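# Manage Tails custom APT repository
#
# Sets up a reprepro repository, the helper scripts that keep its suite
# configuration in sync with a bare mirror of the Tails git repository, the
# nginx vhost that serves it, OpenPGP keyring maintenance for the signing key,
# and incoming-queue notifications.
#
# Requires the nginx, reprepro and tails_secrets_apt classes to be declared
# elsewhere in the catalog; compilation fails otherwise.
#
# @param basedir
#   reprepro base directory; also the parent of the bare git mirror
#   ("${basedir}/tails.git") and of the GnuPG home ("${basedir}/.gnupg").
# @param email_recipient
#   Address used as cron MAILTO and as recipient of incoming-queue mails.
# @param uploaders
#   Key identifiers handed to reprepro::repository as allowed uploaders.
# @param origin
#   Value passed as the repository's Origin and to the config-update script.
# @param web_hostname
#   Hostname of the nginx vhost serving the repository.
# @param onion_hostname
#   Not referenced in this class; presumably read by the nginx vhost template
#   ('tails/reprepro/custom/nginx/site.erb') via class scope — confirm.
# @param onion_v3_hostname
#   Same as $onion_hostname: presumably consumed by the vhost template — confirm.
# @param web_port
#   Same as $onion_hostname: presumably consumed by the vhost template — confirm.
# @param git_remote
#   URL cloned as a bare mirror; the suite list is derived from it.
class tails::reprepro::custom (
  Stdlib::Absolutepath $basedir = '/srv/reprepro',
  String $email_recipient       = 'root',
  Array[String] $uploaders      = [
    'C92949B8A63BB098+',
    '1D84CCF010CC5BC7',
    '3D72E31D55CC34E6',
  ],
  String $origin                = 'Tails',
  Stdlib::Fqdn $web_hostname    = 'deb.tails.boum.org',
  String $onion_hostname        = '',
  String $onion_v3_hostname     = '',
  Stdlib::Port $web_port        = 80,
  String $git_remote            = 'https://gitlab.tails.boum.org/tails/tails.git'
) inherits tails::reprepro::params {

  ### Sanity checks

  # Fail at compile time rather than producing a half-configured host.
  if !defined(Class['::nginx']) {
    fail('Depends on the nginx class')
  }

  if !defined(Class['::reprepro']) {
    fail('Depends on the reprepro class')
  }

  if !defined(Class['::tails_secrets_apt']) {
    fail('Depends on the tails_secrets_apt class')
  }

  ### Class variables

  $git_repo     = "${basedir}/tails.git"
  $shell_lib    = '/usr/local/share/tails-reprepro/functions.sh'
  # GnuPG configuration files live under the reprepro user's homedir, which
  # is derived from $basedir everywhere in this class (a hard-coded
  # '/srv/reprepro' here used to silently diverge from a non-default $basedir).
  $gnupg_home   = "${basedir}/.gnupg"
  $dirmngr_conf = "${gnupg_home}/dirmngr.conf"
  $gpg_conf     = "${gnupg_home}/gpg.conf"

  ### Resources

  # distributions/incoming are generated by tails-update-reprepro-config
  # (below), so the reprepro module must not manage them.
  reprepro::repository { 'tails':
    uploaders                    => $uploaders,
    basedir                      => $basedir,
    origin                       => $origin,
    basedir_mode                 => '0751',
    incoming_mode                => '1775',
    manage_distributions_conf    => false,
    manage_incoming_conf         => false,
    handle_incoming_with_inotify => true,
    index_template               => 'tails/reprepro/index.html.erb',
  }

  # git: mirror clone below; moreutils: required by tails-update-reprepro-config.
  ensure_packages(['git', 'moreutils'])

  # Helper scripts. Those that source $shell_lib declare the dependency
  # explicitly; the two that do not require it are presumably self-contained.
  file {
    '/usr/local/share/tails-reprepro':
      ensure => directory,
      mode   => '0755',
      owner  => root,
      group  => reprepro;

    $shell_lib:
      mode    => '0644',
      owner   => root,
      group   => reprepro,
      source  => 'puppet:///modules/tails/reprepro/custom/functions.sh',
      require => File['/usr/local/share/tails-reprepro'];

    '/usr/local/bin/tails-diff-suites':
      source  => 'puppet:///modules/tails/reprepro/custom/tails-diff-suites',
      require => File[$shell_lib],
      mode    => '0755',
      owner   => root,
      group   => root;

    '/usr/local/bin/tails-merge-suite':
      source  => 'puppet:///modules/tails/reprepro/custom/tails-merge-suite',
      require => File[$shell_lib],
      mode    => '0755',
      owner   => root,
      group   => root;

    '/usr/local/bin/tails-suites-list':
      source  => 'puppet:///modules/tails/reprepro/custom/tails-suites-list',
      require => File[$shell_lib],
      mode    => '0755',
      owner   => root,
      group   => root;

    '/usr/local/bin/tails-suites-to-distributions':
      source => 'puppet:///modules/tails/reprepro/custom/tails-suites-to-distributions',
      mode   => '0755',
      owner  => root,
      group  => root;

    '/usr/local/bin/tails-suites-to-incoming':
      source => 'puppet:///modules/tails/reprepro/custom/tails-suites-to-incoming',
      mode   => '0755',
      owner  => root,
      group  => root;

    # Orchestrates the three tails-suites-* helpers against the git mirror;
    # hence the dependency on the clone and on every helper it calls.
    '/usr/local/bin/tails-update-reprepro-config':
      source  => 'puppet:///modules/tails/reprepro/custom/tails-update-reprepro-config',
      require => [
        Exec['tails-reprepro-git-clone'],
        File[$shell_lib],
        File['/usr/local/bin/tails-suites-list'],
        File['/usr/local/bin/tails-suites-to-distributions'],
        File['/usr/local/bin/tails-suites-to-incoming'],
        Package['moreutils'],
      ],
      mode    => '0755',
      owner   => root,
      group   => root;

    # Empty uploaders file; presumably referenced from generated incoming
    # config to reject uploads to some queues — confirm against the
    # tails-suites-to-incoming script.
    "${basedir}/conf/deny_all_uploaders":
      mode    => '0660',
      owner   => root,
      group   => reprepro,
      content => '',
      require => File["${basedir}/conf"];
  }

  # Runs every minute; flock -n makes overlapping runs exit immediately
  # instead of queueing. Arguments come from class parameters, not from
  # untrusted input, so single-quoting them is sufficient here.
  cron { 'tails-update-reprepro-config':
    user        => 'reprepro',
    minute      => '*',
    command     => "flock -n /var/lock/tails-update-reprepro-config /usr/local/bin/tails-update-reprepro-config '${git_repo}' '${origin}' '${basedir}'", # lint:ignore:140chars -- command
    require     => File['/usr/local/bin/tails-update-reprepro-config'],
    environment => [ "MAILTO=${email_recipient}" ],
  }

  # Can't use vcsrepo, that doesn't support --mirror before
  # https://github.com/puppetlabs/puppetlabs-vcsrepo/commit/b8f25cea95317a4b2a622e2799f1aa7ba159bdca
  # that is not part of an upstream release as of 20160523
  #
  # One-shot: 'creates' makes this a no-op once the mirror exists, so the
  # clone is never re-run or updated by Puppet itself.
  exec { 'tails-reprepro-git-clone':
    user    => reprepro,
    group   => reprepro,
    cwd     => $basedir,
    command => "git clone --bare --mirror '${git_remote}' '${git_repo}' && chmod -R g+rX '${git_repo}'",
    creates => "${git_repo}/config",
    require => Package['git'],
    # Intent is "no time limit" for a large initial clone. Puppet documents
    # 0 as the value that disables the timeout — TODO confirm -1 is accepted
    # by the Puppet release in use.
    timeout => -1,
  }

  # Import the secret signing key into the reprepro keyring whenever the
  # deployed key file changes, then re-export the public key.
  # --homedir is passed explicitly so the exec does not depend on $HOME.
  exec { 'tails-reprepro-import-keys':
    user        => reprepro,
    group       => reprepro,
    command     => "gpg --homedir '${gnupg_home}' --batch --quiet --import '${tails_secrets_apt::keys}'",
    subscribe   => File[$tails_secrets_apt::keys],
    refreshonly => true,
    notify      => Exec["/usr/local/bin/reprepro-export-key '${basedir}'"],
    require     => Mount[$tails_secrets_apt::gnupg_homedir],
  }

  # NOTE(review): delivers to 'root' regardless of $email_recipient, unlike
  # the cron MAILTO and notify_incoming below — confirm this is intentional.
  mailalias { 'reprepro': ensure => present, recipient => ['root']; }

  class { '::tails::reprepro::custom::nginx':
    hostname      => $web_hostname,
    basedir       => $basedir,
    vhost_content => template('tails/reprepro/custom/nginx/site.erb'),
  }

  # Refresh OpenPGP keys

  package { ['dbus-x11', 'parcimonie']:
    ensure          => present,
    install_options => [ '--no-install-recommends' ],
  }

  # parcimonie needs a session bus, hence the dbus-launch wrapper.
  file { '/etc/systemd/system/parcimonie-reprepro.service':
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0644',
    require => Package['dbus-x11', 'parcimonie'],
    content => "[Unit]
Description=Refresh reprepro's GnuPG keyring

[Service]
Type=simple
ExecStart=/usr/bin/dbus-launch /usr/bin/parcimonie --verbose
User=reprepro

[Install]
WantedBy=multi-user.target
",
  }

  # Started only after the keyserver is configured, so the first refresh
  # already goes through the onion keyserver.
  service { 'parcimonie-reprepro.service':
    ensure    => running,
    enable    => true,
    provider  => systemd,
    require   => [
      File['/etc/systemd/system/parcimonie-reprepro.service'],
      File_line['set_onion_keyserver_in_dirmngr'],
    ],
    subscribe => File['/etc/systemd/system/parcimonie-reprepro.service'],
  }

  # Fix parcimonie in Stretch (see debian bug #898085)
  # NOTE(review): assumes $gnupg_home already exists (the import-keys exec
  # above relies on Mount[$tails_secrets_apt::gnupg_homedir] for that) —
  # confirm ordering, as no dependency is declared here.
  file { $dirmngr_conf:
    ensure => present,
    owner  => reprepro,
    group  => reprepro,
    mode   => '0644',
  }

  # NOTE(review): a 16-character .onion address is a v2 onion service, which
  # current Tor releases no longer reach — confirm parcimonie can still use
  # this keyserver, or point it at a v3 address.
  file_line { 'set_onion_keyserver_in_dirmngr':
    path => $dirmngr_conf,
    line => 'keyserver hkp://jirk5u4osbsr34t5.onion',
  }

  # Make the running dirmngr pick up the new keyserver on its next start.
  # NOTE(review): unlike the gpg import exec, no --homedir is given; confirm
  # dirmngr resolves $gnupg_home when run as the reprepro exec user.
  exec { 'shutdown_reprepro_dirmngr':
    user        => reprepro,
    command     => 'dirmngr --shutdown',
    subscribe   => File_line['set_onion_keyserver_in_dirmngr'],
    refreshonly => true,
  }

  # Make sure the exported public key is up-to-date
  cron { 'tails-reprepro-export-key':
    user    => reprepro,
    minute  => 17,
    command => "/usr/local/bin/reprepro-export-key '${basedir}'",
    require => Reprepro::Repository['tails'],
  }

  class { '::tails::reprepro::custom::notify_incoming':
    ensure           => present,
    mail_to          => $email_recipient,
    mail_from        => 'reprepro@lizard.tails.boum.org',
    reprepro_basedir => $basedir,
  }

  # Configure the signing key for this reprepro instance

  # 0600: gpg.conf is private to the signing user; see the ordering caveat
  # on $dirmngr_conf above, which applies here too.
  file { $gpg_conf:
    ensure => file,
    owner  => reprepro,
    group  => reprepro,
    mode   => '0600',
  }

  # 'match' replaces an existing default-key line instead of appending a
  # second one when the signing key in params changes.
  file_line { "set default key in ${gpg_conf}":
    path  => $gpg_conf,
    line  => "default-key ${tails::reprepro::params::signing_key}",
    match => '^default-key\s'
  }

}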