Fix dependency declaration for debarchive service
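# Class: profiles::debarchive
# ===========================
#
# This class defines a mini-dinstall based Debian package archive setup.
#
# Everything lives under /srv/debarchive, owned by the system user
# 'debarchive' (primary group 'nogroup'). Uploads arrive via SFTP in
# /srv/upload/incoming; release files are signed by the sign_release script
# using a GPG private key and passphrase that this class writes to disk.
#
# Parameters
# ----------
#
# @param notification_email_address email address that will receive reports
#   from mini-dinstall (rendered into .mini-dinstall.conf)
#
# @param release_signing_keygrip GPG keygrip of the release signing key; it
#   names the private key file written below $gpghome/private-keys-v1.d
#
# @param release_signing_keyid GPG key id of the release signing key, passed
#   to the sign_release script template
#
# @param release_signing_passphrase passphrase for the release signing key;
#   written in clear text to $gpghome/passphrase (owner debarchive, mode 0600)
#
# @param release_signing_private_key data of a GPG key that is used for
#   release file signing; written to $gpghome/private-keys-v1.d/<keygrip>.key
#
# @param uploaders a list of users that are allowed to dput files to the
#   Debian archive; every name must exist in profiles::base::users with an
#   'ssh_keys' entry, otherwise catalog compilation fails
#
# Examples
# --------
#
# @example
#   class roles::myhost {
#     include profiles::debarchive
#   }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2019 Jan Dittberner
#
class profiles::debarchive (
  String $notification_email_address,
  String $release_signing_keygrip,
  String $release_signing_keyid,
  String $release_signing_passphrase,
  String $release_signing_private_key,
  Array[String] $uploaders = [],
) {
  # profiles::base provides $profiles::base::users, which the uploader loop
  # below reads for SSH keys.
  include profiles::base

  package { 'mini-dinstall':
    ensure => latest,
  }

  # The archive user runs under 'nogroup'; a dedicated group is not wanted.
  # Order the removal after the user so the group is no longer the account's
  # primary group when it is deleted (groupdel refuses otherwise).
  group { 'debarchive':
    ensure  => absent,
    require => User['debarchive'],
  }
  user { 'debarchive':
    ensure         => present,
    comment        => 'CAcert debian archive user',
    system         => true,
    gid            => 'nogroup',
    home           => '/srv/debarchive',
    shell          => '/bin/false',
    # Drop any authorized key that is not declared in this catalog.
    purge_ssh_keys => true,
  }

  # Home directory is traversable but not listable by others (0711); the
  # upload root stays root-owned so uploaders cannot create siblings of
  # 'incoming'.
  file { '/srv/debarchive':
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0711',
  }
  file { '/srv/upload':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/srv/upload/incoming':
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  # SSH keys of uploaders. Each key is pinned to the SFTP subsystem and may
  # not open forwarding channels or a pty, so the key can only be used to
  # place files into the upload directory, nothing else.
  $uploaders.each |String $username| {
    $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
    $ssh_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "debarchive-${username}-${keyname}":
        ensure  => present,
        user    => 'debarchive',
        type    => $keydata['type'],
        key     => $keydata['key'],
        options => [
          'command="internal-sftp"',
          'no-agent-forwarding',
          'no-port-forwarding',
          'no-X11-forwarding',
          'no-pty',
        ],
        require => User['debarchive'],
      }
    }
  }

  file { '/srv/debarchive/.mini-dinstall.conf':
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => epp('profiles/debarchive/mini-dinstall.conf.epp',
      { mail_to => $notification_email_address, }
    ),
  }

  $gpghome = '/srv/debarchive/.gnupg'

  file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  # Private key material and passphrase for the release signing key. Both
  # are secrets: show_diff => false keeps them out of agent reports and
  # logs, backup => false keeps them out of the filebucket.
  # NOTE(review): wrapping the two parameters in Sensitive[String] would also
  # redact them in the catalog; confirm the deployed Puppet version supports
  # Sensitive file content before changing the parameter types.
  file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $release_signing_private_key,
    show_diff => false,
    backup    => false,
  }
  file { "${gpghome}/passphrase":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $release_signing_passphrase,
    show_diff => false,
    backup    => false,
  }
  file { "${gpghome}/gpg-agent.conf":
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => 'log-file /srv/debarchive/log/gpg-agent.log',
  }
  # Public keyring and trust database are shipped as static module files.
  file { "${gpghome}/pubring.kbx":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
  }
  file { "${gpghome}/trustdb.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
  }
  file { '/srv/debarchive/cacert-keyring.gpg':
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
  }

  # The signing script needs the complete GnuPG home in place before it can
  # be used, hence the explicit requires.
  file { '/srv/debarchive/scripts/sign_release':
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0700',
    content => epp('profiles/debarchive/sign_release.epp',
      {
        key_id => $release_signing_keyid,
      }
    ),
    require => [
      File["${gpghome}/gpg-agent.conf"],
      File["${gpghome}/passphrase"],
      File["${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key"],
      File["${gpghome}/pubring.kbx"],
      File["${gpghome}/trustdb.gpg"],
    ],
  }

  file { '/etc/systemd/system/debarchive.service':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/profiles/debarchive/debarchive.service',
  }
  # The command path was misspelled ('sytemctl'), so a changed unit file
  # never triggered a daemon-reload and the subsequent service restart ran
  # against the stale unit definition.
  exec { 'reload systemd when debarchive.service unit changes':
    command     => '/bin/systemctl daemon-reload',
    refreshonly => true,
    subscribe   => File['/etc/systemd/system/debarchive.service'],
    notify      => Service['debarchive'],
  }
  # TODO(review): consider subscribing the service to .mini-dinstall.conf if
  # mini-dinstall does not pick up configuration changes at runtime; not
  # changed here because that behaviour is not established by this manifest.
  service { 'debarchive':
    ensure  => running,
    enable  => true,
    require => [
      File['/srv/debarchive/.mini-dinstall.conf'],
      File['/srv/debarchive/cacert-keyring.gpg'],
      File['/srv/debarchive/scripts/sign_release'],
      File['/srv/upload/incoming'],
      Package['mini-dinstall'],
      User['debarchive'],
    ],
  }
}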