Dzahn has submitted this change and it was merged.
Change subject: Puppetise yhsm-daemon
......................................................................
Puppetise yhsm-daemon
Part of the Yubi 2FA auth servers.
Change-Id: I788972c138a8812877c7a841c74d34c436f1332c
---
M manifests/role/yubiauth.pp
A modules/yubiauth/manifests/yhsm-daemon.pp
A modules/yubiauth/templates/yhsm-daemon-default.erb
3 files changed, 52 insertions(+), 0 deletions(-)
Approvals:
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/manifests/role/yubiauth.pp b/manifests/role/yubiauth.pp
index 58cfdb4..6f36ab2 100644
--- a/manifests/role/yubiauth.pp
+++ b/manifests/role/yubiauth.pp
@@ -6,6 +6,8 @@
include standard
include base::firewall
+ include ::yubiauth::yhsm_daemon
+
system::role { 'role::yubiauth':
ensure => 'present',
description => 'Yubi 2FA authentication server',
diff --git a/modules/yubiauth/manifests/yhsm-daemon.pp
b/modules/yubiauth/manifests/yhsm-daemon.pp
new file mode 100644
index 0000000..a62bbf0
--- /dev/null
+++ b/modules/yubiauth/manifests/yhsm-daemon.pp
@@ -0,0 +1,27 @@
+class yubiauth::yhsm_daemon(
+ $yhsmdevice = '/dev/ttyACM0',
+) {
+
+ require_package('yhsm-daemon')
+
+ file { 'yhsm-daemon-default':
+ mode => '0440',
+ owner => root,
+ group => root,
+ path => '/etc/default/yhsm-daemon',
+ content => template('yubiauth/yhsm-daemon-default.erb'),
+ }
+
+ service { 'yhsm-daemon':
+ enable => true,
+ require => [
+ Package['yhsm-daemon'],
+ File['/etc/default/yhsm-daemon'],
+ ],
+ }
+}
+
+
+
+
+
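Review bot: The `service { 'yhsm-daemon': ... }` resource only sets `enable => true`, so Puppet ensures the unit is enabled at boot but never starts it on a node that is already up and never restarts it when `/etc/default/yhsm-daemon` changes; the rendered template's `YHSM_DAEMON_ENABLE="true"` does not change that. Add `ensure => 'running',` and `subscribe => File['/etc/default/yhsm-daemon'],` to the service so a changed device path actually takes effect. The class also has no header comment; a short one such as `# Runs the YubiHSM daemon; $yhsmdevice is the serial device it opens` would make the single parameter discoverable from the role. The five trailing `+` blank lines after the closing brace are noise and should be dropped.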
diff --git a/modules/yubiauth/templates/yhsm-daemon-default.erb
b/modules/yubiauth/templates/yhsm-daemon-default.erb
new file mode 100644
index 0000000..f0c6d51
--- /dev/null
+++ b/modules/yubiauth/templates/yhsm-daemon-default.erb
@@ -0,0 +1,23 @@
+# Should the YubiHSM server daemon be started?
+#
+# Valid values: "true" or "false"
+YHSM_DAEMON_ENABLE="true"
+
+# The device name of the YubiHSM. For a production setting, a name that is
+# invariant of system state when the YubiHSM is inserted is recommended
+# (e.g. "/dev/serial/by-id/usb-Yubico_Yubico_YubiHSM_xxxx-if00").
+YHSM_DAEMON_DEVICE="<%= @yhsmdevice %>"
+
+# If you have protected the key store of your YubiHSM with an 'HSM password'
+# (recommended), the key store must be unlocked before any validations can
+# be performed. Either log in to your server after every reboot and unlock
+# the key store manually (recommended), or enter the 'HSM password' in this
+# variable to have the startup script unlock the key store for you (less
+# secure). To unlock manually, use /usr/sbin/yhsm-keystore-unlock.
+YHSM_DAEMON_UNLOCK_PASSPHRASE=""
+
+# The network address to listen on. As a restrictive default, "127.0.0.1" is
used.
+# By default port 5348 is used.
+#DAEMON_ARGS="$DAEMON_ARGS --interface 127.0.0.1 --port 5348"
+
+[ "x$YHSM_DAEMON_DEVICE" != "x" ] && DAEMON_ARGS="$DAEMON_ARGS -D
$YHSM_DAEMON_DEVICE"
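Review bot: The value rendered into `YHSM_DAEMON_DEVICE` comes from the class default `/dev/ttyACM0`, which the template's own comment directly above the assignment advises against for production because a ttyACM index depends on enumeration order rather than on the specific HSM; the role should pass the stable `/dev/serial/by-id/...` path, or the manifest should at least state that the default is a placeholder. Leaving `YHSM_DAEMON_UNLOCK_PASSPHRASE=""` empty so the key store is unlocked manually after each reboot is the safer choice, and it is worth recording that intent on the Puppet side too, e.g. a manifest comment `# The unlock passphrase is deliberately not managed here; unlock the key store manually after boot`, so a later change does not wire it in as a class parameter and land it in the catalog. The unquoted `$YHSM_DAEMON_DEVICE` inside the `-D` argument is fine only as long as the Puppet-supplied path contains no whitespace, which presumably holds for the device paths in use.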
Gerrit-MessageType: merged
Gerrit-Change-Id: I788972c138a8812877c7a841c74d34c436f1332c
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: jenkins-bot <>