# Manage time-based snapshots of the set of APT repositories Tails needs,
# in a reprepro setup.
#
# Parameters worth documenting:
#
# Note: the ensure parameter is not fully supported, because some resources
# we are managing here don't provide this functionality.
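class tails::reprepro::snapshots::time_based (
  Hash $architectures                          = $tails::reprepro::params::snapshots_architectures,
  Enum['present', 'absent'] $automatic_refresh = 'present',
  $email_recipient                             = 'root',
  Enum['present', 'absent'] $ensure            = 'present',
  Stdlib::Absolutepath $homedir                = '/srv/apt-snapshots/time-based',
  String $signwith                             = $tails::reprepro::params::snapshots_signwith,
  String $user                                 = 'reprepro-time-based-snapshots',
  Stdlib::Fqdn $web_hostname                   = 'time-based.snapshots.deb.tails.boum.org',
  Stdlib::Port $web_port                       = 80,
) inherits tails::reprepro::params {
  # $web_port is not referenced directly below; presumably it is consumed by
  # the nginx_site.erb template rendered further down — verify there.

  # Every snapshotted repository lives below this directory.
  $repositories_dir = "${homedir}/repositories"

  # Package resources only understand present/absent, so map $ensure onto
  # those two values.
  $package_ensure = $ensure ? {
    absent  => absent,
    default => present,
  }

  tails::reprepro::snapshots::base { 'time-based':
    ensure           => $ensure,
    homedir          => $homedir,
    repositories_dir => $repositories_dir,
    user             => $user,
  }

  # One reprepro repository per upstream distribution we snapshot. All four
  # share the same hour offset and are staggered by 15 minutes — presumably
  # so their automatic refreshes don't run concurrently.
  tails::reprepro::snapshots::time_based::repository { 'debian':
    ensure                        => $ensure,
    architectures                 => $architectures,
    automatic_refresh             => $automatic_refresh,
    automatic_refresh_delta_hours => 5,
    automatic_refresh_delta_mins  => 0,
    basedir                       => "${repositories_dir}/debian",
    homedir                       => $homedir,
    signwith                      => $signwith,
    user                          => $user,
  }

  tails::reprepro::snapshots::time_based::repository { 'debian-security':
    ensure                        => $ensure,
    architectures                 => $architectures,
    automatic_refresh             => $automatic_refresh,
    automatic_refresh_delta_hours => 5,
    automatic_refresh_delta_mins  => 15,
    basedir                       => "${repositories_dir}/debian-security",
    homedir                       => $homedir,
    signwith                      => $signwith,
    user                          => $user,
  }

  tails::reprepro::snapshots::time_based::repository { 'tails':
    ensure                        => $ensure,
    architectures                 => $architectures,
    automatic_refresh             => $automatic_refresh,
    automatic_refresh_delta_hours => 5,
    automatic_refresh_delta_mins  => 30,
    basedir                       => "${repositories_dir}/tails",
    homedir                       => $homedir,
    signwith                      => $signwith,
    user                          => $user,
  }

  tails::reprepro::snapshots::time_based::repository { 'torproject':
    ensure                        => $ensure,
    architectures                 => $architectures,
    automatic_refresh             => $automatic_refresh,
    automatic_refresh_delta_hours => 5,
    automatic_refresh_delta_mins  => 45,
    basedir                       => "${repositories_dir}/torproject",
    homedir                       => $homedir,
    signwith                      => $signwith,
    user                          => $user,
  }

  ensure_packages(['db5.3-util'], {'ensure' => $package_ensure})

  # Runtime dependencies of the helper scripts installed below. Each script's
  # file resource requires its own dependency list so the interpreter
  # modules are in place before the script can be run.
  $tails_delete_expired_apt_snapshots_pkg_deps = [
    libdatetime-perl,
    libdatetime-format-mail-perl,
    libfile-find-rule-perl,
    libfile-slurp-perl,
    libipc-system-simple-perl,
    liblist-moreutils-perl,
  ]
  $tails_update_time_based_apt_snapshots_pkg_deps = [
    libcarp-assert-perl,
    libcarp-assert-more-perl,
    libipc-system-simple-perl,
    libpath-tiny-perl,
    libtry-tiny-perl,
  ]
  $tails_compact_reprepro_db_pkg_deps = [
    python3-bsddb3,
  ]

  ensure_packages(
    $tails_compact_reprepro_db_pkg_deps,
    {'ensure' => $package_ensure}
  )
  ensure_packages(
    $tails_update_time_based_apt_snapshots_pkg_deps,
    {'ensure' => $package_ensure}
  )
  ensure_packages(
    $tails_delete_expired_apt_snapshots_pkg_deps,
    {'ensure' => $package_ensure}
  )

  # The updater verifies upstream signatures, so both key imports must have
  # happened before it is installed (and thus before it can be run).
  file { '/usr/local/bin/tails-update-time-based-apt-snapshots':
    ensure  => $ensure,
    owner   => root,
    group   => root,
    mode    => '0755',
    source  => 'puppet:///modules/tails/reprepro/snapshots/time_based/tails-update-time-based-apt-snapshots',
    require => [
      Package[$tails_update_time_based_apt_snapshots_pkg_deps],
      Exec[
        'tails-reprepro-snapshots-time_based-import-upstream-keys-apt-keys.d',
        'tails-reprepro-snapshots-time_based-import-upstream-keys-upstream-keys.d'
      ],
    ],
  }

  file { '/usr/local/bin/tails-bump-apt-snapshot-valid-until':
    ensure => $ensure,
    owner  => root,
    group  => root,
    mode   => '0755',
    source => 'puppet:///modules/tails/reprepro/snapshots/time_based/tails-bump-apt-snapshot-valid-until',
  }

  file { '/usr/local/bin/tails-delete-expired-apt-snapshots':
    ensure  => $ensure,
    owner   => root,
    group   => root,
    mode    => '0755',
    source  => 'puppet:///modules/tails/reprepro/snapshots/time_based/tails-delete-expired-apt-snapshots',
    require => Package[$tails_delete_expired_apt_snapshots_pkg_deps],
  }

  file { '/usr/local/bin/tails-compact-reprepro-db':
    ensure  => $ensure,
    owner   => root,
    group   => root,
    mode    => '0755',
    source  => 'puppet:///modules/tails/reprepro/snapshots/time_based/tails-compact-reprepro-db',
    require => Package[$tails_compact_reprepro_db_pkg_deps],
  }

  # This one lives in sbin and is run via sudo (see below), so it must be
  # root-owned and not writable by $user.
  file { '/usr/local/sbin/tails-publish-tagged-apt-snapshot':
    ensure => $ensure,
    owner  => root,
    group  => root,
    mode   => '0755',
    source => 'puppet:///modules/tails/reprepro/snapshots/time_based/tails-publish-tagged-apt-snapshot',
  }

  # Grant $user passwordless root only for that single, fixed path. Ordered
  # after the file so the rule never references a path we don't yet manage.
  sudo::conf { 'tails-publish-tagged-apt-snapshot':
    ensure  => $ensure,
    content => "${user} ALL = NOPASSWD: /usr/local/sbin/tails-publish-tagged-apt-snapshot\n",
    require => File['/usr/local/sbin/tails-publish-tagged-apt-snapshot'],
  }

  # To avoid having to maintain them in yet another place, let's reuse
  # the keys we give to APT on our systems:
  tails::reprepro::snapshots::time_based::import_upstream_keys {
    'apt-keys.d':
      ensure  => $ensure,
      source  => 'puppet:///modules/tails/reprepro/snapshots/time_based/keys.d',
      user    => $user,
      homedir => $homedir,
  }
  # These are the additional upstream keys we don't use elsewhere:
  tails::reprepro::snapshots::time_based::import_upstream_keys {
    'upstream-keys.d':
      ensure  => $ensure,
      source  => 'puppet:///modules/tails/reprepro/snapshots/time_based/upstream-keys.d',
      user    => $user,
      homedir => $homedir,
  }

  # Web publication. Neither the module package nor the vhost honour $ensure;
  # see the note at the top of the file about ensure support.
  ensure_packages(['libnginx-mod-http-fancyindex'])

  nginx::vhostsd { $web_hostname:
    content => template('tails/reprepro/snapshots/time_based/nginx_site.erb'),
    require => Package[nginx, 'libnginx-mod-http-fancyindex'],
  }

  mailalias { $user:
    recipient => $email_recipient,
  }

  # Expire stale files in the snapshot tmpdir after 7 days via tmpfiles.d
  # (this is not a cronjob). The path is derived from $homedir so that
  # overriding the parameter keeps cleanup pointed at the right directory.
  file { '/etc/tmpfiles.d/time-based-apt-snapshots.conf':
    ensure  => $ensure,
    owner   => root,
    group   => root,
    mode    => '0644',
    content => "e  ${homedir}/tmp/ - - - 7d\n",
  }
}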