Forge Home


One-Time Secret web application


259 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.1.1 (latest)
  • 2.1.0
  • 2.0.1
  • 2.0.0
  • 1.0.1
  • 1.0.0
released Sep 20th 2022
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 8.0.0
  • , , , ,
This module has been deprecated by its author since Jul 11th 2023.

The reason given was: new maintainer

The author has suggested markt-onetimesecret as its replacement.

Start using this module


fraenki/onetimesecret — version 2.1.1 Sep 20th 2022


Build Status Puppet Forge Puppet Forge

  1. Overview
  2. Requirements
  3. Usage
  4. Reference
  5. Development


A puppet module for setting up the One-Time Secret web application.


Although the One-Time Secret web application is a ready to-use web service, it is highly recommend to run it behind a webserver or reverse proxy. This is emphasized by the fact that it runs on a non-standard port by default. However, setting up a websever or reverse proxy is beyond the scope of this module.


Basic usage

This example will build and install One-Time Secret from source, setup Redis, create a minimal configuration and activate the service for you:

    class { 'onetimesecret':
      version        => 'v0.9.2',
      secret         => 'SomeHardToGuessRandomCharacters',
      redis_password => 'AnotherGoodPassword',

NOTE: Once the secret is set, do not change it (keep a backup offsite).

Choosing a version

The One-Time Secret project rarely provides new releases. That's why the $version parameter supports different values: a release tag (v0.9.2), a branch name (master) or a commit ID (e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3). Have a look at the One-Time Secret GitHub page for possible values.

Keep in mind that setting $version to a branch name will make it difficult to update One-Time Secret. A commit ID or release tag is highly recommended:

    class { 'onetimesecret':
      version        => 'e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3',
      secret         => 'SomeHardToGuessRandomCharacters',
      redis_password => 'AnotherGoodPassword',


It is easy to add new options or to overwrite some default values in the configuration:

class { 'onetimesecret':
  install_dir   => '/data',
  symlink_name  => '/data/onetimesecret',
  options       => {
    site => {
      ssl => true,
    emailer => {
      host => '',
  redis_options => {
    maxmemory => '2gb',
  secret => 'SomeHardToGuessRandomCharacters',
  redis_password => 'AnotherGoodPassword',

It is possible to disable certain functionality if you want to manage some aspects on your own:

class { 'onetimesecret':
  manage_redis   => false,
  manage_user    => false,
  manage_service => false,
  secret         => 'SomeHardToGuessRandomCharacters',
  redis_password => 'AnotherGoodPassword',

You may opt to disable the default configuration and configure One-Time Secret from scratch:

class { 'onetimesecret':
  use_default_options => false,
  options             => {...}
  secret              => 'SomeHardToGuessRandomCharacters',
  redis_password      => 'AnotherGoodPassword',

In this case the $options parameter must contain ALL required configuration options to run the One-Time Secret web application. Otherwise the service may fail to startup.

Using Hiera

You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:

onetimesecret::use_default_options: false
    host: 'localhost:7143'
    domain: %{::domain}
    ssl: false
    secret: 'CHANGEME'
    uri: '''redis://user:CHANGEME@'''
    config: $redis_config_file
    mode: ':smtp'
    from: "ots@%{::domain}"
    host: 'localhost'
    port: 25
    enabled: false
    email: ''
    passphrase: 'CHANGEME'
    regex: '\A[a-zA-Z0-9]{6}\z'
    - 'en'
    - 'es'
    - 'de'
    - 'nl'
    - 'ru'
    - 'fr'
    - 'pt'
    - 'jp'
    - 'pt'
    enabled: false
    apikey: 'CHANGEME'
    default_chart: 'CHANGEME'
    nonpaid_recipient_text: '''You need to create an account!'''
    paid_recipient_text: '''Send the secret link via email'''
    create_secret: 250
    create_account: 10
    update_account: 10
    email_recipient: 50
    send_feedback: 10
    authenticate_session: 5
    homepage: 500
    dashboard: 1000
    failed_passphrase: 5
    show_metadata: 1000
    show_secret: 1000
    burn_secret: 1000


Classes and parameters are documented in



Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.

Contributions must pass all existing tests, new features should provide additional unit/acceptance tests.