Re-add key grip needed for private key
# Class: profiles::debarchive
# ===========================
#
# This class defines a Debian package archive setup: a chrooted rssh upload
# account that uploaders reach over SSH, and a reprepro repository whose
# Release files are signed with a GPG key managed by Puppet.
#
# Parameters
# ----------
#
# @param notification_email_address email address that will receive reports
# from the archive tooling (historically mini-dinstall; this class installs
# reprepro and does not currently reference the parameter)
#
# @param release_signing_key data of the GPG private key that is used for
# release file signing (a secret: it should come from encrypted Hiera data,
# not from plain-text configuration)
#
# @param release_signing_keygrip GPG keygrip of the release signing key
# (40 hexadecimal characters); it becomes the file name of the private key
# under .gnupg/private-keys-v1.d
#
# @param release_signing_keyid GPG key id of the release signing key
# (not currently referenced by this class; reprepro signs with the default
# key of the archive user's GPG home)
#
# @param uploaders a list of users that are allowed to dput
# files to the Debian archive; their SSH keys are taken from
# profiles::base::users and installed for the upload account
#
# Examples
# --------
#
# @example
# class roles::myhost {
#   include profiles::debarchive
# }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2019 Jan Dittberner
#
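class profiles::debarchive (
  String $notification_email_address,
  # Plain String is still accepted for existing Hiera data, but a
  # Sensitive[String] is preferred so the private key is redacted in the
  # catalog, in reports and in agent logs.
  Variant[String, Sensitive[String]] $release_signing_key,
  # A GnuPG keygrip is a 40-character hex digest.  The value is interpolated
  # into a file path below, so anything else (e.g. '../') is rejected at
  # compile time instead of becoming a file name under the GPG home.
  Pattern[/\A[0-9A-Fa-f]{40}\z/] $release_signing_keygrip,
  # NOTE(review): not referenced anywhere in this class; reprepro is configured
  # with 'SignWith: yes' (default key) rather than pinned to this id.
  String $release_signing_keyid,
  Array[String] $uploaders = [],
) {
  include profiles::base

  # 'latest' lets every Puppet run upgrade rssh and reprepro unattended; this
  # is a deliberate trade-off rather than a pinned version.  rssh is no longer
  # maintained upstream, so confirm it is still shipped by the Debian release
  # you target before relying on this profile.
  package { ['rssh', 'reprepro']:
    ensure => latest,
  }
  -> file { 'ensure that suid bit on rssh_chroot_helper is set':
    ensure => present,
    path   => '/usr/lib/rssh/rssh_chroot_helper',
    owner  => 'root',
    group  => 'root',
    # rssh needs its helper setuid root to chroot() uploaders into the jail;
    # this is the only setuid binary this profile manages.
    mode   => '4755',
  }

  $debarchive_home = '/srv/debarchive'
  $gpg_home        = "${debarchive_home}/.gnupg"
  $package_dir     = "${debarchive_home}/packages"
  $upload_chroot   = '/srv/upload'
  $incoming_dir    = "${upload_chroot}/incoming"

  # Never let the private key appear in clear text in the catalog or in
  # reports: wrap it unless the caller already passed a Sensitive value.
  # NOTE(review): requires a Puppet release whose file type accepts Sensitive
  # content — confirm against the agent version in use.
  $signing_key_content = $release_signing_key ? {
    Sensitive => $release_signing_key,
    default   => Sensitive($release_signing_key),
  }

  # setup user, groups and directories
  # The dedicated group is kept absent on purpose: the archive user is
  # created with gid 'nogroup' and all of its files are owned by that group.
  group { 'debarchive':
    ensure => absent,
  }
  user { 'debarchive':
    ensure         => present,
    comment        => 'CAcert debian archive user',
    system         => true,
    gid            => 'nogroup',
    home           => $debarchive_home,
    # rssh restricts the account to scp/sftp (see rssh.conf below); there is
    # no interactive shell for uploaders.
    shell          => '/usr/bin/rssh',
    # Any key not declared via $uploaders is removed, so revoking an uploader
    # is a matter of taking them out of the list.
    purge_ssh_keys => true,
    require        => Package['rssh'],
  }
  # 0711: world-traversable so the chroot/reprepro paths below resolve, but
  # not listable by other users.
  file { $debarchive_home:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0711',
  }
  # The chroot root itself must be root-owned and not writable by the jailed
  # user, otherwise the jail could be tampered with from inside.
  file { $upload_chroot:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { $incoming_dir:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # Populate the jail with rssh's example script once (guarded by 'creates'),
  # then reduce the copied passwd file to the two accounts the jail needs.
  exec { "/bin/bash /usr/share/doc/rssh/examples/mkchroot.sh ${upload_chroot}":
    creates => "${upload_chroot}/usr/bin/rssh",
    require => [Package['rssh'], File[$upload_chroot]],
  }
  ~> exec { "/bin/sed -n -i '/^root:/p; /^debarchive:/p' ${upload_chroot}/etc/passwd":
    refreshonly => true,
  }

  $rssh_conf = '/etc/rssh.conf'

  concat { $rssh_conf:
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  concat::fragment { 'rssh-global':
    target => $rssh_conf,
    order  => '01',
    source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
  }

  # Per-user rssh line: "user:umask:access bits:chroot path".  The access
  # bits select which of rssh's protocols the account may use; consult
  # rssh.conf(5) of the installed version for the exact bit order.
  concat::fragment { 'rssh-debarchive':
    target  => $rssh_conf,
    order   => '10',
    content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",
  }

  # setup ssh keys
  # Each uploader's keys from profiles::base::users are installed for the
  # shared 'debarchive' account; the key comment carries the uploader's name
  # so that an individual key can be traced back to a person.
  $uploaders.each |String $username| {
    # Fail with a readable message instead of an opaque nil-index error when
    # an uploader is not declared in profiles::base::users.
    unless $username in $::profiles::base::users {
      fail("profiles::debarchive: uploader '${username}' is not defined in profiles::base::users")
    }
    $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
    $ssh_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "debarchive-${username}-${keyname}":
        ensure  => present,
        user    => 'debarchive',
        type    => $keydata['type'],
        key     => $keydata['key'],
        require => User['debarchive'],
      }
    }
  }

  # setup GPG home for signing
  file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log"]:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # The private key in gpg-agent's native key store, named by its keygrip.
  # show_diff is disabled so a key rotation never prints the old and new
  # key material into the agent log or the report.
  file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $signing_key_content,
    show_diff => false,
  }
  file { "${gpg_home}/gpg-agent.conf":
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => "log-file ${debarchive_home}/log/gpg-agent.log",
  }
  # Public keyring and trust database are shipped from the Puppet file server.
  file { "${gpg_home}/pubring.kbx":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
  }
  file { "${gpg_home}/trustdb.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
  }
  file { "${debarchive_home}/cacert-keyring.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
  }

  # setup reprepro
  file { $package_dir:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0755',
  }
  file { "${package_dir}/conf":
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  concat { "${package_dir}/conf/distributions":
    ensure => 'present',
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
  }

  # 'SignWith: yes' signs with the default key of the GPG home above.
  # Pinning it to $release_signing_keyid would make the choice explicit if
  # more than one secret key ever ends up in that home.
  concat::fragment { 'stretch-distribution':
    target  => "${package_dir}/conf/distributions",
    content => join([
      'Origin: CAcert Infrastructure Team',
      'Codename: stretch/cacert',
      'Architectures: amd64 source',
      'Components: main',
      'SignWith: yes',
      '',
      ''], "\n"),
  }

  concat::fragment { 'buster-distribution':
    target  => "${package_dir}/conf/distributions",
    content => join([
      'Origin: CAcert Infrastructure Team',
      'Codename: buster/cacert',
      'Architectures: amd64 source',
      'Components: main',
      'SignWith: yes',
      '',
      ''], "\n"),
  }
}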