From: Peter Palfrader Date: Mon, 21 Mar 2011 00:06:54 +0000 (+0100) Subject: And a first ekey module X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=3b9bedfb9c7e5cd42e2d198b8dbd7a8649a3608d;p=mirror%2Fdsa-puppet.git And a first ekey module --- diff --git a/manifests/site.pp b/manifests/site.pp index 0c71c52d3..398da0ab9 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -37,23 +37,10 @@ node default { case $hostname { heininen: { - include "stunnel4" - stunnel4::stunnel_server { - "ekeyd": - accept => 18888, - connect => "127.0.0.1:8888", - ; - } + include "entropykey::provider" } unger: { - include "stunnel4" - stunnel4::stunnel_client { - "ekeyd": - accept => "127.0.0.1:8888", - connecthost => "heininen.debian.org", - connectport => 18888, - ; - } + include "entropykey::remote_consumer" } } diff --git a/modules/entropykey/files/ekeyd-egd-linux b/modules/entropykey/files/ekeyd-egd-linux new file mode 100644 index 000000000..ba8c31c09 --- /dev/null +++ b/modules/entropykey/files/ekeyd-egd-linux @@ -0,0 +1,26 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# Change to YES to allow ekeyd-egd-linux to start. Ensure the below are +# correctly configured first though. +START_EKEYD_EGD_LINUX=YES + +# Change this if you want it to be something other than the default +# HOST=127.0.0.1 +# PORT=8888 + +# Number of bits minimum in the pool, below which the daemon will kick in +# and transfer data from the EGD to the pool (providing it's available) +# WATERMARK=1024 + +# Number of 1024 bit (128 byte) blocks to transfer to the kernel each +# time it dips below the low water mark. +# BLOCKS=3 + +# How many shannons-per-byte to claim for data pushed to the pool +# SHANNONS=7 + +# How many seconds between connection retries. Zero means do-not-retry. +RETRYTIME=30 
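Review bot: The active behaviour of ekeyd-egd-linux here rests on the commented-out defaults `# HOST=127.0.0.1` and `# PORT=8888`, which are exactly the loopback endpoint that `stunnel4::stunnel_client { "ekeyd": accept => "127.0.0.1:8888" }` in entropykey::remote_consumer opens, and nothing in the file records that coupling. A comment next to those two lines, e.g. `# Defaults must match the accept address of the stunnel_client "ekeyd" in entropykey::remote_consumer`, would keep the two in step when either side is changed. The same port is what ekeyd.conf's `EGDTCPSocket(8888 ...)` listens on, so the comment could name that as the other endpoint the defaults are expected to meet.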
diff --git a/modules/entropykey/files/ekeyd.conf b/modules/entropykey/files/ekeyd.conf
new file mode 100644
index 000000000..8cf55d2ac
--- /dev/null
+++ b/modules/entropykey/files/ekeyd.conf
@@ -0,0 +1,94 @@ +-- +-- THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +-- USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +-- + +-- -*- Lua -*- + +-- Sample configuration file for ekeyd + +-- -----------------------------------------------[ General setup ]----- + +-- If you want a TCP control socket on 127.0.0.1 then uncomment this +-- command. +-- Please note that there is no protection on a TCP socket, anyone on +-- the box can connect to it and there is no authentication process. +-- TCPControlSocket "1234" + +-- The unix control socket is typically what we use +UnixControlSocket "/var/run/ekeyd.sock" + +-- The keyring contains the keys for the long-term rekey If you change +-- this location from the default then be aware that the +-- long-term-rekey tool may not work. +Keyring "/etc/entropykey/keyring" + +-- The daemon background operation may be supressed. In this mode the +-- daemon will run in the foreground and the controlling tty will not +-- be released. +-- Daemonise(false) + +-- -------------------------------------------------[ Output Mode ]----- + +-- Only one output mode is permitted to be active. Typically on Linux +-- that would be the kernel output mode, however instead you can opt +-- to use the EGD interface. Various other daemons then support taking +-- EGD interfaces and adding entropy to the kernel instead, allowing +-- multiple clients to retrieve entropy by various means. + +-- The SetOutputToKernel option places all the gathered entropy into +-- the kernel pool. The data placed into the kernel pool is +-- conservatively estimated to contain 7 shannons of entropy per byte +-- added. +-- Note that the data coming from the UDEKEY01 should have one Shannon +-- of entropy per bit so this value could quite safely be set to +-- 8. The default value only has the effect of reducing the rate +-- entropy is mixed into the kernel pool and no other adverse +-- affect. 
This default is selected as an conservative choice which is +-- generally preferable when dealing with random sources. +-- SetOutputToKernel(7) + +-- The daemon may support the EGD (Entropy Gathering Daemon) socket +-- protocol. There are two choice to create either a TCP or Unix +-- socket which speaks the EGD protocol. +-- Note that you cannot have kernel output *and* EGD output, they are +-- mutually exclusive. +-- The EGD protocol support assumes entropy coming off the ekeys is at +-- the level of 8 shannons per byte and this cannot be changed as it +-- is a limitation of the EGD protocol itself. The TCP socket can be +-- given an optional parameter to specify the IP address to bind to. +-- It will default to 127.0.0.1 if not specified. + +EGDTCPSocket(8888 --[[, "127.0.0.1" ]]) +-- EGDUnixSocket "/etc/entropy" + +-- EGDUnixSocket can optionally take an octal mode string and +-- username and group to chmod and chown the socket to. +-- If you do not wish to change the user or group, use empty strings. +-- You cannot change the user/group without also providing a mode string. +-- The default is to leave the user/group alone and set the socket to +-- mode 0600 +-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers") + +-- The SetOutputToFile option writes all gathered entropy to the named +-- file. No additional processing is performed. The output file must +-- exist before the daemon is run. This option is generally only +-- useful if the user wishes to gather data for subsequent testing. +-- Note as with all the other output options this may be the only +-- output selection and may not be used with either the kernel or EGD +-- output enabled. + +-- SetOutputToFile "/tmp/entropy" + +-- -----------------------------------------------[ Device Config ]----- + +-- Add entropy keys from /dev/entropykey where our default udev rules +-- will place symbolic links (on GNU/Linux operating systems). 
+AddEntropyKeys "/dev/entropykey" +-- Also add keys from /var/run/entropykeys where the UNIX domain socket +-- rules will place sockets if using them. +AddEntropyKeys "/var/run/entropykeys" +-- On OpenBSD/MirBSD you will probably need to use something like this +-- instead (match the device minor (here: 0) with the ucom(4) instance +-- your umodem(4) device attaches to): +-- AddEntropyKey "/dev/cuaU0" diff --git a/modules/entropykey/manifests/init.pp b/modules/entropykey/manifests/init.pp new file mode 100644 index 000000000..e9a2bbec6 --- /dev/null +++ b/modules/entropykey/manifests/init.pp @@ -0,0 +1,66 @@ +class entropykey::provider { + package { + "ekeyd": ensure => installed; + } + + file { + "/etc/entropykey/ekeyd.conf": + source => "puppet:///modules/entropykey/ekeyd.conf", + notify => Exec['restart_ekeyd'], + require => [ Package['ekeyd'] ], + ; + } + + exec { + "restart_ekeyd": + command => "true && cd / && env -i /etc/init.d/ekeyd restart", + require => [ File['/etc/entropykey/ekeyd.conf'] ], + refreshonly => true, + ; + } + + include "stunnel4" + stunnel4::stunnel_server { + "ekeyd": + accept => 18888, + connect => "127.0.0.1:8888", + ; + } +} + +class entropykey::local_consumer { + package { + "ekeyd-egd-linux": ensure => installed; + } + + file { + "/etc/default/ekeyd-egd-linux": + source => "puppet:///modules/entropykey/ekeyd-egd-linux", + notify => Exec['restart_ekeyd-egd-linux'], + require => [ Package['ekeyd-egd-linux'] ], + ; + } + + exec { + "restart_ekeyd-egd-linux": + command => "true && cd / && env -i /etc/init.d/ekeyd-egd-linux restart", + require => [ File['/etc/default/ekeyd-egd-linux'] ], + refreshonly => true, + ; + } +} + +class entropykey::remote_consumer inherits entropykey::local_consumer { + include "stunnel4" + stunnel4::stunnel_client { + "ekeyd": + accept => "127.0.0.1:8888", + connecthost => "heininen.debian.org", + connectport => 18888, + ; + } +} + +# vim:set et: +# vim:set sts=4 ts=4: +# vim:set shiftwidth=4: 
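Review bot: `EGDTCPSocket(8888 --[[, "127.0.0.1" ]])` leaves the bind address to the daemon's default; the comment just above it says that default is 127.0.0.1, but EGD carries no authentication of its own and the only intended remote path in this commit is the stunnel server on 18888, so the loopback-only binding is a security property the file should state rather than inherit: `EGDTCPSocket(8888, "127.0.0.1")`. That also survives a future ekeyd version choosing a different default. Separately, SetOutputToKernel stays commented out and the file's own Output Mode text says kernel and EGD output are mutually exclusive, so on the host that gets this file the kernel pool is fed only if some consumer reads the EGD socket; a one-line comment at the top of the Output Mode section naming the puppet class this file is meant for (entropykey::provider) would make that dependency visible to whoever edits it next.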
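Review bot: entropykey::provider installs ekeyd with the shipped ekeyd.conf, whose only enabled output is `EGDTCPSocket(8888 ...)` (SetOutputToKernel is commented out and the file says the two modes are mutually exclusive), and the class does not include entropykey::local_consumer, so as far as this commit shows nothing feeds the provider host's own kernel pool; if that is intended a comment in the class saying so would help, otherwise `include "entropykey::local_consumer"` in the provider (or in the heininen node) closes the gap. Both `file` resources also set no `owner`/`group`/`mode`, so the installed permissions are whatever puppet applies by default; `owner => root, group => root, mode => 0644` on `/etc/entropykey/ekeyd.conf` and `/etc/default/ekeyd-egd-linux` pins that, which matters because the latter is presumably sourced by the init script as shell. The stunnel4::stunnel_server / stunnel_client blocks are moved verbatim from site.pp, which now hard-codes the peer `heininen.debian.org` inside the module; fine for a single provider, but worth a comment on the remote_consumer class saying that is the only host expected to include entropykey::provider.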
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
index a4c9d5048..36b5ce06f 100644
--- a/modules/stunnel4/manifests/init.pp
+++ b/modules/stunnel4/manifests/init.pp
@@ -73,7 +73,7 @@ class stunnel4 {
 require => [ Package['stunnel4'] ],
 ;
 "restart_stunnel":
- command => "env -i /etc/init.d/stunnel4 restart",
+ command => "true && cd / && env -i /etc/init.d/stunnel4 restart",
 require => [ File['/etc/stunnel/stunnel.conf'], Exec['enable_stunnel4'], Package['stunnel4'] ],
 refreshonly => true,
 ;
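Review bot: The new `true && cd / && env -i /etc/init.d/stunnel4 restart` form is now used by three execs in this commit (here and both restart_* execs in modules/entropykey/manifests/init.pp) with no explanation of why `true &&` and `cd /` were added, so the next editor is likely to simplify it back. A short comment on this line, e.g. `# cd / and env -i so the restarted daemon inherits neither puppet's cwd nor its environment; 'true &&' presumably forces execution through a shell`, would preserve the intent, and if the reason is shared it may be cleaner to define the restart command once in the stunnel4 module than to copy it into each consumer. The enclosing class stunnel4 starts and ends outside the hunk.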