Diffstat (limited to 'modules/gnupg')
-rw-r--r--modules/gnupg/manifests/client.pp17
-rw-r--r--modules/gnupg/manifests/init.pp1
-rw-r--r--modules/gnupg/manifests/keys.pp38
-rw-r--r--modules/gnupg/templates/batch8
-rw-r--r--modules/gnupg/templates/create_gnupg_keys.sh26
5 files changed, 90 insertions, 0 deletions
diff --git a/modules/gnupg/manifests/client.pp b/modules/gnupg/manifests/client.pp
new file mode 100644
index 00000000..301e569a
--- /dev/null
+++ b/modules/gnupg/manifests/client.pp
@@ -0,0 +1,17 @@
+class gnupg::client {
+if versioncmp($::lsbdistrelease, '7') < 0 {
+ package {['gnupg',
+ 'rng-utils']:
+ }
+} else {
+ package {['gnupg2',
+ 'rng-utils']:
+ }
+}
+
+ mga_common::local_script { 'create_gnupg_keys.sh':
+ content => template('gnupg/create_gnupg_keys.sh')
+ }
+}
+
+
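Review bot: The `if`/`else` inside the class sits at column 0 while the `package` bodies are indented one space and the arrays are split across lines, and `rng-utils` is declared in both branches. Hoisting the shared package out, `package { 'rng-utils': }` before the `if` and `package { 'gnupg': }` / `package { 'gnupg2': }` left in the branches, makes the resource that keys.pp's `Package['rng-utils']` require points at obvious and lets perltidy-style consistent indentation apply. One thing to confirm: on releases that take the `gnupg2` branch, templates/create_gnupg_keys.sh invokes `gpg`; if that package only ships a `gpg2` binary there, the exec in gnupg::keys will fail.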
diff --git a/modules/gnupg/manifests/init.pp b/modules/gnupg/manifests/init.pp
new file mode 100644
index 00000000..d6ae319d
--- /dev/null
+++ b/modules/gnupg/manifests/init.pp
@@ -0,0 +1 @@
+class gnupg { }
diff --git a/modules/gnupg/manifests/keys.pp b/modules/gnupg/manifests/keys.pp
new file mode 100644
index 00000000..b99ed393
--- /dev/null
+++ b/modules/gnupg/manifests/keys.pp
@@ -0,0 +1,38 @@
+ # debian recommend SHA2, with 4096
+ # https://wiki.debian.org/Keysigning
+ # as they are heavy users of gpg, I will tend
+ # to follow them
+ # however, for testing purpose, 4096 is too strong,
+ # this empty the entropy of my vm
+define gnupg::keys($email,
+ $key_name,
+ $key_type = 'RSA',
+ $key_length = '4096',
+ $expire_date = '400d',
+ $login = 'signbot',
+ $batchdir = '/var/lib/signbot/batches',
+ $keydir = '/var/lib/signbot/keys') {
+
+ include gnupg::client
+ file { "${name}.batch":
+ path => "${batchdir}/${name}.batch",
+ content => template('gnupg/batch')
+ }
+
+ file { $keydir:
+ ensure => directory,
+ owner => $login,
+ mode => '0700',
+ }
+
+ file { $batchdir:
+ ensure => directory,
+ owner => $login,
+ }
+
+ exec { "/usr/local/bin/create_gnupg_keys.sh ${batchdir}/${name}.batch ${keydir} ${batchdir}/${name}.done":
+ user => $login,
+ creates => "${batchdir}/${name}.done",
+ require => [File[$keydir], File["${batchdir}/${name}.batch"], Package['rng-utils']],
+ }
+}
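Review bot: The `exec` at the end of the define requires the key directory, the batch file and `Package['rng-utils']` but not the script it runs, `/usr/local/bin/create_gnupg_keys.sh`, which is installed by `mga_common::local_script` in gnupg::client; `include` gives no ordering, so on a fresh node the exec can run before the script exists. Add `Mga_common::Local_script['create_gnupg_keys.sh']` to the `require` list. The define also declares `file { $keydir: }` and `file { $batchdir: }` with fixed defaults, so two `gnupg::keys` instances sharing those directories would be a duplicate-declaration error — presumably one key per host is intended, and a comment saying so (or moving the directory resources into a class) would make that explicit. The `.batch` file resource has no `owner`; since the exec reads it as `$login`, an explicit `owner => $login` documents that requirement.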
diff --git a/modules/gnupg/templates/batch b/modules/gnupg/templates/batch
new file mode 100644
index 00000000..d55bdd52
--- /dev/null
+++ b/modules/gnupg/templates/batch
@@ -0,0 +1,8 @@
+%echo Generating a standard key
+Key-Type: <%= @key_type %>
+Key-Length: <%= @key_length %>
+Name-Real: <%= @key_name %>
+Name-Email: <%= @email %>
+Expire-Date: <%= @expire_date %>
+%commit
+%echo done
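Review bot: The batch file has neither a `Passphrase:` line nor a `%no-protection` directive, so the protection of the generated private key depends on the gpg version: gpg 1.x writes an unprotected key silently, while gpg 2.1+ in `--batch` mode needs `%no-protection` (or a passphrase) to avoid a pinentry failure, and client.pp installs gnupg2 on newer releases. Whichever is intended should be stated in the template, e.g. a leading comment `# No passphrase: the key is used unattended by signbot; protection relies on the 0700 keydir.` (gpg ignores lines whose first non-blank character is `#`), plus the directive matching the deployed version. With `Key-Type: RSA` and no `Key-Usage` or `Subkey-Type`, gpg's batch documentation gives the primary key every usage RSA allows, including encrypt, with no subkey; for a signing bot `Key-Usage: sign` would pin the intent — worth confirming against the gpg version in use.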
diff --git a/modules/gnupg/templates/create_gnupg_keys.sh b/modules/gnupg/templates/create_gnupg_keys.sh
new file mode 100644
index 00000000..a2caba2d
--- /dev/null
+++ b/modules/gnupg/templates/create_gnupg_keys.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+BATCHFILE="$1"
+HOMEDIR="$2"
+LOCK="$3"
+
+test $# -eq 3 || exit 1
+
+if [ -e "$LOCK" ]
+then
+ echo "Lock file already exist." 1>&2
+ echo "Remove $LOCK if you want to regenerate key." 1>&2
+ exit 2
+fi
+
+touch "$LOCK"
+
+/sbin/rngd -f -r /dev/urandom &
+RAND=$!
+cd $HOMEDIR
+gpg --homedir $HOMEDIR --batch --gen-key $BATCHFILE
+EXIT=$?
+
+kill $RAND
+
+exit $EXIT
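Review bot: `touch "$LOCK"` runs before `gpg --gen-key`, so when generation fails the marker file is left behind and the Puppet exec's `creates => ...done` treats the key as generated and never retries; add `[ "$EXIT" -eq 0 ] || rm -f "$LOCK"` after `kill $RAND` so only a successful run leaves the marker. `cd $HOMEDIR`, `--homedir $HOMEDIR` and `$BATCHFILE` are unquoted and the `cd` is unchecked; `cd "$HOMEDIR" || { kill "$RAND"; exit 3; }` and quoting the gpg arguments keeps a bad or missing directory from generating the key in the current directory. Finally, `rngd -r /dev/urandom` feeds the kernel pool with its own output, which raises the entropy estimate without adding entropy: it stops key generation from blocking, but a key generated on an entropy-starved VM is no stronger for it, so a comment in the script should record this as a test-environment workaround and production keys should rely on a real source such as virtio-rng or a hardware RNG.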