- puppet module for monkeysphere
+ The monkeysphere puppet module is designed to help you manage your servers
+ and users using the monkeysphere[0].
- for information about monkeysphere, see http://web.monkeysphere.info/
++To install the monkeypshere module, storeconfigs should be enabled in
++your puppet server to use certain features. See:
+
- To install the monkeypshere module:
++http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
+
- * storeconfigs should be enabled in your puppet server to use certain features.
- see: http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
+ Example usage for server setup:
- * in node definitions that should export a ssh host key via
- monkeyshere, add:
+ # Assuming you are using the sshd puppet module...
+ $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u"
+ include sshd
- include monkeysphere::sshserver
+ # Optionally, indicate your preferred keyserver. You can specify a server
+ # under your control and not accessible to the public or
+ # pool.sks-keyservers.net if you want to publish to the public pool. The
+ # value you specify here will be used for all monkeysphere and gpg commands
+ $monkeysphere_keyserver = "zimmermann.mayfirst.org"
+ include monkeysphere
- * You can specify pgpids of identity certifiers:
+ # Ensure the server's ssh key is imported into your monkeysphere key ring
+ monkeysphere::import_key { "main": }
- identity_certifier { "A3AE44A4":
- ensure => present
+ # Optionally publish the server key to a keyserver (as indicated above)
+ monkeysphere::publish_server_keys { "main": }
+
+ # Optionally email the server key to your self
+ monkeysphere::email_server_keys { "we@ourdomain.org": }
+
+ # Be sure to sign the server's key!
+
+ # Indiciate the fingerprint of the gpg key that should be used
+ # to verify user ids. You can repeat this for as many certifiers
+ # as you need
+ monkeysphere::add_id_certifier { "jamie":
+ keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935"
+ }
+
+ # Indicate who should have root access on the server
+ monkeysphere::authorized_user_ids { "root":
+ user_ids => [ "sarah <sarah@ourgroup.org>" , "jose <josue@ourgroup.org" ]
+ }
+
+ In addition, you may want to create a password-less key for a user to use
+ when logging into another server (e.g. if you want automated backups from
+ one server to another).
+
+ Example usage for user setup:
+
+ # Ensure that the root user has authentication capable
+ # monkeysphere key
+ monkeysphere::auth_capable_user { "root": }
+
+ # Optionally publish the key
+ monkeysphere::publish_user_key { "root": }
+
+ # Grant full trust to a gpg key so the root user can properly
+ # authenticate servers to which it connects
+ # You can run this as many times as you want
+ monkeysphere::owner_trust { "jamie":
+ fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"
}
-
+
+A host can be configured as a host you would use to sign the gpg keys by placing:
+
+ include monkeysphere::signer
+
+into the node definition. ON this host, a file will be placed in
+/var/lib/puppet/modules/monkeysphere/hosts for each host configured as a
+sshserver. Each file will contin the gpg id, the gpg fingerprint, and
+the ssh fingerprint of the sshserver.
+
+ 0. http://monkeysphere.info/
#
# Class for monkeysphere management
#
-class monkeysphere inherits monkeysphere::defaults {
+
- $ensure_version = 'installed'
+class monkeysphere(
+ $ssh_port = '',
+ $publish_key = false,
++ $ensure_version = 'installed',
++ $keyserver = 'pool.sks-keyservers.net'
+) {
# The needed packages
- package { monkeysphere: ensure => installed, }
+ package{'monkeysphere':
+ ensure => $ensure_version,
+ }
+
- $port = $monkeysphere::ssh_port ? {
- '' => '',
- default => ":${monkeysphere::ssh_port}",
- }
-
+ $key = "ssh://${::fqdn}${port}"
+
+ common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: }
- file {
- '/usr/local/sbin/monkeysphere-check-key':
- ensure => present,
- owner => root,
- group => root,
- mode => '0755',
- content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=${key}' &> /dev/null || false",
- }
-
- # Server host key publication
- Exec{
- unless => '/usr/local/sbin/monkeysphere-check-key',
- user => 'root',
- require => [ Package['monkeysphere'], File['/usr/local/sbin/monkeysphere-check-key'] ],
- }
- case $monkeysphere::publish_key {
- false: {
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key}": }
- }
- 'mail': {
- $mail_loc = $::operatingsystem ? {
- 'centos' => '/bin/mail',
- default => '/usr/bin/mail',
- }
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key} && \
- ${mail_loc} -s 'monkeysphere host pgp key for ${::fqdn}' root < /var/lib/monkeysphere/host_keys.pub.pgp":
++ # This was the old way which the module checked monkeysphere keys
++ file { "/usr/local/sbin/monkeysphere-check-key":
++ ensure => absent,
++ owner => root,
++ group => root,
++ mode => 0755,
++ content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
++ }
+
+ file { "monkeysphere_conf":
+ path => "/etc/monkeysphere/monkeysphere.conf",
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere.conf.erb"),
+ require => Package['monkeysphere'],
+ }
+ file { "monkeysphere_host_conf":
+ path => "/etc/monkeysphere/monkeysphere-host.conf",
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere-host.conf.erb"),
+ require => Package['monkeysphere'],
+ }
+ file { "monkeysphere_authentication_conf":
+ path => "/etc/monkeysphere/monkeysphere-authentication.conf",
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
+ require => Package['monkeysphere'],
+ }
-
- # This was the old way which the module checked monkeysphere keys
- file { "/usr/local/sbin/monkeysphere-check-key":
- ensure => absent,
- owner => root,
- group => root,
- mode => 0755,
- content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
- }
-}
-
-class monkeysphere::defaults {
- $keyserver = $monkeysphere_keyserver ? {
- '' => 'pool.sks-keyservers.net',
- default => $monkeysphere_keyserver
- }
+ }
+
+ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
+
+ # if we're getting a port number, prefix with a colon so it's valid
+ $prefixed_port = $port ? {
+ '' => '',
+ default => ":$port"
+ }
+
+ $key = "${scheme}${fqdn}${prefixed_port}"
+
+ exec { "monkeysphere-host import-key $path $key":
+ alias => "monkeysphere-import-key",
+ require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ],
+ unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
+ }
+ }
+
-# Server host key publication
++ # Server host key publication
+ define monkeysphere::publish_server_keys ( $keyid = '--all' ) {
+ exec { "monkeysphere-host publish-keys $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ],
+ }
+ }
+
+ # optionally, mail key somehwere
+ define monkeysphere::email_server_keys ( ) {
+ $email = $title
+ exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+ require => Package["monkeysphere"],
+ subscribe => Exec["monkeysphere-import-key"],
+ refreshonly => true,
+ }
+ }
+
+ # add certifiers
+ define monkeysphere::add_id_certifier( $keyid ) {
+ exec { "monkeysphere-authentication add-id-certifier $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
+ unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
+ }
+ }
+
+ define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
+ $user = $title
+ $calculated_group = $group ? {
+ '' => $user,
+ default => $group
+ }
+
+ # don't require user if it's root because root is not handled
+ # by puppet
+ case $user {
+ root: {
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
}
}
default: {
projects / puppet-monkeysphere.git / commitdiff