-rw-r--r--sitemodules/profiles/files/debarchive/debarchive.service11
-rw-r--r--sitemodules/profiles/manifests/debarchive.pp79
-rw-r--r--sitemodules/profiles/templates/debarchive/mini-dinstall.conf.epp19
-rw-r--r--sitemodules/profiles/templates/debarchive/sign_release.epp56
4 files changed, 23 insertions, 142 deletions
diff --git a/sitemodules/profiles/files/debarchive/debarchive.service b/sitemodules/profiles/files/debarchive/debarchive.service
deleted file mode 100644
index 0fc3555..0000000
--- a/sitemodules/profiles/files/debarchive/debarchive.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=CAcert Debian Archive Update service
-
-[Service]
-Type=forking
-ExecStart=/usr/bin/mini-dinstall
-ExecStop=/usr/bin/mini-dinstall -k
-User=debarchive
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sitemodules/profiles/manifests/debarchive.pp b/sitemodules/profiles/manifests/debarchive.pp
index 22e75d1..70735d9 100644
--- a/sitemodules/profiles/manifests/debarchive.pp
+++ b/sitemodules/profiles/manifests/debarchive.pp
@@ -1,7 +1,7 @@
# Class: profiles::debarchive
# ===========================
#
-# This class defines a mini-dinstall based Debian package archive setup.
+# This class defines a Debian package archive setup.
#
# Parameters
# ----------
@@ -49,9 +49,28 @@ class profiles::debarchive (
) {
include profiles::base
+ # remove first try with mini-dinstall
package { 'mini-dinstall':
- ensure => latest,
+ ensure => purged,
}
+ service { 'debarchive':
+ ensure => stopped,
+ enable => false,
+ }
+ file { '/etc/systemd/system/debarchive.service':
+ ensure => absent,
+ }
+ exec { 'reload systemd when debarchive.service unit changes':
+ command => '/bin/systemctl daemon-reload',
+ refreshonly => true,
+ subscribe => File['/etc/systemd/system/debarchive.service'],
+ notify => Service['debarchive'],
+ }
+ file { '/srv/debarchive/.mini-dinstall.conf':
+ ensure => absent,
+ }
+
+ # setup user, groups and directories
group { 'debarchive':
ensure => absent,
}
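Review bot: The cleanup resources at the top of this hunk are ordered so the unit is removed before the service is stopped: the exec's `subscribe => File['/etc/systemd/system/debarchive.service']` together with `notify => Service['debarchive']` forces the file removal and daemon-reload to be evaluated before Service['debarchive'], and Package['mini-dinstall'] (purged) precedes the service in manifest order, so `systemctl stop`/`disable` may be asked to act on a unit that is already not-found and whose ExecStop binary (`/usr/bin/mini-dinstall -k` in the deleted unit file) is gone. Whether the systemd service provider tolerates that appears to depend on the Puppet version, so the dependency should be explicit rather than incidental: add `before => [Package['mini-dinstall'], File['/etc/systemd/system/debarchive.service']],` to the service and drop the `notify => Service['debarchive']` line from the exec, which would otherwise form a cycle and is a no-op for a stopped service anyway. The class body continues outside this hunk.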
@@ -83,6 +102,7 @@ class profiles::debarchive (
mode => '0700',
}
+ # setup ssh keys
$uploaders.each |String $username| {
$ssh_keys = $::profiles::base::users[$username]['ssh_keys']
$ssh_keys.each |Hash[String, Data] $keydata| {
@@ -92,22 +112,12 @@ class profiles::debarchive (
user => 'debarchive',
type => $keydata['type'],
key => $keydata['key'],
- options => 'command="internal-sftp"',
require => User['debarchive'],
}
}
}
- file { '/srv/debarchive/.mini-dinstall.conf':
- ensure => file,
- owner => 'debarchive',
- group => 'nogroup',
- mode => '0600',
- content => epp('profiles/debarchive/mini-dinstall.conf.epp',
- { mail_to => $notification_email_address, }
- ),
- }
-
+ # setup GPG home for signing
$gpghome = '/srv/debarchive/.gnupg'
file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
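Review bot: Dropping `options => 'command="internal-sftp"'` from the uploaders' ssh_authorized_key widens what those keys can do: they previously got a forced SFTP-only session as the debarchive user and now get whatever login the debarchive account permits, which this hunk does not show (the User['debarchive'] shell is declared outside it). If shell access is now required for uploads, say so next to the key resource, e.g. `# uploaders need an unrestricted session: no forced internal-sftp command`; otherwise keep the forced command. The added `# setup GPG home for signing` comment also describes a purpose this commit removes, since the sign_release script is deleted further down, so it should state what the GPG home is still used for. The `$uploaders.each` loop starts in the previous hunk and the class body continues past this one.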
@@ -158,47 +168,4 @@ class profiles::debarchive (
mode => '0600',
source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
}
- file { '/srv/debarchive/scripts/sign_release':
- ensure => file,
- owner => 'debarchive',
- group => 'nogroup',
- mode => '0700',
- content => epp('profiles/debarchive/sign_release.epp',
- {
- key_id => $release_signing_keyid,
- }
- ),
- require => [
- File["${gpghome}/gpg-agent.conf"],
- File["${gpghome}/passphrase"],
- File["${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key"],
- File["${gpghome}/pubring.kbx"],
- File["${gpghome}/trustdb.gpg"],
- ],
- }
- file { '/etc/systemd/system/debarchive.service':
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- source => 'puppet:///modules/profiles/debarchive/debarchive.service',
- }
- exec { 'reload systemd when debarchive.service unit changes':
- command => '/bin/systemctl daemon-reload',
- refreshonly => true,
- subscribe => File['/etc/systemd/system/debarchive.service'],
- notify => Service['debarchive'],
- }
- service { 'debarchive':
- ensure => running,
- enable => true,
- require => [
- File['/srv/debarchive/.mini-dinstall.conf'],
- File['/srv/debarchive/cacert-keyring.gpg'],
- File['/srv/debarchive/scripts/sign_release'],
- File['/srv/upload/incoming'],
- Package['mini-dinstall'],
- User['debarchive'],
- ],
- }
}
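Review bot: Removing the sign_release resource leaves the signing material it depended on in place: the removed require list names `File["${gpghome}/passphrase"]` and `File["${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key"]`, the previous hunk's context still creates the gpghome directories, and the context here still deploys cacert-keyring.gpg, while nothing in the new code consumes them. If those passphrase and private-key resources are still declared further up (outside this hunk), a cleartext passphrase and a release-signing private key remain deployed on the host with no purpose, and should be removed with `ensure => absent` alongside the unit and script, or the retention documented as intentional pending a replacement signing setup. The class closes with the `}` at the end of this hunk.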
diff --git a/sitemodules/profiles/templates/debarchive/mini-dinstall.conf.epp b/sitemodules/profiles/templates/debarchive/mini-dinstall.conf.epp
deleted file mode 100644
index 221127a..0000000
--- a/sitemodules/profiles/templates/debarchive/mini-dinstall.conf.epp
+++ /dev/null
@@ -1,19 +0,0 @@
-<%- | String $mail_to |-%>
-[DEFAULT]
-archivedir=/srv/debarchive/archive
-incoming_permissions=0700
-keyrings=/srv/debarchive/cacert-keyring.gpg
-logfile=/srv/debarchive/log/mini-dinstall.log
-mail_to=<%= $mail_to %>
-verify_sigs=True
-archive_style=flat
-generate_release=True
-architectures=source, all, amd64
-
-[cacert]
-release_codename=cacert
-release_description=CAcert Debian package releases
-release_label=cacert
-release_origin=cacert
-release_suite=cacert
-release_signscript=/srv/debarchive/scripts/sign_release
diff --git a/sitemodules/profiles/templates/debarchive/sign_release.epp b/sitemodules/profiles/templates/debarchive/sign_release.epp
deleted file mode 100644
index 27cc187..0000000
--- a/sitemodules/profiles/templates/debarchive/sign_release.epp
+++ /dev/null
@@ -1,56 +0,0 @@
-<%- | String $key_id | -%>
-#!/bin/bash
-# -*- coding: utf-8 -*-
-# Script to GPG sign Release files
-# Copyright © 2002 Colin Walters <walters@debian.org>
-# Copyright © 2019 Jan Dittberner <jandd@cacert.org>
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-# Usage:
-
-# You need to create a secret keyring (secring.gpg). You can use your
-# existing one, or create a new one by doing something like the
-# following:
-
-# $ GNUPGHOME=/src/debian/mini-dinstall/s3kr1t gnupg --gen-key
-
-set -e
-
-# User variables
-# MAKE SURE TO MAKE THIS DIRECTORY 0700!
-export GNUPGHOME=/srv/debarchive/.gnupg
-if [ ! -d "$GNUPGHOME" ]; then
- mkdir -p "$GNUPGHOME"
-fi
-if [ -z "$USER" ]; then
- USER=$(id -n -u)
-fi
-# This is just a default value
-KEYID="<%= $key_id %>"
-PASSPHRASE=$(cat "$GNUPGHOME/passphrase")
-
-# These should fail if for some reason the directory isn't owned by us
-chown "$USER" "$GNUPGHOME"
-chmod 0700 "$GNUPGHOME"
-
-# Initialize GPG
-gpg --help 1>/dev/null 2>&1 || true
-
-rm -f Release.gpg.tmp InRelease.tmp
-echo "$PASSPHRASE" | gpg --batch --no-tty --passphrase-fd 0 --pinentry-mode loopback --default-key "$KEYID" --detach-sign -o Release.gpg.tmp "$1"
-mv Release.gpg.tmp Release.gpg
-echo "$PASSPHRASE" | gpg --batch --no-tty --passphrase-fd 0 --pinentry-mode loopback --default-key "$KEYID" --clearsign -o InRelease.tmp "$1"
-mv InRelease.tmp InRelease