puppet-onetimesecret

1. Overview
2. Requirements
3. Usage
   • Basic usage
   • Choosing a version
   • Customization
   • Using Hiera
4. Reference
5. Development
   • Contributing

Overview

A puppet module for setting up the One-Time Secret web application.

Requirements

Although the One-Time Secret web application is a ready to-use web service, it is highly recommend to run it behind a webserver or reverse proxy. This is emphasized by the fact that it runs on a non-standard port by default. However, setting up a websever or reverse proxy is beyond the scope of this module.

Usage

Basic usage

This example will build and install One-Time Secret from source, setup Redis, create a minimal configuration and activate the service for you:

    class { 'onetimesecret':
      version        => 'v0.9.2',
      secret         => 'SomeHardToGuessRandomCharacters',
      redis_password => 'AnotherGoodPassword',
    }

NOTE: Once the secret is set, do not change it (keep a backup offsite).

Choosing a version

The One-Time Secret project rarely provides new releases. That's why the $version parameter supports different values: a release tag (v0.9.2), a branch name (master) or a commit ID (e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3). Have a look at the One-Time Secret GitHub page for possible values.

Keep in mind that setting $version to a branch name will make it difficult to update One-Time Secret. A commit ID or release tag is highly recommended:

    class { 'onetimesecret':
      version        => 'e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3',
      secret         => 'SomeHardToGuessRandomCharacters',
      redis_password => 'AnotherGoodPassword',
    }

Customization

It is easy to add new options or to overwrite some default values in the configuration:

class { 'onetimesecret':
  install_dir   => '/data',
  symlink_name  => '/data/onetimesecret',
  options       => {
    site => {
      ssl => true,
    },
    emailer => {
      host => 'smtprelay.example.com',
    },
  },
  redis_options => {
    maxmemory => '2gb',
  },
  secret => 'SomeHardToGuessRandomCharacters',
  redis_password => 'AnotherGoodPassword',
}

It is possible to disable certain functionality if you want to manage some aspects on your own:

class { 'onetimesecret':
  manage_redis   => false,
  manage_user    => false,
  manage_service => false,
  secret         => 'SomeHardToGuessRandomCharacters',
  redis_password => 'AnotherGoodPassword',
}

You may opt to disable the default configuration and configure One-Time Secret from scratch:

class { 'onetimesecret':
  use_default_options => false,
  options             => {...}
  secret              => 'SomeHardToGuessRandomCharacters',
  redis_password      => 'AnotherGoodPassword',
}

In this case the $options parameter must contain ALL required configuration options to run the One-Time Secret web application. Otherwise the service may fail to startup.

Using Hiera

You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:

onetimesecret::use_default_options: false
onetimesecret::options:
  site:
    host: 'localhost:7143'
    domain: %{facts.networking.domain}
    ssl: false
    secret: 'CHANGEME'
  redis:
    uri: '''redis://user:CHANGEME@127.0.0.1:7179/0?timeout=10&thread_safe=false&logging=false'''
    config: $redis_config_file
  emailer:
    mode: ':smtp'
    from: "ots@%{facts.networking.domain}"
    host: 'localhost'
    port: 25
  incoming:
    enabled: false
    email: 'example@onetimesecret.com'
    passphrase: 'CHANGEME'
    regex: '\A[a-zA-Z0-9]{6}\z'
  locales:
    - 'en'
    - 'es'
    - 'de'
    - 'nl'
    - 'ru'
  unsupported_locales:
    - 'fr'
    - 'pt'
    - 'jp'
    - 'pt'
  stathat:
    enabled: false
    apikey: 'CHANGEME'
    default_chart: 'CHANGEME'
  text:
    nonpaid_recipient_text: '''You need to create an account!'''
    paid_recipient_text: '''Send the secret link via email'''
  limits:
    create_secret: 250
    create_account: 10
    update_account: 10
    email_recipient: 50
    send_feedback: 10
    authenticate_session: 5
    homepage: 500
    dashboard: 1000
    failed_passphrase: 5
    show_metadata: 1000
    show_secret: 1000
    burn_secret: 1000

Reference

Classes and parameters are documented in REFERENCE.md.

Development

Contributing

Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.

Contributions must pass all existing tests, new features should provide additional unit/acceptance tests.

Reference

Table of Contents

Classes

Public Classes

• onetimesecret: Setup the One-Time Secret web application

Private Classes

• onetimesecret::config: Manage the One-Time Secret configuration
• onetimesecret::install: Install the One-Time Secret distribution archive
• onetimesecret::redis: Setup a Redis instance for use with One-Time Secret
• onetimesecret::service: Setup the One-Time Secret system service
• onetimesecret::user: Create a user and group for One-Time Secret

Classes

onetimesecret

Setup the One-Time Secret web application

Parameters

The following parameters are available in the onetimesecret class:

• additional_packages
• bundle_exec
• config_dir
• config_file
• config_mode
• config_template
• data_dir
• default_options
• domain
• download_url
• gid
• group
• http_port
• host
• install_dir
• log_dir
• log_file
• manage_additional_packages
• manage_config
• manage_redis
• manage_service
• manage_symlink
• manage_user
• options
• path
• pid_dir
• pid_file
• redis_password
• redis_options
• secret
• service_enable
• service_ensure
• service_file
• service_name
• service_template
• service_provider
• symlink_name
• uid
• use_default_options
• user
• version

additional_packages

Data type: Array

A list of optional packages that may be required, depending on the configuration.

bundle_exec

Data type: String

Path to the Ruby bundle executable.

config_dir

Data type: String

Path to the directory containing the One-Time Secret configuration files.

config_file

Data type: String

The main One-Time Secret configuration file (absolute path required).

config_mode

Data type: String

The permissions for the One-Time Secret configuration file.

config_template

Data type: String

The template used to create the One-Time Secret configuration file.

data_dir

Data type: String

Path to the directory containing the persistent One-Time Secret data.

default_options

Data type: Hash

A hash containing the default configuration options.

domain

Data type: String

The domain name that is used by One-Time Secret.

download_url

Data type: String

The base URL which will be used to download release files.

gid

Data type: Optional[Integer]

The GID of the group.

Default value: undef

group

Data type: String

Specifies the group under which the One-Time Secret service will run.

http_port

Data type: Integer

The HTTP port of the One-Time Secrets web server. Note that this defaults to a non-standard port because you are expected to use a reverse proxy in front of the One-Time Secret web application.

host

Data type: String

The hostname that is used when One-Time Secret generates URLs (web/mail). Usually the FQDN which is served by a reverse proxy.

install_dir

Data type: String

Base directory for the installation. A sub-directory for every version will automatically be created. Old versions will not be removed.

log_dir

Data type: String

Directory for One-Time Secret log files.

log_file

Data type: String

The main One-Time Secret log file (absolute path required).

manage_additional_packages

Data type: Boolean

Set to false to disable the installation of dependencies which are required to build and run One-Time Secret.

manage_config

Data type: Boolean

Set to false to disable managing of the One-Time Secret configuration files.

manage_redis

Data type: Boolean

Set to false to disable management of Redis.

manage_service

Data type: Boolean

Set to false to disable service management.

manage_symlink

Data type: Boolean

Set to false to disable the creation/update of a symlink to the current version. Note that the symlink is required when using the default configuration.

manage_user

Data type: Boolean

Set to false to disable the creation of a user and group for One-Time Secret.

options

Data type: Hash

Specifies a hash containing options to either overwrite some default values or to configure One-Time Secret from scratch. Will be merged with the $default_options hash (as long as $use_default_options is set to true).

path

Data type: String

The contents of the PATH environment variable, which will be used for Exec resources.

pid_dir

Data type: String

Specifies the directory for the One-Time Secret PID file.

pid_file

Data type: String

The PID file for the main One-Time Secret web service (absolute path required).

redis_password

Data type: String

A password for connections to the Redis server. It will also be used when setting up a new Redis instance for One-Time Secret.

redis_options

Data type: Hash

Specifies a hash containing options to overwrite some default values for the Redis service (as long as $manage_redis is set to true).

secret

Data type: String

A global secret is included in the encryption key so it needs to be long and secure. NOTE: Once the secret is set, do not change it (keep a backup offsite).

service_enable

Data type: Boolean

Specifies whether the service should be enabled.

service_ensure

Data type: String

Specifies the desired state for the service.

service_file

Data type: Stdlib::Compat::Absolute_path

The path to the service file.

service_name

Data type: String

The name of the service.

service_template

Data type: String

The template that will be used to create the service file.

service_provider

Data type: String

Specifies the service provider. Must be compatible with the operating system.

symlink_name

Data type: String

Controls the name of a version-independent symlink. It will always point to the release specified by $version.

uid

Data type: Optional[Integer]

The UID of the user.

Default value: undef

use_default_options

Data type: Boolean

Set to false to completely disable loading of the default configuration. In this case you are required to provide a fully working configuration.

user

Data type: String

Specifies the user under which the One-Time Secret service will run.

version

Data type: String

The version of One-Time Secret thats should be installed. Supports several different values: a release tag (v0.9.2), a branch name (master) or a commit ID. Have a look at the One-Time Secret GitHub page for possible values.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

2.2.0 - 2023-07-25

Added

• Add basic unit/acceptance tests
• Enable GitHub Actions

Changed

• Update module dependencies and OS support

Fixed

• Fix compatibility with puppetlabs/stdlib v9.0.0

[2.1.2] - 2023-07-11

Changed

• Use modern facts in documentation

Fixed

• Fix puppet lint offenses

2.1.1 - 2022-09-20

Fixed

• Fix module dependencies

2.1.0 - 2022-08-02

Changed

• Update OS version, Puppet version and dependencies
• Update PDK from 1.18.1 to 2.5.0
• Fix puppet-lint offenses

2.0.1 - 2020-11-05

Fixed

• Fix empty $host, set default value to FQDN

2.0.0 - 2020-11-05

This release introduces several breaking changes. Redis is no longer maintained by this module, as a result, the Redis configuration is not compatible with older releases. You should migrate your Redis instance manually to voxpupuli/puppet-redis (dump+restore is recommended). Afterwards change $redis_options to be compatible with your new Redis instance.

Added

• Use systemd to manage the service on Linux
• Add new parameter $manage_redis

Changed

• Do not set a default value for $version
• Use module voxpupuli/puppet-redis to manage Redis
• Redis no longer runs under the same user as One-Time Secret
• Re-add module voxpupuli/puppet-archive to download/extract the distribution archive
• Repurpose $redis_options to work with voxpupuli/puppet-redis, add backwards-incompatible options
• Update default values for $additional_packages
• Change merge strategy for $additional_packages (now set to 'first')
• Convert to PDK 1.18.1
• Convert params.pp to module data
• Migrate ERB templates to EPP
• Require Puppet 6
• Update OS support

Removed

• Remove support for obsolete Linux init script
• Remove parameter $manage_service_file (superseded by $manage_service)
• Remove parameters $redis_config_file, $redis_config_template, $redis_default_options, $redis_exec, $redis_pid_file
• Remove parameters $manage_package and $package_name (no packages available)
• Remove parameter $root_group (using GID 0 is sufficient)

1.0.2 (unreleased)

Changed

• Remove undocumented dependency on voxpupuli/puppet-archive (replace with 'unzip' package). Make changes to install.pp to support installation of zip file.
• Change 'ruby1.9.1' and 'ruby1.9.1-dev' for the metapackages that also have installation candidates for Ubuntu 16 & 18. This adds support for Ubuntu 16 & 18.
• Change method of class ordering in init.pp
• Change download URL and version to onetimesecret fork. This was necessary because the Gemfile/Gemfile.lock in the official versions referenced a broken version of the gem 'yajl-ruby'. See https://github.com/onetimesecret/onetimesecret/issues/81
• Manifests linted in various places

Fixed

• Github download filename no longer gets prefixed with a 'v', so remove associated block from install.pp
• Fix issue with /etc/init.d/onetimesecret startup script, where PIDFILE dir ownership was not set (move lines, correct variable names)
• Fix issue with /etc/init.d/onetimesecret startup script, where variable reference was incorrectly set to $HTTP_PORT (changed to $ONETIME_HTTP_PORT)

1.0.1 - 2016-12-19

Fixed

• Use custom value for $data_dir in redis server.

1.0.0 - 2016-12-18

• Initial release