Forge Home


One-Time Secret web application


197 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.2.0 (latest)
  • 2.1.2
released Jul 25th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 9.0.0
  • , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'markt-onetimesecret', '2.2.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add markt-onetimesecret
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install markt-onetimesecret --version 2.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



markt/onetimesecret — version 2.2.0 Jul 25th 2023


Build Status Puppet Forge Puppet Forge

  1. Overview
  2. Requirements
  3. Usage
  4. Reference
  5. Development


A puppet module for setting up the One-Time Secret web application.


Although the One-Time Secret web application is a ready to-use web service, it is highly recommend to run it behind a webserver or reverse proxy. This is emphasized by the fact that it runs on a non-standard port by default. However, setting up a websever or reverse proxy is beyond the scope of this module.


Basic usage

This example will build and install One-Time Secret from source, setup Redis, create a minimal configuration and activate the service for you:

    class { 'onetimesecret':
      version        => 'v0.9.2',
      secret         => 'SomeHardToGuessRandomCharacters',
      redis_password => 'AnotherGoodPassword',

NOTE: Once the secret is set, do not change it (keep a backup offsite).

Choosing a version

The One-Time Secret project rarely provides new releases. That's why the $version parameter supports different values: a release tag (v0.9.2), a branch name (master) or a commit ID (e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3). Have a look at the One-Time Secret GitHub page for possible values.

Keep in mind that setting $version to a branch name will make it difficult to update One-Time Secret. A commit ID or release tag is highly recommended:

    class { 'onetimesecret':
      version        => 'e1156b1f8ab98322a898ee4defd1c3f0adb9b5d3',
      secret         => 'SomeHardToGuessRandomCharacters',
      redis_password => 'AnotherGoodPassword',


It is easy to add new options or to overwrite some default values in the configuration:

class { 'onetimesecret':
  install_dir   => '/data',
  symlink_name  => '/data/onetimesecret',
  options       => {
    site => {
      ssl => true,
    emailer => {
      host => '',
  redis_options => {
    maxmemory => '2gb',
  secret => 'SomeHardToGuessRandomCharacters',
  redis_password => 'AnotherGoodPassword',

It is possible to disable certain functionality if you want to manage some aspects on your own:

class { 'onetimesecret':
  manage_redis   => false,
  manage_user    => false,
  manage_service => false,
  secret         => 'SomeHardToGuessRandomCharacters',
  redis_password => 'AnotherGoodPassword',

You may opt to disable the default configuration and configure One-Time Secret from scratch:

class { 'onetimesecret':
  use_default_options => false,
  options             => {...}
  secret              => 'SomeHardToGuessRandomCharacters',
  redis_password      => 'AnotherGoodPassword',

In this case the $options parameter must contain ALL required configuration options to run the One-Time Secret web application. Otherwise the service may fail to startup.

Using Hiera

You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:

onetimesecret::use_default_options: false
    host: 'localhost:7143'
    domain: %{facts.networking.domain}
    ssl: false
    secret: 'CHANGEME'
    uri: '''redis://user:CHANGEME@'''
    config: $redis_config_file
    mode: ':smtp'
    from: "ots@%{facts.networking.domain}"
    host: 'localhost'
    port: 25
    enabled: false
    email: ''
    passphrase: 'CHANGEME'
    regex: '\A[a-zA-Z0-9]{6}\z'
    - 'en'
    - 'es'
    - 'de'
    - 'nl'
    - 'ru'
    - 'fr'
    - 'pt'
    - 'jp'
    - 'pt'
    enabled: false
    apikey: 'CHANGEME'
    default_chart: 'CHANGEME'
    nonpaid_recipient_text: '''You need to create an account!'''
    paid_recipient_text: '''Send the secret link via email'''
    create_secret: 250
    create_account: 10
    update_account: 10
    email_recipient: 50
    send_feedback: 10
    authenticate_session: 5
    homepage: 500
    dashboard: 1000
    failed_passphrase: 5
    show_metadata: 1000
    show_secret: 1000
    burn_secret: 1000


Classes and parameters are documented in



Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.

Contributions must pass all existing tests, new features should provide additional unit/acceptance tests.