Diffstat (limited to 'sitemodules/profiles/manifests/debarchive.pp')
-rw-r--r--sitemodules/profiles/manifests/debarchive.pp146
1 files changed, 125 insertions, 21 deletions
diff --git a/sitemodules/profiles/manifests/debarchive.pp b/sitemodules/profiles/manifests/debarchive.pp
index c0965e5..67cb157 100644
--- a/sitemodules/profiles/manifests/debarchive.pp
+++ b/sitemodules/profiles/manifests/debarchive.pp
@@ -1,13 +1,25 @@
# Class: profiles::debarchive
# ===========================
#
-# This class defines a mini-dinstall based Debian package archive setup.
+# This class defines a Debian package archive setup.
#
# Parameters
# ----------
#
-# @param uploaders a list of users that are allowed to dput files to the
-# Debian archive
+# @param notification_email_address email address that will receive reports
+# from mini-dinstall
+#
+# @param release_signing_keygrip GPG keygrip of the release signing key
+#
+# @param release_signing_keyid GPG key id of the release signing key
+#
+# @param release_signing_passphrase passphrase for the release signing key
+#
+# @param release_signing_private_key data of a GPG key that is used for
+# release file signing
+#
+# @param uploaders a list of users that are allowed to dput
+# files to the Debian archive
#
# Examples
# --------
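Review bot: The new `@param notification_email_address` description still says the address receives reports "from mini-dinstall", but the same commit drops the mini-dinstall package in favour of rssh and reprepro, and nothing in the visible diff reads `$notification_email_address`. Either document which component actually sends to it (presumably a reprepro hook or cron job outside this diff), e.g. `# @param notification_email_address email address that will receive archive processing reports`, or leave the parameter out until something consumes it. The class header sentence could likewise name reprepro so the docblock matches the implementation it now describes.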
@@ -28,45 +40,137 @@
# Copyright 2019 Jan Dittberner
#
class profiles::debarchive (
+ String $notification_email_address,
+ String $release_signing_keygrip,
+ String $release_signing_keyid,
+ String $release_signing_passphrase,
+ String $release_signing_private_key,
Array[String] $uploaders = [],
) {
include profiles::base
- package { 'mini-dinstall':
+ package{ ['rssh', 'reprepro']:
ensure => latest,
}
+
+ # setup user, groups and directories
group { 'debarchive':
- ensure => present,
- system => true,
+ ensure => absent,
}
user { 'debarchive':
- ensure => present,
- comment => 'CAcert debian archive user',
- system => true,
- gid => 'nogroup',
- home => '/srv/debarchive',
- shell => '/bin/false',
+ ensure => present,
+ comment => 'CAcert debian archive user',
+ system => true,
+ gid => 'nogroup',
+ home => '/srv/debarchive',
+ shell => '/usr/bin/rssh',
+ purge_ssh_keys => true,
+ require => Package['rssh'],
}
file { '/srv/debarchive':
ensure => directory,
owner => 'debarchive',
- group => 'debarchive',
- mode => '0755',
+ group => 'nogroup',
+ mode => '0711',
}
- file { '/srv/debarchive/mini-dinstall':
+ file { '/srv/upload':
ensure => directory,
- owner => 'debarchive',
- group => 'debarchive',
+ owner => 'root',
+ group => 'root',
mode => '0755',
}
- file { '/srv/debarchive/mini-dinstall/incoming':
+ file { '/srv/upload/incoming':
ensure => directory,
owner => 'debarchive',
- group => 'debarchive',
- mode => '0770',
+ group => 'nogroup',
+ mode => '0700',
+ }
+
+ $rssh_conf = '/etc/rssh.conf'
+
+ concat { $rssh_conf:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ concat::fragment { 'rssh-global':
+ target => $rssh_conf,
+ order => '01',
+ source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
}
+ concat::fragment { 'rssh-debarchive':
+ target => $rssh_conf,
+ order => '10',
+ content => 'user=debarchive:022:0001100:/srv/upload',
+ }
+
+ # setup ssh keys
$uploaders.each |String $username| {
- User<| title == $username |> { groups +> 'debarchive' }
+ $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
+ $ssh_keys.each |Hash[String, Data] $keydata| {
+ $keyname = $keydata['name']
+ ssh_authorized_key { "debarchive-${username}-${keyname}":
+ ensure => present,
+ user => 'debarchive',
+ type => $keydata['type'],
+ key => $keydata['key'],
+ require => User['debarchive'],
+ }
+ }
+ }
+
+ # setup GPG home for signing
+ $gpghome = '/srv/debarchive/.gnupg'
+
+ file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
+ ensure => directory,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0700',
+ }
+ file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => $release_signing_private_key,
+ }
+ file { "${gpghome}/passphrase":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => $release_signing_passphrase,
+ }
+ file { "${gpghome}/gpg-agent.conf":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ content => 'log-file /srv/debarchive/log/gpg-agent.log',
+ }
+ file { "${gpghome}/pubring.kbx":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
+ }
+ file { "${gpghome}/trustdb.gpg":
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
+ }
+ file { '/srv/debarchive/cacert-keyring.gpg':
+ ensure => file,
+ owner => 'debarchive',
+ group => 'nogroup',
+ mode => '0600',
+ source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
}
}
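Review bot: The release signing private key and passphrase are declared as plain `String` in the class parameter list and written via `content =>`, so their values sit in the catalog in clear and, whenever the file content changes, are printed in the agent's diff output and reports. Declaring them as `Sensitive[String] $release_signing_passphrase,` and `Sensitive[String] $release_signing_private_key,` and adding `show_diff => false,` to the two file resources that write them keeps the secrets out of logs and reports (file content accepts Sensitive values on current Puppet releases; verify against the version in use). The keygrip is also interpolated straight into the `private-keys-v1.d` path; a `Pattern[/\A[0-9A-Fa-f]{40}\z/]` type on `$release_signing_keygrip` would reject anything that is not a 40-hex-digit keygrip before it becomes a filename. Separately, the `ssh_authorized_key` entries created for uploaders carry no `options`; adding `options => ['no-port-forwarding', 'no-X11-forwarding', 'no-agent-forwarding', 'no-pty']` narrows what an uploader key can do on top of the rssh restriction, and the lookup `$::profiles::base::users[$username]['ssh_keys']` will fail catalog compilation for any `$uploaders` entry that has no record in that hash, which is worth guarding or documenting.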