This Puppet module provide two Hiera backends to look up keys in pass GnuPG password repositories.
You need to install the ruby_gpg gem on your Puppet Master:
$ puppetserver gem install ruby_gpgYou also need to GnuPG key for your Puppet Master, allowed to decipher the passwords in your pass store.
Example set up with both data_hash and lookup_key backends:
---
version: 5
defaults:
datadir: data
data_hash: yaml_data
hierarchy:
- name: "Pass data_hash"
datadir: "/home/foo/.password-store"
data_hash: pass_data
# Will return the value of key in YAML from $datadir/$::project/*.gpg
glob: "%{::project}/*.gpg"
- name: "Pass lookup_key"
datadir: "/home/foo/.password-store"
lookup_key: pass_lookup_key
# Will return the YAML content of $datadir/$::project/$key.gpg if it exists
path: "%{::project}"
- name: "Common"
path: common.yamlThe pass_data Hiera backend works just like the yaml_data backend, except
it uses GnuPG-encrypted YAML data (following the pass standard).
The pass_lookup_key Hiera backend uses the key as the file name to look for
and returns the YAML hash parsed at that location if the file exists.