Use double quotes to allow newline
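# Class: profiles::debarchive
# ===========================
#
# This class defines a Debian package archive setup: a dedicated
# `debarchive` system user whose login shell is rssh, an upload area for
# dput, and a GPG home directory holding the release signing key.
#
# Parameters
# ----------
#
# @param notification_email_address email address that will receive reports
# from mini-dinstall (accepted by this class but not referenced by any of
# its resources)
#
# @param release_signing_keygrip GPG keygrip of the release signing key; it
# is used verbatim as the file name of the private key below
# `private-keys-v1.d`, so it must be the 40 hex digit keygrip as printed by
# `gpg --with-keygrip` (no path separators or other characters)
#
# @param release_signing_keyid GPG key id of the release signing key
# (accepted by this class but not referenced by any of its resources)
#
# @param release_signing_passphrase passphrase for the release signing key
#
# @param release_signing_private_key data of a GPG key that is used for
# release file signing
#
# @param uploaders a list of users that are allowed to dput
# files to the Debian archive; every name must be a key of
# `profiles::base::users` whose value carries an `ssh_keys` array
#
# Examples
# --------
#
# @example
# class 'roles::myhost' {
# include profiles::debarchive
# }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2019 Jan Dittberner
#
class profiles::debarchive (
  String $notification_email_address,
  # Restricting the keygrip to hex digits keeps the private key file inside
  # the GPG home; a keygrip is only ever 40 hex digits.
  Pattern[/\A[0-9A-Fa-f]{40}\z/] $release_signing_keygrip,
  String $release_signing_keyid,
  String $release_signing_passphrase,
  String $release_signing_private_key,
  Array[String] $uploaders = [],
) {
  include profiles::base

  # `latest` upgrades both packages on every agent run whenever the
  # configured apt sources ship a newer version.
  package{ ['rssh', 'reprepro']:
    ensure => latest,
  }

  # setup user, groups and directories
  # The archive user lives in `nogroup`; a group of the same name is kept
  # absent explicitly.
  group { 'debarchive':
    ensure => absent,
  }
  # rssh as login shell limits the account to the operations allowed in
  # /etc/rssh.conf; purge_ssh_keys removes any authorized key that is not
  # managed by the ssh_authorized_key resources below.
  user { 'debarchive':
    ensure         => present,
    comment        => 'CAcert debian archive user',
    system         => true,
    gid            => 'nogroup',
    home           => '/srv/debarchive',
    shell          => '/usr/bin/rssh',
    purge_ssh_keys => true,
    require        => Package['rssh'],
  }
  # 0711 lets other accounts traverse the home directory without listing it.
  file { '/srv/debarchive':
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0711',
  }
  file { '/srv/upload':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/srv/upload/incoming':
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  $rssh_conf = '/etc/rssh.conf'

  concat { $rssh_conf:
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  concat::fragment { 'rssh-global':
    target => $rssh_conf,
    order  => '01',
    source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
  }

  # Per-user rssh line: the double-quoted string is needed so the trailing
  # newline is part of the fragment.
  concat::fragment { 'rssh-debarchive':
    target  => $rssh_conf,
    order   => '10',
    content => "user = \"debarchive:022:0001100:/srv/upload\"\n",
  }

  # setup ssh keys
  $uploaders.each |String $username| {
    # Fail with a message that names the offending entry instead of the
    # generic "[] is not applicable to an Undef Value" error that an unknown
    # user name would otherwise produce.
    unless $::profiles::base::users[$username] =~ Hash {
      fail("profiles::debarchive: uploader '${username}' is not defined in profiles::base::users")
    }
    $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
    unless $ssh_keys =~ Array {
      fail("profiles::debarchive: uploader '${username}' has no ssh_keys entry in profiles::base::users")
    }
    $ssh_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "debarchive-${username}-${keyname}":
        ensure  => present,
        user    => 'debarchive',
        type    => $keydata['type'],
        key     => $keydata['key'],
        require => User['debarchive'],
      }
    }
  }

  # setup GPG home for signing
  $gpghome = '/srv/debarchive/.gnupg'

  file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # Secret material: show_diff => false keeps the key and passphrase bytes
  # out of agent logs and reports when the content changes. Wrapping the
  # two parameters in Sensitive would additionally redact them from the
  # catalog; that requires callers to pass Sensitive values, so it is left
  # to a follow-up.
  file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    show_diff => false,
    content   => $release_signing_private_key,
  }
  # The passphrase sits next to the key it protects, so the 0600 mode on
  # both files (and the 0700 directory) is what actually guards the key at
  # rest; the passphrase only serves unattended signing.
  file { "${gpghome}/passphrase":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    show_diff => false,
    content   => $release_signing_passphrase,
  }
  file { "${gpghome}/gpg-agent.conf":
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => 'log-file /srv/debarchive/log/gpg-agent.log',
  }
  file { "${gpghome}/pubring.kbx":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
  }
  file { "${gpghome}/trustdb.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
  }
  file { '/srv/debarchive/cacert-keyring.gpg':
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
  }
}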