From 780ea534acbd062353f61dd0c123c3afde9a3f97 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Sat, 19 Mar 2011 10:34:04 -0400 Subject: refactored to be more flexible for different setups. Also, defines are for actions to be taken multiple times on a single server, which includes most monkeyshere configuration steps. --- manifests/init.pp | 104 +++++++++++++++---------- templates/monkeysphere-authentication.conf.erb | 34 ++++++++ templates/monkeysphere-host.conf.erb | 15 ++++ templates/monkeysphere.conf.erb | 39 ++++++++++ 4 files changed, 152 insertions(+), 40 deletions(-) create mode 100644 templates/monkeysphere-authentication.conf.erb create mode 100644 templates/monkeysphere-host.conf.erb create mode 100644 templates/monkeysphere.conf.erb diff --git a/manifests/init.pp b/manifests/init.pp index 2d4bd61..407313b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,77 +19,101 @@ # # Class for monkeysphere management # + class monkeysphere { # The needed packages package { monkeysphere: ensure => installed, } + include monkeysphere::defaults + file { + "/etc/monkeysphere/monkeysphere.conf": + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere.conf.erb"), + } + file { + "/etc/monkeysphere/monkeysphere-host.conf": + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere-host.conf.erb"), + } + file { + "/etc/monkeysphere/monkeysphere-authentication.conf": + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere-authentication.conf.erb"), + } } -class monkeysphere::defaults inherits monkeysphere { +class monkeysphere::defaults { $keyserver = $monkeysphere_keyserver ? { - '' => "pool.sks-keyservers.net", - default => $monkeysphere_keyserver, + '' => 'pool.sks-keyservers.net', + default => $monkeysphere_keyserver } } -class monkeysphere::import_key inherits monkeysphere { - $key = "ssh://${fqdn}" - # Server host key import - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key": +define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { + + # if we're getting a port number, prefix with a colon so it's valid + $port = $port ? { + '' => '', + default => ":$port" + } + + $key = "${schema}://${fqdn}${port}" + + exec { "monkeysphere-host import-key $path $key": alias => "monkeysphere-import-key", - user => "root", - unless => "/usr/sbin/monkeysphere-host s | grep $key" + require => [ Package["monkeysphere"] ], + unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" } } # Server host key publication -class monkeysphere::publish_key inherits monkeysphere { - include monkeysphere::defaults - $no_publish = $monkeysphere_no_publish ? { - '' => '', - default => $monkeysphere_no_publish +define monkeysphere::publish_keys ( $keyid = '--all' ) { + exec { "monkeysphere-host publish-keys $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], } - if $fqdn in $no_publish { - info("Not publishing $fqdn monkeysphere key") - } else { - exec { "/usr/sbin/monkeysphere-host publish-key": - environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ], - user => "root", - } +} + +# optionally, mail key somehwere +define monkeysphere::email_keys ( $email = 'root' ) { + exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp": + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], } } # add certifiers -define monkeysphere::add_certifiers( $keyid ) { - include monkeysphere::defaults - exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid": - environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ], - user => "root", - require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], - unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid" +define monkeysphere::add_id_certifier( $keyid ) { + exec { "monkeysphere-authentication add-id-certifier $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"] ], + unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null" } } -define monkeysphere::root_authorized_user_ids( $file ) { + +define monkeysphere::authorized_user_ids( $source, $user = 'root', $group = $user, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids') { file { - "/root/.monkeysphere": - owner => "root", - group => "root", + $dest_dir: + owner => $user, + group => $group, mode => 755, ensure => directory, } file { - "/root/.monkeysphere/authorized_user_ids": - owner => "root", - group => "root", + "${dest_dir}/${dest_file}": + owner => $user, + group => $group, mode => 644, - source => "$file", + source => $source, ensure => present, recurse => true, } - exec { "/usr/sbin/monkeysphere-authentication update-users root": - environment => "MONKEYSPHERE_KEYSERVER=$keyserver", - user => "root", + + exec { "monkeysphere-authentication update-users $user": require => [ Package["monkeysphere"] ], - onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" + refreshonly => true, + subscribe => File["${dest_dir}/${dest_file}"] } } diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb new file mode 100644 index 0000000..1b13cfd --- /dev/null +++ b/templates/monkeysphere-authentication.conf.erb @@ -0,0 +1,34 @@ +# Monkeysphere authentication configuration file. + +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignments by a single '=' and no spaces. +# Environment variables with the same names as these variables but +# prefaced by "MONKEYSPHERE_" will take precedence over the values +# specified here. + +# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +# increasing order of verbosity. +#LOG_LEVEL=INFO + +# OpenPGP keyserver +#KEYSERVER=pool.sks-keyservers.net +<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %> +# User who controls the monkeysphere 'sphere' keyring. +#MONKEYSPHERE_USER=monkeysphere + +# Whether or not to query keyservers by default +#CHECK_KEYSERVER=true + +# Path to authorized_user_ids file to process to create +# authorized_keys file. '%h' will be replaced by the home directory +# of the user, and '%u' will be replaced by the username of the user. +# For purely admin-controlled authorized_user_ids, you might put them +# in /etc/monkeysphere/authorized_user_ids/%u, for instance. +#AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids" +# +# Path to a user controlled authorized_keys file to be added to the +# monkeysphere-generated authorized_keys file. '%h' will be replaced +# by the home directory of the user, and '%u' will by replaced by the +# username of the user. Setting this variable to 'none' prevents the +# inclusion of user controlled authorized_keys file. +#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/templates/monkeysphere-host.conf.erb b/templates/monkeysphere-host.conf.erb new file mode 100644 index 0000000..418c696 --- /dev/null +++ b/templates/monkeysphere-host.conf.erb @@ -0,0 +1,15 @@ +# Monkeysphere host configuration file. + +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignments by a single '=' and no spaces. +# Environment variables with the same names as these variables but +# prefaced by "MONKEYSPHERE_" will take precedence over the values +# specified here. + +# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +# increasing order of verbosity. +#LOG_LEVEL=INFO + +# OpenPGP keyserver +#KEYSERVER=pool.sks-keyservers.net +<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %> diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb new file mode 100644 index 0000000..53e4b9e --- /dev/null +++ b/templates/monkeysphere.conf.erb @@ -0,0 +1,39 @@ +# Monkeysphere system-wide client configuration file. + +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignments by a single '=' and no spaces. +# Environment variables with the same names as these variables but +# prefaced by "MONKEYSPHERE_" will take precedence over the values +# specified here. + +# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +# increasing order of verbosity. +#LOG_LEVEL=INFO + +# GPG home directory. If not specified either here or in the +# MONKEYSPHERE_GNUPGHOME environment variable, then the value of the +# GNUPGHOME environment variable will be used. If GNUPGHOME is not +# set either, then the default value is listed below. +#GNUPGHOME=~/.gnupg + +# GPG keyserver to search for keys. +#KEYSERVER=pool.sks-keyservers.net +<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %> +# Set whether or not to check keyservers at every monkeysphere +# interaction, including all ssh connections if you use the +# monkeysphere ssh-proxycommand. Leave unset for default behavior +# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false. +# NOTE: setting CHECK_KEYSERVER explicitly to true will leak +# information about the timing and frequency of your ssh connections +# to the maintainer of the keyserver. +#CHECK_KEYSERVER=true + +# The path to the SSH known_hosts file. +#KNOWN_HOSTS=~/.ssh/known_hosts + +# Whether or not to hash the generated known_hosts lines. +# Should be "true" or "false". +#HASH_KNOWN_HOSTS=false + +# The path to the SSH authorized_keys file. +#AUTHORIZED_KEYS=~/.ssh/authorized_keys -- cgit v1.2.3