From 7218eb738f4d4cbcade57cdf72c7cd6c878cd60e Mon Sep 17 00:00:00 2001
From: Antoine Beaupré
Date: Wed, 16 Oct 2013 15:06:00 -0400
Subject: split into separate file according to autoloading rules

---
 manifests/init.pp | 173 ------------------------------------------------------
 1 file changed, 173 deletions(-)
(limited to 'manifests/init.pp')
diff --git a/manifests/init.pp b/manifests/init.pp
index a58faec..4d48ed3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -65,176 +65,3 @@ class monkeysphere(
 require => Package['monkeysphere'],
 }
 }
-
-define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
-
- # if we're getting a port number, prefix with a colon so it's valid
- $prefixed_port = $port ? {
- '' => '',
- default => ":$port"
- }
-
- $key = "${scheme}${fqdn}${prefixed_port}"
-
- exec { "monkeysphere-host import-key $path $key":
- alias => "monkeysphere-import-key",
- require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ],
- unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
- }
-}
-
- # Server host key publication
-define monkeysphere::publish_server_keys ( $keyid = '--all' ) {
- exec { "monkeysphere-host publish-keys $keyid":
- environment => "MONKEYSPHERE_PROMPT=false",
- require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ],
- }
-}
-
-# optionally, mail key somehwere
-define monkeysphere::email_server_keys ( ) {
- $email = $title
- exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
- require => Package["monkeysphere"],
- subscribe => Exec["monkeysphere-import-key"],
- refreshonly => true,
- }
-}
-
-# add certifiers
-define monkeysphere::add_id_certifier( $keyid ) {
- exec { "monkeysphere-authentication add-id-certifier $keyid":
- environment => "MONKEYSPHERE_PROMPT=false",
- require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
- unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
- }
-}
-
-define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
- $user = $title
- $calculated_group = $group ? {
- '' => $user,
- default => $group
- }
-
- # don't require user if it's root because root is not handled
- # by puppet
- case $user {
- root: {
- file {
- $dest_dir:
- owner => $user,
- group => $calculated_group,
- mode => 755,
- ensure => directory,
- }
- }
- default: {
- file {
- $dest_dir:
- owner => $user,
- group => $calculated_group,
- mode => 755,
- ensure => directory,
- require => User[$user]
- }
- }
- }
-
- file {
- "${dest_dir}/${dest_file}":
- owner => $user,
- group => $calculated_group,
- mode => 644,
- content => template('monkeysphere/authorized_user_ids.erb'),
- ensure => present,
- recurse => true,
- require => File[$dest_dir]
- }
-
- exec { "monkeysphere-authentication update-users $user":
- refreshonly => true,
- require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ],
- subscribe => File["${dest_dir}/${dest_file}"]
- }
-}
-
-# ensure that the user has a gpg key created and it is authentication capable
-# in the monkeysphere. This is intended to be the same as generated a
-# password-less ssh key
-#
-define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048",
- $uid_name = undef, $email = undef ) {
-
- $user = $title
-
- # The goal is no passphrase, monkeysphere won't work without a passphrase.
- $calculated_passphrase = $gpg_auto_password ? {
- '' => 'monkeys',
- default => $gpg_auto_password
- }
-
- $calculated_name = $uid_name ? {
- '' => "$user user",
- default => $uid_name
- }
- $calculated_email = $email ? {
- '' => "$user@$fqdn",
- default => $email
- }
- exec { "monkeysphere-gen-key-$user":
- command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
- require => [ Package["monkeysphere"] ],
- user => $user,
- unless => "gpg --list-secret-key | grep ^sec >/dev/null"
- }
-
- #FIXME - we should check expiration date and extend it if we're < n days before expiration
-
- # handle auth subkey
- exec { "monkeysphere-gen-subkey-$user":
- command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
- require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
- user => $user,
- unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
- }
-
-}
-
-define monkeysphere::publish_user_key ( ){
- $user = $title
-
- $keyserver_arg = $monkeysphere_keyserver ? {
- '' => '',
- default => "--keyserver $monkeysphere_keyserver"
- }
-
- exec { "monkeysphere-gpg-send-key-$user":
- command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)",
- require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
- user => $user,
- }
-
-}
-
-define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) {
- $keyserver_arg = $monkeysphere_keyserver ? {
- '' => '',
- default => "--keyserver $monkeysphere_keyserver"
- }
-
- # ensure the key is in the key ring
- exec { "monkeysphere-gpg-recv-key-$user-$fingerprint":
- command => "gpg $keyserver_arg --recv-key $fingerprint",
- require => [ Package["monkeysphere"] ],
- user => $user,
- unless => "gpg --list-key $fingerprint 2>&1 >/dev/null"
- }
- # provide ownertrust
- exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint":
- command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust",
- require => [ Package["monkeysphere"] ],
- user => $user,
- unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null"
- }
-}
-- 
cgit v1.2.3