author | Leif Johansson <leifj@sunet.se> | 2013-12-19 06:45:37 -0800 |
---|---|---|
committer | Leif Johansson <leifj@sunet.se> | 2013-12-19 06:45:37 -0800 |
commit | f1c2ae2e0495f279493d8989b1c72bf3f8ed122a (patch) | |
tree | 5e87a9144cf8c23da8b5c7f438380b2bd39ab675 /global | |
parent | 6d74b3d6de4ca065c9b6519dbdad677fc72dc184 (diff) | |
parent | 389c04019b6df3dcbaf0c9d34a95601231895092 (diff) |
Merge pull request #1 from fredrikt/master
Add hiera-gpg for storing secrets used in templates.
Diffstat (limited to 'global')
-rw-r--r-- | global/overlay/etc/puppet/cosmos-modules.conf | 1 | ||||
-rw-r--r-- | global/overlay/etc/puppet/hiera.yaml | 18 | ||||
-rwxr-xr-x | global/pre-tasks.d/040hiera-gpg | 52 |
3 files changed, 71 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index ea69171..af786c4 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -10,3 +10,4 @@ vcsrepo puppetlabs/vcsrepo no
 xinetd puppetlabs/xinetd no
 #golang elithrar/golang yes
 #python git://github.com/stankevich/puppet-python.git yes
+hiera-gpg git://github.com/SUNET/hiera-gpg.git no
diff --git a/global/overlay/etc/puppet/hiera.yaml b/global/overlay/etc/puppet/hiera.yaml
index e69de29..cd619bb 100644
--- a/global/overlay/etc/puppet/hiera.yaml
+++ b/global/overlay/etc/puppet/hiera.yaml
@@ -0,0 +1,18 @@
+---
+:backends: - yaml
+ - gpg
+
+:logger: console
+
+:hierarchy: - %{env}/%{location}/%{calling_module}
+ - %{env}/%{calling_module}
+ - secrets.yaml
+ - common
+
+
+:yaml:
+ :datadir: /etc/hiera/data
+
+:gpg:
+ :datadir: /etc/hiera/data
+ :key_dir: /etc/hiera/gpg
diff --git a/global/pre-tasks.d/040hiera-gpg b/global/pre-tasks.d/040hiera-gpg
new file mode 100755
index 0000000..e5de6da
--- /dev/null
+++ b/global/pre-tasks.d/040hiera-gpg
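Review bot: The new `hiera-gpg git://github.com/SUNET/hiera-gpg.git no` line fetches the module over the `git://` transport, which authenticates neither the server nor the content, so the code that will later hold the keys to every Hiera secret is pulled in without any integrity check; the same repository is reachable as `https://github.com/SUNET/hiera-gpg.git`, which the same fetcher should accept if it is git underneath. The commented-out `puppet-python` line above uses the same scheme, so this appears to follow an existing convention rather than something the commit introduces, but a module that decrypts secrets is the one entry worth pinning to an authenticated transport (and, ideally, to a specific revision rather than the branch head, if the third column does not already control that).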
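Review bot: The hierarchy entry `- secrets.yaml` carries a file extension, but Hiera appends each backend's own extension to every hierarchy source, so the yaml backend will look for `secrets.yaml.yaml` and the gpg backend for `secrets.yaml.gpg` under `/etc/hiera/data`; the entry presumably should read `- secrets` so that a `secrets.gpg` file is actually found. As rendered here, `:backends: - yaml` and `:hierarchy: - %{env}/%{location}/%{calling_module}` put the first list item on the same line as the key, which YAML does not treat as a block sequence; if the committed file breaks the line after the colon this is only a display artefact of this page, otherwise neither the backend list nor the hierarchy parses as intended and the gpg backend is never consulted.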
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Set up a keyring for Hiera GPG
+# https://github.com/crayfishx/hiera-gpg
+#
+
+set -e
+
+GNUPGHOME=/etc/hiera/gpg
+export GNUPGHOME
+
+if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then
+ apt-get update
+ apt-get -y install ruby-gpgme
+fi
+
+
+if [ ! -s $GNUPGHOME/secring.gpg ]; then
+
+ if [ "x$1" != "x--force" ]; then
+ echo ""
+ echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
+ echo ""
+ echo " Run \`$0 --force' manually"
+ echo ""
+ exit 0
+ fi
+
+ if [ ! -f /usr/bin/gpg2 ]; then
+ apt-get update
+ apt-get -y install gnupg2
+ fi
+
+ mkdir -p $GNUPGHOME
+ chmod 700 $GNUPGHOME
+
+ TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
+ cat > $TMPFILE <<EOF
+%echo Generating a default key
+Key-Type: default
+Subkey-Type: default
+Name-Real: Cosmos Puppet
+Name-Comment: Hiera GPG key
+Name-Email: root@`hostname --fqdn`
+Expire-Date: 0
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+ gpg2 --batch --gen-key $TMPFILE
+ rm -f $TMPFILE
+fi
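Review bot: The `rm -f $TMPFILE` after `gpg2 --batch --gen-key $TMPFILE` is skipped whenever key generation fails, because `set -e` exits first and leaves the parameter file behind in /tmp; adding `trap 'rm -f "$TMPFILE"' EXIT` directly after the `mktemp` line covers both the success and the failure path. The batch parameters contain no `Passphrase:` line, so depending on the installed gnupg2 version the generated secret key is either stored unprotected or triggers an agent prompt that defeats the unattended run; a comment next to `Expire-Date: 0` stating that the key is expected to be unprotected and that the `chmod 700 $GNUPGHOME` on line 35 is its only protection would tell operators what the directory mode is guarding. The `-s $GNUPGHOME/secring.gpg` check on line 18 also ties regeneration to the legacy keyring layout, so if a later gnupg2 package stores secret keys elsewhere this script would attempt to generate a new key on every `--force` run rather than detecting the existing one.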