-rw-r--r--sitemodules/profiles/files/debarchive/inoticoming.service12
-rw-r--r--sitemodules/profiles/files/debarchive/reprepro_conf_incoming8
-rw-r--r--sitemodules/profiles/manifests/debarchive.pp102
3 files changed, 107 insertions, 15 deletions
diff --git a/sitemodules/profiles/files/debarchive/inoticoming.service b/sitemodules/profiles/files/debarchive/inoticoming.service
new file mode 100644
index 0000000..55480d7
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/inoticoming.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Processor for the incoming queue of the CAcert Debian archive
+Documentation=man:inoticoming(1)
+Requires=local-fs.target
+
+[Service]
+ExecStart=inoticoming --foreground --initialsearch /srv/upload/incoming --suffix .changes --stderr-to-log --stdout-to-log reprepro -s -b /srv/debarchive/packages --waitforlock 1000 processincoming default {} \;
+User=debarchive
+WorkingDirectory=/srv/debarchive
+
+[Install]
+Wanted-By=multi-user.target
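Review bot: `Wanted-By=` on the last line of the [Install] section is not a systemd directive; the key is `WantedBy=`, so systemd will log an unknown-key warning and the unit carries no install information, which makes the manifest's `enable => true` on the service fail. Change the line to `WantedBy=multi-user.target`. `ExecStart=` also names `inoticoming` without an absolute path; only newer systemd releases resolve bare executable names against a fixed search path, so on older targets `/usr/bin/inoticoming` (or wherever the package installs it) may be required — worth confirming against the oldest release this unit is deployed to. Since the service runs reprepro over externally uploaded files as `debarchive`, a few sandboxing lines such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would limit what a malformed upload could reach beyond the archive directories.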
diff --git a/sitemodules/profiles/files/debarchive/reprepro_conf_incoming b/sitemodules/profiles/files/debarchive/reprepro_conf_incoming
new file mode 100644
index 0000000..357749d
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/reprepro_conf_incoming
@@ -0,0 +1,8 @@
+Name: default
+IncomingDir: /srv/upload/incoming
+TempDir: /srv/debarchive/tmp
+LogDir: /srv/debarchive/log
+Allow: stretch-cacert buster-cacert
+Default: buster-cacert
+Permit: unused_files
+Cleanup: unused_files unused_buildinfo_files on_deny on_error
diff --git a/sitemodules/profiles/manifests/debarchive.pp b/sitemodules/profiles/manifests/debarchive.pp
index 38f4ca3..ad6f323 100644
--- a/sitemodules/profiles/manifests/debarchive.pp
+++ b/sitemodules/profiles/manifests/debarchive.pp
@@ -44,9 +44,20 @@ class profiles::debarchive (
String $release_signing_keyid,
Array[String] $uploaders = [],
) {
+ $debarchive_home = '/srv/debarchive'
+ $gpg_home = "${debarchive_home}/.gnupg"
+ $package_dir = "${debarchive_home}/packages"
+ $trusted_keyring = "${debarchive_home}/cacert-keyring.gpg"
+ $archive_public_key = "${package_dir}/cacert-debian-archive-2019.gpg"
+ $release_signing_private_key_file = "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key"
+
+ $upload_chroot = '/srv/upload'
+ $incoming_dir = "${upload_chroot}/incoming"
+ $inoticoming_service = '/etc/systemd/system/debarchive-inoticoming.service'
+
include profiles::base
- package{ ['rssh', 'reprepro']:
+ package{ ['rssh', 'reprepro', 'inoticoming']:
ensure => latest,
} ->
file { 'ensure that suid bit on rssh_chroot_helper is set':
@@ -57,12 +68,6 @@ class profiles::debarchive (
mode => '4755',
}
- $debarchive_home = '/srv/debarchive'
- $gpg_home = "${debarchive_home}/.gnupg"
- $package_dir = "${debarchive_home}/packages"
- $upload_chroot = '/srv/upload'
- $incoming_dir = "${upload_chroot}/incoming"
-
# setup user, groups and directories
group { 'debarchive':
ensure => absent,
@@ -139,6 +144,14 @@ class profiles::debarchive (
}
}
+ file { $trusted_keyring:
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
+ }
+
# setup GPG home for signing
file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log"]:
ensure => directory,
@@ -146,7 +159,7 @@ class profiles::debarchive (
group => 'nogroup',
mode => '0700',
}
- file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
+ file { $release_signing_private_key_file:
ensure => file,
owner => 'debarchive',
group => 'nogroup',
@@ -160,6 +173,13 @@ class profiles::debarchive (
mode => '0600',
content => "log-file ${debarchive_home}/log/gpg-agent.log",
}
+ file { "${gpg_home}/gpg.conf":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => "keyring ${trusted_keyring}\n",
+ }
file { "${gpg_home}/pubring.kbx":
ensure => file,
owner => 'debarchive',
@@ -174,12 +194,16 @@ class profiles::debarchive (
mode => '0600',
source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
}
- file { "${debarchive_home}/cacert-keyring.gpg":
- ensure => file,
- owner => 'debarchive',
- group => 'nogroup',
- mode => '0600',
- source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
+ exec { "export archive signing key":
+ command => "/usr/bin/gpg --export --export-options export-minimal \"${release_signing_keyid}\" > ${archive_public_key}",
+ creates => $archive_public_key,
+ require => [
+ File["${gpg_home}/gpg.conf"],
+ File["${gpg_home}/gpg-agent.conf"],
+ File[$release_signing_private_key_file],
+ File["${gpg_home}/pubring.kbx"],
+ File["${gpg_home}/trustdb.gpg"],
+ ],
}
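Review bot: The `exec` that exports the archive signing key sets no `user`, `environment` or `--homedir`, so gpg runs as root against root's default GnuPG home rather than `${gpg_home}`, where this manifest installs the pubring, trustdb and the private key; the export will either fail or export from the wrong keyring. The `>` redirect (which with the default posix provider only works when Ruby hands the string to a shell) also creates the target file before gpg has produced anything, so a failing gpg leaves an empty `${archive_public_key}` behind and `creates` then suppresses every later retry until someone removes the file by hand. Letting gpg write the file itself and running as the archive user avoids both problems: `command => "/usr/bin/gpg --homedir ${gpg_home} --export --export-options export-minimal --output ${archive_public_key} \"${release_signing_keyid}\"",` together with `user => 'debarchive',`. The ownership and mode of the exported key file are unmanaged as well; a `file { $archive_public_key: ... }` resource ordered after the exec would pin them.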
# setup reprepro
@@ -197,7 +221,7 @@ class profiles::debarchive (
}
concat { "${package_dir}/conf/distributions":
- ensure => 'present',
+ ensure => present,
owner => 'debarchive',
group => 'nogroup',
mode => '0600',
@@ -211,6 +235,9 @@ class profiles::debarchive (
'Architectures: amd64 source',
'Components: main',
'SignWith: yes',
+ 'DebIndices: Packages Release . .gz .xz',
+ 'Uploaders: uploaders',
+ "Log: ${debarchive_home}/log/stretch-cacert-updates.log",
'',
''], "\n"),
}
@@ -223,7 +250,52 @@ class profiles::debarchive (
'Architectures: amd64 source',
'Components: main',
'SignWith: yes',
+ 'DebIndices: Packages Release . .gz .xz',
+ 'Uploaders: uploaders',
+ "Log: ${debarchive_home}/log/buster-cacert-updates.log",
'',
''], "\n"),
}
+
+ file { "${package_dir}/conf/incoming":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/reprepro_conf_incoming',
+ }
+
+ file { "${package_dir}/conf/uploaders":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => "allow * by any key",
+ }
+
+ file { $inoticoming_service:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/debarchive/inoticoming.service',
+ require => [
+ Package['inoticoming'],
+ File["${package_dir}/conf/distributions"],
+ File["${package_dir}/conf/incoming"],
+ File["${package_dir}/conf/uploaders"],
+ File[$trusted_keyring],
+ User['debarchive'],
+ ],
+ } ~>
+ exec { 'reload systemd configuration after changes to service file':
+ command => '/bin/systemctl daemon-reload',
+ refreshonly => true,
+ }
+
+ service { 'debarchive-inoticoming':
+ ensure => running,
+ enable => true,
+ require => File[$inoticoming_service],
+ }
}
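Review bot: `conf/uploaders` is written with the fixed content `allow * by any key`, which lets every key in the trusted keyring upload to every distribution, while the class's `$uploaders` parameter (declared with a default of `[]`) is never consulted; the `Uploaders: uploaders` lines added to both distribution stanzas in the two preceding hunks make this policy effective. If membership of `cacert-keyring.gpg` is meant to be the only upload control, a comment on the resource saying so would help; otherwise derive the content from the parameter, e.g. `content => join($uploaders.map |$k| { "allow * by key ${k}" } + [''], "\n"),` assuming `$uploaders` holds key ids — confirm what callers pass. The `service` resource also only requires the unit file, not the `daemon-reload` exec that the file notifies, so on a fresh host Puppet may try to enable the service before systemd has seen the unit; adding `Exec['reload systemd configuration after changes to service file']` to the service's `require` fixes the ordering.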