Setup inoticoming service and trusted keyring
authorJan Dittberner <jandd@cacert.org>
Fri, 2 Aug 2019 13:57:28 +0000 (15:57 +0200)
committerJan Dittberner <jandd@cacert.org>
Fri, 2 Aug 2019 13:57:28 +0000 (15:57 +0200)
sitemodules/profiles/files/debarchive/inoticoming.service [new file with mode: 0644]
sitemodules/profiles/files/debarchive/reprepro_conf_incoming [new file with mode: 0644]
sitemodules/profiles/manifests/debarchive.pp

diff --git a/sitemodules/profiles/files/debarchive/inoticoming.service b/sitemodules/profiles/files/debarchive/inoticoming.service
new file mode 100644 (file)
index 0000000..55480d7
--- /dev/null
@@ -0,0 +1,12 @@
+[Unit]
+Description=Processor for the incoming queue of the CAcert Debian archive
+Documentation=man:inoticoming(1)
+Requires=local-fs.target
+
+[Service]
+ExecStart=inoticoming --foreground --initialsearch /srv/upload/incoming --suffix .changes --stderr-to-log --stdout-to-log reprepro -s -b /srv/debarchive/packages --waitforlock 1000 processincoming default {} \;
+User=debarchive
+WorkingDirectory=/srv/debarchive
+
+[Install]
+Wanted-By=multi-user.target
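Review bot: `Wanted-By=multi-user.target` on the last line is not a systemd directive (the key is `WantedBy=`), so the unit will not be pulled in at boot and the manifest's `enable => true` is likely to fail; it should read `WantedBy=multi-user.target`. `ExecStart=` also starts with a bare `inoticoming` (and passes a bare `reprepro`); older systemd releases such as the one on Debian stretch require an absolute path for the first word, so `ExecStart=/usr/bin/inoticoming …` is the safer spelling. Since this process handles a public drop directory and has the release-signing key in its home, a short hardening block — `NoNewPrivileges=yes`, `PrivateTmp=yes`, `ProtectSystem=full` — would cost nothing here, though the exact set should be checked against the paths reprepro writes.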
diff --git a/sitemodules/profiles/files/debarchive/reprepro_conf_incoming b/sitemodules/profiles/files/debarchive/reprepro_conf_incoming
new file mode 100644 (file)
index 0000000..357749d
--- /dev/null
@@ -0,0 +1,8 @@
+Name: default
+IncomingDir: /srv/upload/incoming
+TempDir: /srv/debarchive/tmp
+LogDir: /srv/debarchive/log
+Allow: stretch-cacert buster-cacert
+Default: buster-cacert
+Permit: unused_files
+Cleanup: unused_files unused_buildinfo_files on_deny on_error
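Review bot: `Cleanup: … on_deny on_error` on the last line deletes rejected and failed uploads outright, which removes the only evidence when an unauthorised or malformed upload hits the public incoming directory. reprepro can instead move such files aside with a `MorgueDir:` entry (e.g. `MorgueDir: /srv/debarchive/morgue`) so they stay available for inspection; that directory would need to be created in the manifest. A one-line comment at the top of the file naming the rssh chroot that feeds `IncomingDir:` would also help the next reader, since the `/srv/upload` relationship is only visible in the Puppet code.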
index 38f4ca3..ad6f323 100644 (file)
@@ -44,9 +44,20 @@ class profiles::debarchive (
   String $release_signing_keyid,
   Array[String] $uploaders = [],
 ) {
+  $debarchive_home = '/srv/debarchive'
+  $gpg_home = "${debarchive_home}/.gnupg"
+  $package_dir = "${debarchive_home}/packages"
+  $trusted_keyring = "${debarchive_home}/cacert-keyring.gpg"
+  $archive_public_key = "${package_dir}/cacert-debian-archive-2019.gpg"
+  $release_signing_private_key_file = "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key"
+
+  $upload_chroot = '/srv/upload'
+  $incoming_dir = "${upload_chroot}/incoming"
+  $inoticoming_service = '/etc/systemd/system/debarchive-inoticoming.service'
+
   include profiles::base
 
-  package{ ['rssh', 'reprepro']:
+  package{ ['rssh', 'reprepro', 'inoticoming']:
     ensure => latest,
   } ->
   file { 'ensure that suid bit on rssh_chroot_helper is set':
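Review bot: The new variable block at the top of the class introduces paths whose security role is not obvious and carries no comments: `$trusted_keyring` is later handed to gpg.conf and so appears to decide whose signatures reprepro will accept, and `$archive_public_key` lands inside `$package_dir`, i.e. the served archive tree. I would add `# keyring of upload-signer keys, made visible to gpg via gpg.conf` above the `$trusted_keyring` line and `# public half of the release signing key, exported into the published archive` above `$archive_public_key`. `$release_signing_keygrip` is used in `$release_signing_private_key_file` but is not among the parameters visible in this hunk (only `$release_signing_keyid` and `$uploaders` are), so it is presumably declared earlier in the parameter list — worth confirming.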
@@ -57,12 +68,6 @@ class profiles::debarchive (
     mode   => '4755',
   }
 
-  $debarchive_home = '/srv/debarchive'
-  $gpg_home = "${debarchive_home}/.gnupg"
-  $package_dir = "${debarchive_home}/packages"
-  $upload_chroot = '/srv/upload'
-  $incoming_dir = "${upload_chroot}/incoming"
-
   # setup user, groups and directories
   group { 'debarchive':
     ensure => absent,
@@ -139,6 +144,14 @@ class profiles::debarchive (
     }
   }
 
+  file { $trusted_keyring:
+    ensure => file,
+    owner  => 'debarchive',
+    group  => 'nogroup',
+    mode   => '0600',
+    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
+  }
+
   # setup GPG home for signing
   file { [$gpg_home, "${gpg_home}/private-keys-v1.d", "${debarchive_home}/log"]:
     ensure => directory,
@@ -146,7 +159,7 @@ class profiles::debarchive (
     group  => 'nogroup',
     mode   => '0700',
   }
-  file { "${gpg_home}/private-keys-v1.d/${release_signing_keygrip}.key":
+  file { $release_signing_private_key_file:
     ensure  => file,
     owner   => 'debarchive',
     group   => 'nogroup',
@@ -160,6 +173,13 @@ class profiles::debarchive (
     mode    => '0600',
     content => "log-file ${debarchive_home}/log/gpg-agent.log",
   }
+  file { "${gpg_home}/gpg.conf":
+    ensure  => file,
+    owner   => 'debarchive',
+    group   => 'nogroup',
+    mode    => '0600',
+    content => "keyring ${trusted_keyring}\n",
+  }
   file { "${gpg_home}/pubring.kbx":
     ensure => file,
     owner  => 'debarchive',
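Review bot: The generated gpg.conf contains only `keyring ${trusted_keyring}` with no explanation; gpg's `keyring` option adds that file to the default `pubring.kbx` rather than replacing it, so every key in either file becomes verifiable, and with reprepro's uploaders rule that is the effective upload ACL. A comment line in the content would make that consequence visible to whoever next edits the keyring, e.g. `content => "# uploader keys accepted by reprepro (conf/uploaders); pubring.kbx is still read\nkeyring ${trusted_keyring}\n",`. If the intent is to restrict verification to the trusted keyring only, `no-default-keyring` would be needed as well, but that would have to be checked against signing, which presumably needs the release key's public part from pubring.kbx.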
@@ -174,12 +194,16 @@ class profiles::debarchive (
     mode   => '0600',
     source => 'puppet:///modules/profiles/debarchive/gpg_trustdb.gpg',
   }
-  file { "${debarchive_home}/cacert-keyring.gpg":
-    ensure => file,
-    owner  => 'debarchive',
-    group  => 'nogroup',
-    mode   => '0600',
-    source => 'puppet:///modules/profiles/debarchive/cacert-keyring.gpg',
+  exec { "export archive signing key":
+    command => "/usr/bin/gpg --export --export-options export-minimal \"${release_signing_keyid}\" > ${archive_public_key}",
+    creates => $archive_public_key,
+    require => [
+      File["${gpg_home}/gpg.conf"],
+      File["${gpg_home}/gpg-agent.conf"],
+      File[$release_signing_private_key_file],
+      File["${gpg_home}/pubring.kbx"],
+      File["${gpg_home}/trustdb.gpg"],
+    ],
   }
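Review bot: The `export archive signing key` exec has no `user` and no `--homedir`, so it runs as root against root's own GnuPG home rather than `$gpg_home` — the `require` list on the debarchive files suggests that was not the intent — and the output file it creates is root-owned. The `>` redirection is also only honoured if the exec uses a shell provider; with Puppet's default posix provider it is passed to gpg as an argument. Both are fixed by `command => "/usr/bin/gpg --homedir ${gpg_home} --export --export-options export-minimal --output ${archive_public_key} \"${release_signing_keyid}\"",` plus `user => 'debarchive',`. Note that `creates => $archive_public_key` means a rotated signing key will never refresh the published file; a short comment saying so would avoid surprise.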
 
   # setup reprepro
@@ -197,7 +221,7 @@ class profiles::debarchive (
   }
 
   concat { "${package_dir}/conf/distributions":
-    ensure  => 'present',
+    ensure  => present,
     owner   => 'debarchive',
     group   => 'nogroup',
     mode    => '0600',
@@ -211,6 +235,9 @@ class profiles::debarchive (
       'Architectures: amd64 source',
       'Components: main',
       'SignWith: yes',
+      'DebIndices: Packages Release . .gz .xz',
+      'Uploaders: uploaders',
+      "Log: ${debarchive_home}/log/stretch-cacert-updates.log",
       '',
       ''], "\n"),
   }
@@ -223,7 +250,52 @@ class profiles::debarchive (
       'Architectures: amd64 source',
       'Components: main',
       'SignWith: yes',
+      'DebIndices: Packages Release . .gz .xz',
+      'Uploaders: uploaders',
+      "Log: ${debarchive_home}/log/buster-cacert-updates.log",
       '',
       ''], "\n"),
   }
+
+  file { "${package_dir}/conf/incoming":
+    ensure => file,
+    owner  => 'debarchive',
+    group  => 'nogroup',
+    mode   => '0600',
+    source => 'puppet:///modules/profiles/debarchive/reprepro_conf_incoming',
+  }
+
+  file { "${package_dir}/conf/uploaders":
+    ensure  => file,
+    owner   => 'debarchive',
+    group   => 'nogroup',
+    mode    => '0600',
+    content => "allow * by any key",
+  }
+
+  file { $inoticoming_service:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    source  => 'puppet:///modules/profiles/debarchive/inoticoming.service',
+    require => [
+      Package['inoticoming'],
+      File["${package_dir}/conf/distributions"],
+      File["${package_dir}/conf/incoming"],
+      File["${package_dir}/conf/uploaders"],
+      File[$trusted_keyring],
+      User['debarchive'],
+    ],
+  } ~>
+  exec { 'reload systemd configuration after changes to service file':
+    command     => '/bin/systemctl daemon-reload',
+    refreshonly => true,
+  }
+
+  service { 'debarchive-inoticoming':
+    ensure  => running,
+    enable  => true,
+    require => File[$inoticoming_service],
+  }
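Review bot: `content => "allow * by any key"` in the `conf/uploaders` resource accepts an upload signed by any key gpg can verify — every key in `pubring.kbx` and the trusted keyring, including the archive's own release-signing key — and ignores the `Array[String] $uploaders` parameter the class already declares, so the parameter is dead. Generating the file from it pins uploads to named fingerprints, e.g. `content => join($uploaders.map |$fpr| { "allow * by key ${fpr}" } << '', "\n"),` (Puppet 4+ syntax; an empty `$uploaders` then denies everything, which seems the right default). Separately, the `debarchive-inoticoming` service only `require`s the unit file, so a changed `ExecStart=` is reloaded by the `daemon-reload` exec but never restarted; `subscribe => File[$inoticoming_service],` in place of the `require` closes that gap.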
 }