--- /dev/null
+--
+-- THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+-- USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+--
+
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
--- /dev/null
+class entropykey::provider {
+ package {
+ "ekeyd": ensure => installed;
+ }
+
+ file {
+ "/etc/entropykey/ekeyd.conf":
+ source => "puppet:///modules/entropykey/ekeyd.conf",
+ notify => Exec['restart_ekeyd'],
+ require => [ Package['ekeyd'] ],
+ ;
+ }
+
+ exec {
+ "restart_ekeyd":
+ command => "true && cd / && env -i /etc/init.d/ekeyd restart",
+ require => [ File['/etc/entropykey/ekeyd.conf'] ],
+ refreshonly => true,
+ ;
+ }
+
+ include "stunnel4"
+ stunnel4::stunnel_server {
+ "ekeyd":
+ accept => 18888,
+ connect => "127.0.0.1:8888",
+ ;
+ }
+}
+
+class entropykey::local_consumer {
+ package {
+ "ekeyd-egd-linux": ensure => installed;
+ }
+
+ file {
+ "/etc/default/ekeyd-egd-linux":
+ source => "puppet:///modules/entropykey/ekeyd-egd-linux",
+ notify => Exec['restart_ekeyd-egd-linux'],
+ require => [ Package['ekeyd-egd-linux'] ],
+ ;
+ }
+
+ exec {
+ "restart_ekeyd-egd-linux":
+ command => "true && cd / && env -i /etc/init.d/ekeyd-egd-linux restart",
+ require => [ File['/etc/default/ekeyd-egd-linux'] ],
+ refreshonly => true,
+ ;
+ }
+}
+
+class entropykey::remote_consumer inherits entropykey::local_consumer {
+ include "stunnel4"
+ stunnel4::stunnel_client {
+ "ekeyd":
+ accept => "127.0.0.1:8888",
+ connecthost => "heininen.debian.org",
+ connectport => 18888,
+ ;
+ }
+}
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
projects / dsa-puppet.git / commitdiff