Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 7.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'fraenki-onetimesecret', '2.0.1'
Learn more about managing modules with a PuppetfileDocumentation
puppet-onetimesecret
Overview
A puppet module for setting up the One-Time Secret web application.
Requirements
Although the One-Time Secret web application is a ready to-use web service, it is highly recommend to run it behind a webserver or reverse proxy. This is emphasized by the fact that it runs on a non-standard port by default. However, setting up a websever or reverse proxy is beyond the scope of this module.
Usage
Basic usage
This example will build and install One-Time Secret from source, setup Redis, create a minimal configuration and activate the service for you:
class { 'onetimesecret':
version => 'v0.9.2',
secret => 'SomeHardToGuessRandomCharacters',
redis_password => 'AnotherGoodPassword',
}
NOTE: Once the secret
is set, do not change it (keep a backup offsite).
Choosing a version
The One-Time Secret project rarely provides new releases. That's why the $version
parameter supports different values: a release tag (v0.9.2), a branch name (master) or a commit ID (e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3). Have a look at the One-Time Secret GitHub page for possible values.
Keep in mind that setting $version
to a branch name will make it difficult to update One-Time Secret. A commit ID or release tag is highly recommended:
class { 'onetimesecret':
version => 'e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3',
secret => 'SomeHardToGuessRandomCharacters',
redis_password => 'AnotherGoodPassword',
}
Customization
It is easy to add new options or to overwrite some default values in the configuration:
class { 'onetimesecret':
install_dir => '/data',
symlink_name => '/data/onetimesecret',
options => {
site => {
ssl => true,
},
emailer => {
host => 'smtprelay.example.com',
},
},
redis_options => {
maxmemory => '2gb',
},
secret => 'SomeHardToGuessRandomCharacters',
redis_password => 'AnotherGoodPassword',
}
It is possible to disable certain functionality if you want to manage some aspects on your own:
class { 'onetimesecret':
manage_redis => false,
manage_user => false,
manage_service => false,
secret => 'SomeHardToGuessRandomCharacters',
redis_password => 'AnotherGoodPassword',
}
You may opt to disable the default configuration and configure One-Time Secret from scratch:
class { 'onetimesecret':
use_default_options => false,
options => {...}
secret => 'SomeHardToGuessRandomCharacters',
redis_password => 'AnotherGoodPassword',
}
In this case the $options
parameter must contain ALL required configuration options to run the One-Time Secret web application. Otherwise the service may fail to startup.
Using Hiera
You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:
onetimesecret::use_default_options: false
onetimesecret::options:
site:
host: 'localhost:7143'
domain: %{::domain}
ssl: false
secret: 'CHANGEME'
redis:
uri: '''redis://user:CHANGEME@127.0.0.1:7179/0?timeout=10&thread_safe=false&logging=false'''
config: $redis_config_file
emailer:
mode: ':smtp'
from: "ots@%{::domain}"
host: 'localhost'
port: 25
incoming:
enabled: false
email: 'example@onetimesecret.com'
passphrase: 'CHANGEME'
regex: '\A[a-zA-Z0-9]{6}\z'
locales:
- 'en'
- 'es'
- 'de'
- 'nl'
- 'ru'
unsupported_locales:
- 'fr'
- 'pt'
- 'jp'
- 'pt'
stathat:
enabled: false
apikey: 'CHANGEME'
default_chart: 'CHANGEME'
text:
nonpaid_recipient_text: '''You need to create an account!'''
paid_recipient_text: '''Send the secret link via email'''
limits:
create_secret: 250
create_account: 10
update_account: 10
email_recipient: 50
send_feedback: 10
authenticate_session: 5
homepage: 500
dashboard: 1000
failed_passphrase: 5
show_metadata: 1000
show_secret: 1000
burn_secret: 1000
Reference
Classes and parameters are documented in REFERENCE.md.
Development
Contributing
Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.
Contributions must pass all existing tests, new features should provide additional unit/acceptance tests.
Reference
Table of Contents
Classes
Public Classes
onetimesecret
: Setup the One-Time Secret web application
Private Classes
onetimesecret::config
: Manage the One-Time Secret configurationonetimesecret::install
: Install the One-Time Secret distribution archiveonetimesecret::redis
: Setup a Redis instance for use with One-Time Secretonetimesecret::service
: Setup the One-Time Secret system serviceonetimesecret::user
: Create a user and group for One-Time Secret
Classes
onetimesecret
Setup the One-Time Secret web application
Parameters
The following parameters are available in the onetimesecret
class.
config_dir
Data type: String
Path to the directory containing the One-Time Secret configuration files.
config_file
Data type: String
The main One-Time Secret configuration file (absolute path required).
data_dir
Data type: String
Path to the directory containing the persistent One-Time Secret data.
domain
Data type: String
The domain name that is used by One-Time Secret.
group
Data type: String
Specifies the group under which the One-Time Secret service will run.
http_port
Data type: Integer
The HTTP port of the One-Time Secrets web server. Note that this defaults to a non-standard port because you are expected to use a reverse proxy in front of the One-Time Secret web application.
host
Data type: String
The hostname that is used when One-Time Secret generates URLs (web/mail). Usually the FQDN which is served by a reverse proxy.
install_dir
Data type: String
Base directory for the installation. A sub-directory for every version will automatically be created. Old versions will not be removed.
log_dir
Data type: String
Directory for One-Time Secret log files.
log_file
Data type: String
The main One-Time Secret log file (absolute path required).
manage_additional_packages
Data type: Boolean
Set to false
to disable the installation of dependencies which are
required to build and run One-Time Secret.
manage_config
Data type: Boolean
Set to false
to disable managing of the One-Time Secret configuration
files.
manage_service
Data type: Boolean
Set to false
to disable service management.
manage_symlink
Data type: Boolean
Set to false
to disable the creation/update of a symlink to the current
version. Note that the symlink is required when using the default
configuration.
manage_user
Data type: Boolean
Set to false
to disable the creation of a user and group for One-Time Secret.
options
Data type: Hash
Specifies a hash containing options to either overwrite some default values
or to configure One-Time Secret from scratch. Will be merged with the
$default_options
hash (as long as $use_default_options
is set to true
).
pid_dir
Data type: String
Specifies the directory for the One-Time Secret PID file.
pid_file
Data type: String
The PID file for the main One-Time Secret web service (absolute path required).
redis_password
Data type: String
A password for connections to the Redis server. It will also be used when setting up a new Redis instance for One-Time Secret.
redis_options
Data type: Hash
Specifies a hash containing options to overwrite some default values
for the Redis service (as long as $manage_redis
is set to true
).
secret
Data type: String
A global secret is included in the encryption key so it needs to be
long and secure. NOTE: Once the secret
is set, do not change it
(keep a backup offsite).
service_enable
Data type: Boolean
Specifies whether the service should be enabled.
service_ensure
Data type: String
Specifies the desired state for the service.
service_provider
Data type: String
Specifies the service provider. Must be compatible with the operating system.
symlink_name
Data type: String
Controls the name of a version-independent symlink. It will always point
to the release specified by $version
.
use_default_options
Data type: Boolean
Set to false
to completely disable loading of the default configuration.
In this case you are required to provide a fully working configuration.
user
Data type: String
Specifies the user under which the One-Time Secret service will run.
version
Data type: String
The version of One-Time Secret thats should be installed. Supports several different values: a release tag (v0.9.2), a branch name (master) or a commit ID. Have a look at the One-Time Secret GitHub page for possible values.
additional_packages
Data type: Array
bundle_exec
Data type: String
config_mode
Data type: String
config_template
Data type: String
default_options
Data type: Hash
download_url
Data type: String
manage_redis
Data type: Boolean
path
Data type: String
service_file
Data type: Stdlib::Compat::Absolute_path
service_name
Data type: String
service_template
Data type: String
gid
Data type: Optional[Integer]
Default value: undef
uid
Data type: Optional[Integer]
Default value: undef
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
2.0.1 - 2020-11-05
Fixed
- Fix empty
$host
, set default value to FQDN
2.0.0 - 2020-11-05
This release introduces several breaking changes. Redis is no longer
maintained by this module, as a result, the Redis configuration is not
compatible with older releases. You should migrate your Redis instance
manually to voxpupuli/puppet-redis (dump+restore is recommended).
Afterwards change $redis_options
to be compatible with your new Redis instance.
Added
- Use systemd to manage the service on Linux
- Add new parameter
$manage_redis
Changed
- Do not set a default value for
$version
- Use module voxpupuli/puppet-redis to manage Redis
- Redis no longer runs under the same user as One-Time Secret
- Re-add module voxpupuli/puppet-archive to download/extract the distribution archive
- Repurpose
$redis_options
to work with voxpupuli/puppet-redis, add backwards-incompatible options - Update default values for
$additional_packages
- Change merge strategy for
$additional_packages
(now set to 'first') - Convert to PDK 1.18.1
- Convert
params.pp
to module data - Migrate ERB templates to EPP
- Require Puppet 6
- Update OS support
Removed
- Remove support for obsolete Linux init script
- Remove parameter
$manage_service_file
(superseded by$manage_service
) - Remove parameters
$redis_config_file
,$redis_config_template
,$redis_default_options
,$redis_exec
,$redis_pid_file
- Remove parameters
$manage_package
and$package_name
(no packages available) - Remove parameter
$root_group
(using GID 0 is sufficient)
1.0.2 (unreleased)
Changed
- Remove undocumented dependency on voxpupuli/puppet-archive (replace with 'unzip' package). Make changes to install.pp to support installation of zip file.
- Change 'ruby1.9.1' and 'ruby1.9.1-dev' for the metapackages that also have installation candidates for Ubuntu 16 & 18. This adds support for Ubuntu 16 & 18.
- Change method of class ordering in init.pp
- Change download URL and version to onetimesecret fork. This was necessary because the Gemfile/Gemfile.lock in the official versions referenced a broken version of the gem 'yajl-ruby'. See https://github.com/onetimesecret/onetimesecret/issues/81
- Manifests linted in various places
Fixed
- Github download filename no longer gets prefixed with a 'v', so remove associated block from install.pp
- Fix issue with /etc/init.d/onetimesecret startup script, where PIDFILE dir ownership was not set (move lines, correct variable names)
- Fix issue with /etc/init.d/onetimesecret startup script, where variable reference was incorrectly set to $HTTP_PORT (changed to $ONETIME_HTTP_PORT)
1.0.1 - 2016-12-19
Fixed
- Use custom value for
$data_dir
in redis server.
1.0.0 - 2016-12-18
- Initial release
Dependencies
- puppetlabs/stdlib (>= 4.25.0 < 7.0.0)
- puppet/redis (>= 6.0.0 < 7.0.0)
- puppet/archive (>= 4.0.0 < 5.0.0)
Copyright (C) 2016 Frank Wall All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.