mandersson/matrix-ops
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #32 from SUNET/feature-ft-install_eyaml

Browse source 
Install eyaml on newer hosts
This commit is contained in:
Patrik Lundin 2023-02-06 12:31:31 +01:00 committed by GitHub
parent 8599d395c2 f9a286fc05
commit 906edf3caf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
global/pre-tasks.d/040hiera-eyaml Executable file
View file

@ -0,0 +1,36 @@
#!/bin/sh
#
# Set up eyaml for Hiera
#
set -e
EYAMLDIR=/etc/hiera/eyaml
vendor=$(lsb_release -is)
version=$(lsb_release -rs)
# eyaml is only used on Ubuntu 20.04 and newer, and Debian 11 and newer (earlier OSes use hiera-gpg instead)
test "${vendor}" = "Ubuntu" && dpkg --compare-versions "${version}" "lt" "18.04" && exit 0
test "${vendor}" = "Debian" && dpkg --compare-versions "${version}" "lt" "10" && exit 0
stamp="$COSMOS_BASE/stamps/hiera-eyaml-v01.stamp"
test -f "$stamp" && exit 0
if [ ! -f /usr/bin/eyaml ] || [ ! -d /usr/share/doc/yaml-mode ]; then
apt-get update
apt-get -y install hiera-eyaml yaml-mode
fi
if [ ! -f ${EYAMLDIR}/public_certkey.pkcs7.pem ] || [ ! -f ${EYAMLDIR}/private_key.pkcs7.pem ]; then
# hiera-eyaml wants a certificate and public key, not just a public key oddly enough
echo "$0: Generating eyaml key in ${EYAMLDIR} - this might take a while..."
mkdir -p /etc/hiera/eyaml
openssl req -x509 -newkey rsa:4096 -keyout ${EYAMLDIR}/private_key.pkcs7.pem \
-out ${EYAMLDIR}/public_certkey.pkcs7.pem -days 3653 -nodes -sha256 \
-subj "/C=SE/O=SUNET/OU=EYAML/CN=$(hostname)"
rm -f ${EYAMLDIR}/public_key.pkcs7.pem # cleanup
fi
mkdir -p "$(dirname "${stamp}")"
touch "$stamp"

23
global/pre-tasks.d/040hiera-gpg
View file

@ -9,12 +9,21 @@ set -e
GNUPGHOME=/etc/hiera/gpg GNUPGHOME=/etc/hiera/gpg
export GNUPGHOME export GNUPGHOME
vendor=$(lsb_release -is)
version=$(lsb_release -rs)
# If the OS is Ubuntu 18.04 or newer, or Debian 10 or newer, we don't need to do anything (those use eyaml instead)
test "${vendor}" = "Ubuntu" && dpkg --compare-versions "${version}" "ge" "18.04" && exit 0
test "${vendor}" = "Debian" && dpkg --compare-versions "${version}" "ge" "10" && exit 0
stamp="$COSMOS_BASE/stamps/hiera-gpg-v01.stamp"
test -f "$stamp" && exit 0
if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then
apt-get update apt-get update
apt-get -y install ruby-gpgme apt-get -y install ruby-gpgme
fi fi
if [ ! -s $GNUPGHOME/secring.gpg ]; then if [ ! -s $GNUPGHOME/secring.gpg ]; then
if [ "x$1" != "x--force" ]; then if [ "x$1" != "x--force" ]; then
@ -35,19 +44,21 @@ if [ ! -s $GNUPGHOME/secring.gpg ]; then
chmod 700 $GNUPGHOME chmod 700 $GNUPGHOME
TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX) TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
cat > $TMPFILE <<EOF cat > "$TMPFILE" <<EOF
%echo Generating a default key %echo Generating a default key
Key-Type: default Key-Type: default
Subkey-Type: default Subkey-Type: default
Name-Real: Cosmos Puppet Name-Real: Cosmos Puppet
Name-Comment: Hiera GPG key Name-Comment: Hiera GPG key
Name-Email: root@`hostname --fqdn` Name-Email: root@$(hostname --fqdn)
Expire-Date: 0 Expire-Date: 0
# Do a commit here, so that we can later print "done" :-) # Do a commit here, so that we can later print "done" :-)
%no-protection
%commit %commit
%echo done %echo done
EOF EOF
gpg2 --batch --gen-key $TMPFILE gpg2 --batch --gen-key "$TMPFILE"
rm -f $TMPFILE rm -f "$TMPFILE"
fi fi
mkdir -p "$(dirname "${stamp}")"
touch "$stamp"