Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/init.pp | 49 | ||||
-rw-r--r-- | manifests/signer.pp | 5 | ||||
-rw-r--r-- | manifests/sshserver.pp | 21 | ||||
-rw-r--r-- | manifests/sshserverdanger.pp | 11 |
4 files changed, 63 insertions, 23 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index d5358b5..a58faec 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,18 +1,18 @@ # This module is distributed under the GNU Affero General Public License: -# +# # Monkeysphere module for puppet # Copyright (C) 2009-2010 Sarava Group -# +# # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or any later version. -# +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. -# +# # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. @@ -20,9 +20,28 @@ # Class for monkeysphere management # -class monkeysphere inherits monkeysphere::defaults { +class monkeysphere( + $ssh_port = '', + $publish_key = false, + $ensure_version = 'installed', + $keyserver = 'pool.sks-keyservers.net' +) { # The needed packages - package { monkeysphere: ensure => installed, } + package{'monkeysphere': + ensure => $ensure_version, + } + + $key = "ssh://${::fqdn}${port}" + + common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } + # This was the old way which the module checked monkeysphere keys + file { "/usr/local/sbin/monkeysphere-check-key": + ensure => absent, + owner => root, + group => root, + mode => 0755, + content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false", + } file { "monkeysphere_conf": path => "/etc/monkeysphere/monkeysphere.conf", 
@@ -45,22 +64,6 @@ class monkeysphere inherits monkeysphere::defaults { content => template("monkeysphere/monkeysphere-authentication.conf.erb"), require => Package['monkeysphere'], } - - # This was the old way which the module checked monkeysphere keys - file { "/usr/local/sbin/monkeysphere-check-key": - ensure => absent, - owner => root, - group => root, - mode => 0755, - content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false", - } -} - -class monkeysphere::defaults { - $keyserver = $monkeysphere_keyserver ? { - '' => 'pool.sks-keyservers.net', - default => $monkeysphere_keyserver - } } define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { @@ -80,7 +83,7 @@ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ } } -# Server host key publication + # Server host key publication define monkeysphere::publish_server_keys ( $keyid = '--all' ) { exec { "monkeysphere-host publish-keys $keyid": environment => "MONKEYSPHERE_PROMPT=false", diff --git a/manifests/signer.pp b/manifests/signer.pp new file mode 100644 index 0000000..cfbe46d --- /dev/null +++ b/manifests/signer.pp @@ -0,0 +1,5 @@ +# collect all the host keys +class monkeysphere::signer { + include monkeysphere + File <<| tag == 'monkeysphere-host' |>> +} diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp new file mode 100644 index 0000000..43c0f6f --- /dev/null +++ b/manifests/sshserver.pp 
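Review bot: `File <<| tag == 'monkeysphere-host' |>>` realizes every exported file carrying that tag from any node the same master compiles, so the signer's collected host keys are only as trustworthy as the set of nodes allowed to export them, and the exported path is built from the agent-supplied `$::fqdn` fact (sshserver.pp in this diff), so a node can present a key under a name of its choosing. That is inherent to exported resources rather than a defect of this class, but it belongs in a comment above the collector, e.g. `# Realizes host-key files exported by monkeysphere::sshserver; the exporting node controls its fqdn fact, so verify collected keys before signing`. The collector also does not order the collected files after the `common::module_dir` that creates their parent directory (declared in class monkeysphere in this diff); unless that define yields a File resource with the exact parent path, autorequire does not apply and a first run can fail, which `File <<| tag == 'monkeysphere-host' |>> { require => Class['monkeysphere'] }` would pin down.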
@@ -0,0 +1,21 @@
+# include to export your ssh key
+class monkeysphere::sshserver {
+ include monkeysphere
+ if $::monkeysphere_has_hostkey {
+ @@file { "/var/lib/puppet/modules/monkeysphere/hosts/${::fqdn}":
+ ensure => present,
+ content => template('monkeysphere/host.erb'),
+ require => Package['monkeysphere'],
+ tag => 'monkeysphere-host',
+ }
+ }
+
+ file{'/etc/cron.d/update-monkeysphere-auth':
+ ensure => present,
+ source => 'puppet:///modules/monkeysphere/etc/cron.d/update-monkeysphere-auth',
+ require => Package['monkeysphere'],
+ mode => '0644',
+ owner => root,
+ group => root,
+ }
+}
diff --git a/manifests/sshserverdanger.pp b/manifests/sshserverdanger.pp
new file mode 100644
index 0000000..7ae6970
--- /dev/null
+++ b/manifests/sshserverdanger.pp
@@ -0,0 +1,11 @@
+# use this to authenticate with monkeysphere on ssh
+# you should not manage the sshd config as a whole
+# or at least put there the same key.
+class monkeysphere::sshserverdanger {
+ include monkeysphere::sshserver
+ augeas{'sshd_config':
+ context => '/files/etc/ssh/sshd_config',
+ changes => [ 'set AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' ],
+ notify => Service['ssh'],
+ }
+}
|
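Review bot: `if $::monkeysphere_has_hostkey` on the fourth line of sshserver.pp tests a custom fact, and in Puppet 3 and earlier (which the `$::fqdn` style and the unquoted `mode => 0755` in init.pp suggest this module targets) facts arrive as strings, so a fact value of `"false"` is truthy and the `@@file` is exported for nodes that have no host key. Comparing against the string, `if $::monkeysphere_has_hostkey == 'true' {`, behaves the same once the fact is a real boolean and is correct while it is a string. The exported file also sets no `owner`, `group` or `mode`, unlike the cron file a few lines below, so the collected host-key files inherit whatever defaults the collecting node has; `mode => '0644', owner => root, group => root,` on the `@@file` keeps the two resources consistent.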
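Review bot: `notify => Service['ssh']` in sshserverdanger.pp references a resource that none of the manifests in this diff declares, so including the class fails catalog compilation unless the site declares `Service['ssh']` under exactly that name (some distributions name the service `sshd`); the header comment should state that prerequisite, e.g. `# Requires Service['ssh'] to be declared by the caller; this class only rewrites AuthorizedKeysFile.`. Setting `AuthorizedKeysFile` to the monkeysphere path alone stops sshd from consulting `~/.ssh/authorized_keys`, so any account whose file has not yet been produced by the update-monkeysphere-auth cron job (installed by monkeysphere::sshserver, included on the fifth line) loses key-based login; the existing comment hints at this, but spelling out that the cron job must have run successfully before the change takes effect would make the "danger" in the class name concrete for operators.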