Remove passphrase from signing key
[cacert-puppet.git] / sitemodules / profiles / manifests / debarchive.pp
index 5281c4b..eb89f3e 100644 (file)
@@ -1,25 +1,21 @@
 # Class: profiles::debarchive
 # ===========================
 #
-# This class defines a mini-dinstall based Debian package archive setup.
+# This class defines a Debian package archive setup.
 #
 # Parameters
 # ----------
 #
-# @param notification_email_address  email address that will receive reports
-#                                    from mini-dinstall
+# @param notification_email_address email address that will receive reports
+#                                   from mini-dinstall
 #
-# @param release_signing_keygrip     GPG keygrip of the release signing key
+# @param release_signing_keyid      GPG key id of the release signing key
 #
-# @param release_signing_keyid       GPG key id of the release signing key
+# @param release_signing_key        data of a GPG key that is used for
+#                                   release file signing
 #
-# @param release_signing_passphrase  passphrase for the release signing key
-#
-# @param release_signing_private_key data of a GPG key that is used for
-#                                    release file signing
-#
-# @param uploaders                   a list of users that are allowed to dput
-#                                    files to the Debian archive
+# @param uploaders                  a list of users that are allowed to dput
+#                                   files to the Debian archive
 #
 # Examples
 # --------
 #
 class profiles::debarchive (
   String $notification_email_address,
-  String $release_signing_keygrip,
   String $release_signing_keyid,
-  String $release_signing_passphrase,
-  String $release_signing_private_key,
+  String $release_signing_key,
   Array[String] $uploaders = [],
 ) {
   include profiles::base
 
-  package { 'mini-dinstall':
+  package{ ['rssh', 'reprepro']:
     ensure => latest,
+  } ->
+  file { 'ensure that suid bit on rssh_chroot_helper is set':
+    path   => '/usr/lib/rssh/rssh_chroot_helper',
+    ensure => present,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '4755',
   }
+
+  $debarchive_home = '/srv/debarchive'
+  $gpg_home = "${debarchive_home}/.gnupg"
+  $package_dir = "${debarchive_home}/packages"
+  $upload_chroot = '/srv/upload'
+  $incoming_dir = "${upload_chroot}/incoming"
+
+  # setup user, groups and directories
   group { 'debarchive':
     ensure => absent,
   }
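Review bot: With the passphrase gone, the `String $release_signing_key` parameter now carries an unencrypted private key, so it should be declared `Sensitive[String] $release_signing_key` so Puppet redacts it in the catalog, reports and agent logs rather than treating it like any other string. The parameter list also drops `$release_signing_keygrip`, but the key file resource further down still interpolates `${release_signing_keygrip}` in its path, so that reference has to go too or the parameter has to stay. The doc comment for `release_signing_key` would be clearer as `@param release_signing_key  unencrypted gpg-agent private key file contents (private-keys-v1.d/<keygrip>.key) used for release file signing`, since that is how the value is written to disk. `$release_signing_keyid` no longer appears to be referenced anywhere in the new code; if it is meant to drive `SignWith`, wire it in, otherwise drop it.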
@@ -60,29 +69,59 @@ class profiles::debarchive (
     comment        => 'CAcert debian archive user',
     system         => true,
     gid            => 'nogroup',
-    home           => '/srv/debarchive',
-    shell          => '/bin/false',
+    home           => $debarchive_home,
+    shell          => '/usr/bin/rssh',
     purge_ssh_keys => true,
+    require        => Package['rssh'],
   }
-  file { '/srv/debarchive':
+  file { $debarchive_home:
     ensure => directory,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0711',
   }
-  file { '/srv/upload':
+  file { $upload_chroot:
     ensure => directory,
     owner  => 'root',
     group  => 'root',
     mode   => '0755',
   }
-  file { '/srv/upload/incoming':
+  file { $incoming_dir:
     ensure => directory,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0700',
   }
+  exec { "/bin/bash /usr/share/doc/rssh/examples/mkchroot.sh ${upload_chroot}":
+    creates => "${upload_chroot}/usr/bin/rssh",
+    require => [Package['rssh'], File[$upload_chroot]],
+  } ~>
+  exec { "/bin/sed -n -i '/^root:/p; /^debarchive:/p' ${upload_chroot}/etc/passwd":
+    refreshonly => true,
+  }
+
+  $rssh_conf = '/etc/rssh.conf'
+
+  concat { $rssh_conf:
+    ensure => present,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
 
+  concat::fragment { 'rssh-global':
+    target => $rssh_conf,
+    order  => '01',
+    source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
+  }
+
+  concat::fragment { 'rssh-debarchive':
+    target  => $rssh_conf,
+    order   => '10',
+    content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",
+  }
+
+  # setup ssh keys
   $uploaders.each |String $username| {
     $ssh_keys = $::profiles::base::users[$username]['ssh_keys']
     $ssh_keys.each |Hash[String, Data] $keydata| {
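Review bot: The chroot built by the `mkchroot.sh` exec is guarded by `creates => "${upload_chroot}/usr/bin/rssh"`, so once it exists it is never rebuilt, while `package { ['rssh', 'reprepro']: ensure => latest }` keeps upgrading the rssh binary and libraries on the host; the copies inside the chroot will drift from the host and miss security updates. Consider subscribing the exec to `Package['rssh']` (dropping `creates` or adding a `refresh` command) so the chroot is regenerated on upgrades, and note that the follow-up `sed` filter on `${upload_chroot}/etc/passwd` only runs on the initial refresh. Separately, rssh is, as far as I recall, unmaintained upstream and had argument-injection issues in its scp/rsync handling; since the previous setup already used OpenSSH's `internal-sftp`, an sshd `Match User debarchive` block with `ChrootDirectory` and `ForceCommand internal-sftp` would give the same restriction without the setuid `rssh_chroot_helper`. The `$uploaders.each` block starts here and continues outside the hunk.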
@@ -92,113 +131,96 @@ class profiles::debarchive (
         user    => 'debarchive',
         type    => $keydata['type'],
         key     => $keydata['key'],
-        options => 'command="internal-sftp"',
         require => User['debarchive'],
       }
     }
   }
 
-  file { '/srv/debarchive/.mini-dinstall.conf':
-    ensure  => file,
-    owner   => 'debarchive',
-    group   => 'nogroup',
-    mode    => '0600',
-    content => epp('profiles/debarchive/mini-dinstall.conf.epp',
-      { mail_to => $notification_email_address, }
-    ),
-  }
-
-  $gpghome = '/srv/debarchive/.gnupg'
-
-  file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
+  # setup GPG home for signing
+  file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log", "${debarchive_home}/scripts"]:
     ensure => directory,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0700',
   }
-  file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
+  file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
     ensure  => file,
     owner   => 'debarchive',
     group   => 'nogroup',
     mode    => '0600',
-    content => $release_signing_private_key,
+    content => $release_signing_key,
   }
-  file { "${gpghome}/passphrase":
+  file { "${gpg_home}/gpg-agent.conf":
     ensure  => file,
     owner   => 'debarchive',
     group   => 'nogroup',
     mode    => '0600',
-    content => $release_signing_passphrase,
+    content => "log-file ${debarchive_home}/log/gpg-agent.log",
   }
-  file { "${gpghome}/gpg-agent.conf":
-    ensure  => file,
-    owner   => 'debarchive',
-    group   => 'nogroup',
-    mode    => '0600',
-    content => 'log-file /srv/debarchive/log/gpg-agent.log',
-  }
-  file { "${gpghome}/pubring.kbx":
+  file { "${gpg_home}/pubring.kbx":
     ensure => file,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
   }
-  file { "${gpghome}/trustdb.gpg":
+  file { "${gpg_home}/trustdb.gpg":
     ensure => file,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
   }
-  file { '/srv/debarchive/cacert-keyring.gpg':
+  file { "${debarchive_home}/cacert-keyring.gpg":
     ensure => file,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
   }
-  file { '/srv/debarchive/scripts/sign_release':
-    ensure  => file,
+
+  # setup reprepro
+  file { $package_dir:
+    ensure => directory,
+    owner  => 'debarchive',
+    group  => 'nogroup',
+    mode   => '0755',
+  }
+  file { "${package_dir}/conf":
+    ensure => directory,
+    owner  => 'debarchive',
+    group  => 'nogroup',
+    mode   => '0700',
+  }
+
+  concat { "${package_dir}/conf/distributions":
+    ensure  => 'present',
     owner   => 'debarchive',
     group   => 'nogroup',
-    mode    => '0700',
-    content => epp('profiles/debarchive/sign_release.epp',
-      {
-        key_id => $release_signing_keyid,
-      }
-    ),
-    require => [
-      File["${gpghome}/gpg-agent.conf"],
-      File["${gpghome}/passphrase"],
-      File["${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key"],
-      File["${gpghome}/pubring.kbx"],
-      File["${gpghome}/trustdb.gpg"],
-    ],
-  }
-  file { '/etc/systemd/system/debarchive.service':
-    ensure => file,
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0644',
-    source => 'puppet:///modules/profiles/debarchive/debarchive.service',
+    mode    => '0600',
   }
-  exec { 'reload systemd when debarchive.service unit changes':
-    command     => '/bin/sytemctl daemon-reload',
-    refreshonly => true,
-    subscribe   => File['/etc/systemd/system/debarchive.service'],
-    notify      => Service['debarchive'],
-  }
-  service { 'debarchive':
-    ensure  => running,
-    enable  => true,
-    require => [
-      File['/srv/debarchive/.mini-dinstall.conf'],
-      File['/srv/debarchive/archive/mini-dinstall/incoming'],
-      File['/srv/debarchive/cacert-keyring.gpg'],
-      File['/srv/debarchive/scripts/sign_release'],
-      Package['mini-dinstall'],
-      User['debarchive'],
-    ],
+
+  concat::fragment { 'stretch-distribution':
+    target  => "${package_dir}/conf/distributions",
+    content => join([
+      'Origin: CAcert Infrastructure Team',
+      'Codename: stretch/cacert',
+      'Architectures: amd64 source',
+      'Components: main',
+      'SignWith: yes',
+      '',
+      ''], "\n"),
+  }
+
+  concat::fragment { 'buster-distribution':
+    target  => "${package_dir}/conf/distributions",
+    content => join([
+      'Origin: CAcert Infrastructure Team',
+      'Codename: buster/cacert',
+      'Architectures: amd64 source',
+      'Components: main',
+      'SignWith: yes',
+      '',
+      ''], "\n"),
   }
 }
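Review bot: The private key file resource still uses `"${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key"`, but `$release_signing_keygrip` was removed from the class parameters in this commit, so with `strict_variables` the catalog fails to compile and otherwise the key is written to `private-keys-v1.d/.key`, which gpg-agent will not pick up. Because the content is now an unencrypted key, that resource should also carry `show_diff => false` (and take a `Sensitive` value) so the key material never ends up in reports when the file changes. In both `distributions` fragments `SignWith: yes` makes reprepro sign with gpg's default key; `SignWith: ${release_signing_keyid}` would pin the intended key and gives the otherwise unused `$release_signing_keyid` parameter a purpose. The old mini-dinstall service and `sign_release` script are removed, but nothing visible here processes `${incoming_dir}` into reprepro; presumably that is handled elsewhere, but it is worth confirming.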