From 3a1ab8b24140e56e96f7176b6fb1d82590fddbcc Mon Sep 17 00:00:00 2001
From: "Mike (stew) O'Connor"
Date: Thu, 17 Feb 2011 21:37:27 -0500
Subject: initial commit
Signed-off-by: Mike (stew) O'Connor
---
.gitignore | 1 +
README | 30 ++++++++++++++++++++++
files/etc/cron.d/update-monkeysphere-auth | 1 +
lib/facter/monkeysphere.rb | 42 +++++++++++++++++++++++++++++++
manifests/debian.pp | 16 ++++++++++++
manifests/init.pp | 22 ++++++++++++++++
manifests/signer.pp | 4 +++
manifests/sshserver.pp | 29 +++++++++++++++++++++
manifests/sshserverdanger.pp | 11 ++++++++
templates/host.erb | 3 +++
10 files changed, 159 insertions(+)
create mode 100644 .gitignore
create mode 100644 README
create mode 100644 files/etc/cron.d/update-monkeysphere-auth
create mode 100644 lib/facter/monkeysphere.rb
create mode 100644 manifests/debian.pp
create mode 100644 manifests/init.pp
create mode 100644 manifests/signer.pp
create mode 100644 manifests/sshserver.pp
create mode 100644 manifests/sshserverdanger.pp
create mode 100644 templates/host.erb
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b25c15b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*~
diff --git a/README b/README
new file mode 100644
index 0000000..dbd13e3
--- /dev/null
+++ b/README
@@ -0,0 +1,30 @@
+puppet module for monkeysphere
+
+for information about monkeysphere, see http://web.monkeysphere.info/
+
+To install the monkeypshere module:
+
+* storeconfigs must be enabled in your puppet server. see:
+ http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
+
+* copy the code to a directory named "monkeysphere" in the modules
+ directory of your puppet install. This will usually be
+ /etc/puppetd/modules/monkeysphere
+
+* add the following line to modules.pp:
+
+ import "monkeysphere"
+
+* in node definitions that should export a ssh host key via
+ monkeyshere, add:
+
+ include monkeysphere::sshserver
+
+A host can be configured as a host you would use to sign the gpg keys by placing:
+
+ include monkeysphere::signer
+
+into the node definition. ON this host, a file will be placed in
+/var/lib/puppet/monkeysphere/hosts for each host configured as a
+sshserver. Each file will contin the gpg id, the gpg fingerprint, and
+the ssh fingerprint of the sshserver.
\ No newline at end of file
diff --git a/files/etc/cron.d/update-monkeysphere-auth b/files/etc/cron.d/update-monkeysphere-auth
new file mode 100644
index 0000000..06bb5ae
--- /dev/null
+++ b/files/etc/cron.d/update-monkeysphere-auth
@@ -0,0 +1 @@
+*/5 * * * * root /usr/sbin/monkeysphere-authentication update-users
diff --git a/lib/facter/monkeysphere.rb b/lib/facter/monkeysphere.rb
new file mode 100644
index 0000000..e3a0a73
--- /dev/null
+++ b/lib/facter/monkeysphere.rb
@@ -0,0 +1,42 @@
+has_hostkey = false
+pgp_fingerprint = ''
+pgp_id = ''
+ssh_fingerprint = ''
+
+if File.exist?('/usr/sbin/monkeysphere-host')
+
+ sk = %x{/usr/sbin/monkeysphere-host show-keys}
+ if $? == 0
+ has_hostkey = true
+ sk.lines.each do |line|
+ m = line.match('^OpenPGP fingerprint:(.*)$')
+ if m
+ pgp_fingerprint = m[1].strip
+ end
+ m = line.match('^uid (.*)$')
+ if m
+ pgp_id = m[1].strip
+ end
+ m = line.match('^ssh fingerprint:(.*)$')
+ if m
+ ssh_fingerprint = m[1].strip
+ end
+ end
+ end
+end
+
+Facter.add("monkeysphere_has_hostkey") do
+ setcode{ has_hostkey }
+end
+
+Facter.add("monkeysphere_pgp_fp") do
+ setcode{ pgp_fingerprint }
+end
+
+Facter.add("monkeysphere_pgp_id") do
+ setcode{ pgp_id }
+end
+
+Facter.add("monkeysphere_ssh_fp") do
+ setcode{ ssh_fingerprint }
+end
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..4166c79
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,16 @@
+class monkeysphere::debian {
+
+case $lsbdistcodename {
+ lenny: {
+ if $monkeysphere_ensure_version == ''
+ {
+ $monkeysphere_ensure_version = '1.4.10-2~bpo50+1'
+ }
+
+ if $gnupg_ensure_version == ''
+ {
+ $gnupg_ensure_version = '0.31-3~bpo50+1'
+ }
+ }
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..943d3eb
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,22 @@
+# monkeysphere module
+class monkeysphere {
+ module_dir { [ "monkeysphere", "monkeysphere/hosts", "monkeysphere/plugins" ]: }
+
+ case $operatingsystem {
+ debian: { include monkeysphere::debian }
+ }
+
+ if $monkeysphere_ensure_version == ''
+ {
+ $monkeysphere_ensure_version = 'installed'
+ }
+
+ if $gnupg_ensure_version == ''
+ {
+ $gnupg_ensure_version = 'installed'
+ }
+
+ package {"gnupg": ensure => $gnupg_ensure_version, }
+ package {"monkeysphere": ensure => $monkeysphere_ensure_version, require => [ Package["gnupg"] ] }
+
+}
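Review bot: `%x{/usr/sbin/monkeysphere-host show-keys}` runs at file-load time rather than inside the `setcode` blocks, so the shell-out happens whenever Facter loads this file, even when none of the four facts is requested, and a slow or hanging `monkeysphere-host` delays every fact resolution on the host. Moving the parse into a small helper that is called once from `setcode` (memoised into a local) keeps the work lazy without changing the fact values. The patterns are passed to `String#match` as strings (`line.match('^OpenPGP fingerprint:(.*)$')`); literal regexps such as `/^OpenPGP fingerprint:(.*)$/` avoid recompiling per line and make the intent visible. A header comment stating what is parsed would help the next reader, e.g. `# Facts derived from the 'OpenPGP fingerprint:', 'uid' and 'ssh fingerprint:' lines of monkeysphere-host show-keys.`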
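Review bot: The lenny version pins assigned inside `monkeysphere::debian` look unreachable from the `monkeysphere` class: under Puppet's dynamic scoping an included class's variable assignments are local to that class, so when the init.pp hunk later tests `if $monkeysphere_ensure_version == ''` it still sees the unset value, falls back to `'installed'`, and the `'1.4.10-2~bpo50+1'` / `'0.31-3~bpo50+1'` pins never reach the `package` resources. If that reading is right, select the version in one place — e.g. a `case $lsbdistcodename` in init.pp directly above the `package` declarations, or let `monkeysphere::debian` declare the packages itself. A comment above the `case` such as `# lenny has no monkeysphere in main; pin to the lenny-backports builds` would also record why these exact versions were chosen.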
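Review bot: `module_dir { [ "monkeysphere", "monkeysphere/hosts", "monkeysphere/plugins" ]: }` relies on a `module_dir` define that is not part of this commit, and the README does not say which module provides it; the `monkeysphere::sshserverdanger` hunk likewise notifies a `Service[ "ssh" ]` that nothing here declares. Please record these external requirements where an operator will see them, e.g. a comment under `# monkeysphere module` reading `# Requires: a module_dir define and a Service["ssh"] resource declared by another module.`, and mention them in the README next to the storeconfigs requirement.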
diff --git a/manifests/signer.pp b/manifests/signer.pp
new file mode 100644
index 0000000..350b4be
--- /dev/null
+++ b/manifests/signer.pp
@@ -0,0 +1,4 @@
+class monkeysphere::signer inherits monkeysphere
+{
+ File <<| tag == 'monkeysphere-host' |>>
+}
diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp
new file mode 100644
index 0000000..966e136
--- /dev/null
+++ b/manifests/sshserver.pp
@@ -0,0 +1,29 @@
+class monkeysphere::sshserver inherits monkeysphere
+{
+
+ exec {"import.hostkey":
+ command => "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://${fqdn} && echo Y | /usr/sbin/monkeysphere-host publish-key",
+ unless => "/usr/sbin/monkeysphere-host show-key",
+ user => root,
+ require => [ Package[ "monkeysphere" ] ],
+ }
+
+ if $monkeysphere_has_hostkey {
+ @@file { "/var/lib/puppet/modules/monkeysphere/hosts/${fqdn}":
+ ensure => present,
+ content => template("monkeysphere/host.erb" ),
+ require => [ Package[ "monkeysphere" ] ],
+ tag => 'monkeysphere-host',
+ }
+ }
+
+ file { "/etc/cron.d/update-monkeysphere-auth":
+ ensure => present,
+ source => "puppet:///modules/monkeysphere/etc/cron.d/update-monkeysphere-auth",
+ require => [ Package[ "monkeysphere" ] ],
+ mode => 0644,
+ owner => root,
+ group => root,
+ }
+
+}
diff --git a/manifests/sshserverdanger.pp b/manifests/sshserverdanger.pp
new file mode 100644
index 0000000..7d7f12c
--- /dev/null
+++ b/manifests/sshserverdanger.pp
@@ -0,0 +1,11 @@
+class monkeysphere::sshserverdanger inherits monkeysphere::sshserver
+{
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u"
+ ],
+ notify => Service[ "ssh" ],
+ }
+
+}
diff --git a/templates/host.erb b/templates/host.erb
new file mode 100644
index 0000000..6412663
--- /dev/null
+++ b/templates/host.erb
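Review bot: The `unless` guard of `exec {"import.hostkey":` runs `/usr/sbin/monkeysphere-host show-key`, while the facter script in this same commit calls `show-keys`; if `show-key` is not a valid subcommand the guard fails on every run and the `exec` re-runs `import-key` and, through `echo Y |`, re-publishes the host key to the keyserver on every Puppet run with no human review step. Please confirm the subcommand name and add a second guard (a `creates` marker file written after a successful publish) so publication stays a one-time, deliberate action. The exported file is written to `/var/lib/puppet/modules/monkeysphere/hosts/${fqdn}` but the README tells the signer operator to look in `/var/lib/puppet/monkeysphere/hosts`; one of the two should change so the `File <<| tag == 'monkeysphere-host' |>>` collector in the signer.pp hunk and the documentation agree.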
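Review bot: `set AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u` replaces every account's own `~/.ssh/authorized_keys`, so any user whose file monkeysphere has not yet generated loses key login the moment `Service[ "ssh" ]` is restarted, and nothing orders that restart after a first `monkeysphere-authentication update-users` run (the cron entry from the sshserver hunk fires at most every five minutes). Consider declaring an `exec` that runs `/usr/sbin/monkeysphere-authentication update-users` once — guarded by `creates` on the authorized_keys directory, which that command presumably creates — and making the `augeas` resource `require` it, so sshd only switches over once the directory exists. A class comment should also state the consequence, e.g. `# Replaces per-user authorized_keys with the monkeysphere-generated files; certify an admin identity before including this class.`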
@@ -0,0 +1,3 @@
+uid <%= monkeysphere_pgp_id %>
+host_key <%= monkeysphere_ssh_fp %>
+fingerprint <%= monkeysphere_pgp_fp %>
-- cgit v1.2.3
From 7358997fd51ffb852476ea9f5b68d91cef84ba9a Mon Sep 17 00:00:00 2001
From: "Mike (stew) O'Connor"
Date: Thu, 17 Feb 2011 22:17:10 -0500
Subject: easy fix for facter
Signed-off-by: Mike (stew) O'Connor
---
lib/facter/monkeysphere.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/facter/monkeysphere.rb b/lib/facter/monkeysphere.rb
index e3a0a73..1d7d68e 100644
--- a/lib/facter/monkeysphere.rb
+++ b/lib/facter/monkeysphere.rb
@@ -1,7 +1,7 @@
 has_hostkey = false
-pgp_fingerprint = ''
-pgp_id = ''
-ssh_fingerprint = ''
+pgp_fingerprint = ' '
+pgp_id = ' '
+ssh_fingerprint = ' '
 if File.exist?('/usr/sbin/monkeysphere-host')
-- cgit v1.2.3
From fd7e629e6a34cee030d1602be2a76c290d18e52b Mon Sep 17 00:00:00 2001
From: "Mike (stew) O'Connor"
Date: Sun, 20 Feb 2011 14:03:56 -0500
Subject: add identity_certifier type
Signed-off-by: Mike (stew) O'Connor
---
.../provider/identify_certifier/monkeysphere.rb | 57 ++++++++++++++++++++++
lib/puppet/type/identity_certifier.rb | 10 ++++
2 files changed, 67 insertions(+)
create mode 100644 lib/puppet/provider/identify_certifier/monkeysphere.rb
create mode 100644 lib/puppet/type/identity_certifier.rb
diff --git a/lib/puppet/provider/identify_certifier/monkeysphere.rb b/lib/puppet/provider/identify_certifier/monkeysphere.rb
new file mode 100644
index 0000000..49ea6e6
--- /dev/null
+++ b/lib/puppet/provider/identify_certifier/monkeysphere.rb
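Review bot: Changing the defaults from `''` to `' '` reads as a workaround — presumably Facter treated an empty-string resolution as "fact not set" — but nothing in the file records that, and the single space can still reach the `templates/host.erb` output when `show-keys` succeeds but one of the three parsed lines is absent. Please add a comment above the three assignments, e.g. `# A single space rather than '': an empty value appears to make Facter treat the fact as unresolved.`, and have `monkeysphere::sshserver` treat a still-blank fingerprint as "not ready" rather than exporting it.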
@@ -0,0 +1,57 @@
+##
+
+
+require 'puppet/provider/package'
+require "open3"
+
+Puppet::Type.type(:identity_certifier).provide(:monkeysphere,
+ :parent => Puppet::Provider::Package) do
+
+ commands :monkeysphereauth => "/usr/sbin/monkeysphere-authentication"
+
+ desc "asdf"
+
+ # retrieve the current set of mysql users
+ def self.instances
+ ids = []
+
+ cmd = "#{command(:monkeysphereauth)} list-id-certifiers"
+ execpipe(cmd) do |process|
+ process.each do |line|
+ m = line.match( "^[0-9A-Z]{32}([0-9A-Z]{8}):" )
+ if m
+ ids << new( { :ensure => :present, :pgpid => m.group(1) } )
+ end
+ end
+ end
+ return ids
+ end
+
+ def create
+ Open3.popen3("monkeysphere-authentication add-id-certifier #{resource[:pgpid]}") do |i, o, e|
+ i.puts( "Y" )
+ o.readlines()
+ end
+ end
+
+ def destroy
+ Open3.popen3("monkeysphere-authentication remove-id-certifier #{resource[:pgpid]}") do |i, o, e|
+ i.puts( "Y" )
+ o.readlines()
+ end
+ end
+
+ def exists?
+
+ cil = %x{/usr/sbin/monkeysphere-authentication list-id-certifiers}
+ if $? == 0
+ cil.lines.each do |line|
+ m = line.match( '^[0-9A-Z]*' + resource[:pgpid] + ':' )
+ if m
+ return true
+ end
+ end
+ end
+ return false
+ end
+end
diff --git a/lib/puppet/type/identity_certifier.rb b/lib/puppet/type/identity_certifier.rb
new file mode 100644
index 0000000..cc8295f
--- /dev/null
+++ b/lib/puppet/type/identity_certifier.rb
@@ -0,0 +1,10 @@
+Puppet::Type.newtype(:identity_certifier) do
+ @doc = "Manage monkeysphere identity-certifiers"
+
+ ensurable
+ newparam(:pgpid) do
+ desc "The pgp id of the certifier"
+ isnamevar
+ end
+
+end
-- cgit v1.2.3
From c4913fb3e46624494a0935ec133b25db735afc30 Mon Sep 17 00:00:00 2001
From: "Mike (stew) O'Connor"
Date: Sun, 20 Feb 2011 14:08:46 -0500
Subject: add documentation for identity certifier
Signed-off-by: Mike (stew) O'Connor
---
README | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/README b/README
index dbd13e3..4fcec87 100644
--- a/README
+++ b/README
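Review bot: `m.group(1)` in `self.instances` raises `NoMethodError` on the first matching line — Ruby's `MatchData` has no `group` method; it should be `m[1]`, as the facter script in this module already does. The provider is created under `lib/puppet/provider/identify_certifier/` while the type is `identity_certifier` (see the diffstat and the next hunk); Puppet autoloads providers from the directory named after the type, so as committed this provider is never found. `create` and `destroy` interpolate `resource[:pgpid]` into a shell string and call a bare `monkeysphere-authentication` instead of the declared command; pass the arguments separately, e.g. `Open3.popen3(command(:monkeysphereauth), 'add-id-certifier', resource[:pgpid])` (Ruby 1.9+; under 1.8 use Puppet's `execute` with an argument array), check the exit status since `popen3` does not raise, and build the `exists?` pattern with `Regexp.escape(resource[:pgpid])`. `desc "asdf"` and the `# retrieve the current set of mysql users` comment are copy-paste placeholders; e.g. `desc "Manages monkeysphere identity certifiers via monkeysphere-authentication."` and `# list the pgp ids currently registered as identity certifiers`.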
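Review bot: `newparam(:pgpid)` is the namevar and the provider in the previous hunk feeds it into shell commands and a regexp, yet the type accepts any string; add a `validate` block so a malformed id is rejected at catalog compile time, e.g. `validate do |v| raise ArgumentError, "pgpid must be a hex key id or fingerprint, got #{v}" unless v =~ /\A[0-9A-Fa-f]{8,40}\z/ end` (the 8 and 40 bounds follow the provider's `[0-9A-Z]{8}` id and 40-character fingerprint pattern; widen them if other forms are accepted). Since the provider matches uppercase hex, a `munge { |v| v.upcase }` next to it would keep `exists?` from missing an id given in lowercase. Provider lookup for this type also depends on the provider directory being renamed to `identity_certifier`, which the previous hunk does not do.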
@@ -20,6 +20,12 @@ To install the monkeypshere module:
 include monkeysphere::sshserver
+* You can specify pgpids of identity certifiers:
+
+ identity_certifier { "A3AE44A4":
+ ensure => present
+ }
+
 A host can be configured as a host you would use to sign the gpg keys by placing:
 include monkeysphere::signer
-- cgit v1.2.3