diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 68 |
1 files changed, 57 insertions, 11 deletions
@@ -1,21 +1,65 @@ -puppet module for monkeysphere +The monkeysphere puppet module is designed to help you manage your servers +and users using the monkeysphere[0]. -for information about monkeysphere, see http://web.monkeysphere.info/ +To install the monkeypshere module, storeconfigs should be enabled in +your puppet server to use certain features. See: -To install the monkeypshere module: +http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs -* storeconfigs should be enabled in your puppet server to use certain features. - see: http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs +Example usage for server setup: -* in node definitions that should export a ssh host key via - monkeyshere, add: + # Assuming you are using the sshd puppet module... + $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u" + include sshd - include monkeysphere::sshserver + # Optionally, indicate your preferred keyserver. You can specify a server + # under your control and not accessible to the public or + # pool.sks-keyservers.net if you want to publish to the public pool. The + # value you specify here will be used for all monkeysphere and gpg commands + $monkeysphere_keyserver = "zimmermann.mayfirst.org" + include monkeysphere -* You can specify pgpids of identity certifiers: + # Ensure the server's ssh key is imported into your monkeysphere key ring + monkeysphere::import_key { "main": } - identity_certifier { "A3AE44A4": - ensure => present + # Optionally publish the server key to a keyserver (as indicated above) + monkeysphere::publish_server_keys { "main": } + + # Optionally email the server key to your self + monkeysphere::email_server_keys { "we@ourdomain.org": } + + # Be sure to sign the server's key! + + # Indiciate the fingerprint of the gpg key that should be used + # to verify user ids. You can repeat this for as many certifiers + # as you need + monkeysphere::add_id_certifier { "jamie": + keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935" + } + + # Indicate who should have root access on the server + monkeysphere::authorized_user_ids { "root": + user_ids => [ "sarah <sarah@ourgroup.org>" , "jose <josue@ourgroup.org" ] + } + +In addition, you may want to create a password-less key for a user to use +when logging into another server (e.g. if you want automated backups from +one server to another). + +Example usage for user setup: + + # Ensure that the root user has authentication capable + # monkeysphere key + monkeysphere::auth_capable_user { "root": } + + # Optionally publish the key + monkeysphere::publish_user_key { "root": } + + # Grant full trust to a gpg key so the root user can properly + # authenticate servers to which it connects + # You can run this as many times as you want + monkeysphere::owner_trust { "jamie": + fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" } A host can be configured as a host you would use to sign the gpg keys by placing: @@ -26,3 +70,5 @@ into the node definition. ON this host, a file will be placed in /var/lib/puppet/modules/monkeysphere/hosts for each host configured as a sshserver. Each file will contin the gpg id, the gpg fingerprint, and the ssh fingerprint of the sshserver. + +0. http://monkeysphere.info/ |