reprepro.pp

class tails::reprepro (
  $basedir = '/srv/reprepro',
  $uploaders = [
    'C92949B8A63BB098+',
    '1D84CCF010CC5BC7',
    '91F73701D9C99DC9',
    '7EF27D76B2177E1F'
  ],
  $origin = 'Tails',
  $web_hostname  = 'deb.tails.boum.org',
  $web_port      = 80,
  $nginx_managed = true,
  $git_remote    = 'https://git-tails.immerda.ch/tails'
) {

  ### Sanity checks

  if $::lsbdistcodename != 'jessie' {
    fail('The tails::tester module only supports Debian Jessie.')
  }

  ### Class variables

  $git_repo = "${basedir}/tails.git"
  $shell_lib = '/usr/local/share/tails-reprepro/functions.sh'

  ### Pull in external dependencies

  include tails_secrets_apt
  include ::reprepro

  ### Resources

  reprepro::repository { 'tails':
    uploaders                    => $uploaders,
    basedir                      => $basedir,
    origin                       => $origin,
    basedir_mode                 => '0751',
    incoming_mode                => '1775',
    manage_distributions_conf    => false,
    manage_incoming_conf         => false,
    handle_incoming_with_inotify => true,
    index_template               => 'tails/reprepro/index.html.erb',
  }

  ensure_packages(['git', 'moreutils'])

  file {

    '/usr/local/share/tails-reprepro':
      ensure => directory,
      mode => '0755', owner => root, group => reprepro;

    $shell_lib:
      mode => '0644', owner => root, group => reprepro,
      source  => [ 'puppet:///modules/tails/reprepro/functions.sh' ],
      require => File['/usr/local/share/tails-reprepro'];

    '/usr/local/bin/tails-diff-suites':
      source  => [ 'puppet:///modules/tails/reprepro/tails-diff-suites' ],
      require => File[$shell_lib],
      mode => '0755', owner => root, group => root;

    '/usr/local/bin/tails-merge-suite':
      source  => [ 'puppet:///modules/tails/reprepro/tails-merge-suite' ],
      require => File[$shell_lib],
      mode => '0755', owner => root, group => root;

    '/usr/local/bin/tails-suites-list':
      source  => [ 'puppet:///modules/tails/reprepro/tails-suites-list' ],
      require => File[$shell_lib],
      mode => '0755', owner => root, group => root;

    '/usr/local/bin/tails-suites-to-distributions':
      source => [ 'puppet:///modules/tails/reprepro/tails-suites-to-distributions' ],
      mode => '0755', owner => root, group => root;

    '/usr/local/bin/tails-suites-to-incoming':
      source => [ 'puppet:///modules/tails/reprepro/tails-suites-to-incoming' ],
      mode => '0755', owner => root, group => root;

    '/usr/local/bin/tails-update-reprepro-config':
      source  => [ 'puppet:///modules/tails/reprepro/tails-update-reprepro-config' ],
      require => [
        Exec['tails-reprepro-git-clone'],
        File[$shell_lib],
        File['/usr/local/bin/tails-suites-list'],
        File['/usr/local/bin/tails-suites-to-distributions'],
        File['/usr/local/bin/tails-suites-to-incoming'],
        Package['moreutils'],
      ],
      mode => '0755', owner => root, group => root;

    "${basedir}/conf/deny_all_uploaders":
      mode => '0660', owner => root, group => reprepro,
      content => '',
      require => File["${basedir}/conf"];

  }

  cron { 'tails-update-reprepro-config':
    user    => 'reprepro',
    minute  => '*',
    command => "flock -n /var/lock/tails-update-reprepro-config /usr/local/bin/tails-update-reprepro-config '${git_repo}' '${origin}' '${basedir}'",
    require => [ File['/usr/local/bin/tails-update-reprepro-config'], ],
  }

  # Can't use vcsrepo, that doesn't support --mirror
  exec { 'tails-reprepro-git-clone':
    user    => reprepro,
    group   => reprepro,
    cwd     => $basedir,
    command => "git clone --bare --mirror '${git_remote}' '${git_repo}' && chmod -R g+rX '${git_repo}'",
    creates => "${git_repo}/config",
    require => Package['git'],
    timeout => -1,
  }

  exec { 'tails-reprepro-import-keys':
    user        => reprepro,
    group       => reprepro,
    command     => "gpg --homedir '${basedir}/.gnupg' --batch --quiet --import '${tails_secrets_apt::keys}'",
    subscribe   => File[$tails_secrets_apt::keys],
    refreshonly => true,
    notify      => Exec["/usr/local/bin/reprepro-export-key '${basedir}'"],
    require     => Mount[$tails_secrets_apt::gnupg_homedir],
  }

  mailalias { 'reprepro': ensure => present, recipient => ['root']; }

  class { 'tails::reprepro::nginx':
    hostname => $web_hostname,
    port     => $web_port,
    basedir  => $basedir,
    managed  => $nginx_managed;
  }

  # Refresh OpenPGP keys

  package { ['dbus-x11', 'parcimonie']:
    ensure          => present,
    install_options => [ '--no-install-recommends' ],
  }

  file { '/etc/systemd/system/parcimonie-reprepro.service':
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0644',
    require => Package['dbus-x11', 'parcimonie'],
    content => "[Unit]
Description=Refresh reprepro's GnuPG keyring

[Service]
Type=simple
ExecStart=/usr/bin/dbus-launch /usr/bin/parcimonie --verbose
User=reprepro

[Install]
WantedBy=multi-user.target
",
  }

  service { 'parcimonie-reprepro.service':
    ensure    => running,
    enable    => true,
    provider  => systemd,
    require   => File['/etc/systemd/system/parcimonie-reprepro.service'],
    subscribe => File['/etc/systemd/system/parcimonie-reprepro.service'],
  }

}