From: Antoine Beaupré <anarcat@koumbit.org>
Date: Wed, 16 Oct 2013 19:02:57 +0000 (-0400)
Subject: Merge remote-tracking branch 'sarava/master'
X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=5ac51aa1072c59e7998602a8466cd9bbc2aa8cef;p=puppet-monkeysphere.git

Merge remote-tracking branch 'sarava/master'

Conflicts:
	README
	manifests/init.pp
---

5ac51aa1072c59e7998602a8466cd9bbc2aa8cef
diff --cc README
index 569e512,a1d3595..e5f72e9
--- a/README
+++ b/README
@@@ -1,28 -1,61 +1,74 @@@
- puppet module for monkeysphere
+ The monkeysphere puppet module is designed to help you manage your servers
+ and users using the monkeysphere[0].
  
- for information about monkeysphere, see http://web.monkeysphere.info/
++To install the monkeypshere module, storeconfigs should be enabled in
++your puppet server to use certain features. See:
 +
- To install the monkeypshere module:
++http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
 +
- * storeconfigs should be enabled in your puppet server to use certain features.
-   see: http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
+ Example usage for server setup:
  
- * in node definitions that should export a ssh host key via
-   monkeyshere, add:
+   # Assuming you are using the sshd puppet module...
+   $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u"
+   include sshd
  
-   include monkeysphere::sshserver
+   # Optionally, indicate your preferred keyserver. You can specify a server
+   # under your control and not accessible to the public or
+   # pool.sks-keyservers.net if you want to publish to the public pool. The
+   # value you specify here will be used for all monkeysphere and gpg commands
+   $monkeysphere_keyserver = "zimmermann.mayfirst.org" 
+   include monkeysphere
  
- * You can specify pgpids of identity certifiers:
+   # Ensure the server's ssh key is imported into your monkeysphere key ring
+   monkeysphere::import_key { "main": }
  
-   identity_certifier { "A3AE44A4":
-     ensure => present
+   # Optionally publish the server key to a keyserver (as indicated above)
+   monkeysphere::publish_server_keys { "main": } 
+   
+   # Optionally email the server key to your self
+   monkeysphere::email_server_keys { "we@ourdomain.org": }
+ 
+   # Be sure to sign the server's key!
+ 
+   # Indiciate the fingerprint of the gpg key that should be used
+   # to verify user ids. You can repeat this for as many certifiers
+   # as you need
+   monkeysphere::add_id_certifier { "jamie":
+ 	  keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935" 
+   }
+   
+   # Indicate who should have root access on the server 
+   monkeysphere::authorized_user_ids { "root":
+ 	  user_ids => [ "sarah <sarah@ourgroup.org>" , "jose <josue@ourgroup.org" ] 
+   } 
+ 
+ In addition, you may want to create a password-less key for a user to use
+ when logging into another server (e.g. if you want automated backups from
+ one server to another).
+ 
+ Example usage for user setup:
+ 
+   # Ensure that the root user has authentication capable
+   # monkeysphere key 
+   monkeysphere::auth_capable_user { "root": }
+ 
+   # Optionally publish the key
+   monkeysphere::publish_user_key { "root": } 
+ 
+   # Grant full trust to a gpg key so the root user can properly
+   # authenticate servers to which it connects
+   # You can run this as many times as you want
+   monkeysphere::owner_trust { "jamie":
+ 	  fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" 
    }
 -   
 +
 +A host can be configured as a host you would use to sign the gpg keys by placing:
 +
 +  include monkeysphere::signer
 +
 +into the node definition. ON this host, a file will be placed in
 +/var/lib/puppet/modules/monkeysphere/hosts for each host configured as a
 +sshserver.  Each file will contin the gpg id, the gpg fingerprint, and
 +the ssh fingerprint of the sshserver.
+ 
+ 0. http://monkeysphere.info/
diff --cc manifests/init.pp
index 6885b45,d5358b5..a58faec
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@@ -19,50 -19,111 +19,114 @@@
  #
  # Class for monkeysphere management
  #
+ 
 -class monkeysphere inherits monkeysphere::defaults {
 +class monkeysphere(
 +  $ssh_port       = '',
 +  $publish_key    = false,
-   $ensure_version = 'installed'
++  $ensure_version = 'installed',
++  $keyserver      = 'pool.sks-keyservers.net'
 +) {
    # The needed packages
 -  package { monkeysphere: ensure => installed, }
 +  package{'monkeysphere':
 +    ensure => $ensure_version,
 +  }
 +
-   $port = $monkeysphere::ssh_port ? {
-     ''      => '',
-     default => ":${monkeysphere::ssh_port}",
-   }
- 
 +  $key = "ssh://${::fqdn}${port}"
 +
 +  common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: }
-   file {
-     '/usr/local/sbin/monkeysphere-check-key':
-       ensure  => present,
-       owner   => root,
-       group   => root,
-       mode    => '0755',
-       content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=${key}' &> /dev/null || false",
-   }
- 
-   # Server host key publication
-   Exec{
-     unless  => '/usr/local/sbin/monkeysphere-check-key',
-     user    => 'root',
-     require => [ Package['monkeysphere'], File['/usr/local/sbin/monkeysphere-check-key'] ],
-   }
-   case $monkeysphere::publish_key {
-     false: {
-       exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key}": }
-     }
-     'mail': {
-       $mail_loc = $::operatingsystem ? {
-         'centos' => '/bin/mail',
-         default => '/usr/bin/mail',
-       }
-       exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key} && \
-           ${mail_loc} -s 'monkeysphere host pgp key for ${::fqdn}' root < /var/lib/monkeysphere/host_keys.pub.pgp":
++  # This was the old way which the module checked monkeysphere keys
++  file { "/usr/local/sbin/monkeysphere-check-key":
++    ensure  => absent,
++    owner   => root,
++    group   => root,
++    mode    => 0755,
++    content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
++  }
+ 
+   file { "monkeysphere_conf":
+     path => "/etc/monkeysphere/monkeysphere.conf",
+     mode => 644,
+     ensure => present,
+     content => template("monkeysphere/monkeysphere.conf.erb"),
+     require => Package['monkeysphere'],
+   }
+   file { "monkeysphere_host_conf":
+     path => "/etc/monkeysphere/monkeysphere-host.conf",
+     mode => 644,
+     ensure => present,
+     content => template("monkeysphere/monkeysphere-host.conf.erb"),
+     require => Package['monkeysphere'],
+   }
+   file { "monkeysphere_authentication_conf":
+     path => "/etc/monkeysphere/monkeysphere-authentication.conf",
+     mode => 644,
+     ensure => present,
+     content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
+     require => Package['monkeysphere'],
+   }
 -
 -  # This was the old way which the module checked monkeysphere keys
 -  file { "/usr/local/sbin/monkeysphere-check-key":
 -    ensure  => absent,
 -    owner   => root,
 -    group   => root,
 -    mode    => 0755,
 -    content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
 -  }
 -}
 -
 -class monkeysphere::defaults {
 -  $keyserver = $monkeysphere_keyserver ? {
 -    '' => 'pool.sks-keyservers.net',
 -    default => $monkeysphere_keyserver
 -  }
+ }
+ 
+ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
+ 
+   # if we're getting a port number, prefix with a colon so it's valid
+   $prefixed_port = $port ? {
+     '' => '',
+     default => ":$port"
+   }
+ 
+   $key = "${scheme}${fqdn}${prefixed_port}"
+ 
+   exec { "monkeysphere-host import-key $path $key":
+     alias => "monkeysphere-import-key",
+ 	  require => [ Package["monkeysphere"],  File["monkeysphere_host_conf"] ],
+ 	  unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
+   }
+ }
+ 
 -# Server host key publication
++    # Server host key publication
+ define monkeysphere::publish_server_keys ( $keyid = '--all' ) { 
+   exec { "monkeysphere-host publish-keys $keyid":
+     environment => "MONKEYSPHERE_PROMPT=false",
+ 	  require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ],
+   }
+ }
+ 
+ # optionally, mail key somehwere 
+ define monkeysphere::email_server_keys ( ) {
+   $email = $title    
+   exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+     require     => Package["monkeysphere"],
+     subscribe   => Exec["monkeysphere-import-key"],
+     refreshonly => true,
+   }
+ }
+ 
+ # add certifiers
+ define monkeysphere::add_id_certifier( $keyid ) {
+   exec { "monkeysphere-authentication add-id-certifier $keyid":
+ 	  environment => "MONKEYSPHERE_PROMPT=false",
+ 	  require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
+ 	  unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
+   }
+ }
+ 
+ define monkeysphere::authorized_user_ids( $user_ids,  $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
+   $user = $title
+   $calculated_group = $group ? {
+     '' => $user,
+     default => $group
+   }
+ 
+   # don't require user if it's root because root is not handled 
+   # by puppet
+   case $user {
+     root: {
+       file {
+         $dest_dir:
+           owner => $user,
+           group => $calculated_group,
+           mode => 755,
+           ensure => directory,
        }
      }
      default: {