-rw-r--r--manifests/init.pp104
-rw-r--r--templates/monkeysphere-authentication.conf.erb34
-rw-r--r--templates/monkeysphere-host.conf.erb15
-rw-r--r--templates/monkeysphere.conf.erb39
4 files changed, 152 insertions, 40 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 2d4bd61..407313b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,77 +19,101 @@
#
# Class for monkeysphere management
#
+
class monkeysphere {
# The needed packages
package { monkeysphere: ensure => installed, }
+ include monkeysphere::defaults
+ file {
+ "/etc/monkeysphere/monkeysphere.conf":
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere.conf.erb"),
+ }
+ file {
+ "/etc/monkeysphere/monkeysphere-host.conf":
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere-host.conf.erb"),
+ }
+ file {
+ "/etc/monkeysphere/monkeysphere-authentication.conf":
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
+ }
}
-class monkeysphere::defaults inherits monkeysphere {
+class monkeysphere::defaults {
$keyserver = $monkeysphere_keyserver ? {
- '' => "pool.sks-keyservers.net",
- default => $monkeysphere_keyserver,
+ '' => 'pool.sks-keyservers.net',
+ default => $monkeysphere_keyserver
}
}
-class monkeysphere::import_key inherits monkeysphere {
- $key = "ssh://${fqdn}"
- # Server host key import
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key":
+define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
+
+ # if we're getting a port number, prefix with a colon so it's valid
+ $port = $port ? {
+ '' => '',
+ default => ":$port"
+ }
+
+ $key = "${schema}://${fqdn}${port}"
+
+ exec { "monkeysphere-host import-key $path $key":
alias => "monkeysphere-import-key",
- user => "root",
- unless => "/usr/sbin/monkeysphere-host s | grep $key"
+ require => [ Package["monkeysphere"] ],
+ unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
}
}
# Server host key publication
-class monkeysphere::publish_key inherits monkeysphere {
- include monkeysphere::defaults
- $no_publish = $monkeysphere_no_publish ? {
- '' => '',
- default => $monkeysphere_no_publish
+define monkeysphere::publish_keys ( $keyid = '--all' ) {
+ exec { "monkeysphere-host publish-keys $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
}
- if $fqdn in $no_publish {
- info("Not publishing $fqdn monkeysphere key")
- } else {
- exec { "/usr/sbin/monkeysphere-host publish-key":
- environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ],
- user => "root",
- }
+}
+
+# optionally, mail key somehwere
+define monkeysphere::email_keys ( $email = 'root' ) {
+ exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+ require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
}
}
# add certifiers
-define monkeysphere::add_certifiers( $keyid ) {
- include monkeysphere::defaults
- exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid":
- environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ],
- user => "root",
- require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
- unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid"
+define monkeysphere::add_id_certifier( $keyid ) {
+ exec { "monkeysphere-authentication add-id-certifier $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"] ],
+ unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
}
}
-define monkeysphere::root_authorized_user_ids( $file ) {
+
+define monkeysphere::authorized_user_ids( $source, $user = 'root', $group = $user, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids') {
file {
- "/root/.monkeysphere":
- owner => "root",
- group => "root",
+ $dest_dir:
+ owner => $user,
+ group => $group,
mode => 755,
ensure => directory,
}
file {
- "/root/.monkeysphere/authorized_user_ids":
- owner => "root",
- group => "root",
+ "${dest_dir}/${dest_file}":
+ owner => $user,
+ group => $group,
mode => 644,
- source => "$file",
+ source => $source,
ensure => present,
recurse => true,
}
- exec { "/usr/sbin/monkeysphere-authentication update-users root":
- environment => "MONKEYSPHERE_KEYSERVER=$keyserver",
- user => "root",
+
+ exec { "monkeysphere-authentication update-users $user":
require => [ Package["monkeysphere"] ],
- onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root"
+ refreshonly => true,
+ subscribe => File["${dest_dir}/${dest_file}"]
}
}
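Review bot: The key URI built at L64 interpolates `${schema}`, but the parameter declared on the define at L56 is `$scheme` (default `'ssh://'`, which already carries the `://`), and `$hostname` is declared yet `${fqdn}` is used, so the import command is assembled from an unset variable with a doubled separator; the `$port = $port ? {...}` just above it also reassigns a parameter, which Puppet rejects as a variable reassignment. I would bind a fresh name and use the parameters as declared: `$port_suffix = $port ? { '' => '', default => ":${port}" }` and `$key = "${scheme}${hostname}${port_suffix}"`. Separately, the exec commands at L66, L81, L96, L109 and L145 dropped the `/usr/sbin/` prefix the removed lines had while their `unless` commands kept it; as far as I know Puppet refuses to run an unqualified command unless the exec sets `path`, so these would fail at apply time. Since `$key` and `$keyid` are passed to `grep` as patterns in the `unless` checks at L71 and L112, `grep -F` would stop the dots in the FQDN from matching any character and make the idempotence check exact.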
diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb
new file mode 100644
index 0000000..1b13cfd
--- /dev/null
+++ b/templates/monkeysphere-authentication.conf.erb
@@ -0,0 +1,34 @@
+# Monkeysphere authentication configuration file.
+
+# This is an sh-style shell configuration file. Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# OpenPGP keyserver
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
+# User who controls the monkeysphere 'sphere' keyring.
+#MONKEYSPHERE_USER=monkeysphere
+
+# Whether or not to query keyservers by default
+#CHECK_KEYSERVER=true
+
+# Path to authorized_user_ids file to process to create
+# authorized_keys file. '%h' will be replaced by the home directory
+# of the user, and '%u' will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u, for instance.
+#AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
+#
+# Path to a user controlled authorized_keys file to be added to the
+# monkeysphere-generated authorized_keys file. '%h' will be replaced
+# by the home directory of the user, and '%u' will by replaced by the
+# username of the user. Setting this variable to 'none' prevents the
+# inclusion of user controlled authorized_keys file.
+#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
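Review bot: The `KEYSERVER=` line emitted at L172 writes the value unquoted into a file that L160-L161 describe as sh-style configuration sourced by the tools, so whitespace or a shell metacharacter in `$monkeysphere_keyserver` would be interpreted by the shell instead of being read as a hostname; quoting the value, `<%= "KEYSERVER='#{keyserver}'" if keyserver and keyserver != 'pool.sks-keyservers.net' %>`, keeps it a single literal, and the same applies to L212 and L239 in the other two templates. I also cannot see where the template's `keyserver` is meant to come from: `$keyserver` is set in `monkeysphere::defaults`, while the three templates are rendered from class `monkeysphere`, which only `include`s that class, so unless the scoping in use makes an included class's variables visible to the includer, the condition is always false and the configured keyserver is silently never written. A comment above the ERB line naming the variable it expects, e.g. `# KEYSERVER is derived from $monkeysphere_keyserver via monkeysphere::defaults`, would make that dependency explicit for whoever wires it up.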
diff --git a/templates/monkeysphere-host.conf.erb b/templates/monkeysphere-host.conf.erb
new file mode 100644
index 0000000..418c696
--- /dev/null
+++ b/templates/monkeysphere-host.conf.erb
@@ -0,0 +1,15 @@
+# Monkeysphere host configuration file.
+
+# This is an sh-style shell configuration file. Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# OpenPGP keyserver
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb
new file mode 100644
index 0000000..53e4b9e
--- /dev/null
+++ b/templates/monkeysphere.conf.erb
@@ -0,0 +1,39 @@
+# Monkeysphere system-wide client configuration file.
+
+# This is an sh-style shell configuration file. Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# GPG home directory. If not specified either here or in the
+# MONKEYSPHERE_GNUPGHOME environment variable, then the value of the
+# GNUPGHOME environment variable will be used. If GNUPGHOME is not
+# set either, then the default value is listed below.
+#GNUPGHOME=~/.gnupg
+
+# GPG keyserver to search for keys.
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
+# Set whether or not to check keyservers at every monkeysphere
+# interaction, including all ssh connections if you use the
+# monkeysphere ssh-proxycommand. Leave unset for default behavior
+# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false.
+# NOTE: setting CHECK_KEYSERVER explicitly to true will leak
+# information about the timing and frequency of your ssh connections
+# to the maintainer of the keyserver.
+#CHECK_KEYSERVER=true
+
+# The path to the SSH known_hosts file.
+#KNOWN_HOSTS=~/.ssh/known_hosts
+
+# Whether or not to hash the generated known_hosts lines.
+# Should be "true" or "false".
+#HASH_KNOWN_HOSTS=false
+
+# The path to the SSH authorized_keys file.
+#AUTHORIZED_KEYS=~/.ssh/authorized_keys