aboutsummaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
authorMicah <micah@riseup.net>2015-10-09 20:21:58 +0000
committerMicah <micah@riseup.net>2015-10-09 20:21:58 +0000
commitba81744a42548de60bb4f48c66a7e95cd050ad4a (patch)
tree664fea7e838b553ba0864b8dc61cc5323251c4c1 /manifests
parentf661c786095e99087773f01351cebe00837f68a7 (diff)
parent39631404dc41f706ad665ad2770e9c48b98a98fa (diff)
downloadpuppet-monkeysphere-master.tar.gz
puppet-monkeysphere-master.tar.bz2
Merge branch 'koumbit-sarava' into 'master' HEADmaster
merge the mayfirst, koumbit and sarava changes the monkeysphere module in shared is very old (2 years 4 months)! since then, sarava and koumbit have done significant work to improve on the module. mayfirst did changes to allow choosing a keyserver, added flexibility, user configs and so on. sarava fixed some bugs. koumbit merged both with the shared modules, did a style cleanup and autoloading, added RAW_AUTHORIZED_KEYS, silence some warnings and randomized cron jobs. this still fails in puppet 3.x, but is an improvement over what's already present. See merge request !1
Diffstat (limited to 'manifests')
-rw-r--r--manifests/add_id_certifier.pp8
-rw-r--r--manifests/auth_capable_user.pp44
-rw-r--r--manifests/authorized_user_ids.pp53
-rw-r--r--manifests/email_server_keys.pp9
-rw-r--r--manifests/import_key.pp20
-rw-r--r--manifests/init.pp70
-rw-r--r--manifests/owner_trust.pp25
-rw-r--r--manifests/publish_server_keys.pp7
-rw-r--r--manifests/publish_user_key.pp15
-rw-r--r--manifests/sshserver.pp10
10 files changed, 217 insertions, 44 deletions
diff --git a/manifests/add_id_certifier.pp b/manifests/add_id_certifier.pp
new file mode 100644
index 0000000..726551e
--- /dev/null
+++ b/manifests/add_id_certifier.pp
@@ -0,0 +1,8 @@
+# add certifiers
+define monkeysphere::add_id_certifier( $keyid ) {
+ exec { "monkeysphere-authentication add-id-certifier $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
+ unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
+ }
+}
diff --git a/manifests/auth_capable_user.pp b/manifests/auth_capable_user.pp
new file mode 100644
index 0000000..497407c
--- /dev/null
+++ b/manifests/auth_capable_user.pp
@@ -0,0 +1,44 @@
+# ensure that the user has a gpg key created and it is authentication capable
+# in the monkeysphere. This is intended to be the same as generated a
+# password-less ssh key
+#
+define monkeysphere::auth_capable_user (
+ $expire = "1y",
+ $length = "2048",
+ $uid_name = undef,
+ $email = undef ) {
+
+ $user = $title
+
+ # The goal is no passphrase, monkeysphere won't work without a passphrase.
+ $calculated_passphrase = $gpg_auto_password ? {
+ '' => 'monkeys',
+ default => $gpg_auto_password
+ }
+
+ $calculated_name = $uid_name ? {
+ '' => "$user user",
+ default => $uid_name
+ }
+ $calculated_email = $email ? {
+ '' => "$user@$fqdn",
+ default => $email
+ }
+ exec { "monkeysphere-gen-key-$user":
+ command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --list-secret-key | grep ^sec >/dev/null"
+ }
+
+ #FIXME - we should check expiration date and extend it if we're < n days before expiration
+
+ # handle auth subkey
+ exec { "monkeysphere-gen-subkey-$user":
+ command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
+ user => $user,
+ unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
+ }
+
+}
diff --git a/manifests/authorized_user_ids.pp b/manifests/authorized_user_ids.pp
new file mode 100644
index 0000000..09fd182
--- /dev/null
+++ b/manifests/authorized_user_ids.pp
@@ -0,0 +1,53 @@
+define monkeysphere::authorized_user_ids(
+ $user_ids,
+ $dest_dir = '/root/.monkeysphere',
+ $dest_file = 'authorized_user_ids',
+ $group = '') {
+
+ $user = $title
+ $calculated_group = $group ? {
+ '' => $user,
+ default => $group
+ }
+
+ # don't require user if it's root because root is not handled
+ # by puppet
+ case $user {
+ root: {
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
+ }
+ }
+ default: {
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
+ require => User[$user]
+ }
+ }
+ }
+
+ file {
+ "${dest_dir}/${dest_file}":
+ owner => $user,
+ group => $calculated_group,
+ mode => 644,
+ content => template('monkeysphere/authorized_user_ids.erb'),
+ ensure => present,
+ recurse => true,
+ require => File[$dest_dir]
+ }
+
+ exec { "monkeysphere-authentication update-users $user":
+ refreshonly => true,
+ require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ],
+ subscribe => File["${dest_dir}/${dest_file}"]
+ }
+}
diff --git a/manifests/email_server_keys.pp b/manifests/email_server_keys.pp
new file mode 100644
index 0000000..0a0bd4b
--- /dev/null
+++ b/manifests/email_server_keys.pp
@@ -0,0 +1,9 @@
+# optionally, mail key somehwere
+define monkeysphere::email_server_keys ( ) {
+ $email = $title
+ exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+ require => Package["monkeysphere"],
+ subscribe => Exec["monkeysphere-import-key"],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/import_key.pp b/manifests/import_key.pp
new file mode 100644
index 0000000..ba965ce
--- /dev/null
+++ b/manifests/import_key.pp
@@ -0,0 +1,20 @@
+define monkeysphere::import_key (
+ $scheme = 'ssh://',
+ $port = '',
+ $path = '/etc/ssh/ssh_host_rsa_key',
+ $hostname = $fqdn ) {
+
+ # if we're getting a port number, prefix with a colon so it's valid
+ $prefixed_port = $port ? {
+ '' => '',
+ default => ":$port"
+ }
+
+ $key = "${scheme}${fqdn}${prefixed_port}"
+
+ exec { "monkeysphere-host import-key $path $key":
+ alias => "monkeysphere-import-key",
+ require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ],
+ unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 6885b45..31c341d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,56 +19,50 @@
#
# Class for monkeysphere management
#
+
class monkeysphere(
$ssh_port = '',
- $publish_key = false,
- $ensure_version = 'installed'
+ $ensure_version = 'installed',
+ # if not false, will override the path for MONKEYSPHERE_RAW_AUTHORIZED_KEYS
+ # use 'none' to disable appending the authorized_keys file
+ # see monkeysphere-authentication for more information
+ $raw_authorized_keys = false,
+ $keyserver = 'pool.sks-keyservers.net'
) {
# The needed packages
- package{'monkeysphere':
+ package { 'monkeysphere':
ensure => $ensure_version,
}
- $port = $monkeysphere::ssh_port ? {
- '' => '',
- default => ":${monkeysphere::ssh_port}",
- }
-
$key = "ssh://${::fqdn}${port}"
- common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: }
+ modules_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: }
+
file {
+ # This was the old way which the module checked monkeysphere keys
'/usr/local/sbin/monkeysphere-check-key':
- ensure => present,
+ ensure => absent,
owner => root,
group => root,
- mode => '0755',
- content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=${key}' &> /dev/null || false",
- }
-
- # Server host key publication
- Exec{
- unless => '/usr/local/sbin/monkeysphere-check-key',
- user => 'root',
- require => [ Package['monkeysphere'], File['/usr/local/sbin/monkeysphere-check-key'] ],
- }
- case $monkeysphere::publish_key {
- false: {
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key}": }
- }
- 'mail': {
- $mail_loc = $::operatingsystem ? {
- 'centos' => '/bin/mail',
- default => '/usr/bin/mail',
- }
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key} && \
- ${mail_loc} -s 'monkeysphere host pgp key for ${::fqdn}' root < /var/lib/monkeysphere/host_keys.pub.pgp":
- }
- }
- default: {
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key} && \
- echo Y | /usr/sbin/monkeysphere-host publish-key":
- }
- }
+ mode => 0755,
+ content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false";
+ 'monkeysphere_conf':
+ path => '/etc/monkeysphere/monkeysphere.conf',
+ mode => 644,
+ ensure => present,
+ content => template('monkeysphere/monkeysphere.conf.erb'),
+ require => Package['monkeysphere'];
+ 'monkeysphere_host_conf':
+ path => '/etc/monkeysphere/monkeysphere-host.conf',
+ mode => 644,
+ ensure => present,
+ content => template('monkeysphere/monkeysphere-host.conf.erb'),
+ require => Package['monkeysphere'];
+ 'monkeysphere_authentication_conf':
+ path => '/etc/monkeysphere/monkeysphere-authentication.conf',
+ mode => 644,
+ ensure => present,
+ content => template('monkeysphere/monkeysphere-authentication.conf.erb'),
+ require => Package['monkeysphere'];
}
}
diff --git a/manifests/owner_trust.pp b/manifests/owner_trust.pp
new file mode 100644
index 0000000..0e0af7f
--- /dev/null
+++ b/manifests/owner_trust.pp
@@ -0,0 +1,25 @@
+define monkeysphere::owner_trust (
+ $fingerprint,
+ $user = 'root',
+ $level = 6 ) {
+
+ $keyserver_arg = $monkeysphere_keyserver ? {
+ '' => '',
+ default => "--keyserver $monkeysphere_keyserver"
+ }
+
+ # ensure the key is in the key ring
+ exec { "monkeysphere-gpg-recv-key-$user-$fingerprint":
+ command => "gpg $keyserver_arg --recv-key $fingerprint",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --list-key $fingerprint 2>&1 >/dev/null"
+ }
+ # provide ownertrust
+ exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint":
+ command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null"
+ }
+}
diff --git a/manifests/publish_server_keys.pp b/manifests/publish_server_keys.pp
new file mode 100644
index 0000000..33e070e
--- /dev/null
+++ b/manifests/publish_server_keys.pp
@@ -0,0 +1,7 @@
+# Server host key publication
+define monkeysphere::publish_server_keys ( $keyid = '--all' ) {
+ exec { "monkeysphere-host publish-keys $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ];
+ }
+}
diff --git a/manifests/publish_user_key.pp b/manifests/publish_user_key.pp
new file mode 100644
index 0000000..f76c408
--- /dev/null
+++ b/manifests/publish_user_key.pp
@@ -0,0 +1,15 @@
+define monkeysphere::publish_user_key ( ){
+ $user = $title
+
+ $keyserver_arg = $monkeysphere_keyserver ? {
+ '' => '',
+ default => "--keyserver $monkeysphere_keyserver"
+ }
+
+ exec { "monkeysphere-gpg-send-key-$user":
+ command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
+ user => $user,
+ }
+
+}
diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp
index 43c0f6f..a525b55 100644
--- a/manifests/sshserver.pp
+++ b/manifests/sshserver.pp
@@ -10,12 +10,10 @@ class monkeysphere::sshserver {
}
}
- file{'/etc/cron.d/update-monkeysphere-auth':
- ensure => present,
- source => 'puppet:///modules/monkeysphere/etc/cron.d/update-monkeysphere-auth',
+ cron {'update-monkeysphere-auth':
+ command => '/usr/sbin/monkeysphere-authentication update-users > /dev/null 2>&1',
+ user => root,
+ minute => fqdn_rand(60),
require => Package['monkeysphere'],
- mode => '0644',
- owner => root,
- group => root,
}
}