| field | value | date |
|---|---|---|
| author | Micah <micah@riseup.net> | 2015-10-09 20:21:58 +0000 |
| committer | Micah <micah@riseup.net> | 2015-10-09 20:21:58 +0000 |
| commit | ba81744a42548de60bb4f48c66a7e95cd050ad4a (patch) | |
| tree | 664fea7e838b553ba0864b8dc61cc5323251c4c1 /manifests/auth_capable_user.pp | |
| parent | f661c786095e99087773f01351cebe00837f68a7 (diff) | |
| parent | 39631404dc41f706ad665ad2770e9c48b98a98fa (diff) | |
| download | puppet-monkeysphere-ba81744a42548de60bb4f48c66a7e95cd050ad4a.tar.gz puppet-monkeysphere-ba81744a42548de60bb4f48c66a7e95cd050ad4a.tar.bz2 | |
merge the mayfirst, koumbit and sarava changes
the monkeysphere module in shared is very old (2 years 4 months)! since then, sarava and koumbit have done significant work to improve on the module.
mayfirst made changes to allow choosing a keyserver, added flexibility, user configs and so on.
sarava fixed some bugs.
koumbit merged both with the shared modules, did a style cleanup and autoloading, added RAW_AUTHORIZED_KEYS, silenced some warnings and randomized cron jobs.
this still fails in puppet 3.x, but is an improvement over what's already present.
See merge request !1
Diffstat (limited to 'manifests/auth_capable_user.pp')
-rw-r--r-- | manifests/auth_capable_user.pp | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/manifests/auth_capable_user.pp b/manifests/auth_capable_user.pp new file mode 100644 index 0000000..497407c --- /dev/null +++ b/manifests/auth_capable_user.pp @@ -0,0 +1,44 @@ +# ensure that the user has a gpg key created and it is authentication capable +# in the monkeysphere. This is intended to be the same as generated a +# password-less ssh key +# +define monkeysphere::auth_capable_user ( + $expire = "1y", + $length = "2048", + $uid_name = undef, + $email = undef ) { + + $user = $title + + # The goal is no passphrase, monkeysphere won't work without a passphrase. + $calculated_passphrase = $gpg_auto_password ? { + '' => 'monkeys', + default => $gpg_auto_password + } + + $calculated_name = $uid_name ? { + '' => "$user user", + default => $uid_name + } + $calculated_email = $email ? { + '' => "$user@$fqdn", + default => $email + } + exec { "monkeysphere-gen-key-$user": + command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --list-secret-key | grep ^sec >/dev/null" + } + + #FIXME - we should check expiration date and extend it if we're < n days before expiration + + # handle auth subkey + exec { "monkeysphere-gen-subkey-$user": + command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey", + require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], + user => $user, + unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null" + } + +} |
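Review bot: the `$expire` and `$length` parameters of `monkeysphere::auth_capable_user` are accepted but never used; the `printf` in `Exec["monkeysphere-gen-key-$user"]` hard-codes `Key-Length: 2048`, `Subkey-Length: 2048` and `Expire-Date: 1y`, so a caller passing `length => '4096'` or `expire => '2y'` silently gets a 2048-bit key that expires in one year. Interpolate them (`Key-Length: $length`, `Subkey-Length: $length`, `Expire-Date: $expire`) or drop the parameters. Two further points in the same exec block. First, the passphrase: when `$gpg_auto_password` is empty the selector falls back to the fixed string `'monkeys'`, so every host managed without that variable set shares one well-known passphrase, and in both execs it is passed on the command line through `printf '...Passphrase: $calculated_passphrase...' | gpg --batch --gen-key` and `printf '$calculated_passphrase\n' | monkeysphere gen-subkey`, which exposes it in the process list while the exec runs and in Puppet logs and reports that record the command; prefer `fail()`ing when no passphrase is configured, or write the batch parameters to a mode-0600 temporary file and pass the passphrase via `--passphrase-fd` rather than argv. Since `$calculated_name`, `$calculated_email` and `$calculated_passphrase` are spliced into a single-quoted shell string without escaping, a value containing `'` also breaks the command (or, for user-supplied `$uid_name`/`$email`, lets the caller run arbitrary shell as `$user`). Second, both `command` and `unless` rely on pipes and `$(...)`, and `monkeysphere gen-subkey` sits behind a pipe, yet nothing in this hunk sets `provider => 'shell'` or `path`; unless the module sets an `Exec` resource default elsewhere, add `provider => 'shell'` and a `path` (and say so in the leading comment) so the unqualified `printf`, `gpg` and `monkeysphere` resolve and the shell syntax is honoured. Minor: `$gpg_auto_password` and `$fqdn` are referenced unqualified and the `'' =>` selector arms are what catch the `undef` defaults of `$uid_name`/`$email`; match `undef` explicitly (`undef, '' => ...`) and qualify the top-scope lookups (`$::gpg_auto_password`, `$::fqdn`) so the define keeps behaving under the stricter scoping the commit message says still fails on puppet 3.x. The `#FIXME` about expiry is fine to leave, but note that with `Expire-Date` hard-coded the key will simply stop working after a year with no Puppet-visible change.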