1 # Class: profiles::debarchive
2 # ===========================
3 #
4 # This class defines a Debian package archive setup.
5 #
6 # Parameters
7 # ----------
8 #
9 # @param notification_email_address email address intended to receive
10 # archive reports. It was consumed by mini-dinstall, which this class now
10 # removes, so the class itself no longer reads the value; it is kept in
10 # the signature so existing Hiera data keeps compiling.
11 #
12 # @param release_signing_keygrip GPG keygrip of the release signing key
13 #
14 # @param release_signing_keyid GPG key id of the release signing key (not
14 # referenced by this class itself; the keygrip is what selects the key file)
15 #
16 # @param release_signing_passphrase passphrase for the release signing key;
16 # it is written in clear text to the debarchive user's GPG home (mode 0600)
17 #
18 # @param release_signing_private_key data of a GPG key that is used for
19 # release file signing
20 #
21 # @param uploaders a list of users that are allowed to dput
22 # files to the Debian archive
23 #
24 # Examples
25 # --------
26 #
27 # @example
28 # class roles::myhost {
29 # include profiles::debarchive
30 # }
31 #
32 # Authors
33 # -------
34 #
35 # Jan Dittberner <jandd@cacert.org>
36 #
37 # Copyright
38 # ---------
39 #
40 # Copyright 2019 Jan Dittberner
41 #
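class profiles::debarchive (
  String $notification_email_address,
  String $release_signing_keygrip,
  String $release_signing_keyid,
  String $release_signing_passphrase,
  String $release_signing_private_key,
  Array[String] $uploaders = [],
) {
  include profiles::base

  # Tear down the earlier mini-dinstall based setup: purge the package, stop
  # and disable its systemd unit, remove the unit file and the old config.
  # $notification_email_address was only consumed by mini-dinstall and is
  # deliberately left unused here so existing Hiera data keeps compiling.
  package { 'mini-dinstall':
    ensure => purged,
  }
  service { 'debarchive':
    ensure => stopped,
    enable => false,
  }
  file { '/etc/systemd/system/debarchive.service':
    ensure => absent,
  }
  # systemd has to forget the unit once its file is gone; the refresh is
  # chained to the service so the (now unknown) unit is still stopped.
  exec { 'reload systemd when debarchive.service unit changes':
    command     => '/bin/systemctl daemon-reload',
    refreshonly => true,
    subscribe   => File['/etc/systemd/system/debarchive.service'],
    notify      => Service['debarchive'],
  }
  file { '/srv/debarchive/.mini-dinstall.conf':
    ensure => absent,
  }

  # User, group and directory layout.
  #
  # The dedicated 'debarchive' group is being retired. The user is moved to
  # 'nogroup' before the group is removed: groupdel refuses to delete a group
  # that is still some user's primary group, which would otherwise make the
  # first run fail and only converge on the second.
  user { 'debarchive':
    ensure         => present,
    comment        => 'CAcert debian archive user',
    system         => true,
    gid            => 'nogroup',
    home           => '/srv/debarchive',
    shell          => '/bin/false',
    # drop any authorized_keys entries that are not declared below
    purge_ssh_keys => true,
  }
  group { 'debarchive':
    ensure  => absent,
    require => User['debarchive'],
  }
  # 0711: others may traverse into the home (needed to reach subdirectories)
  # but not list it.
  file { '/srv/debarchive':
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0711',
  }
  file { '/srv/upload':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/srv/upload/incoming':
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }

  # Upload access: every SSH key of each listed uploader (looked up in
  # profiles::base::users) is authorized for the shared 'debarchive' account.
  # A username missing from profiles::base::users fails the catalog, which is
  # intended. NOTE(review): no key options (e.g. 'restrict', forced command)
  # are applied here; whether that is acceptable depends on the sshd
  # configuration for this account, which is not managed in this class.
  $uploaders.each |String $username| {
    $user_keys = $::profiles::base::users[$username]['ssh_keys']
    $user_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "debarchive-${username}-${keyname}":
        ensure  => present,
        user    => 'debarchive',
        type    => $keydata['type'],
        key     => $keydata['key'],
        require => User['debarchive'],
      }
    }
  }

  # GPG home used for Release file signing.
  $gpghome = '/srv/debarchive/.gnupg'

  file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
    ensure => directory,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0700',
  }
  # The private key and its passphrase are secrets: show_diff => false keeps
  # them out of agent logs and reports when the content changes, and
  # backup => false keeps superseded copies out of the filebucket.
  file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $release_signing_private_key,
    show_diff => false,
    backup    => false,
  }
  file { "${gpghome}/passphrase":
    ensure    => file,
    owner     => 'debarchive',
    group     => 'nogroup',
    mode      => '0600',
    content   => $release_signing_passphrase,
    show_diff => false,
    backup    => false,
  }
  file { "${gpghome}/gpg-agent.conf":
    ensure  => file,
    owner   => 'debarchive',
    group   => 'nogroup',
    mode    => '0600',
    content => 'log-file /srv/debarchive/log/gpg-agent.log',
  }
  # Public keyring and trust database are shipped as static module files.
  file { "${gpghome}/pubring.kbx":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
  }
  file { "${gpghome}/trustdb.gpg":
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
  }
  file { '/srv/debarchive/cacert-keyring.gpg':
    ensure => file,
    owner  => 'debarchive',
    group  => 'nogroup',
    mode   => '0600',
    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
  }
}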
170 }
171 }