authorJan Dittberner <jandd@cacert.org>2019-08-01 21:46:50 +0200
committerJan Dittberner <jandd@cacert.org>2019-08-01 21:46:50 +0200
commita177a645651c2549423af69d9a9ba4317a9bb1b7 (patch)
treeb6262162297f1a7fa9454ce8d9d4b24635fca220
parent2062535ef2de36fe6d7656505ddb9aa55f32d69a (diff)
downloadcacert-puppet-a177a645651c2549423af69d9a9ba4317a9bb1b7.tar.gz
cacert-puppet-a177a645651c2549423af69d9a9ba4317a9bb1b7.tar.xz
cacert-puppet-a177a645651c2549423af69d9a9ba4317a9bb1b7.zip
Set up mini-dinstall under debarchive user
-rw-r--r--hieradata/nodes/webstatic.yaml70
-rw-r--r--sitemodules/profiles/files/debarchive/cacert-keyring.gpgbin0 -> 12670 bytes
-rw-r--r--sitemodules/profiles/files/debarchive/debarchive.service11
-rw-r--r--sitemodules/profiles/files/debarchive/gpg_pubring.kbxbin0 -> 1313 bytes
-rw-r--r--sitemodules/profiles/files/debarchive/gpg_trustdb.gpgbin0 -> 1240 bytes
-rw-r--r--sitemodules/profiles/manifests/debarchive.pp176
-rw-r--r--sitemodules/profiles/templates/debarchive/sign_release.epp56
-rw-r--r--sitemodules/profiles/templates/mini-dinstall.conf.epp19
8 files changed, 313 insertions, 19 deletions
diff --git a/hieradata/nodes/webstatic.yaml b/hieradata/nodes/webstatic.yaml
index e70bcf7..76dec24 100644
--- a/hieradata/nodes/webstatic.yaml
+++ b/hieradata/nodes/webstatic.yaml
@@ -4,6 +4,76 @@ classes:
profiles::base::admins:
- jandd
- law
+profiles::debarchive::notification_email_address: jandd@cacert.org
+profiles::debarchive::release_signing_keyid: "CAcert Debian Archive Signing Key 2019"
+profiles::debarchive::release_signing_keygrip: 223894064EE26851A245DE9208C5C0ABF772F7A7
+profiles::debarchive::release_signing_passphrase: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAOo5m999kQDHcWwrDXAn37SUyzvQZ3xq6mlMa
+ sJ8RTlgbMe6e22GyaYfD78agnS/M0xgdbtv5YF6lykn9ACi0US7Tr6tS+D/3
+ AxcdLFC1qUAE7HJdq5QBYXU/Ahd1Ot0DXHMnUvX8wSUY1aWIvJpZXnuWZrp+
+ 792E5SxNAmi6T12AxlQbJC9M4mHpRzj65ORAG3heDO/kwL8v4T2acDs7i0g4
+ Q2kszyoG3zKVIP0/k/eCOWZynS2D4H8aSYhU7MDU9lGUlIpd2NyizXYypb9n
+ yWUALiSLCAIy61R9/c/PEAfZtLX9mJTTGqg3LEubULQSktjRlCIVxhL8foiB
+ 1bCYcTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBFres4FSCj+KEUb9gU
+ cfM+gDAvP/N8eQsOcQoZxqZTFl270FiaPZtgcF5Zb/yuLPFvFcU4SdseDjbe
+ e6g7/Uc6du4=]
+profiles::debarchive::release_signing_private_key: >
+ ENC[PKCS7,MIIJfQYJKoZIhvcNAQcDoIIJbjCCCWoCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAYfzMeAdn+nl+k0NB82RjNbSW68Ci4xIKBuRV
+ 7pxDkYDNGp4UUB/SmDiPYO2BbMEJHQMPa+jQDtC81UfwZ9n7f/XINq6ph27c
+ yAWlfw0RgFEk68Qk3EKxCXANCrNf2HiOR6CabWFllzWoOFrZOMdTpZmB0CBy
+ NGnkkkwUfyanwPlycjIbrvP/r072jdA/JuCpa533TH6zw9uwwwTxv5q5deLq
+ mkvXlM8VZsziLaH+bAeopRL8uENqyt83YyaxNMk8zHyz6L1RpP8vVLr8sg3n
+ eYbdVoqch+KM4L3Hi8X/AuG/BEeGihgvEdbqmVzJYHmJh7tBXaADite+H+hr
+ golbtjCCCD4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEIYfkjacKpZlGCwA
+ HbCvYM6AgggQc6wQ9rphDQBo8ybKYIU+QTNPbqFMgk6FR6Mxx/4DugSO7p6f
+ 5aMSGUetOD00fKJb1PlWTuqmnALCwbQu3w018dk9uuFDwiz+lAQHb9p6CLgG
+ kZLnUOQCfnLPFxihePUYeLQFIRqjYsOSvDudzj4dI/70IiDaP51EYznB7wVE
+ vJEVS/np6hm6z+WKnfSibonZTiU/mh8jdHiJVDxAAE1o0ehodREp5Kwwpsjw
+ 8mHreRWrFJRIFrW4h4bTJfzLOEz+LYkBG7WJLtK+VtpU/xiWe1ApT6dXiVS8
+ dISbPJPASzCnIsTzTw8PQ+aOiagAS8oeeA242dnCLHTu1wApKj8DZF5OXlrr
+ A8hE0n1IW4yon2ZsP5acf80r2TwvREfrAfCBKsD5+gfQqcjt4vJFXy3CRwMw
+ zo2/DrOgeHJziZXKkZl8/m4E5Xxw/knX6sJh/qSymotGYKY+VnaDzfff36bk
+ 56Jy1KO8K2k7CnlpartBzQnA3qTEQxRXpj5eAU4iNZMTfk3ZSQe+l6Ws7gqb
+ AEIEF40x5QdsgMJLc2OVjacTtNkHvXDAvaQJ2nd+M0uYFHLWNVI3gQQ0DKH0
+ HaG3lNZfQ+D1Ev16031FjqhGP7lgCx/XQ/ck81k4QiGrTJu30eQV+gl3wxl5
+ TjihVNXcJ3TqoagzHT2JwbfnDTskb29xLTJ1eFRWouJzRVEW51tThMXa9kDV
+ rCE+/jcHGMYwyPn8DlLLLEI1M0Wh06LySEaaDb0ASBIjbHrK88gWHmM8oW9v
+ +oKmfO5VMeGaB+V8Rwqjy+T7C1aB4iSmqu3w9RDonkLNZ5fgny3pVZi2UgSR
+ uEcgGx8Qflg8waDQ8mc23AEsIdzNREvBTfi3IRNf9dquGqnamZYqvOnuMmg1
+ MoC0euxrhLsRvYdOF6kzHfm82NzyHx6ekOhHEONa9HPW4sqVWTBRiewojGfe
+ ZtOHMj2DckZY0J4fmK4CGuz3Y6G25+8P1LCKzkO6jjTHIj1l32tX7BRCdKpH
+ 7M+rsZxEnqz1kMp6xx5JC4vsRv7U3azZ1vmLuJlL1w9eY99WV71v+XCFwuPt
+ FdkmFxvG+c8JWjEEtrH5ObbzqGoOw5LBAhr2cvbDbUbyYIZ4OBeo4yb8nTPG
+ vSEIJkFu7OquG9NWFYAHKc8Vly/B2lJDZPY3HRYcybxwiwPtbUV2vUnC+u21
+ DwJFqQH616edvONhYJAASOfBzrdE5vzgDaJl01K8EnS7bgJQP01J0Elx9jBO
+ bY8hBI9c1KYBA2NjIbigrpFeRXs0555rTzNhOWJzlfKMMZTcOPYIhr1tziem
+ TX8aCxHUcc/8cl0K+mtDTTjbAeHUXrZ0cfUgIexjaehKMiwNkNYAMqkDkEZK
+ oMceeRvRW5daVdqsqYVh0eHlZ9G7n4SNxcffI3XQvm36ZyHUOQ7dBbclVK7u
+ dJKQKwEXKgfDQGbL6Ko4OTgZKgjgwiyKpK4LTii4QR/FU44thBDFFoWjyn//
+ GgDIALXIayiRuDiNZKDJv6Du5vaZzntoKU4tWTzJwOVK34vaj+2U6Yx7Ezkj
+ Cr4duDeXdePuGsqAkcgUGUHuzwjzyMIon33FnlrmfpdqLRJLvY/PEiEWcxil
+ oNbmzmGSpN2ldHOIp/VJ+GvF7sb7WqjyMa489sK4kOaVetWm2hqnTtFTE3Nj
+ D4Do2Sf4MlGBDOr0ZYb3FvKeo93fD7zHh9TnvIg4DzB6HpyrSZ5FQbNj17fV
+ i9bu1DRdhhBlRUYk1BaDTV+jXY0RDnFTo5DR0wkLnT2Re9pF8nDZVlKSJc2O
+ 7zUznCSkSdCrB40f8ARDY5uHPMez5xEraBfqk0aUUKahwzJSXSdPJ0lq/qn9
+ x7E2bLhpvughwqaNeonqngZ2u+tvRAt2Qsa3hzt5fh7LA5+iP+NXXb/QFmVn
+ izlMFPVaF97IOuycZxCpZ0/obWLav9SnQPsbmnHEci7YdNjhueRcTlQryhO+
+ VTmcSKcMcRWuzeu485+hexYXvyf7UxIvvdetB9q7gCGpyeEF4UFvNp222kCg
+ Loy6/UdfF/mukAH+vZ0PjC2FdQLF4NlxjoMbTwvrUaotB7w+Ht+e7OqkUUFB
+ 5tHtI9M3xC6Tfxt5iehwUGUIdy5ybYE8qSuV5YnDRA3vPvVLnjDC9cfZLvJh
+ 3J01qq3H7xWpYXTyAwLqtGkalifzG0gYvZUDBeqCLAgX/Vg5zQ68W6SNQOoM
+ NH4xMJbunhkEkbyPuPheJRP3s8NpDKRguAxGHET2Xm88cprGg60p5rP1CyE0
+ h3uYHRJArbOVEeLB4FmS6t73gnuvadSOcR0CF9Xmj1bAXQTbFr1TCtt/B5eA
+ o+4votCrbFy61qQLXA9rUjMaK4Z2YUWt3gyJgEOKEYFUzYnHZVsWw5NRFQzZ
+ sB7q1KGNSCt/NSgaIVHPWMTzwpTrn+PzE3nRc6DgxzFmHive6fhvK441elBg
+ Lr1rB7siBM+NCRGB/WGOAMJtNE34odq2oDSOI4ImG+l8dciDrp+5yZJ930SQ
+ SnFKunJQ4VHNpec4j5UGGgjZAJzC6mshe5CGM1RHxC+i9mZWXcnEB1wkEL0m
+ BYRXfjHF1w7/cIi4bvQiS4fhHU/brpkNODFDZgGggxuQrYOKLkbbr7gEfGD/
+ s4+hT+NvjWfe+uuCjMCKNe23dhvcWMVqYHuEMAF6XKuXqPRDsDTo0M+neT1V
+ KNYnkHBqPiU2Fgbf+j2BqmoAXsP1RWFhatqoX/rNTqPteHzTYdU/mdYUdkzR
+ w/Ux]
profiles::debarchive::uploaders:
- jandd
profiles::icinga2_agent::pki_ticket: >
diff --git a/sitemodules/profiles/files/debarchive/cacert-keyring.gpg b/sitemodules/profiles/files/debarchive/cacert-keyring.gpg
new file mode 100644
index 0000000..1b62f41
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/cacert-keyring.gpg
Binary files differ
diff --git a/sitemodules/profiles/files/debarchive/debarchive.service b/sitemodules/profiles/files/debarchive/debarchive.service
new file mode 100644
index 0000000..0fc3555
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/debarchive.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=CAcert Debian Archive Update service
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/mini-dinstall
+ExecStop=/usr/bin/mini-dinstall -k
+User=debarchive
+
+[Install]
+WantedBy=multi-user.target
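Review bot: The unit drops to `User=debarchive` but applies no sandboxing, which is cheap to add for a daemon that only needs to write under /srv/debarchive; `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` in `[Service]` would be a reasonable baseline, after confirming that mini-dinstall's mail notification does not need a writable path outside that tree. `Type=forking` is used without `PIDFile=`, so systemd has to guess the main process after the fork; if mini-dinstall writes a pid file, its path should be given here so stop and restart track the right process.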
diff --git a/sitemodules/profiles/files/debarchive/gpg_pubring.kbx b/sitemodules/profiles/files/debarchive/gpg_pubring.kbx
new file mode 100644
index 0000000..cd56cf6
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/gpg_pubring.kbx
Binary files differ
diff --git a/sitemodules/profiles/files/debarchive/gpg_trustdb.gpg b/sitemodules/profiles/files/debarchive/gpg_trustdb.gpg
new file mode 100644
index 0000000..d06e51b
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/gpg_trustdb.gpg
Binary files differ
diff --git a/sitemodules/profiles/manifests/debarchive.pp b/sitemodules/profiles/manifests/debarchive.pp
index c0965e5..e075137 100644
--- a/sitemodules/profiles/manifests/debarchive.pp
+++ b/sitemodules/profiles/manifests/debarchive.pp
@@ -6,8 +6,20 @@
# Parameters
# ----------
#
-# @param uploaders a list of users that are allowed to dput files to the
-# Debian archive
+# @param notification_email_address email address that will receive reports
+# from mini-dinstall
+#
+# @param release_signing_keygrip GPG keygrip of the release signing key
+#
+# @param release_signing_keyid GPG key id of the release signing key
+#
+# @param release_signing_passphrase passphrase for the release signing key
+#
+# @param release_signing_private_key data of a GPG key that is used for
+# release file signing
+#
+# @param uploaders a list of users that are allowed to dput
+# files to the Debian archive
#
# Examples
# --------
@@ -28,6 +40,11 @@
# Copyright 2019 Jan Dittberner
#
class profiles::debarchive (
+ String $notification_email_address,
+ String $release_signing_keygrip,
+ String $release_signing_keyid,
+ String $release_signing_passphrase,
+ String $release_signing_private_key,
Array[String] $uploaders = [],
) {
include profiles::base
@@ -36,37 +53,158 @@ class profiles::debarchive (
ensure => latest,
}
group { 'debarchive':
- ensure => present,
- system => true,
+ ensure => absent,
}
user { 'debarchive':
- ensure => present,
- comment => 'CAcert debian archive user',
- system => true,
- gid => 'nogroup',
- home => '/srv/debarchive',
- shell => '/bin/false',
+ ensure => present,
+ comment => 'CAcert debian archive user',
+ system => true,
+ gid => 'nogroup',
+ home => '/srv/debarchive',
+ shell => '/bin/false',
+ purge_ssh_keys => true,
}
file { '/srv/debarchive':
ensure => directory,
owner => 'debarchive',
- group => 'debarchive',
- mode => '0755',
+ group => 'nogroup',
+ mode => '0711',
+ }
+ file { '/srv/debarchive/archive':
+ ensure => directory,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0711',
}
- file { '/srv/debarchive/mini-dinstall':
+ file { '/srv/debarchive/archive/mini-dinstall':
ensure => directory,
owner => 'debarchive',
- group => 'debarchive',
- mode => '0755',
+ group => 'nogroup',
+ mode => '0711',
}
- file { '/srv/debarchive/mini-dinstall/incoming':
+ file { '/srv/debarchive/archive/mini-dinstall/incoming':
ensure => directory,
owner => 'debarchive',
- group => 'debarchive',
- mode => '0770',
+ group => 'nogroup',
+ mode => '0700',
}
$uploaders.each |String $username| {
- User<| title == $username |> { groups +> 'debarchive' }
+ $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
+ $ssh_keys.each |Hash[String, Data] $keydata| {
+ $keyname = $keydata['name']
+ ssh_authorized_key { "debarchive-${username}-${keyname}":
+ ensure => present,
+ user => 'debarchive',
+ type => $keydata['type'],
+ key => $keydata['key'],
+ options => 'command="internal-sftp"',
+ require => User['debarchive'],
+ }
+ }
+ }
+
+ file { '/srv/debarchive/.mini-dinstall.conf':
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => epp('profiles/debarchive/mini-dinstall.conf.epp',
+ { mail_to => $notification_email_address, }
+ ),
+ }
+
+ $gpghome = '/srv/debarchive/.gnupg'
+
+ file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
+ ensure => directory,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0700',
+ }
+ file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => $release_signing_private_key,
+ }
+ file { "${gpghome}/passphrase":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => $release_signing_passphrase,
+ }
+ file { "${gpghome}/gpg-agent.conf":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => 'log-file /srv/debarchive/log/gpg-agent.log',
+ }
+ file { "${gpghome}/pubring.kbx":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
+ }
+ file { "${gpghome}/trustdb.gpg":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
+ }
+ file { '/srv/debarchive/cacert-keyring.gpg':
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
+ }
+ file { '/srv/debarchive/scripts/sign_release':
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0700',
+ content => epp('profiles/debarchive/sign_release.epp',
+ {
+ key_id => $release_signing_keyid,
+ }
+ ),
+ require => [
+ File["${gpghome}/gpg-agent.conf"],
+ File["${gpghome}/passphrase"],
+ File["${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key"],
+ File["${gpghome}/pubring.kbx"],
+ File["${gpghome}/trustdb.gpg"],
+ ],
+ }
+ file { '/etc/systemd/system/debarchive.service':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/debarchive/debarchive.service',
+ }
+ exec { 'reload systemd when debarchive.service unit changes':
+ command => '/bin/sytemctl daemon-reload',
+ refreshonly => true,
+ subscribe => File['/etc/systemd/system/debarchive.service'],
+ notify => Service['debarchive'],
+ }
+ service { 'debarchive':
+ ensure => running,
+ enable => true,
+ require => [
+ File['/srv/debarchive/.mini-dinstall.conf'],
+ File['/srv/debarchive/archive/mini-dinstall/incoming'],
+ File['/srv/debarchive/cacert-keyring.gpg'],
+ File['/srv/debarchive/scripts/sign_release'],
+ Package['mini-dinstall'],
+ User['debarchive'],
+ ],
}
}
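Review bot: The `command` of `exec { 'reload systemd when debarchive.service unit changes': ... }` misspells the binary (`/bin/sytemctl daemon-reload`), so every change to the unit file fails the run and Service['debarchive'] is never notified; it should read `command => '/bin/systemctl daemon-reload',`. The `"${gpghome}/passphrase"` and `"${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key"` resources set `content` from the decrypted hiera secrets, and Puppet by default includes content diffs of managed files in agent logs and reports, so both should carry `show_diff => false,` alongside `mode => '0600'`. The `ssh_authorized_key` entries only force `command="internal-sftp"`; adding `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` to `options` (or `restrict` on OpenSSH 7.2+) closes the remaining channels an uploader key would otherwise keep. The class header and parameter list are above this hunk.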
diff --git a/sitemodules/profiles/templates/debarchive/sign_release.epp b/sitemodules/profiles/templates/debarchive/sign_release.epp
new file mode 100644
index 0000000..27cc187
--- /dev/null
+++ b/sitemodules/profiles/templates/debarchive/sign_release.epp
@@ -0,0 +1,56 @@
+<%- | String $key_id | -%>
+#!/bin/bash
+# -*- coding: utf-8 -*-
+# Script to GPG sign Release files
+# Copyright © 2002 Colin Walters <walters@debian.org>
+# Copyright © 2019 Jan Dittberner <jandd@cacert.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Usage:
+
+# You need to create a secret keyring (secring.gpg). You can use your
+# existing one, or create a new one by doing something like the
+# following:
+
+# $ GNUPGHOME=/src/debian/mini-dinstall/s3kr1t gnupg --gen-key
+
+set -e
+
+# User variables
+# MAKE SURE TO MAKE THIS DIRECTORY 0700!
+export GNUPGHOME=/srv/debarchive/.gnupg
+if [ ! -d "$GNUPGHOME" ]; then
+ mkdir -p "$GNUPGHOME"
+fi
+if [ -z "$USER" ]; then
+ USER=$(id -n -u)
+fi
+# This is just a default value
+KEYID="<%= $key_id %>"
+PASSPHRASE=$(cat "$GNUPGHOME/passphrase")
+
+# These should fail if for some reason the directory isn't owned by us
+chown "$USER" "$GNUPGHOME"
+chmod 0700 "$GNUPGHOME"
+
+# Initialize GPG
+gpg --help 1>/dev/null 2>&1 || true
+
+rm -f Release.gpg.tmp InRelease.tmp
+echo "$PASSPHRASE" | gpg --batch --no-tty --passphrase-fd 0 --pinentry-mode loopback --default-key "$KEYID" --detach-sign -o Release.gpg.tmp "$1"
+mv Release.gpg.tmp Release.gpg
+echo "$PASSPHRASE" | gpg --batch --no-tty --passphrase-fd 0 --pinentry-mode loopback --default-key "$KEYID" --clearsign -o InRelease.tmp "$1"
+mv InRelease.tmp InRelease
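Review bot: The passphrase is read into a shell variable with `PASSPHRASE=$(cat "$GNUPGHOME/passphrase")` and fed to gpg through `echo`, which leaves the secret in a shell variable and in any `set -x` trace; gpg can read it directly with `--passphrase-file "$GNUPGHOME/passphrase"` in place of `--passphrase-fd 0` on both gpg lines, removing the variable and the two `echo` pipes (`--pinentry-mode loopback` stays). `--default-key "$KEYID"` selects by user-ID substring, since the hiera value is the name "CAcert Debian Archive Signing Key 2019", so a second matching key in the keyring could be picked instead; `--local-user` with the key's fingerprint is unambiguous. The Usage comment (secring.gpg, `/src/debian/mini-dinstall/s3kr1t`) and `# This is just a default value` are carried over from the upstream script and no longer describe this deployment, where Puppet provisions `$GNUPGHOME`, the key and the passphrase file; they should be replaced by a short comment saying so. The script also never checks that `$1` is set; `[ -n "$1" ] || exit 1` before the `rm -f` line fails early instead of at the gpg call.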
diff --git a/sitemodules/profiles/templates/mini-dinstall.conf.epp b/sitemodules/profiles/templates/mini-dinstall.conf.epp
new file mode 100644
index 0000000..221127a
--- /dev/null
+++ b/sitemodules/profiles/templates/mini-dinstall.conf.epp
@@ -0,0 +1,19 @@
+<%- | String $mail_to |-%>
+[DEFAULT]
+archivedir=/srv/debarchive/archive
+incoming_permissions=0700
+keyrings=/srv/debarchive/cacert-keyring.gpg
+logfile=/srv/debarchive/log/mini-dinstall.log
+mail_to=<%= $mail_to %>
+verify_sigs=True
+archive_style=flat
+generate_release=True
+architectures=source, all, amd64
+
+[cacert]
+release_codename=cacert
+release_description=CAcert Debian package releases
+release_label=cacert
+release_origin=cacert
+release_suite=cacert
+release_signscript=/srv/debarchive/scripts/sign_release