summaryrefslogtreecommitdiff
path: root/global
diff options
context:
space:
mode:
authorLeif Johansson <leifj@sunet.se>2013-12-19 06:45:37 -0800
committerLeif Johansson <leifj@sunet.se>2013-12-19 06:45:37 -0800
commitf1c2ae2e0495f279493d8989b1c72bf3f8ed122a (patch)
tree5e87a9144cf8c23da8b5c7f438380b2bd39ab675 /global
parent6d74b3d6de4ca065c9b6519dbdad677fc72dc184 (diff)
parent389c04019b6df3dcbaf0c9d34a95601231895092 (diff)
Merge pull request #1 from fredrikt/master
Add hiera-gpg for storing secrets used in templates.
Diffstat (limited to 'global')
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf1
-rw-r--r--global/overlay/etc/puppet/hiera.yaml18
-rwxr-xr-xglobal/pre-tasks.d/040hiera-gpg52
3 files changed, 71 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index ea69171..af786c4 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -10,3 +10,4 @@ vcsrepo puppetlabs/vcsrepo no
xinetd puppetlabs/xinetd no
#golang elithrar/golang yes
#python git://github.com/stankevich/puppet-python.git yes
+hiera-gpg git://github.com/SUNET/hiera-gpg.git no
diff --git a/global/overlay/etc/puppet/hiera.yaml b/global/overlay/etc/puppet/hiera.yaml
index e69de29..cd619bb 100644
--- a/global/overlay/etc/puppet/hiera.yaml
+++ b/global/overlay/etc/puppet/hiera.yaml
@@ -0,0 +1,18 @@
+---
+:backends: - yaml
+ - gpg
+
+:logger: console
+
+:hierarchy: - %{env}/%{location}/%{calling_module}
+ - %{env}/%{calling_module}
+ - secrets.yaml
+ - common
+
+
+:yaml:
+ :datadir: /etc/hiera/data
+
+:gpg:
+ :datadir: /etc/hiera/data
+ :key_dir: /etc/hiera/gpg
diff --git a/global/pre-tasks.d/040hiera-gpg b/global/pre-tasks.d/040hiera-gpg
new file mode 100755
index 0000000..e5de6da
--- /dev/null
+++ b/global/pre-tasks.d/040hiera-gpg
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Set up a keyring for Hiera GPG
+# https://github.com/crayfishx/hiera-gpg
+#
+
+set -e
+
+GNUPGHOME=/etc/hiera/gpg
+export GNUPGHOME
+
+if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then
+ apt-get update
+ apt-get -y install ruby-gpgme
+fi
+
+
+if [ ! -s $GNUPGHOME/secring.gpg ]; then
+
+ if [ "x$1" != "x--force" ]; then
+ echo ""
+ echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
+ echo ""
+ echo " Run \`$0 --force' manually"
+ echo ""
+ exit 0
+ fi
+
+ if [ ! -f /usr/bin/gpg2 ]; then
+ apt-get update
+ apt-get -y install gnupg2
+ fi
+
+ mkdir -p $GNUPGHOME
+ chmod 700 $GNUPGHOME
+
+ TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
+ cat > $TMPFILE <<EOF
+%echo Generating a default key
+Key-Type: default
+Subkey-Type: default
+Name-Real: Cosmos Puppet
+Name-Comment: Hiera GPG key
+Name-Email: root@`hostname --fqdn`
+Expire-Date: 0
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+ gpg2 --batch --gen-key $TMPFILE
+ rm -f $TMPFILE
+fi