author Micah <micah@riseup.net> 2015-10-09 20:21:58 +0000
committer Micah <micah@riseup.net> 2015-10-09 20:21:58 +0000
commit ba81744a42548de60bb4f48c66a7e95cd050ad4a (patch)
tree 664fea7e838b553ba0864b8dc61cc5323251c4c1 /README
parent f661c786095e99087773f01351cebe00837f68a7 (diff)
parent 39631404dc41f706ad665ad2770e9c48b98a98fa (diff)
Merge branch 'koumbit-sarava' into 'master' (HEAD, master)

Merge the mayfirst, koumbit and sarava changes.

The monkeysphere module in shared is very old (2 years 4 months)! Since then, sarava and koumbit have done significant work to improve on the module. mayfirst did changes to allow choosing a keyserver, added flexibility, user configs and so on. sarava fixed some bugs. koumbit merged both with the shared modules, did a style cleanup and autoloading, added RAW_AUTHORIZED_KEYS, silenced some warnings and randomized cron jobs.

This still fails in puppet 3.x, but is an improvement over what's already present.

See merge request !1
Diffstat (limited to 'README')
-rw-r--r-- README 68
1 files changed, 57 insertions, 11 deletions
diff --git a/README b/README
index 569e512..e5f72e9 100644
--- a/README
+++ b/README
@@ -1,21 +1,65 @@
-puppet module for monkeysphere
+The monkeysphere puppet module is designed to help you manage your servers
+and users using the monkeysphere[0].
-for information about monkeysphere, see http://web.monkeysphere.info/
+To install the monkeypshere module, storeconfigs should be enabled in
+your puppet server to use certain features. See:
-To install the monkeypshere module:
+http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
-* storeconfigs should be enabled in your puppet server to use certain features.
- see: http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
+Example usage for server setup:
-* in node definitions that should export a ssh host key via
- monkeyshere, add:
+ # Assuming you are using the sshd puppet module...
+ $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u"
+ include sshd
- include monkeysphere::sshserver
+ # Optionally, indicate your preferred keyserver. You can specify a server
+ # under your control and not accessible to the public or
+ # pool.sks-keyservers.net if you want to publish to the public pool. The
+ # value you specify here will be used for all monkeysphere and gpg commands
+ $monkeysphere_keyserver = "zimmermann.mayfirst.org"
+ include monkeysphere
-* You can specify pgpids of identity certifiers:
+ # Ensure the server's ssh key is imported into your monkeysphere key ring
+ monkeysphere::import_key { "main": }
- identity_certifier { "A3AE44A4":
- ensure => present
+ # Optionally publish the server key to a keyserver (as indicated above)
+ monkeysphere::publish_server_keys { "main": }
+
+ # Optionally email the server key to your self
+ monkeysphere::email_server_keys { "we@ourdomain.org": }
+
+ # Be sure to sign the server's key!
+
+ # Indiciate the fingerprint of the gpg key that should be used
+ # to verify user ids. You can repeat this for as many certifiers
+ # as you need
+ monkeysphere::add_id_certifier { "jamie":
+ keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935"
+ }
+
+ # Indicate who should have root access on the server
+ monkeysphere::authorized_user_ids { "root":
+ user_ids => [ "sarah <sarah@ourgroup.org>" , "jose <josue@ourgroup.org" ]
+ }
+
+In addition, you may want to create a password-less key for a user to use
+when logging into another server (e.g. if you want automated backups from
+one server to another).
+
+Example usage for user setup:
+
+ # Ensure that the root user has authentication capable
+ # monkeysphere key
+ monkeysphere::auth_capable_user { "root": }
+
+ # Optionally publish the key
+ monkeysphere::publish_user_key { "root": }
+
+ # Grant full trust to a gpg key so the root user can properly
+ # authenticate servers to which it connects
+ # You can run this as many times as you want
+ monkeysphere::owner_trust { "jamie":
+ fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"
}
A host can be configured as a host you would use to sign the gpg keys by placing:
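Review bot: the authorized_user_ids example is broken on its user_ids line: "jose <josue@ourgroup.org" is missing the closing ">" and the name and address disagree (jose vs. josue), so the string will not match the user id as certified on the key and that person will not get the root access the comment promises; suggest "jose <jose@ourgroup.org>". In the same hunk, "monkeypshere" and "Indiciate" are typos, and the two certifier resources are inconsistent about the key reference: add_id_certifier takes a 40-hex fingerprint through a parameter named keyid while owner_trust calls the same kind of value fingerprint. Since the removed example used an 8-hex short id ("A3AE44A4") and the new one a full fingerprint, the README should state explicitly that the full fingerprint is what to supply, as short ids are not unique. "# Be sure to sign the server's key!" should say with which key and how, since the certifier's signature on the host key is what lets clients verify the server at all. Finally, the RAW_AUTHORIZED_KEYS feature named in the merge description is not documented anywhere in this README.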
@@ -26,3 +70,5 @@ into the node definition. ON this host, a file will be placed in
/var/lib/puppet/modules/monkeysphere/hosts for each host configured as a
sshserver. Each file will contin the gpg id, the gpg fingerprint, and
the ssh fingerprint of the sshserver.
+
+0. http://monkeysphere.info/
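Review bot: the new footnote target "http://monkeysphere.info/" does not match the "http://web.monkeysphere.info/" link the first hunk removes; pick one canonical URL so readers are not sent to two different hosts. The context lines carried into this hunk still read "ON this host" and "contin" (for "contain"); since the README is being rewritten in this commit anyway, fixing them here would be cheap.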