1 # Class: profiles::debarchive
2 # ===========================
3 #
4 # This class defines a Debian package archive setup.
5 #
6 # Parameters
7 # ----------
8 #
9 # @param notification_email_address email address that will receive reports
10 # from mini-dinstall
11 #
12 # @param release_signing_keygrip GPG keygrip of the release signing key
13 #
14 # @param release_signing_keyid GPG key id of the release signing key
15 #
16 # @param release_signing_passphrase passphrase for the release signing key
17 #
18 # @param release_signing_private_key data of a GPG key that is used for
19 # release file signing
20 #
21 # @param uploaders a list of users that are allowed to dput
22 # files to the Debian archive
23 #
24 # Examples
25 # --------
26 #
27 # @example
28 # class roles::myhost {
29 # include profiles::debarchive
30 # }
31 #
32 # Authors
33 # -------
34 #
35 # Jan Dittberner <jandd@cacert.org>
36 #
37 # Copyright
38 # ---------
39 #
40 # Copyright 2019 Jan Dittberner
41 #
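class profiles::debarchive (
  String $notification_email_address,
  String $release_signing_keygrip,
  String $release_signing_keyid,
  String $release_signing_passphrase,
  String $release_signing_private_key,
  Array[String] $uploaders = [],
) {
  # NOTE: $notification_email_address and $release_signing_keyid are accepted
  # for interface compatibility but are not referenced by any resource below.
  include profiles::base

  # rssh relies on a setuid-root chroot helper. The package is installed
  # first (->) so the mode is applied to the file the package ships rather
  # than to an empty placeholder.
  package { ['rssh', 'reprepro']:
    ensure => latest,
  }
  -> file { 'ensure that suid bit on rssh_chroot_helper is set':
    ensure => present,
    path   => '/usr/lib/rssh/rssh_chroot_helper',
    owner  => 'root',
    group  => 'root',
    mode   => '4755',
  }

  $debarchive_home = '/srv/debarchive'
  $gpg_home        = "${debarchive_home}/.gnupg"
  $package_dir     = "${debarchive_home}/packages"
  $upload_chroot   = '/srv/upload'
  $incoming_dir    = "${upload_chroot}/incoming"

  # setup user, groups and directories
  # The dedicated group is removed; the archive user lives in 'nogroup'.
  group { 'debarchive':
    ensure => absent,
  }
  # Restricted shell plus purge_ssh_keys so only the keys managed below
  # (from $uploaders) can log in as this user.
  user { 'debarchive':
    ensure         => present,
    comment        => 'CAcert debian archive user',
    system         => true,
    gid            => 'nogroup',
    home           => $debarchive_home,
    shell          => '/usr/bin/rssh',
    purge_ssh_keys => true,
    require        => Package['rssh'],
  }
  file { $debarchive_home:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0711',
  }
  file { $upload_chroot:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { $incoming_dir:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # Populate the chroot once (creates => guard), then trim its passwd copy
  # down to root and debarchive whenever the chroot is (re)built.
  exec { "/bin/bash /usr/share/doc/rssh/examples/mkchroot.sh ${upload_chroot}":
    creates => "${upload_chroot}/usr/bin/rssh",
    require => [Package['rssh'], File[$upload_chroot]],
  }
  ~> exec { "/bin/sed -n -i '/^root:/p; /^debarchive:/p' ${upload_chroot}/etc/passwd":
    refreshonly => true,
  }

  $rssh_conf = '/etc/rssh.conf'

  concat { $rssh_conf:
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  concat::fragment { 'rssh-global':
    target => $rssh_conf,
    order  => '01',
    source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
  }

  # Per-user rssh line: "user:umask:access bits:chroot path"; the exact
  # meaning of the access bit string is defined by rssh, not here.
  concat::fragment { 'rssh-debarchive':
    target  => $rssh_conf,
    order   => '10',
    content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",
  }

  # setup ssh keys
  # Keys are looked up in profiles::base::users; an uploader missing there
  # (or without 'ssh_keys') fails catalog compilation rather than being
  # silently skipped.
  $uploaders.each |String $username| {
    $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
    $ssh_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "debarchive-${username}-${keyname}":
        ensure  => present,
        user    => 'debarchive',
        type    => $keydata['type'],
        key     => $keydata['key'],
        require => User['debarchive'],
      }
    }
  }

  # setup GPG home for signing
  file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log", "${debarchive_home}/scripts"]:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # Secret material: show_diff => false keeps the key and passphrase out of
  # agent logs and reports when the content changes.
  file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $release_signing_private_key,
    show_diff => false,
  }
  # The passphrase is stored on disk next to the key it protects; file
  # permissions are the only barrier between them.
  file { "${gpg_home}/passphrase":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $release_signing_passphrase,
    show_diff => false,
  }
  file { "${gpg_home}/gpg-agent.conf":
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => "log-file ${debarchive_home}/log/gpg-agent.log",
  }
  file { "${gpg_home}/pubring.kbx":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
  }
  file { "${gpg_home}/trustdb.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
  }
  file { "${debarchive_home}/cacert-keyring.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
  }

  # setup reprepro
  file { $package_dir:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0755',
  }
  file { "${package_dir}/conf":
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  concat { "${package_dir}/conf/distributions":
    ensure => present,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
  }

  # One stanza per distribution; the two trailing '' produce the blank
  # line reprepro uses to separate stanzas.
  concat::fragment { 'stretch-distribution':
    target  => "${package_dir}/conf/distributions",
    content => join([
      'Origin: CAcert Infrastructure Team',
      'Codename: stretch/cacert',
      'Architectures: amd64 source',
      'Components: main',
      '',
      ''], "\n"),
  }

  concat::fragment { 'buster-distribution':
    target  => "${package_dir}/conf/distributions",
    content => join([
      'Origin: CAcert Infrastructure Team',
      'Codename: buster/cacert',
      'Architectures: amd64 source',
      'Components: main',
      '',
      ''], "\n"),
  }
}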
236 }
237 }