Initial commit

.fixtures.yml

@@ -0,0 +1,5 @@
+fixtures:
+  repositories:
+    stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+  symlinks:
+    vault: "#{source_dir}"

.github/CONTRIBUTING

@@ -0,0 +1,7 @@
+## Development
+
+1. Clone the repo
+2. Change directory to the actual module dir
+3. We use pre-commit.com hooks to ensure guidelines `pre-commit install`
+4. Create a feature branch
+5. Submit a PR

.github/ISSUE_TEMPLATE

@@ -0,0 +1,5 @@
+### Expected behavior
+
+### Actual behavior
+
+### Steps to reproduce the behavior

.github/PULL_REQUEST_TEMPLATE

@@ -0,0 +1,11 @@
+Fixes #
+
+Changes proposed in this pull request:
+-
+-
+-
+
+@permeate/admins
+
+<!--- 50-character subject line is recommended --->
+<!--- 72-character wrapped longer description answering the questions above --->

.gitignore

@@ -0,0 +1,12 @@
+/pkg/
+/bin/
+/Gemfile.lock
+/vendor/
+spec/fixtures
+/.vagrant/
+/.bundle/
+/coverage/
+/.idea/
+*.iml
+*.swp
+.tmp

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+-   repo: https://github.com/chriskuehl/puppet-pre-commit-hooks.git
+    sha: 4bc20784cca4713e2ba5f884ff4c37a1e4e87de1
+    hooks:
+    -   id: puppet-validate
+    -   id: erb-validate
+    -   id: puppet-lint
+-   repo: git://github.com/pre-commit/pre-commit-hooks
+    sha: ff65d01841ad012d0a9aa1dc451fc4539d8b7baf
+    hooks:
+    -   id: trailing-whitespace
+    -   id: check-json

.rspec

@@ -0,0 +1,4 @@
+--color
+--format
+progress
+--backtrace

.travis.yml

@@ -0,0 +1,42 @@
+---
+language: ruby
+
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+
+env:
+  matrix:
+    - PUPPET_GEM_VERSION="~> 3.1.0"
+    - PUPPET_GEM_VERSION="~> 3.2.0"
+    - PUPPET_GEM_VERSION="~> 3.3.0"
+    - PUPPET_GEM_VERSION="~> 3.4.0"
+    - PUPPET_GEM_VERSION="~> 3.5.1"
+    - PUPPET_GEM_VERSION="~> 3.6.0"
+    - PUPPET_GEM_VERSION="~> 3.7.0"
+    - PUPPET_GEM_VERSION="~> 3.8.0"
+
+sudo: false
+
+bundler_args: --without system_tests
+
+script: 'bundle exec metadata-json-lint metadata.json && bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--color --format documentation" bundle exec rake spec'
+
+matrix:
+  fast_finish: true
+  exclude:
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.1.0"
+    - rvm: 2.1.0
+      env: PUPPET_GEM_VERSION="~> 3.1.0"
+    - rvm: 2.1.0
+      env: PUPPET_GEM_VERSION="~> 3.2.0"
+    - rvm: 2.1.0
+      env: PUPPET_GEM_VERSION="~> 3.3.0"
+    - rvm: 2.1.0
+      env: PUPPET_GEM_VERSION="~> 3.4.0"
+
+notifications:
+  email: false

Gemfile

@@ -0,0 +1,36 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+if puppetversion = ENV['PUPPET_GEM_VERSION']
+  gem 'puppet', puppetversion, :require => false
+else
+  gem 'puppet', :require => false
+end
+
+gem 'mocha'
+gem 'diff-lcs'
+gem 'json_pure'
+gem 'json'
+gem 'metadata-json-lint'
+gem 'puppetlabs_spec_helper', '>= 0.1.0'
+gem 'facter', '>= 1.7.0'
+gem 'rspec-puppet'
+gem 'rake', '~> 10.5.0'
+
+gem 'puppet-lint', :git => 'https://github.com/rodjek/puppet-lint.git'
+gem 'puppet-lint-absolute_classname-check'
+gem 'puppet-lint-alias-check'
+gem 'puppet-lint-empty_string-check'
+gem 'puppet-lint-file_ensure-check'
+gem 'puppet-lint-file_source_rights-check'
+gem 'puppet-lint-fileserver-check'
+gem 'puppet-lint-leading_zero-check'
+gem 'puppet-lint-spaceship_operator_without_tag-check'
+gem 'puppet-lint-trailing_comma-check'
+gem 'puppet-lint-undef_in_function-check'
+gem 'puppet-lint-unquoted_string-check'
+gem 'puppet-lint-variable_contains_upcase'
+
+# rspec must be v2 for ruby 1.8.7
+if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
+  gem 'rspec', '~> 2.0'
+end

README.md

@@ -0,0 +1,53 @@
+# puppet-vault [![Build Status](https://travis-ci.com/rhoml/puppet-vault.svg?token=vfFGLwkzPiw5jXGyyDBy&branch=master)](https://travis-ci.com/rhoml/puppet-vault)
+
+# Overview
+
+This is a puppet module to install Hashicorp's [vault project](https://www.vaultproject.io) to keep your secrets safe. This module doesn't build the Vault packages which should be pretty easy to do using fpm.
+
+Documentation for Vault can be found on their [site](https://www.vaultproject.io/docs/config/index.html). Take into consideration:
+* You can only define one storage backend, listener and telemetry on the config file.
+* Other configurations should be set up using Vault API or CLI.
+
+# Install Vault
+
+````
+include ::vault
+````
+
+# Configure Vault using Hiera
+
+This module enables you to use hiera to configure your Vault server. It also allows you to use module [data](https://github.com/rhoml/puppet-vault/blob/master/data/common.yaml).
+
+````
+vault::config_hash:
+    backend:
+        consul:
+            address: 127.0.0.1:8500
+            advertise_addr: "http://%{::ipaddress_eth0}"
+            path: 'vault/'
+    listener:
+        tcp:
+            address: "%{::fqdn}:8200"
+            tls_disable: 1
+    telemetry:
+        statsite_address: '127.0.0.1:8125'
+        disable_hostname: true
+    disable_mlock: true
+vault::manage_user: true
+vault::package_ensure: 'latest'
+vault::vault_user: 'vault'
+vault::restart_cmd: '/etc/init.d/vault restart'
+````
+
+# Uninstalling Vault
+
+Ensure the following hiera key is present so Vault can be correctly uninstalled
+
+```
+vault::package_ensure: absent
+```
+
+# See also
+
+* [hiera-vault](https://github.com/jsok/hiera-vault)
+* [consul](https://github.com/solarkennedy/puppet-consul)

Rakefile

@@ -0,0 +1,44 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.send('relative')
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.relative = true
+
+desc 'Validate manifests, templates, and ruby files'
+task :validate do
+  Dir['manifests/**/*.pp'].each do |manifest|
+    sh "puppet parser validate --noop #{manifest}"
+  end
+  Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file|
+    sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/
+  end
+  Dir['templates/**/*.erb'].each do |template|
+    sh "erb -P -x -T '-' #{template} | ruby -c"
+  end
+end
+
+PuppetLint::RakeTask.new :lint do |config|
+  # Pattern of files to check, defaults to `**/*.pp`
+  config.pattern = 'manifests/**/*.pp'
+
+  # Should the task fail if there were any warnings, defaults to false
+  config.fail_on_warnings = true
+
+  # Format string for puppet-lint's output (see the puppet-lint help output
+  # for details
+  config.log_format = '%{filename} - %{message}'
+
+  # Print out the context for the problem, defaults to false
+  config.with_context = true
+
+  # Enable automatic fixing of problems, defaults to false
+  config.fix = true
+
+  # Show ignored problems in the output, defaults to false
+  config.show_ignored = false
+
+  # Compare module layout relative to the module root
+  config.relative = true
+end

data/common.yaml

@@ -0,0 +1,18 @@
+vault::config_hash:
+    backend:
+        consul:
+            advertise_addr: "http://%{::ipaddress}"
+            path: 'vault/'
+    listener:
+        tcp:
+            address: "%{::fqdn}:8200"
+            tls_disable: 1
+    telemetry:
+        statsite_address: '%{::ipaddress}:8125'
+        disable_hostname: true
+    disable_mlock: true
+vault::manage_user: true
+vault::package_ensure: present
+vault::version: 0.5.2
+vault::vault_user: vault
+vault::restart_cmd: '/etc/init.d/vault restart'

data/hiera.yaml

@@ -0,0 +1,8 @@
+---
+version: 4
+
+datadir: hieradata
+
+:hierarchy:
+- osfamily/%{::osfamily}
+- common

lib/puppet/parser/functions/sorted_json.rb

@@ -0,0 +1,44 @@
+# Puppet parser function for outputting JSON-formatted objects, in a sorted consistent way.
+# Credit: @falzm
+# https://gist.github.com/falzm/8575549
+require 'json'
+
+def sorted_json(obj)
+  case obj
+    when String, Fixnum, Float, TrueClass, FalseClass, NilClass
+      return obj.to_json
+    when Array
+      arrayRet = []
+      obj.each do |a|
+        arrayRet.push(sorted_json(a))
+      end
+      return "[" << arrayRet.join(',') << "]";
+    when Hash
+      ret = []
+      obj.keys.sort.each do |k|
+        ret.push(k.to_json << ":" << sorted_json(obj[k]))
+      end
+      return "{" << ret.join(",") << "}";
+    else
+      raise Exception("Unable to handle object of type <%s>" % obj.class.to_s)
+  end
+end
+
+module Puppet::Parser::Functions
+  newfunction(:sorted_json, :type => :rvalue, :doc => <<-EOS
+This function takes data, outputs making sure the hash keys are sorted
+
+*Examples:*
+
+    sorted_json({'key'=>'value'})
+
+Would return: {'key':'value'}
+    EOS
+  ) do |arguments|
+    raise(Puppet::ParseError, "sorted_json(): Wrong number of arguments " +
+      "given (#{arguments.size} for 1)") if arguments.size != 1
+
+    json = arguments[0]
+    return sorted_json(json)
+  end
+end

manifests/config.pp

@@ -0,0 +1,51 @@
+# Class to configure vault
+class vault::config (
+  $config_hash = $::vault::config_hash,
+  $manage_user = $::vault::manage_user,
+  $vault_user  = $::vault::vault_user,
+  ){
+
+  if $manage_user {
+
+    group { $vault_user:
+      ensure => 'present',
+    }
+
+    user { $vault_user:
+      ensure  => 'present',
+      gid     => $vault_user,
+      require => Group['vault'],
+    }
+  }
+
+  file { '/etc/init.d/vault':
+    ensure  => 'file',
+    mode    => '0755',
+    owner   => 'root',
+    group   => 'root',
+    content => template('vault/init-script.erb'),
+    notify  => Class['::vault::service'],
+    require => Package['vault'],
+  }
+
+  file { '/etc/vault':
+    ensure  => 'directory',
+    mode    => '0755',
+    owner   => 'root',
+    group   => 'root',
+    purge   => true,
+    recurse => true,
+    require => Package['vault'],
+  }
+
+  file { '/etc/vault/vault.json':
+    ensure  => 'file',
+    mode    => '0644',
+    group   => $vault_user,
+    owner   => $vault_user,
+    content => sorted_json($config_hash),
+    notify  => Class['::vault::service'],
+    require => [ File['/etc/vault'],
+      File['/etc/init.d/vault'] ],
+  }
+}