If you can see this, it worked

Thu, 13 Feb 2014 22:50:59 +0000

For values of “this” which you don’t care about and can’t see, but my hacky homebrew blogging engine now watches a bare git repo using inotify and runs a checkout/refreshes its content when it sees changes. I’m not sure it wouldn’t have been simpler just to make it die and then use a, y’know, shell script or something to run a git pull before restarting the server, but I did it this way because ZERO DOWNTIME.

Anyway. You don’t see and can’t care, or possibly vice versa. But the previous Heath Robinson stuff with git hooks wasn’t working now that the bare git repo is owned by someone other than the uid that runs the http daemon, so a different Heath was called for.

If you can see this, it worked

Keeping secrets in public with puppet

Mon, 10 Feb 2014 18:26:14 +0000

I recently stumbled across dotgpg , which is in essence some scripts to make it easy to securely keep secret files in a public git repo, which are protected by means of having been encrypted (usually for multiple recipients). It comes with capistrano glue for decrypting them again and sending them to your production servers, but it doesn’t quite fit my masterless use case where everything happens on the same box and there isn’t the same notion of a ‘target system’

But it set me to thinking: what if there was some kind of gpg agent that let you type in your key once and used it for multiple decryptions (turns out there is) and what if you then wrote some custom puppet function, let’s call it decrypt, so you could then say

  file {'/etc/wpa_supplicant.conf':
    content=>decrypt("templates/etc/wpa_supplicant.conf.gpg"),
    owner=>root,
    mode=>0600
  }

and everything would Just Work. Well, turns out I did and you can and (as far as I can tell) it does. The custom function is as simple as creating the file puppet/parser/functions/decrypt.rb inside /etc/puppet (or wherever) containing

module Puppet::Parser::Functions
  newfunction(:decrypt, :type=>:rvalue) do |args|
    filename = args[0]
    `/usr/bin/gpg --use-agent --decrypt #{filename}`
  end
end

and now at the expense of a slightly more convoluted puppet invocation

$ sudo  make -C/etc/puppet/ GNUPGHOME=$HOME/.gnupg GPG_AGENT_INFO=$GPG_AGENT_INFO

I can put my wpa network configuration (and my jabber passwords, and smtp client passwords, and some other stuff I can’t right now remember what it is but am sure exists) alongside my all my other configuration instead of either having to do something silly with git submodules or rebuilding it by hand. Am now furiously trying to memorise my passphrase.

Better error checking would be nice, so that it doesn’t overwrite a perfectly good config file with an empty one if the gpg stars aren’t all aligned, but that is left as an exercise for next time.

Keeping secrets in public with puppet

Older posts