Remove passphrase from signing key
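# Class: profiles::debarchive
# ===========================
#
# This class defines a Debian package archive setup: a locked-down
# `debarchive` system user that receives uploads over scp/sftp (rssh) into a
# chroot, a GnuPG home that holds the release signing key, and a reprepro
# configuration for the supported distributions.
#
# Parameters
# ----------
#
# @param notification_email_address email address that will receive reports
#   from mini-dinstall (accepted for configuration data compatibility; this
#   class does not currently reference it)
#
# @param release_signing_keyid GPG key id of the release signing key. It is
#   written into reprepro's `SignWith:` so that signing does not depend on
#   whichever secret key gpg happens to pick first.
#
# @param release_signing_key data of a GPG key that is used for
#   release file signing. This is the (unencrypted) secret key file as stored
#   by gpg-agent in `private-keys-v1.d/`. Pass it wrapped in `Sensitive` so
#   the key material is redacted from catalogs, agent logs and reports; a plain
#   String is still accepted and wrapped internally.
#
# @param release_signing_keygrip keygrip (40 hex characters, see
#   `gpg --with-keygrip -K`) of the release signing key. gpg-agent stores the
#   secret key as `private-keys-v1.d/<keygrip>.key`, so the key file cannot be
#   placed without it. This is NOT the key id. Compilation fails if unset.
#
# @param uploaders a list of users that are allowed to dput
#   files to the Debian archive; their ssh keys are looked up in
#   `profiles::base::users`
#
# Examples
# --------
#
# @example
# class 'roles::myhost' {
# include profiles::debarchive
# }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2019 Jan Dittberner
#
class profiles::debarchive (
  String $notification_email_address,
  String $release_signing_keyid,
  Variant[String[1], Sensitive[String[1]]] $release_signing_key,
  Array[String] $uploaders = [],
  Optional[String[1]] $release_signing_keygrip = undef,
) {
  include profiles::base

  # The secret key file name is derived from the keygrip; without it the
  # resource below would try to manage "private-keys-v1.d/.key", which gpg
  # never reads. Fail loudly instead of deploying a broken signing setup.
  if $release_signing_keygrip =~ Undef {
    fail('profiles::debarchive: release_signing_keygrip must be set to the keygrip of the release signing key')
  }

  # Never let the private key leave the catalog in the clear: Sensitive
  # values are redacted from logs and reports. Callers may already pass a
  # Sensitive value; do not wrap it twice.
  $signing_key_secret = $release_signing_key ? {
    Sensitive => $release_signing_key,
    default   => Sensitive($release_signing_key),
  }

  # ensure => latest pulls in package updates on every agent run.
  package{ ['rssh', 'reprepro']:
    ensure => latest,
  } ->
  # rssh needs its chroot helper setuid root to enter the upload chroot.
  file { 'ensure that suid bit on rssh_chroot_helper is set':
    path   => '/usr/lib/rssh/rssh_chroot_helper',
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '4755',
  }

  $debarchive_home = '/srv/debarchive'
  $gpg_home        = "${debarchive_home}/.gnupg"
  $package_dir     = "${debarchive_home}/packages"
  $upload_chroot   = '/srv/upload'
  $incoming_dir    = "${upload_chroot}/incoming"

  # setup user, groups and directories
  # The archive user lives in 'nogroup'; a dedicated group of the same name is
  # explicitly removed.
  group { 'debarchive':
    ensure => absent,
  }
  user { 'debarchive':
    ensure         => present,
    comment        => 'CAcert debian archive user',
    system         => true,
    gid            => 'nogroup',
    home           => $debarchive_home,
    shell          => '/usr/bin/rssh',
    purge_ssh_keys => true,
    require        => Package['rssh'],
  }
  file { $debarchive_home:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0711',
  }
  # The chroot root must be owned by root and not group/world writable for
  # rssh_chroot_helper to accept it.
  file { $upload_chroot:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { $incoming_dir:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # Populate the chroot once (guarded by 'creates'), then strip every account
  # except root and debarchive from the copied passwd file.
  exec { "/bin/bash /usr/share/doc/rssh/examples/mkchroot.sh ${upload_chroot}":
    creates => "${upload_chroot}/usr/bin/rssh",
    require => [Package['rssh'], File[$upload_chroot]],
  } ~>
  exec { "/bin/sed -n -i '/^root:/p; /^debarchive:/p' ${upload_chroot}/etc/passwd":
    refreshonly => true,
  }

  $rssh_conf = '/etc/rssh.conf'

  concat { $rssh_conf:
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  concat::fragment { 'rssh-global':
    target => $rssh_conf,
    order  => '01',
    source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
  }

  # user = "name:umask:access bits:chroot" -- only the sftp and scp bits are
  # enabled for the archive user.
  concat::fragment { 'rssh-debarchive':
    target  => $rssh_conf,
    order   => '10',
    content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",
  }

  # setup ssh keys
  # Every uploader's keys are authorized for the shared debarchive account
  # (purge_ssh_keys on the user removes keys no longer listed here).
  # NOTE(review): rssh restricts the command, not the sshd session features;
  # consider adding options => ['no-port-forwarding', 'no-X11-forwarding',
  # 'no-agent-forwarding', 'no-pty'] -- confirm dput/scp still work first.
  $uploaders.each |String $username| {
    $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
    $ssh_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "debarchive-${username}-${keyname}":
        ensure  => present,
        user    => 'debarchive',
        type    => $keydata['type'],
        key     => $keydata['key'],
        require => User['debarchive'],
      }
    }
  }

  # setup GPG home for signing
  file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log", "${debarchive_home}/scripts"]:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # gpg-agent's secret key store; show_diff is disabled so the key material
  # is never printed into agent output or reports.
  file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $signing_key_secret,
    show_diff => false,
  }
  file { "${gpg_home}/gpg-agent.conf":
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => "log-file ${debarchive_home}/log/gpg-agent.log",
  }
  file { "${gpg_home}/pubring.kbx":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
  }
  # NOTE(review): gpg rewrites trustdb.gpg on its own; if Puppet keeps
  # restoring this file on every run, consider replace => false.
  file { "${gpg_home}/trustdb.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
  }
  file { "${debarchive_home}/cacert-keyring.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
  }

  # setup reprepro
  file { $package_dir:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0755',
  }
  file { "${package_dir}/conf":
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  concat { "${package_dir}/conf/distributions":
    ensure => 'present',
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
  }

  # One distribution stanza per supported Debian release. SignWith names the
  # configured key id explicitly instead of 'yes' (= gpg's default key), so
  # an additional secret key in the keyring cannot silently change which key
  # signs the Release files.
  ['stretch', 'buster'].each |String $codename| {
    concat::fragment { "${codename}-distribution":
      target  => "${package_dir}/conf/distributions",
      content => join([
        'Origin: CAcert Infrastructure Team',
        "Codename: ${codename}/cacert",
        'Architectures: amd64 source',
        'Components: main',
        "SignWith: ${release_signing_keyid}",
        '',
        ''], "\n"),
    }
  }
}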