refactored to be more flexible for different setups. Also, defines are

for actions to be taken multiple times on a single server, which
includes most monkeyshere configuration steps.

4 files changed, 152 insertions, 40 deletions

diff --git a/manifests/init.pp b/manifests/init.pp
index 2d4bd61..407313b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,77 +19,101 @@
 #
 # Class for monkeysphere management
 #
+
 class monkeysphere {
   # The needed packages
   package { monkeysphere: ensure => installed, }
 
+  include monkeysphere::defaults
+  file {
+    "/etc/monkeysphere/monkeysphere.conf":
+    mode => 644,
+    ensure => present,
+    content => template("monkeysphere/monkeysphere.conf.erb"),
+  }
+  file {
+    "/etc/monkeysphere/monkeysphere-host.conf":
+    mode => 644,
+    ensure => present,
+    content => template("monkeysphere/monkeysphere-host.conf.erb"),
+  }
+  file {
+    "/etc/monkeysphere/monkeysphere-authentication.conf":
+    mode => 644,
+    ensure => present,
+    content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
+  }
 }
 
-class monkeysphere::defaults inherits monkeysphere {
+class monkeysphere::defaults {
   $keyserver = $monkeysphere_keyserver ? {
-    '' => "pool.sks-keyservers.net",
-    default => $monkeysphere_keyserver,
+    '' => 'pool.sks-keyservers.net',
+    default => $monkeysphere_keyserver
   }
 }
 
-class monkeysphere::import_key inherits monkeysphere {
-  $key = "ssh://${fqdn}"
-  # Server host key import 
-  exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key":
+define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
+
+  # if we're getting a port number, prefix with a colon so it's valid
+  $port = $port ? {
+    '' => '',
+    default => ":$port"
+  }
+
+  $key = "${schema}://${fqdn}${port}"
+
+  exec { "monkeysphere-host import-key $path $key":
     alias => "monkeysphere-import-key",
-	  user    => "root",
-	  unless => "/usr/sbin/monkeysphere-host s | grep $key"
+	  require => [ Package["monkeysphere"] ],
+	  unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
   }
 }
 
 # Server host key publication
-class monkeysphere::publish_key inherits monkeysphere { 
-  include monkeysphere::defaults
-  $no_publish = $monkeysphere_no_publish ? {
-    '' => '',
-    default => $monkeysphere_no_publish
+define monkeysphere::publish_keys ( $keyid = '--all' ) { 
+  exec { "monkeysphere-host publish-keys $keyid":
+    environment => "MONKEYSPHERE_PROMPT=false",
+	  require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
   }
-  if $fqdn in $no_publish {
-    info("Not publishing $fqdn monkeysphere key")
-  } else {
-    exec { "/usr/sbin/monkeysphere-host publish-key":
-      environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ],
-      user    => "root",
-    }
+}
+
+# optionally, mail key somehwere 
+define monkeysphere::email_keys ( $email = 'root'  ) { 
+  exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+	  require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
   }
 }
 
 # add certifiers
-define monkeysphere::add_certifiers( $keyid ) {
-  include monkeysphere::defaults
-  exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid":
-	  environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ],
-	  user    => "root",
-	  require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
-	  unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid"
+define monkeysphere::add_id_certifier( $keyid ) {
+  exec { "monkeysphere-authentication add-id-certifier $keyid":
+	  environment => "MONKEYSPHERE_PROMPT=false",
+	  require => [ Package["monkeysphere"] ],
+	  unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
   }
 }
-define monkeysphere::root_authorized_user_ids( $file ) {
+
+define monkeysphere::authorized_user_ids( $source, $user = 'root', $group = $user, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids') {
   file {
-    "/root/.monkeysphere":
-      owner => "root",
-      group => "root",
+    $dest_dir:
+      owner => $user,
+      group => $group,
       mode => 755,
       ensure => directory,
   }
   file {
-    "/root/.monkeysphere/authorized_user_ids":
-      owner => "root",
-      group => "root",
+    "${dest_dir}/${dest_file}":
+      owner => $user,
+      group => $group,
       mode => 644,
-      source => "$file",
+      source => $source,
       ensure => present,
       recurse => true,
   }
-  exec { "/usr/sbin/monkeysphere-authentication update-users root":
-	  environment => "MONKEYSPHERE_KEYSERVER=$keyserver",
-	  user    => "root",
+
+  exec { "monkeysphere-authentication update-users $user":
 	  require => [ Package["monkeysphere"] ],
-    onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" 
+    refreshonly => true,
+    subscribe => File["${dest_dir}/${dest_file}"] 
   }
 }
diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb
new file mode 100644
index 0000000..1b13cfd
--- /dev/null
+++ b/templates/monkeysphere-authentication.conf.erb
@@ -0,0 +1,34 @@
+# Monkeysphere authentication configuration file.
+
+# This is an sh-style shell configuration file.  Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# OpenPGP keyserver
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
+# User who controls the monkeysphere 'sphere' keyring.
+#MONKEYSPHERE_USER=monkeysphere
+
+# Whether or not to query keyservers by default
+#CHECK_KEYSERVER=true
+
+# Path to authorized_user_ids file to process to create
+# authorized_keys file.  '%h' will be replaced by the home directory
+# of the user, and '%u' will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u, for instance.
+#AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
+#
+# Path to a user controlled authorized_keys file to be added to the
+# monkeysphere-generated authorized_keys file.  '%h' will be replaced
+# by the home directory of the user, and '%u' will by replaced by the
+# username of the user.  Setting this variable to 'none' prevents the
+# inclusion of user controlled authorized_keys file.
+#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
diff --git a/templates/monkeysphere-host.conf.erb b/templates/monkeysphere-host.conf.erb
new file mode 100644
index 0000000..418c696
--- /dev/null
+++ b/templates/monkeysphere-host.conf.erb
@@ -0,0 +1,15 @@
+# Monkeysphere host configuration file.
+
+# This is an sh-style shell configuration file.  Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# OpenPGP keyserver
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb
new file mode 100644
index 0000000..53e4b9e
--- /dev/null
+++ b/templates/monkeysphere.conf.erb
@@ -0,0 +1,39 @@
+# Monkeysphere system-wide client configuration file.
+
+# This is an sh-style shell configuration file.  Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# GPG home directory.  If not specified either here or in the
+# MONKEYSPHERE_GNUPGHOME environment variable, then the value of the
+# GNUPGHOME environment variable will be used.  If GNUPGHOME is not
+# set either, then the default value is listed below.
+#GNUPGHOME=~/.gnupg
+
+# GPG keyserver to search for keys.
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
+# Set whether or not to check keyservers at every monkeysphere
+# interaction, including all ssh connections if you use the
+# monkeysphere ssh-proxycommand.  Leave unset for default behavior
+# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false.
+# NOTE: setting CHECK_KEYSERVER explicitly to true will leak
+# information about the timing and frequency of your ssh connections
+# to the maintainer of the keyserver.
+#CHECK_KEYSERVER=true
+
+# The path to the SSH known_hosts file.
+#KNOWN_HOSTS=~/.ssh/known_hosts
+
+# Whether or not to hash the generated known_hosts lines.
+# Should be "true" or "false".
+#HASH_KNOWN_HOSTS=false
+
+# The path to the SSH authorized_keys file.
+#AUTHORIZED_KEYS=~/.ssh/authorized_keys