unkinben/puppet-bind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #20 from inkblot/auto-generating-keys

Browse Source 
Auto generating keys
This commit is contained in:
Nate Riffe 2015-01-18 10:45:32 -06:00
commit f2673698f5
4 changed files with 48 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -55,12 +55,18 @@ Puppet will manage the entire `named.conf` file and its includes. Most paramete
Creates a TSIG key file. Only the `secret` parameter is required, but it is recommended to explicitly supply the `algorithm` as well. The key file will be stored in `${::bind::confdir}/keys` with a filename derived from the title of the `bind::key` declaration. Creates a TSIG key file. Only the `secret` parameter is required, but it is recommended to explicitly supply the `algorithm` as well. The key file will be stored in `${::bind::confdir}/keys` with a filename derived from the title of the `bind::key` declaration.
bind::key { 'local-update': bind::key { 'local-update':
algorithm => 'hmac-sha256', algorithm => 'hmac-sha256', # default: 'hmac-sha256'
secret => '012345678901345678901234567890123456789=', secret => '012345678901345678901234567890123456789=',
owner => 'root', owner => 'root',
group => 'bind', group => 'bind',
} }
If no secret is specified, the bind::key define will generate one. The secret_bits parameter controls the size of the secret.
bind::key { 'local-update':
secret_bits => 512, # default: 256
}
###bind::acl ###bind::acl
Declares an acl in the server's configuration. The acl's name is the title of the `bind::acl` declaration. Declares an acl in the server's configuration. The acl's name is the title of the `bind::acl` declaration.

9
lib/puppet/parser/functions/hmac_secret.rb Normal file
View File

@ -0,0 +1,9 @@
# ex: syntax=ruby si sw=2 ts=2 et
require 'securerandom'
module Puppet::Parser::Functions
newfunction(:hmac_secret, :type => :rvalue) do |args|
bits = args[0].to_i
SecureRandom.base64(bits / 8)
end
end

34
manifests/key.pp
View File

@ -1,28 +1,50 @@
# ex: syntax=puppet si ts=4 sw=4 et # ex: syntax=puppet si ts=4 sw=4 et
define bind::key ( define bind::key (
$secret, $secret = undef,
$secret_bits = 256,
$algorithm = 'hmac-sha256', $algorithm = 'hmac-sha256',
$owner = 'root', $owner = 'root',
$group = $bind::params::bind_group, $group = $bind::params::bind_group,
$keydir = $::bind::keydir::keydir,
$keyfile = undef,
$include = true,
) { ) {
$keydir = $::bind::keydir::keydir
file { "${keydir}/${name}": # Generate a key of size $secret_bits if no $secret
$secret_actual = $secret ? {
undef => hmac_secret($secret_bits),
default => $secret,
}
# Keep existing key if the module is generating a key
$replace = $secret ? {
undef => false,
default => true,
}
# Use key name as key file name if none is supplied
$key_file_name = $keyfile ? {
undef => $name,
default => $keyfile,
}
file { "${keydir}/${key_file_name}":
ensure => present, ensure => present,
owner => $owner, owner => $owner,
group => $group, group => $group,
mode => '0640', mode => '0640',
replace => $replace,
content => template('bind/key.conf.erb'), content => template('bind/key.conf.erb'),
} }
if (defined(Class['bind'])) { if $include and defined(Class['bind']) {
Package['bind'] -> File["${keydir}/${name}"] ~> Service['bind'] Package['bind'] -> File["${keydir}/${key_file_name}"] ~> Service['bind']
concat::fragment { "bind-key-${name}": concat::fragment { "bind-key-${name}":
order => '10', order => '10',
target => "${bind::confdir}/keys.conf", target => "${bind::confdir}/keys.conf",
content => "include \"${bind::confdir}/keys/${name}\";\n", content => "include \"${keydir}/${key_file_name}\";\n",
} }
} }
} }

2
templates/key.conf.erb
View File

@ -1,5 +1,5 @@
key <%= @name %> { key <%= @name %> {
algorithm <%= @algorithm %>; algorithm <%= @algorithm %>;
secret "<%= @secret %>"; secret "<%= @secret_actual %>";
}; };