List fields and contexts:
$ propellor --list-fields
Set a field for a particular context:
$ propellor --set 'SshAuthorizedKeys "myuser"' yourServers < authKeys
Dump a field from a specific context:
$ propellor --dump 'SshAuthorizedKeys "myuser"' yourServers
When using Propellor for configuration management, you can utilise GPG encryption to encrypt data sets. This enables you to leverage public git repositories for your centralised configuration management needs.
To list existing fields, you can run:
$ propellor --list-fields
which will not only list existing fields but will helpfully also list fields that would be used if set:
Missing data that would be used if set:
Field Context Used by
----- ------- -------
'Password "myuser"' 'yourDesktops' your.host.name
'CryptPassword "myuser"' 'yourServers' your.server.name
'PrivFile "/etc/mail/dkim.key"' 'mailServers' your.mail.server
You can set these fields with input from either STDIN or files prepared earlier.
For example, if you have public SSH keys you wish to distribute, you can place them into a file and then use that file to populate the fields of an appropriate context. The contents of an example authorized_keys file, which we'll call authKeys, may look like this:
ssh-ed25519 eetohm9doJ4ta2Joo~P2geetoh6aBah9efu4ta5ievoongah5feih2eY4fie9xa1ughi you@host1
ssh-ed25519 choi7moogh<i2Jie6uejoo6ANoMei;th2ahm^aiR(e5Gohgh5Du-oqu1roh6Mie4shie you@host2
ssh-ed25519 baewah%vooPho2Huofaicahnob=i^ph;o1Meod:eugohtiuGeecho2eiwi.a7cuJain6 you@host3
To add these keys to the appropriate users for the hosts of a particular context you could run:
$ propellor --set 'SshAuthorizedKeys "myuser"' yourServers < authKeys
To verify that the fields for this context have the correct data, you can dump it:
$ propellor --dump 'SshAuthorizedKeys "myuser"' yourServers
gpg: encrypted with 256-bit ECDH key, ID 5F4CEXB7GU3AHT1E, created 2019-03-08
"My User <myuser@my.domain.tld>"
ssh-ed25519 eetohm9doJ4ta2Joo~P2geetoh6aBah9efu4ta5ievoongah5feih2eY4fie9xa1ughi you@host1
ssh-ed25519 choi7moogh<i2Jie6uejoo6ANoMei;th2ahm^aiR(e5Gohgh5Du-oqu1roh6Mie4shie you@host2
ssh-ed25519 baewah%vooPho2Huofaicahnob=i^ph;o1Meod:eugohtiuGeecho2eiwi.a7cuJain6 you@host3
When you next spin Propellor for the desired hosts, those SSH public keys will be installed into the authorized_keys file for the user myuser on hosts that belong to the yourServers context.
One of the most obvious and practical uses of this feature is to set secure data that needs to be distributed, such as passwords or certificates. We'll use passwords for this example.
Create a hash of the password you wish to distribute:
$ mkpasswd -m sha-512 > /tmp/deleteme
Password:
$ cat /tmp/deleteme
$6$cyxX.TmGPZWuqQu$LxhbVBaUnFmevOVi1V1NApZA0TCcSkK1241eiZwhhBQTm/PpjoLHe3OMnbjeswa6rgzNAq3pXTB4KjvfF1iXA1
Now that we have that file, we can use it as input for Propellor:
$ propellor --set 'CryptPassword "myuser"' yourServers < /tmp/deleteme
Enter private data on stdin; ctrl-D when done:
gpg: encrypted with 256-bit ECDH key, ID 5F4CEXB7GU3AHT1E, created 2019-03-08
"My User <myuser@my.domain.tld>"
gpg: WARNING: standard input reopened
Private data set.
Tidy up:
$ rm /tmp/deleteme
You're now ready to deploy that password for that user to those servers.
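The password procedure above leaves the hash in a fixed path under /tmp until it is removed by hand. The following added example (not part of the original page) stages the data in a private temporary file and deletes it even if a step fails. The names stage_and_feed and make_hash are hypothetical; the mkpasswd and propellor commands are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not from the original page. stage_and_feed and make_hash are
# hypothetical names; the mkpasswd and propellor commands are the page's own.

# stage_and_feed GENERATOR CONSUMER [ARGS...]
#   GENERATOR  function or command that writes the secret to stdout
#   CONSUMER   command that reads the secret on stdin
stage_and_feed() {
    if [ "$#" -lt 2 ]; then
        echo "usage: stage_and_feed GENERATOR CONSUMER [ARGS...]" >&2
        return 2
    fi
    generator=$1
    shift
    (
        umask 077                          # nothing created here is group/world readable
        tmp=$(mktemp "${TMPDIR:-/tmp}/privdata.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT           # cleanup on success and on failure
        trap 'exit 1' HUP INT TERM         # turn signals into a normal exit so EXIT fires
        "$generator" > "$tmp" || exit 1
        if [ ! -s "$tmp" ]; then           # refuse to store an empty secret
            echo "stage_and_feed: generator produced no data" >&2
            exit 1
        fi
        "$@" < "$tmp"
        exit $?
    )
}

# Generator for the password example on this page.
make_hash() { mkpasswd -m sha-512; }

# Usage, replacing the mkpasswd / propellor --set / rm sequence:
#   stage_and_feed make_hash propellor --set 'CryptPassword "myuser"' yourServers
```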