a/files/ekeyd.conf
+++ /dev/null
@@ -1,89 +0,0 @@
--- -*- Lua -*-
-
--- Sample configuration file for ekeyd
-
--- -----------------------------------------------[ General setup ]-----
-
--- If you want a TCP control socket on 127.0.0.1 then uncomment this
--- command.
--- Please note that there is no protection on a TCP socket, anyone on
--- the box can connect to it and there is no authentication process.
--- TCPControlSocket "1234"
-
--- The unix control socket is typically what we use
-UnixControlSocket "/var/run/ekeyd.sock"
-
--- The keyring contains the keys for the long-term rekey If you change
--- this location from the default then be aware that the
--- long-term-rekey tool may not work.
-Keyring "/etc/entropykey/keyring"
-
--- The daemon background operation may be supressed. In this mode the
--- daemon will run in the foreground and the controlling tty will not
--- be released.
--- Daemonise(false)
-
--- -------------------------------------------------[ Output Mode ]-----
-
--- Only one output mode is permitted to be active. Typically on Linux
--- that would be the kernel output mode, however instead you can opt
--- to use the EGD interface. Various other daemons then support taking
--- EGD interfaces and adding entropy to the kernel instead, allowing
--- multiple clients to retrieve entropy by various means.
-
--- The SetOutputToKernel option places all the gathered entropy into
--- the kernel pool. The data placed into the kernel pool is
--- conservatively estimated to contain 7 shannons of entropy per byte
--- added.
--- Note that the data coming from the UDEKEY01 should have one Shannon
--- of entropy per bit so this value could quite safely be set to
--- 8. The default value only has the effect of reducing the rate
--- entropy is mixed into the kernel pool and no other adverse
--- affect. This default is selected as an conservative choice which is
--- generally preferable when dealing with random sources.
-SetOutputToKernel(7)
-
--- The daemon may support the EGD (Entropy Gathering Daemon) socket
--- protocol. There are two choice to create either a TCP or Unix
--- socket which speaks the EGD protocol.
--- Note that you cannot have kernel output *and* EGD output, they are
--- mutually exclusive.
--- The EGD protocol support assumes entropy coming off the ekeys is at
--- the level of 8 shannons per byte and this cannot be changed as it
--- is a limitation of the EGD protocol itself. The TCP socket can be
--- given an optional parameter to specify the IP address to bind to.
--- It will default to 127.0.0.1 if not specified.
-
--- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
--- EGDUnixSocket "/etc/entropy"
-
--- EGDUnixSocket can optionally take an octal mode string and
--- username and group to chmod and chown the socket to.
--- If you do not wish to change the user or group, use empty strings.
--- You cannot change the user/group without also providing a mode string.
--- The default is to leave the user/group alone and set the socket to
--- mode 0600
--- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
-
--- The SetOutputToFile option writes all gathered entropy to the named
--- file. No additional processing is performed. The output file must
--- exist before the daemon is run. This option is generally only
--- useful if the user wishes to gather data for subsequent testing.
--- Note as with all the other output options this may be the only
--- output selection and may not be used with either the kernel or EGD
--- output enabled.
-
--- SetOutputToFile "/tmp/entropy"
-
--- -----------------------------------------------[ Device Config ]-----
-
--- Add entropy keys from /dev/entropykey where our default udev rules
--- will place symbolic links (on GNU/Linux operating systems).
-AddEntropyKeys "/dev/entropykey"
--- Also add keys from /var/run/entropykeys where the UNIX domain socket
--- rules will place sockets if using them.
-AddEntropyKeys "/var/run/entropykeys"
--- On OpenBSD/MirBSD you will probably need to use something like this
--- instead (match the device minor (here: 0) with the ucom(4) instance
--- your umodem(4) device attaches to):
--- AddEntropyKey "/dev/cuaU0"
diff --git a/manifests/base.pp b/manifests/base.pp
index 34c1cb8..10961a3 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -5,7 +5,10 @@ class ekeyd::base { } file{'/etc/entropykey/ekeyd.conf': - source => 'puppet:///modules/ekeyd/ekeyd.conf', + content => $operatingsystem ? { + 'debian' => template("ekeyd/ekeyd.conf_${lsbdistcodename}.erb"), + default => template("ekeyd/ekeyd.conf_default.erb"), + }, require => Package['ekeyd'], notify => Service['ekeyd'], owner => root, group => 0, mode => 0644;
diff --git a/templates/ekeyd.conf_lenny.erb b/templates/ekeyd.conf_lenny.erb
new file mode 100644
index 0000000..ba22536
--- /dev/null
+++ b/templates/ekeyd.conf_lenny.erb
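Review bot: The `default` arm of the selector calls `template("ekeyd/ekeyd.conf_default.erb")`, but the file this commit adds is `templates/ekeyd_default.conf`, so any node whose `$operatingsystem` does not match `'debian'` fails catalog compilation with a missing template; rename the new file to `templates/ekeyd.conf_default.erb` (or change the call) so the two agree. The Debian arm likewise assumes a template exists for every `$lsbdistcodename`, and the commit only adds lenny and squeeze, so a newer codename fails the same way; a selector on `$lsbdistcodename` with its own `default` fallback would avoid that. Facter reports the fact as `Debian` with a capital D, and whether `'debian'` matches depends on how the targeted Puppet release compares strings in selectors, so that is worth confirming rather than assuming. The enclosing `file` resource and `class ekeyd::base` continue outside the hunk.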
@@ -0,0 +1,88 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDTCPSocket(<%= has_variable?("ekeyd_port") ? ekeyd_port : '8888' %>, "<%= has_variable?("ekeyd_address") ? ekeyd_address : '127.0.0.1' %>")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links.
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+
+
diff --git a/templates/ekeyd.conf_squeeze.erb b/templates/ekeyd.conf_squeeze.erb
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/templates/ekeyd.conf_squeeze.erb
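Review bot: The templated `EGDTCPSocket(<%= has_variable?("ekeyd_port") ? ekeyd_port : '8888' %>, "<%= has_variable?("ekeyd_address") ? ekeyd_address : '127.0.0.1' %>")` line is itself a Lua comment (it keeps the `-- ` prefix), so `ekeyd_port` and `ekeyd_address` are interpolated into dead text and setting them changes nothing in the rendered config; either drop the ERB or make the line active behind a third variable and say so in a comment. Because the rendered file is executed by ekeyd as Lua and the file's own header states the TCP sockets carry no authentication, whatever eventually un-comments it should keep the address default at loopback and check that `ekeyd_port` is an integer before it is interpolated. The template also ends in two empty lines, which is harmless but differs from the other two templates.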
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/templates/ekeyd_default.conf b/templates/ekeyd_default.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/templates/ekeyd_default.conf
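Review bot: This template contains no ERB at all and is byte-for-byte the deleted `files/ekeyd.conf` (both sit at blob `76a36f1`), so the `ekeyd_port`/`ekeyd_address` handling that the lenny template carries does not apply on squeeze and the two Debian releases now render from diverging sources; if the variables are meant to be honoured, add the same `EGDTCPSocket` line here, and if not, the static file could have stayed as a `source`. `templates/ekeyd_default.conf` is a third identical copy of the same content, which triples the maintenance surface for what is a one-line difference between the variants.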
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
-- cgit v1.2.3