3
0
Fork
You've already forked gocryptfs
0
Puppet module for gocryptfs
  • Puppet 38.6%
  • Ruby 32.9%
  • Shell 27.5%
  • Pascal 1%
2025年11月24日 11:56:56 +01:00
files feat: use systemd dropin instead of puppet templates 2025年11月24日 11:56:56 +01:00
manifests feat: use systemd dropin instead of puppet templates 2025年11月24日 11:56:56 +01:00
spec added spec test 2025年11月19日 14:02:47 +01:00
templates feat: use systemd dropin instead of puppet templates 2025年11月24日 11:56:56 +01:00
types fix tags in the CI and change script to use all parameters from the configuration file 2025年11月19日 19:58:47 +01:00
.fixtures.yml added spec test 2025年11月19日 14:02:47 +01:00
.gitignore initial commit 2025年11月18日 15:58:23 +01:00
.gitlab-ci.yml fix tags in the CI and change script to use all parameters from the configuration file 2025年11月19日 19:58:47 +01:00
.puppet-lint.rc added spec test 2025年11月19日 14:02:47 +01:00
.rspec added spec test 2025年11月19日 14:02:47 +01:00
.rubocop.yml added spec test 2025年11月19日 14:02:47 +01:00
Gemfile added spec test 2025年11月19日 14:02:47 +01:00
metadata.json fix: enhance mount_after handling in gocryptfs configuration and service template 2025年11月21日 16:32:18 +01:00
Rakefile added spec test 2025年11月19日 14:02:47 +01:00
README.md feat: use systemd dropin instead of puppet templates 2025年11月24日 11:56:56 +01:00

gocryptfs

  1. Overview
  2. Requirements and notes
  3. Usage and examples
    1. including the main class
    2. Defining a gocryptfs Resource
      1. mount and unmount
      2. ensure paramter
      3. password rotation
  4. Limitations and notes

Overview

This Puppet module manages gocryptfs encrypted filesystems.

It helps you:

  • create the encrypted source and decrypted destination directories (if needed),
  • securely install the passfile (password file),
  • initialize an encrypted store (optionally, unattended),
  • generate a dedicated systemd unit to mount the decrypted view at boot
  • optionally validate password strength

The module takes an encrypted source directory, a decrypted destination, and a secret, and ensures that the decrypted mount is available and persistent.

Requirements

This module depends on:

  • puppetlabs-stdlib
  • puppetlabs-systemd

Usage and examples

Including the main class

include the main class (required)

You can include it without parameters:

include goscryptfs

You can check the main class if you want to set package version or package name.

Defining a gocryptfs Resource

gocryptfs::gocryptfs { '/source/encrypted': decrypted_destination => '/mnt/decrypted', secret => Sensitive(lookup('gocryptfs_token')), owner => 'alice', group => 'alice', mode => '0700', mount_allow_other => true, mount_after_mountpoints => ['/source/encrypted'], fascist_password_check => true,}

This will:

  • create parent directories (if needed)
  • create /mnt/decrypted and /source/encrypted
  • create /etc/gocryptfs/* config files and a passfile
  • install a systemd unit called gocryptfs-mount@destination-path.service, to mount/unmount the decrypted directory
  • ensure that the password meets complexity requirements
  • ensure the decrypted directory is mounted after /source/encrypted. This is useful when the encrypted source is another filesystem, which must be mounted in advance (i.e.: a network filesystem or a partition)

mount and unmount

mount and umount is done through the systemd service. The systemd template name (in this case destination-path) is the value of the parameter decrypted_destination.

systemctl start gocryptfs-mount@destination-path.service # mount the decrypted directory
systemctl stop gocryptfs-mount@destination-path.service # unmount the decrypted directory

ensure parameter

Ensure can be set to present (default), disable and destroy.

  • present enable the systemd service and mount the decrypted destination
  • disable disable the systemd service, and unmount the filesystem. Keeps the data.
  • destroy destroys all data

password rotation

You can rotate the password by updating the secret parameter in the gocryptfs::gocryptfs resource. The module will automatically update the encrypted volume’s password.

Limitations and notes

  • Tested only on Ubuntu (other distributions will probably work).
  • the rspec tests are still basic

Contributions are welcome