Remove passphrase from signing key
[cacert-puppet.git] / sitemodules / profiles / manifests / debarchive.pp
index d684379..eb89f3e 100644 (file)
@@ -6,20 +6,16 @@
 # Parameters
 # ----------
 #
-# @param notification_email_address  email address that will receive reports
-#                                    from mini-dinstall
+# @param notification_email_address email address that will receive reports
+#                                   from mini-dinstall
 #
-# @param release_signing_keygrip     GPG keygrip of the release signing key
+# @param release_signing_keyid      GPG key id of the release signing key
 #
-# @param release_signing_keyid       GPG key id of the release signing key
+# @param release_signing_key        data of a GPG key that is used for
+#                                   release file signing
 #
-# @param release_signing_passphrase  passphrase for the release signing key
-#
-# @param release_signing_private_key data of a GPG key that is used for
-#                                    release file signing
-#
-# @param uploaders                   a list of users that are allowed to dput
-#                                    files to the Debian archive
+# @param uploaders                  a list of users that are allowed to dput
+#                                   files to the Debian archive
 #
 # Examples
 # --------
 #
 class profiles::debarchive (
   String $notification_email_address,
-  String $release_signing_keygrip,
   String $release_signing_keyid,
-  String $release_signing_passphrase,
-  String $release_signing_private_key,
+  String $release_signing_key,
   Array[String] $uploaders = [],
 ) {
   include profiles::base
 
   package{ ['rssh', 'reprepro']:
     ensure => latest,
+  } ->
+  file { 'ensure that suid bit on rssh_chroot_helper is set':
+    path   => '/usr/lib/rssh/rssh_chroot_helper',
+    ensure => present,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '4755',
   }
 
+  $debarchive_home = '/srv/debarchive'
+  $gpg_home = "${debarchive_home}/.gnupg"
+  $package_dir = "${debarchive_home}/packages"
+  $upload_chroot = '/srv/upload'
+  $incoming_dir = "${upload_chroot}/incoming"
+
   # setup user, groups and directories
   group { 'debarchive':
     ensure => absent,
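Review bot: `$release_signing_keygrip` is removed from the parameter list here (L35) and from the header comment, but the last hunk of this diff still interpolates it in `file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":`, so the private key either lands in `private-keys-v1.d/.key` or, with strict variables enabled, the catalog fails to compile; gpg-agent only finds a private key under its keygrip name, so release signing breaks either way. Keep the parameter (`String $release_signing_keygrip,` plus its restored `@param release_signing_keygrip GPG keygrip of the release signing key` line) or compute the keygrip some other way before that file resource. The doc line for the remaining parameter should also say what it holds: `# @param release_signing_key private key data (gpg-agent private-keys-v1.d format) of the release signing key`, since the value is written straight into the agent's private key store.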
@@ -62,29 +69,36 @@ class profiles::debarchive (
     comment        => 'CAcert debian archive user',
     system         => true,
     gid            => 'nogroup',
-    home           => '/srv/debarchive',
+    home           => $debarchive_home,
     shell          => '/usr/bin/rssh',
     purge_ssh_keys => true,
     require        => Package['rssh'],
   }
-  file { '/srv/debarchive':
+  file { $debarchive_home:
     ensure => directory,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0711',
   }
-  file { '/srv/upload':
+  file { $upload_chroot:
     ensure => directory,
     owner  => 'root',
     group  => 'root',
     mode   => '0755',
   }
-  file { '/srv/upload/incoming':
+  file { $incoming_dir:
     ensure => directory,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0700',
   }
+  exec { "/bin/bash /usr/share/doc/rssh/examples/mkchroot.sh ${upload_chroot}":
+    creates => "${upload_chroot}/usr/bin/rssh",
+    require => [Package['rssh'], File[$upload_chroot]],
+  } ~>
+  exec { "/bin/sed -n -i '/^root:/p; /^debarchive:/p' ${upload_chroot}/etc/passwd":
+    refreshonly => true,
+  }
 
   $rssh_conf = '/etc/rssh.conf'
 
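Review bot: The chroot built by `exec { "/bin/bash /usr/share/doc/rssh/examples/mkchroot.sh ${upload_chroot}":` runs exactly once because of `creates => "${upload_chroot}/usr/bin/rssh"`, so the binaries and shared libraries it copies into `${upload_chroot}` are never refreshed by later package upgrades on the host, and the chained `sed` that reduces the chroot's `etc/passwd` to the root and debarchive entries only fires on that first run as well. That may be acceptable for this host, but it should be stated above the exec, e.g. `# mkchroot.sh populates the chroot once (creates =>); copied binaries and libraries are not updated by package upgrades and the chroot must be rebuilt by hand, and later changes to the debarchive user are not propagated into the chroot's etc/passwd`. As a point of style, using the full command as the resource title makes reports hard to read; a short title with an explicit `command =>` (and the same for the sed exec) would be clearer.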
@@ -104,7 +118,7 @@ class profiles::debarchive (
   concat::fragment { 'rssh-debarchive':
     target  => $rssh_conf,
     order   => '10',
-    content => "user = \"debarchive:022:0001100:/srv/upload\"\n",
+    content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",
   }
 
   # setup ssh keys
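Review bot: The access-bits field in `content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",` shrinks from seven digits to six, which as I read the rssh.conf format is the intended width (one digit each for rsync, rdist, cvs, sftp, scp and svnserve) and grants sftp and scp only, so this silently changes what the old `0001100` string meant to rssh and is worth a comment. I would add `# rssh access bits: rsync,rdist,cvs,sftp,scp,svnserve -> sftp and scp only` above the fragment so the next reader does not have to consult the man page to confirm which commands the uploaders may run inside the chroot.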
@@ -123,54 +137,90 @@ class profiles::debarchive (
   }
 
   # setup GPG home for signing
-  $gpghome = '/srv/debarchive/.gnupg'
-
-  file { [$gpghome, "${gpghome}/private-keys-v1.d", '/srv/debarchive/log', '/srv/debarchive/scripts']:
+  file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log", "${debarchive_home}/scripts"]:
     ensure => directory,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0700',
   }
-  file { "${gpghome}/private-keys-v1.d/${release_signing_keygrip}.key":
+  file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
     ensure  => file,
     owner   => 'debarchive',
     group   => 'nogroup',
     mode    => '0600',
-    content => $release_signing_private_key,
+    content => $release_signing_key,
   }
-  file { "${gpghome}/passphrase":
+  file { "${gpg_home}/gpg-agent.conf":
     ensure  => file,
     owner   => 'debarchive',
     group   => 'nogroup',
     mode    => '0600',
-    content => $release_signing_passphrase,
+    content => "log-file ${debarchive_home}/log/gpg-agent.log",
   }
-  file { "${gpghome}/gpg-agent.conf":
-    ensure  => file,
-    owner   => 'debarchive',
-    group   => 'nogroup',
-    mode    => '0600',
-    content => 'log-file /srv/debarchive/log/gpg-agent.log',
-  }
-  file { "${gpghome}/pubring.kbx":
+  file { "${gpg_home}/pubring.kbx":
     ensure => file,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/gpg_pubring.kbx',
   }
-  file { "${gpghome}/trustdb.gpg":
+  file { "${gpg_home}/trustdb.gpg":
     ensure => file,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
   }
-  file { '/srv/debarchive/cacert-keyring.gpg':
+  file { "${debarchive_home}/cacert-keyring.gpg":
     ensure => file,
     owner  => 'debarchive',
     group  => 'nogroup',
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
   }
+
+  # setup reprepro
+  file { $package_dir:
+    ensure => directory,
+    owner  => 'debarchive',
+    group  => 'nogroup',
+    mode   => '0755',
+  }
+  file { "${package_dir}/conf":
+    ensure => directory,
+    owner  => 'debarchive',
+    group  => 'nogroup',
+    mode   => '0700',
+  }
+
+  concat { "${package_dir}/conf/distributions":
+    ensure  => 'present',
+    owner   => 'debarchive',
+    group   => 'nogroup',
+    mode    => '0600',
+  }
+
+  concat::fragment { 'stretch-distribution':
+    target  => "${package_dir}/conf/distributions",
+    content => join([
+      'Origin: CAcert Infrastructure Team',
+      'Codename: stretch/cacert',
+      'Architectures: amd64 source',
+      'Components: main',
+      'SignWith: yes',
+      '',
+      ''], "\n"),
+  }
+
+  concat::fragment { 'buster-distribution':
+    target  => "${package_dir}/conf/distributions",
+    content => join([
+      'Origin: CAcert Infrastructure Team',
+      'Codename: buster/cacert',
+      'Architectures: amd64 source',
+      'Components: main',
+      'SignWith: yes',
+      '',
+      ''], "\n"),
+  }
 }
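Review bot: The private key resource `file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":` writes `content => $release_signing_key`, and now that the passphrase is gone that content is the bare signing secret; a plain `content` string is diffed into the agent log and the run report whenever the file changes, so the resource should carry `show_diff => false,`. If the Puppet version in use supports it, declaring the parameter as `Sensitive[String] $release_signing_key` in the class header and passing it through unchanged additionally keeps the value redacted in catalogs and reports. Separately, `SignWith: yes` in both distribution fragments lets reprepro sign with whatever gpg treats as the default key in `${gpg_home}`; since the class still takes `$release_signing_keyid` (not referenced in this hunk, so it may be used elsewhere), `SignWith: ${release_signing_keyid}` in both fragments would pin release signatures to the intended key regardless of keyring state.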