--- /dev/null
+# ensure that the user has a gpg key created and it is authentication capable
+# in the monkeysphere. This is intended to be the same as generated a
+# password-less ssh key
+#
+define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048",
+ $uid_name = undef, $email = undef ) {
+
+ $user = $title
+
+ # The goal is no passphrase, monkeysphere won't work without a passphrase.
+ $calculated_passphrase = $gpg_auto_password ? {
+ '' => 'monkeys',
+ default => $gpg_auto_password
+ }
+
+ $calculated_name = $uid_name ? {
+ '' => "$user user",
+ default => $uid_name
+ }
+ $calculated_email = $email ? {
+ '' => "$user@$fqdn",
+ default => $email
+ }
+ exec { "monkeysphere-gen-key-$user":
+ command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --list-secret-key | grep ^sec >/dev/null"
+ }
+
+ #FIXME - we should check expiration date and extend it if we're < n days before expiration
+
+ # handle auth subkey
+ exec { "monkeysphere-gen-subkey-$user":
+ command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
+ user => $user,
+ unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
+ }
+
+}
require => Package['monkeysphere'],
}
}
-
-define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
-
- # if we're getting a port number, prefix with a colon so it's valid
- $prefixed_port = $port ? {
- '' => '',
- default => ":$port"
- }
-
- $key = "${scheme}${fqdn}${prefixed_port}"
-
- exec { "monkeysphere-host import-key $path $key":
- alias => "monkeysphere-import-key",
- require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ],
- unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
- }
-}
-
- # Server host key publication
-define monkeysphere::publish_server_keys ( $keyid = '--all' ) {
- exec { "monkeysphere-host publish-keys $keyid":
- environment => "MONKEYSPHERE_PROMPT=false",
- require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ],
- }
-}
-
-# optionally, mail key somehwere
-define monkeysphere::email_server_keys ( ) {
- $email = $title
- exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
- require => Package["monkeysphere"],
- subscribe => Exec["monkeysphere-import-key"],
- refreshonly => true,
- }
-}
-
-# add certifiers
-define monkeysphere::add_id_certifier( $keyid ) {
- exec { "monkeysphere-authentication add-id-certifier $keyid":
- environment => "MONKEYSPHERE_PROMPT=false",
- require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
- unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
- }
-}
-
-define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
- $user = $title
- $calculated_group = $group ? {
- '' => $user,
- default => $group
- }
-
- # don't require user if it's root because root is not handled
- # by puppet
- case $user {
- root: {
- file {
- $dest_dir:
- owner => $user,
- group => $calculated_group,
- mode => 755,
- ensure => directory,
- }
- }
- default: {
- file {
- $dest_dir:
- owner => $user,
- group => $calculated_group,
- mode => 755,
- ensure => directory,
- require => User[$user]
- }
- }
- }
-
- file {
- "${dest_dir}/${dest_file}":
- owner => $user,
- group => $calculated_group,
- mode => 644,
- content => template('monkeysphere/authorized_user_ids.erb'),
- ensure => present,
- recurse => true,
- require => File[$dest_dir]
- }
-
- exec { "monkeysphere-authentication update-users $user":
- refreshonly => true,
- require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ],
- subscribe => File["${dest_dir}/${dest_file}"]
- }
-}
-
-# ensure that the user has a gpg key created and it is authentication capable
-# in the monkeysphere. This is intended to be the same as generated a
-# password-less ssh key
-#
-define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048",
- $uid_name = undef, $email = undef ) {
-
- $user = $title
-
- # The goal is no passphrase, monkeysphere won't work without a passphrase.
- $calculated_passphrase = $gpg_auto_password ? {
- '' => 'monkeys',
- default => $gpg_auto_password
- }
-
- $calculated_name = $uid_name ? {
- '' => "$user user",
- default => $uid_name
- }
- $calculated_email = $email ? {
- '' => "$user@$fqdn",
- default => $email
- }
- exec { "monkeysphere-gen-key-$user":
- command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
- require => [ Package["monkeysphere"] ],
- user => $user,
- unless => "gpg --list-secret-key | grep ^sec >/dev/null"
- }
-
- #FIXME - we should check expiration date and extend it if we're < n days before expiration
-
- # handle auth subkey
- exec { "monkeysphere-gen-subkey-$user":
- command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
- require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
- user => $user,
- unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
- }
-
-}
-
-define monkeysphere::publish_user_key ( ){
- $user = $title
-
- $keyserver_arg = $monkeysphere_keyserver ? {
- '' => '',
- default => "--keyserver $monkeysphere_keyserver"
- }
-
- exec { "monkeysphere-gpg-send-key-$user":
- command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)",
- require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
- user => $user,
- }
-
-}
-
-define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) {
- $keyserver_arg = $monkeysphere_keyserver ? {
- '' => '',
- default => "--keyserver $monkeysphere_keyserver"
- }
-
- # ensure the key is in the key ring
- exec { "monkeysphere-gpg-recv-key-$user-$fingerprint":
- command => "gpg $keyserver_arg --recv-key $fingerprint",
- require => [ Package["monkeysphere"] ],
- user => $user,
- unless => "gpg --list-key $fingerprint 2>&1 >/dev/null"
- }
- # provide ownertrust
- exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint":
- command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust",
- require => [ Package["monkeysphere"] ],
- user => $user,
- unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null"
- }
-}
projects / puppet-monkeysphere.git / commitdiff